
Introduction

mobilEcho Client Management Server provides comprehensive tools that allow you to control and track the devices that access your mobilEcho servers. This includes the ability to create mobilEcho client policies that regulate the settings and capabilities of your mobilEcho clients. These tools ensure IT has full control over secure mobile device access to corporate files.

Client Management options include:

  • Device level tracking and status
  • PIN-based mobilEcho client enrollment can be required for client access
  • User profiles
  • Group profiles
  • Client app password lock policies
  • Application-level file permission policies (view, edit, create, delete, rename)
  • Application-level file distribution policies (allow emailing, printing, editing in other applications)
  • Caching policy
  • Assignment of servers, folders, and home directories displayed in the client application
  • Whitelisting and blacklisting of third party apps allowed to open mobilEcho files
  • Remote application lock password reset
  • mobilEcho app-specific remote wipe capability

mobilEcho Client Management allows profiles to be assigned to Active Directory users or groups. Group profiles are assigned an order of precedence and a user is governed by the highest priority group profile they are a member of. In the case that a specific user needs a special set of capabilities, user profiles can be created and take precedence over group profiles, ensuring that the user gets the profile settings required.

Once mobilEcho Client Management profiles have been established, the IT administrator invites users to activate their mobilEcho client app by using the mobilEcho Client Management Administrator to email them a mobilEcho Enrollment Invitation. If two-factor client enrollment is desired, this invitation email can optionally contain a one-time-use PIN number, required to enroll the device in your mobilEcho management system. From their device, the user simply taps a link in the enrollment email, which launches the mobilEcho app and automatically starts the enrollment process. The user is then asked to enter their Active Directory account password. If the PIN number and account credentials are valid, the user is asked to set an application lock password if required and is warned of any restrictions that will remove existing files from the device. From that point on, the mobilEcho client application is managed by the established management profile settings. Each time the mobilEcho client is started, it calls home to the Client Management Server and is updated with any settings changes or assigned servers that have been added or removed from the profile.

As a complement to mobilEcho Client Management, administrators can also use a Mobile Device Management (MDM) system to enforce iOS level policies for corporate devices. For example, you can require the use of an iOS Passcode Lock through an iOS Configuration Profile set up through an MDM server. The profile can also be configured to require that any device data backed up through iTunes will be encrypted on the computer. For more information about Mobile Device Management, see http://www.apple.com/ipad/business/integration/mdm.

Enabling the mobilEcho Client Management Server

If you wish to remotely manage your mobilEcho clients, at least one mobilEcho Server must have its mobilEcho Client Management Server component enabled. The mobilEcho Client Management Server is installed when you install mobilEcho Server, but is disabled by default. Even if you have many mobilEcho file servers, it is typical to maintain only one mobilEcho Client Management Server that manages all your mobilEcho clients. The selected server can act as a file server and management server simultaneously and can handle thousands of clients.

If you are deploying mobilEcho across widely separated geographical locations or in multiple departments with unique IT policies or Active Directory structure, multiple mobilEcho Client Management Servers can be configured as needed.

Domain Membership

Your client management server must be a member of the domain that your mobilEcho file servers reside on. Users will authenticate to the management server with their Active Directory credentials.

Configuring the Client Management Service

Before the Client Management service is enabled, some fundamental settings must be entered in its configuration file. To access the mobilEcho Client Management configuration file:

  1. Ensure that mobilEcho is installed on the Windows server designated as your mobilEcho Client Management Server.
  2. Navigate to the mobilEcho Server program folder. The default location is C:\Program Files\Group Logic\mobilEcho Server on 32-bit versions of Windows and C:\Program Files (x86)\Group Logic\mobilEcho Server on 64-bit versions of Windows.
  3. Enter the ManagementUI folder and open the mobilEcho_manager.cfg file in a text editor application. If your default language includes Unicode characters, be sure that your text editor is UTF-8 compatible and saves the config file in UTF-8 format.

The mobilEcho_manager.cfg file contains the base settings that mobilEcho Client Management requires to function. Detailed instructions are included in the file. Required settings include:

HTTPS_PORT

The mobilEcho Client Management Server UI uses port 3000 for HTTPS web browser access by default. This port can be changed to anything you like. A change to this setting requires a restart of the mobilEcho Management service to take effect.

MANAGEMENT_SESSION_TIMEOUT

The number of minutes the mobilEcho Client Management Administrator can be idle before a session is terminated and the administrator is required to log in again.

HTTPS_USE_AUTOGENERATED_CERTS

This setting defaults to true. When set to true mobilEcho will generate a self-signed SSL certificate. This will allow network access to the mobilEcho Client Management web UI to be encrypted, but will produce a warning in most web browsers. If you would like to obtain, or already have, a third-party issued SSL certificate for this server, you can change this setting to false and enter the paths to your key and certificate in the related settings below. A change to this setting requires a restart of the mobilEcho Management service to take effect.

Firefox Incompatibility

In Firefox, auto-generated certificates can often result in an error regarding a duplicate certificate serial number. It is recommended you do not use Firefox to access servers using auto-generated certificates.

HTTPS_KEY

Enter the path on disk to your certificate's key. A change to this setting requires a restart of the mobilEcho Management service to take effect.

HTTPS_CERT

Enter the path on disk to your certificate. A change to this setting requires a restart of the mobilEcho Management service to take effect.

MANAGEMENT_SERVER_ADDRESS

Enter the DNS name or IP address of this management server. This information is used to create the client management invitation file that instructs your mobilEcho clients where to access the management server.

It is possible to configure your mobilEcho file servers to require that a client is managed by a particular mobilEcho management server, ensuring that all clients have the proper application and security settings in place before they gain access. In order for this feature to work, the address used by the client must match the address allowed on the server. Therefore, it is important that you use a consistent DNS name or IP address on all mobilEcho clients so they access the mobilEcho management server using the same address.

It is recommended that you create a unique DNS name for your management server that can be reconfigured to point to any server you may decide to move the management server role to in the future.

VALID_LOGIN_NAMES

The mobilEcho Client Management Administrator authenticates users with Active Directory at login. For this setting, provide a comma separated list of the usernames or Active Directory groups that you would like to be allowed to log into the administrator web UI. This setting simply serves as an allow list. The username and password entered will always be verified with Active Directory before a user can successfully log in.

LDAP_HOST

Enter the DNS name or IP address of the Active Directory server you would like mobilEcho Client Management to use for regulating access to the web UI and for setting up your user and group profiles.

LDAP_PORT

The default Active Directory port is 389. This will likely not need to be modified.

LDAP_IS_SSL

The default is no. Change this setting to yes to connect to Active Directory using secure LDAP.

LDAP_DOMAIN

Enter your domain name. As an example, GroupLogic's full domain name is grouplogic.com. For this setting, just the base domain name grouplogic is entered.

LDAP_SEARCHBASE

Enter the root level you would like searches for users and groups to be assigned mobilEcho profiles to begin. If you would like to search your entire domain, enter "dc=domainname, dc=domainsuffix". For the GroupLogic example, this would be:  dc=grouplogic, dc=com

SMTP_SERVER_ADDRESS

Enter the DNS name of an SMTP server that will be used to send client management enrollment email invitations to your users. This is required to add devices to the mobilEcho management server.

SMTP_SERVER_PORT

Enter your SMTP server port. This setting defaults to port 587.

SMTP_USE_SECURE

Enable or disable the option to use a secure SSL connection to your SMTP server. This setting defaults to false. Set this to true to enable secure SMTP.

SMTP_USERNAME

If required by your SMTP server, enter a username for SMTP authentication. Leave this blank if no authentication is required.

SMTP_PASSWORD

If required by your SMTP server, enter a password for SMTP authentication. Leave this blank if no authentication is required.

SMTP_FROM_NAME

Enter the name that users will see as the From name when they receive an enrollment invitation email.

SMTP_FROM_ADDRESS

Enter the email address that users will see as the From address when they receive an enrollment invitation email.

SMTP_EMAIL_SUBJECT

Enter the Email Subject that users will see when they receive an enrollment invitation email.

DEFAULT_INVITATION_TIMEOUT

Enter the default number of days you would like an enrollment PIN number to be valid before it expires.

Save the configuration file

Once these options have been configured, save the mobilEcho_manager.cfg file.

These settings can later be confirmed from the mobilEcho Client Management Administrator's Settings page.
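
The transport and access settings described above can be checked before the service is enabled. The following is an added example, not code shipped with mobilEcho: it assumes the file holds one `KEY = value` setting per line with `#` comments (the page does not show the file's syntax, so adjust the parser to match the comments in your own file), and both sample configurations are constructed.

```python
import ipaddress
import re

# Assumed layout (not confirmed by the page): one KEY = value per line,
# lines starting with '#' are comments, values may be wrapped in quotes.
SETTING = re.compile(r"^\s*([A-Z_]+)\s*[=:]\s*(.*?)\s*$")
TRUTHY = {"true", "yes", "1"}

# Constructed sample that keeps the defaults the page states.
DEFAULT_CFG = r"""
# constructed sample, not a real deployment
HTTPS_PORT = 3000
HTTPS_USE_AUTOGENERATED_CERTS = true
MANAGEMENT_SERVER_ADDRESS = 10.0.0.15
VALID_LOGIN_NAMES = "mobilEchoAdmins, Domain Users"
LDAP_HOST = dc01.example.com
LDAP_PORT = 389
LDAP_IS_SSL = no
LDAP_SEARCHBASE = "dc=example, dc=com"
SMTP_SERVER_PORT = 587
SMTP_USE_SECURE = false
SMTP_USERNAME = mailer
SMTP_PASSWORD = constructed-placeholder
"""

# Constructed sample with the secure options switched on.
HARDENED_CFG = r"""
HTTPS_USE_AUTOGENERATED_CERTS = false
HTTPS_KEY = C:\certs\mgmt.example.com.key
HTTPS_CERT = C:\certs\mgmt.example.com.crt
MANAGEMENT_SERVER_ADDRESS = mobilecho-mgmt.example.com
VALID_LOGIN_NAMES = mobilEchoAdmins
LDAP_IS_SSL = yes
SMTP_USE_SECURE = true
SMTP_USERNAME = mailer
SMTP_PASSWORD = constructed-placeholder
"""


def parse_cfg(text):
    """Return {KEY: value} from the assumed KEY = value layout."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip("'\"")
    return settings


def enabled(settings, key, default):
    """Interpret a true/false or yes/no setting, falling back to the page's default."""
    return settings.get(key, default).strip().lower() in TRUTHY


def audit(settings):
    """Return (KEY, finding) pairs for settings left at a weaker value."""
    findings = []
    if enabled(settings, "HTTPS_USE_AUTOGENERATED_CERTS", "true"):
        findings.append(("HTTPS_USE_AUTOGENERATED_CERTS",
                         "self-signed certificate: browsers warn and the "
                         "admin UI's identity cannot be verified"))
    else:
        for key in ("HTTPS_KEY", "HTTPS_CERT"):
            if not settings.get(key):
                findings.append((key, "path required when auto-generated "
                                      "certificates are turned off"))
    if not enabled(settings, "LDAP_IS_SSL", "no"):
        findings.append(("LDAP_IS_SSL",
                         "Active Directory connection is not using secure LDAP"))
    if not enabled(settings, "SMTP_USE_SECURE", "false"):
        findings.append(("SMTP_USE_SECURE",
                         "enrollment invitations, including any PIN, reach "
                         "the SMTP server without SSL"))
        if settings.get("SMTP_PASSWORD"):
            findings.append(("SMTP_PASSWORD",
                             "SMTP credentials configured while the SMTP "
                             "connection is not set to use SSL"))
    address = settings.get("MANAGEMENT_SERVER_ADDRESS", "")
    try:
        ipaddress.ip_address(address)
        findings.append(("MANAGEMENT_SERVER_ADDRESS",
                         "IP address in use: a dedicated DNS name lets the "
                         "role move without re-enrolling clients"))
    except ValueError:
        if not address:
            findings.append(("MANAGEMENT_SERVER_ADDRESS", "not set"))
    names = [n.strip().lower()
             for n in settings.get("VALID_LOGIN_NAMES", "").split(",") if n.strip()]
    if not names:
        findings.append(("VALID_LOGIN_NAMES", "no administrators listed"))
    elif "domain users" in names:
        findings.append(("VALID_LOGIN_NAMES",
                         "allow list includes Domain Users: every domain "
                         "account can log in to the admin UI"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_cfg(DEFAULT_CFG)):
        print(f"{key}: {finding}")
```

Because mobilEcho_manager.cfg can hold the SMTP password, also restrict read access to the file to administrators.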

Enabling the mobilEcho Management Service

mobilEcho Client Management runs as a standard Windows service. This service is disabled by default. To enable the mobilEcho Management service:

  1. Open the Windows Start menu
  2. Right click on My Computer and select Manage to open the Computer Management console
  3. Under the Services and Applications section, select Services
  4. Scroll down to the mobilEcho Management service
  5. Right click mobilEcho Management and select Properties
  6. Change Startup type to Automatic
  7. Click the Start button
  8. Click OK to close the Properties dialog
  9. Confirm that the mobilEcho Management service is listed as Started and close the Computer Management console

The mobilEcho Management service is now started and will start up automatically any time your server is rebooted.

Configuring mobilEcho Client Management Profiles

Once the mobilEcho Management service is started, you can proceed to log in and configure your management settings.

Logging In

The mobilEcho Client Management Administrator is accessed through a web browser. This will always work when using a browser running on the actual management server. Note again that Firefox is not recommended if you are using the default automatically generated self-signed SSL certificate on your server.

Firewall Requirements

If you would like to access the mobilEcho web interface from another computer, you will need to ensure that there is an exception configured for the mobilEcho web interface in the Windows Firewall service.

The default HTTPS port used by the mobilEcho Client Management Administrator is port 3000. It is recommended that you configure a generic, port-specific firewall exception for this port.

mobilEcho URL

To connect to the mobilEcho web interface, enter this URL in your browser. Note that you must start the URL with https://

If you have modified the default port, you will need to use the new value instead of 3000.

Log In

The initial page you will see is the Log in page. You may log in with any account that was included in the VALID_LOGIN_NAMES setting in the mobilEcho_manager.cfg config file. Enter your Active Directory username and password.

If you have trouble logging in, confirm that your LDAP settings are valid in the mobilEcho_manager.cfg config file.

Entering your mobilEcho File Server names

The mobilEcho Client Management Server needs to know about the mobilEcho File Servers on your network. You will need to configure this list of servers before setting up profiles. This list is used in the profile creation process to assign the servers that will automatically appear in the user's mobilEcho client application. Therefore, it is recommended that servers are configured before you begin creating profiles.

Adding a Server
  1. Click Servers & Folders in the top menu.
  2. Click the Add new server button.
  3. Enter the Server Name or IP Address that you would like clients to use to connect to the server.
  4. Enter a Display Name. This name will be shown in the mobilEcho client application to identify the server.
  5. Optionally, choose any existing User and Group Profiles you'd like to assign this new server to, and click Add. This will automatically add the server to each of the selected profile's Assigned Servers list.
  6. Click the Save button.

Adding a Folder

In addition to Servers, Folders can also be assigned to mobilEcho user and group profiles, allowing them to automatically appear in a user's mobilEcho client application. Folders can be configured to point to any mobilEcho shared volume, or even a subdirectory within a shared volume. This allows you to give a user direct access to any folders that might be important to them.  By doing so, they don't have to navigate to the folder by knowing the exact server, shared volume name, and path to the folder.

Folders can optionally be configured to sync to the client device. mobilEcho folder sync options include:

  • None - The folder will appear as a network-based resource in the mobilEcho client app and can be accessed and worked with just like a mobilEcho server.
  • 1-Way - The folder will appear as a local folder in the mobilEcho client app. Its complete contents will be synced from the server to the device and it will be kept up to date if files on the server are added, modified, or deleted. This folder is intended to give local/offline access to a set of server-based files and appears as read-only to the user.
  • 2-Way - The folder will appear as a local folder in the mobilEcho client app. Its complete contents will initially be synced from the server to the device. If files in this folder are added, modified, or deleted, either on the device or on the server, these changes will be synced back to the server or device.

Require Salesforce activity logging

  • GroupLogic has partnered with Salesforce to offer an option for logging access to files shown to customers using mobilEcho. Enabling this option will require any user who has this folder assigned to their mobilEcho management profile to log a customer activity in Salesforce before they can open any file in the folder. This is done completely within the mobilEcho client app.
  • All items in this folder will be restricted from being emailed, printed, copied or moved outside this folder, or opened in other apps on the device. 
  • This feature requires a mobilEcho client and server of version 3.1 or later.
  • mobilEcho clients earlier than version 3.1 will not receive these restrictions. If you need to ensure that all clients accessing this folder are on 3.1 or later, you can set the minimum client version setting on the server the folder resides on to: 3.1.0.133. Details can be found in this knowledge base article: Setting the minimum allowed mobilEcho client version on a mobilEcho server

To add a folder:

  1. Click Servers & Folders in the top menu.
  2. Click the Add new folder button.
  3. Enter a Display Name. This name will be shown in the mobilEcho client application to identify the folder.
  4. Select the server where the folder is located. If the server is not listed, you must first add it to the Servers list on the Servers & Folders page.
  5. Enter the folder's Path. The path must begin with the mobilEcho shared volume name. If you would like to give access to a subfolder in that shared volume, include the full path to that subfolder in the Path field.
    • You can include the wildcard string %USERNAME% (case sensitive) in the path. This wildcard will be replaced with the user's account username.

      Warning:

      The shared volume name is case sensitive. If you mistype it, you will receive a "The share is unavailable." message when trying to access this folder in your mobilEcho client.
      If you have already received that error, but still keep seeing it after correcting the issue, it is possible that the old folder path has remained cached in the mobilEcho client. The fastest way for the changes to take effect would be to change the display name of the folder.

  6. Choose a Sync option: None, 1-way, or 2-way. See above for details on each option.
  7. Optionally, enable Require Salesforce activity logging.
  8. Optionally, choose any existing User and Group Profiles you'd like to assign this new folder to, and click Add. This will automatically add the folder to each of the selected profile's Assigned Folders list.
  9. Click the Save button.

Adding a Network Reshare Path Mapping

mobilEcho includes a 'Network Reshare' feature, that allows a mobilEcho server to host a shared volume that gives access to data located on a second file server. The mobilEcho server uses the SMB/CIFS protocol to connect to the secondary file server.

mobilEcho also includes the ability to automatically show a user's Active Directory assigned home folder in the mobilEcho client app. These home directory locations are specified by SMB path in the user's Active Directory user account profile.

Warning:

The shared volume name is case sensitive. If the case sensitivity is not followed in the SMB path, you will receive a "The share is unavailable." message when trying to access the home folder in your mobilEcho client.
If you have already received that error, but still keep seeing it after correcting the issue, it is possible that the old SMB path has remained cached in the mobilEcho client. The fastest way for the changes to take effect would be to change the display name of the home folder.

If mobilEcho is installed directly on the server hosting your users' Active Directory assigned SMB home folders, and a mobilEcho shared volume has been created with the same name and location as the SMB home folders shared volume, the mobilEcho UNC path to the home folders shared volume will be identical to the UNC path to the SMB home folders shared volume, and the UNC path specified in the user's Active Directory profile home folder setting will be correct for both SMB access and mobilEcho access.

If you are using mobilEcho's Network Reshare feature to give access to home directories on a secondary SMB file server, the SMB UNC path in a user's Active Directory profile home folder setting will not match the mobilEcho UNC path, since mobilEcho servers access their home folders by connecting to a different server.

In this case, you will need to configure a Network Reshare Path Mapping, so that mobilEcho knows how to translate the SMB UNC path it gets from the Active Directory profile home folder setting to the mobilEcho UNC path that the mobilEcho client needs to know to connect to the home folder. 

  1. Click Servers & Folders in the top menu.
  2. Click the Add new path mapping button.
  3. Select the mobilEcho server where the mobilEcho network reshare shared volume is located. Then enter the name of the mobilEcho Shared Volume (case sensitive).
  4. Click Next.
  5. Enter the UNC Path that you would like to be redirected to the mobilEcho Shared Volume you specified in the previous step. 
  6. Important Note: Because mobilEcho is matching on this path, the UNC Path needs to use the exact server name and SMB shared volume name as it appears in your users' Active Directory user profile home folder setting. If an SMB home folder's path in Active Directory uses a different name for the server than is entered in the path mapping setting (such as "\\fileserver.company.com\sharename" vs. "\\fileserver\sharename") the home directory will not work in the mobilEcho client. If you've used more than one method for representing your server's name in the Active Directory profile home folder setting for your users, you will need to create a path mapping for each variation on the server name.
  7. Click the Save button.

Home Directory support when mobilEcho server is running on a non-default port

mobilEcho clients connect to mobilEcho servers on port 443 by default. If the mobilEcho server that contains your home directory shared volume is configured to use a different port, you will need to create a Network reshare path mapping that points to the correct mobilEcho server and share on the correct port, so that the mobilEcho client will know to connect to the server on the non-default port. This will be necessary, even if your home directory share is located directly on local storage on your mobilEcho server. In this case a path mapping is necessary to translate an AD home directory SMB path like "\\fileserver.company.com\sharename" to the correct mobilEcho path "\\fileserver.company.com:444\sharename". The correct port just needs to be appended to the server's name or IP address when you add the server to the mobilEcho Client Management server list.
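
The matching rule described in this section can be checked against your directory data before users hit "The share is unavailable." The following is an added example, not mobilEcho code: it models a path mapping as an exact match on the server and share name (string comparison is an assumption drawn from the "exact server name" wording above), uses the page's own fileserver.company.com example, and the user folder names are constructed.

```python
from typing import NamedTuple, Optional


class PathMapping(NamedTuple):
    smb_server: str  # server name exactly as written in the AD home folder setting
    smb_share: str   # SMB shared volume name
    me_server: str   # mobilEcho server; ":port" appended when not on 443
    me_share: str    # mobilEcho shared volume name (case sensitive)


def split_unc(path: str):
    r"""Split \\server\share\rest into (server, share, rest)."""
    if not path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {path!r}")
    parts = path[2:].split("\\", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"UNC path needs a server and a share: {path!r}")
    rest = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], rest


def translate(path: str, mappings) -> Optional[str]:
    """Return the mobilEcho UNC path for an AD home folder path, or None."""
    server, share, rest = split_unc(path)
    for m in mappings:
        # Assumption: exact string match on server and share, as the page's
        # "exact server name and SMB shared volume name" wording implies.
        if (server, share) == (m.smb_server, m.smb_share):
            target = "\\\\" + m.me_server + "\\" + m.me_share
            return target + "\\" + rest if rest else target
    return None


def unmapped_prefixes(home_dirs, mappings):
    r"""Return the sorted \\server\share prefixes that no mapping covers."""
    missing = set()
    for path in home_dirs:
        if translate(path, mappings) is None:
            server, share, _ = split_unc(path)
            missing.add("\\\\" + server + "\\" + share)
    return sorted(missing)


# The page's example: home share served by mobilEcho on port 444.
MAPPINGS = [
    PathMapping("fileserver.company.com", "sharename",
                "fileserver.company.com:444", "sharename"),
]

# Constructed AD home folder values; the second uses the short server name.
HOME_DIRS = [
    r"\\fileserver.company.com\sharename\jsmith",
    r"\\fileserver\sharename\mlee",
]

if __name__ == "__main__":
    for home in HOME_DIRS:
        print(home, "->", translate(home, MAPPINGS))
    print("needs a mapping:", unmapped_prefixes(HOME_DIRS, MAPPINGS))
```

Feed `unmapped_prefixes` the home folder values exported from Active Directory; each prefix it returns is a server-name variation that needs its own path mapping.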

Deleting a Server, Folder, or Network Reshare Path Mapping

Servers, folders, and network reshare path mappings can be deleted from the Servers & Folders lists by clicking delete. When servers or folders are deleted, they are removed from any profiles they are assigned to.

Creating a Third Party App Whitelist or Blacklist

mobilEcho Client Management allows you to create whitelists or blacklists that restrict mobilEcho's ability to open files into other apps on a mobile device. These can be used to ensure that any files accessible through the mobilEcho client can only be opened into secure, trusted apps.

Whitelists - allow you to specify a list of apps that mobilEcho files are allowed to be opened into. All other apps are denied access.

Blacklists - allow you to specify a list of apps that mobilEcho files are not allowed to be opened into. All other apps are allowed access.

In order for mobilEcho to identify a particular app, it needs to know the app's Bundle Identifier. A list of common apps and their bundle identifiers is included in the mobilEcho Client Management Administrator by default. If the app you need to whitelist or blacklist is not included, you will need to add it to the list.

Adding Apps

To add an app to be included on a whitelist or blacklist:

  1. Click Allowed Apps in the top menu bar.
  2. Click Add app in the Apps Available for Lists section.
  3. Enter the App name. This can be the name of the app as it appears in the App Store, or an alternate name of your choosing.
  4. Enter the app's Bundle identifier. This must match the intended app's bundle identifier exactly, or it will not be whitelisted or blacklisted.
  5. Click Save.

There is unfortunately no way to look these Bundle Identifiers up in the App Store or elsewhere at this time. To find a bundle identifier, you will need to look at a file inside the app.

Finding an app's bundle identifier in an iTunes Library

If you sync your device with iTunes and the app you desire is either on your device, or was downloaded through iTunes, it will exist on your computer's hard drive. You can locate it on your hard drive and look inside the app to find the bundle identifier.

  1. Navigate to your iTunes Library and open the Mobile Applications folder.
    1. On a Mac, this is typically in your home directory, in ~/Music/iTunes/Mobile Applications/
    2. On a Windows 7 PC, this is typically in C:\Users\username\My Music\iTunes\Mobile Applications/
  2. If you have recently installed the app on your device, make sure you have performed an iTunes sync before you continue.
  3. Locate the app that you require in the Mobile Applications folder.
  4. Duplicate the file and rename the extension to .ZIP
  5. Unzip this newly created ZIP file and you'll end up with a folder with the application name.
  6. Inside that folder is a file called iTunesMetadata.plist
  7. Open this PLIST file in a text editor.
  8. Find the softwareVersionBundleId key in the list.
  9. The string value below it is the bundle identifier value that you will need to enter for the app in mobilEcho. These are commonly formatted as: com.companyname.appname

Finding an app's bundle identifier by browsing the files on your device

If you use software that allows browsing the contents of your device's storage, you can locate an app on the device and determine its bundle identifier. One app that can be used for this is iExplorer.

  1. Connect your device to your computer with USB and open iExplorer or a similar utility.
  2. Open the Apps folder on the device and locate the app you require.
  3. Open that app's folder and locate its iTunesMetadata.plist file.
  4. Open this PLIST file in a text editor.
  5. Find the softwareVersionBundleId key in the list.
  6. The string value below it is the bundle identifier value that you will need to enter for the app in mobilEcho. These are commonly formatted as: com.companyname.appname
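
Both procedures above end at the same softwareVersionBundleId key, and copying it by hand is where a list entry usually goes wrong, since the identifier must match exactly. The following is an added example, not part of mobilEcho: it reads iTunesMetadata.plist straight out of the app archive without the rename-and-unzip steps, and the sample archive and the identifier com.example.sampleapp are constructed.

```python
import io
import plistlib
import zipfile
from pathlib import Path
from xml.parsers.expat import ExpatError

METADATA = "iTunesMetadata.plist"
KEY = "softwareVersionBundleId"


def bundle_id_from_plist(data: bytes):
    """Return the bundle identifier from raw iTunesMetadata.plist bytes, or None."""
    meta = plistlib.loads(data)  # accepts XML and binary property lists
    value = meta.get(KEY) if isinstance(meta, dict) else None
    if isinstance(value, str) and value.strip():
        return value.strip()  # stray whitespace would break the exact match
    return None


def bundle_id_from_ipa(ipa):
    """Return the bundle identifier from an app archive (path or file object).

    The archive is a ZIP file, which is why renaming it to .ZIP works in the
    manual procedure. Returns None when the metadata file or key is absent.
    """
    with zipfile.ZipFile(ipa) as archive:
        names = [n for n in archive.namelist() if n.split("/")[-1] == METADATA]
        if not names:
            return None
        # Prefer the copy closest to the archive root.
        name = min(names, key=lambda n: n.count("/"))
        return bundle_id_from_plist(archive.read(name))


def scan_library(folder):
    """Map each .ipa file name in a Mobile Applications folder to its bundle id."""
    results = {}
    for ipa in sorted(Path(folder).glob("*.ipa")):
        try:
            results[ipa.name] = bundle_id_from_ipa(ipa)
        except (zipfile.BadZipFile, ValueError, ExpatError):
            results[ipa.name] = None  # unreadable archive or malformed plist
    return results


def make_sample_ipa(bundle_id="com.example.sampleapp"):
    """Build a constructed in-memory archive so the example runs offline."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(METADATA, plistlib.dumps(
            {"itemName": "Sample App", KEY: bundle_id}))
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    print(bundle_id_from_ipa(make_sample_ipa()))
```

For the device-browsing procedure, pass the bytes of the copied iTunesMetadata.plist file to `bundle_id_from_plist`.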

Creating a whitelist or blacklist

mobilEcho allows you to create any number of app whitelists or blacklists. Because whitelists inherently allow no apps by default, and blacklists inherently allow all apps by default, mobilEcho only allows one whitelist or blacklist to be assigned to a mobilEcho user or group profile.

To create a new list:

  1. Click Allowed Apps in the top menu bar.
  2. Click Add list in the Lists section.
  3. In App list name, give your list a descriptive name of your choosing.
  4. Select the type of list you would like to create, Whitelist or Blacklist.
  5. Select the checkbox next to each app you would like to include in the list.
  6. If you would like to go ahead and assign this new list to any existing user or group profiles, select them in the Available Users and Groups list and click Add.
  7. Click Save.

Whitelists and blacklists can also be assigned to profiles within the profiles configuration page. This process is detailed in the next section of this guide, Managing Group Profiles.

Managing Group Profiles

mobilEcho Client Management allows profiles to be assigned to Active Directory groups. Group profiles will usually address most or all of your client management requirements. The group profiles list is displayed in order of precedence, with the first group in the list having the highest priority. When a user contacts the mobilEcho management server, their settings are determined by the single highest priority group profile they are a member of.

Group Management Tips

If you would like all or most of your users to receive the same profile settings, you can set up a profile for the Domain Users group and place it at the bottom of the prioritized list. Any groups that need special profiles can be created and prioritized above the Domain Users group.

If you would like to deny a group of users access to mobilEcho management, ensure that they are not members of any configured group profiles. As long as a user account does not match any group profiles, they will be denied the ability to enroll in mobilEcho client management.
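
The precedence rules in this section and the whitelist and blacklist semantics described earlier combine into one decision per user, which is worth modelling before reordering groups. The following is an added example, not mobilEcho code: the group names other than Domain Users, the user names and the bundle identifiers are constructed, and treating a profile with no assigned list as unrestricted is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppList:
    kind: str              # "whitelist" or "blacklist"
    bundle_ids: frozenset  # compared exactly, as the page requires

    def allows(self, bundle_id: str) -> bool:
        listed = bundle_id in self.bundle_ids
        # Whitelist: only listed apps. Blacklist: everything except listed apps.
        return listed if self.kind == "whitelist" else not listed


@dataclass(frozen=True)
class Profile:
    name: str
    app_list: Optional[AppList] = None  # at most one list per profile


def effective_profile(username, member_of, user_profiles, group_profiles):
    """Return the single profile that governs a user, or None.

    user_profiles:  {username: Profile}, takes precedence over any group.
    group_profiles: [(group name, Profile)], highest priority first.
    None means no profile matched, so enrollment is denied.
    """
    if username in user_profiles:
        return user_profiles[username]
    for group, profile in group_profiles:
        if group in member_of:
            return profile  # first match wins; lower groups are ignored
    return None


def may_open_in(profile, bundle_id):
    """Decide whether files may be opened into the app with this bundle id."""
    if profile is None:
        return False  # user is not under management at all
    if profile.app_list is None:
        return True   # assumption: no assigned list means no app restriction
    return profile.app_list.allows(bundle_id)


def shadowed_groups(group_profiles, catch_all="Domain Users"):
    """Return groups listed below the catch-all group.

    Every domain account is in the catch-all, so profiles placed after it
    never apply to anyone.
    """
    names = [group for group, _ in group_profiles]
    if catch_all not in names:
        return []
    return names[names.index(catch_all) + 1:]


# Constructed sample policy.
TRUSTED = AppList("whitelist", frozenset({"com.example.secureviewer"}))
BLOCKED = AppList("blacklist", frozenset({"com.example.cloudsync"}))
GROUP_PROFILES = [
    ("Executives", Profile("Executives", TRUSTED)),
    ("Sales", Profile("Sales", BLOCKED)),
    ("Domain Users", Profile("Default")),
]
USER_PROFILES = {"carol": Profile("carol (user profile)", TRUSTED)}

if __name__ == "__main__":
    bob = effective_profile("bob", {"Executives", "Sales", "Domain Users"},
                            USER_PROFILES, GROUP_PROFILES)
    print(bob.name, may_open_in(bob, "com.example.cloudsync"))
```

Running `shadowed_groups` after each reorder catches the case where a special group has slipped below Domain Users and silently stopped applying.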

To access the group profiles list, click the Groups option in the top menu.

Modifying Group Priority

To change a group's priority, click the up or down arrow in the Manage Groups Profiles list. This will move the profile up or down one level.

Adding a New Group

To add a new group: 

  1. Click the Add new group button to add a new group. This will open the Add a new group profile page.
  2. In the Find group field, enter the partial or complete Active Directory group name for which you'd like to create a profile.
  3. Click Search and then find and click the group name in the listed results.

The following options can be defined in a group profile:

Security Policy settings
  • Require mobilEcho application lock password - The mobilEcho client application can be set with a lock password that must be first entered when launching the application. This setting will force the user to configure an application lock password if they do not already have one.
  • App will lock - This setting configures the application password grace period. When a user switches from mobilEcho to another application on their device, if they return to mobilEcho before this grace period has elapsed, they will not be required to enter their application lock password. To require that the password is entered every time, choose Immediately upon exit. If you would like the user to be able to modify their App will lock setting from within the mobilEcho client settings, select Allow user to change this setting.
  • Minimum password length - The minimum allowed length of the application lock password.
  • Minimum number of complex characters - The minimum number of non-letter, non-number characters required in the application lock password.
  • Require one or more letter characters - Ensures that there is at least one letter character in the application password.
  • mobilEcho client app will be wiped after X failed app password attempts - When this option is enabled, the settings and data in the mobilEcho client app will be wiped after the specified number of consecutive failed app password attempts.
  • User can remove mobilEcho from management - Enable this setting if you would like your mobilEcho users to be able to uninstall their management profile from within mobilEcho. Doing so will return the application to full functionality and restore any configuration that was changed by their profile.
  • Wipe all mobilEcho data on removal - When user removal of profiles is enabled, this option can be selected. If enabled, all data stored locally within the mobilEcho application will be erased if it is removed from management, ensuring that corporate data does not exist on a client not under management controls.
  • Allow iTunes to back up locally stored mobilEcho files - When this setting is disabled, the mobilEcho client will not allow iTunes to back up its files. This will ensure that no files within mobilEcho's secure on-device storage are copied into iTunes backups.

Application Policy settings
  • Require confirmation when deleting files - When enabled, the user will be asked for confirmation each time they delete a file.
  • Set the default file action - This option determines what will happen when a user taps a file in the mobilEcho client application. If this is not set, the client application defaults to Action Menu. If you would like the user to be able to later modify this setting, select Allow user to change this setting.
  • Allow files to be stored on the device - This setting is enabled by default. When enabled, the user can copy files to a local file storage area within the mobilEcho client application, called My Files. If this option is disabled, no files will be stored on the device, ensuring that no corporate data is on the device if it is lost or stolen. If this setting is disabled, the user will not be able to save files for offline use, cache files for improved performance, or send files from other applications to mobilEcho.
  • Cache recently accessed files on the device - If enabled, server-based files that have been recently accessed will be saved in a local cache on the device, for use if they are accessed again and have not changed, providing performance and bandwidth conservation benefits. Maximum cache size can be specified and the user can optionally be allowed to change this setting.
  • Allow file copies / creation - If this option is disabled, the user will not be able to save files from other applications or from the iPad Photos library to a mobilEcho server. They will also be unable to copy or create new files or folders on the mobilEcho server. This setting supersedes any NTFS permissions the client may have that allow file creation.
  • Allow folder copies - If this option is disabled, the user will not be able to copy folders on or to the mobilEcho server. This setting supersedes any NTFS permissions the client may have that allow folder creation. File copies / creation must be enabled for this setting to be enabled.
  • Allow file / folder deletes - If one of these options is disabled, the user will not be able to delete files or folders from the mobilEcho server. This setting supersedes any NTFS permissions the client may have that allow file or folder deletion.
  • Allow file moves - If this option is disabled, the user will not be able to move files from one location to another on the mobilEcho server, or from the server to the mobilEcho application's local My Files storage. This setting supersedes any NTFS permissions the client may have that allow file or folder moves.
  • Allow folder moves - If this option is disabled, the user will not be able to move folders from one location to another on the mobilEcho server, or from the server to the mobilEcho application's local My Files storage. This setting supersedes any NTFS permissions the client may have that allow file or folder moves. Folder copies must be enabled for this setting to be enabled.
  • Allow file / folder renames - If one of these options is disabled, the user will not be able to rename files or folders on the mobilEcho server. This setting supersedes any NTFS permissions the client may have that allow file or folder renames.
  • Allow adding new folders - If this option is disabled, the user will not be able to create new, empty folders on the mobilEcho server.
  • Allow opening mobilEcho files in other applications - If this option is disabled, the mobilEcho client application will omit the Open In button and not allow files in mobilEcho to be opened in other applications. Opening a file in another application results in the file being copied to that application's data storage area and outside of mobilEcho control.
  • App whitelist/blacklist - Select a predefined whitelist or blacklist that restricts the third party apps that mobilEcho files can be opened into on the device. To create a whitelist or blacklist, click Allowed Apps in the top menu bar.
  • Allow sending files to mobilEcho from apps using 'Open In' - If this option is disabled, the mobilEcho client application will not accept files sent to it from other applications' Open In feature.
  • Allow sending files to mobilEcho using Quickoffice 'Save Back' - If this option is disabled, the mobilEcho client application will not accept files sent to it from the Quickoffice app's Save Back feature.
  • Allow emailing files from mobilEcho - If this option is disabled, the mobilEcho client application will omit the Email File button and not allow files in mobilEcho to be emailed from the application.
  • Allow printing files from mobilEcho - If this option is disabled, the mobilEcho client application will omit the Print button and not allow files in mobilEcho to be printed.
  • Allow copying text from previewed files - If this option is disabled, the mobilEcho client will not allow the user to select text in previewed documents for copy/paste operations. This will prevent data from being copied into other applications.
  • Allow PDF annotation - If this option is disabled, the mobilEcho iPad client will not be allowed to annotate PDFs. 
Server Policy settings
  • Required login frequency for servers assigned by this profile - Sets the frequency that a user must log into the servers that are assigned to them by their profile.
    • Once only, then save for future sessions - The user enters their password when they are initially enrolled in management. This password is then saved and used for any file server connections they later initiate.
    • Once per session - After launching mobilEcho, the user is required to enter their password at the time they connect to the first server. Until they leave the mobilEcho application, they can then connect to additional servers without having to reenter their password. If they leave mobilEcho for any period of time and then return, they will be required to enter their password again to connect to the first server.
    • For every connection - The user is required to enter their password each time they connect to a server.
  • Allow user to add individual servers - If this option is enabled, users will be able to manually add servers from within the mobilEcho client application, as long as they have the server's DNS name or IP address. If you want the user to only have their profile Assigned Servers available, leave this option disabled.
  • Allow saved passwords for user configured servers - If a user is allowed to add individual servers, this sub-option determines whether they are allowed to save their password for those servers.
  • Only allow this mobilEcho client to connect to servers with third-party signed SSL certificates - If this option is enabled, the mobilEcho client will only be permitted to connect to servers with third-party signed SSL certificates. Note: If the management server does not have a third-party certificate, the client will be unable to reach the management server after its initial configuration. If you enable this option, ensure you have third-party certificates on all your mobilEcho file servers.
  • Warn client when connecting to servers with untrusted SSL certificates - If your users are routinely connecting to servers that will be using self-signed certificates, you may choose to disable the client-side warning dialog message they will receive when connecting to these servers.
  • Client timeout for unresponsive servers - This option sets the client login connection timeout for unresponsive servers. If your clients are on especially slow data connections, or if they rely on a VPN-on-demand solution to first establish a connection before a mobilEcho server is reachable, this timeout can be set to a value greater than the 10 second default.
  • Client is prompted to confirm before synced files are downloaded - Select the conditions under which the user must confirm before files in synced folders are downloaded. Options are: Always, While on 3G networks only, and Never.
  • Only allow file syncing while device is on WiFi networks - When this option is enabled, mobilEcho will not allow files to be synced over 3G connections.
  • Display the user's home folder - This option causes a user's personal home directory to appear in the mobilEcho client app.
    • Display name shown on client - Sets the display name of the home folder item in the mobilEcho client app.
    • Active Directory assigned home folder - The home folder shown in the mobilEcho app will connect the user to the server/folder path defined in their AD account profile.
    • Custom home directory path - The home folder shown in the mobilEcho app will connect the user to the server and path defined in this setting. The %USERNAME% wildcard can be used to include the user's username in the home folder path. %USERNAME% must be capitalized.
  • Assigned Servers - Select servers in the Available Servers list and click Add to assign them. These servers will appear automatically in the user's mobilEcho client application. Servers can be added or removed from profiles at any time and changes will take effect the next time the client contacts the management server. If you see no servers listed here, you need to add your mobilEcho servers to the client management system. Click the Servers & Folders option in the top menu bar to do this. 
  • Assigned Folders - Select folders in the Available Folders list and click Add to assign them. These folders will appear automatically in the user's mobilEcho client application. Folders can be added or removed from profiles at any time and changes will take effect the next time the client contacts the management server. If you see no folders listed here, you need to add mobilEcho folders to the client management system. Click the Servers & Folders option in the top menu bar to do this.
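
Several of the settings above only take effect when another setting is enabled, and the SSL certificate option can cut clients off from the management server. The following added example (not mobilEcho code) audits a profile for those conflicts before it is saved; the dictionary keys and server records are hypothetical names for the console checkboxes, and the sample data is constructed.

```python
# Prerequisites stated in the setting descriptions above:
# (dependent setting, prerequisite setting, reason). Key names are hypothetical.
DEPENDENCIES = [
    ("allow_folder_copies", "allow_file_copies",
     "folder copies need file copies / creation enabled"),
    ("allow_folder_moves", "allow_folder_copies",
     "folder moves need folder copies enabled"),
    ("wipe_data_on_removal", "user_can_remove_management",
     "wipe on removal only applies when user removal is enabled"),
    ("allow_saved_passwords_user_servers", "allow_user_added_servers",
     "saved passwords is a sub-option of user-added servers"),
    ("cache_recent_files", "allow_local_storage",
     "caching is unavailable when on-device storage is disabled"),
]


def audit_profile(profile, servers):
    """Return a list of (severity, setting, message) findings.

    profile: dict of setting name -> bool (a missing key counts as disabled).
    servers: list of dicts with 'name', 'role' ('management' or 'file')
             and 'third_party_cert' (bool).
    """
    findings = []
    for dependent, prerequisite, reason in DEPENDENCIES:
        if profile.get(dependent) and not profile.get(prerequisite):
            findings.append(("error", dependent,
                             f"requires {prerequisite}: {reason}"))

    # With this option on, clients refuse servers without a third-party cert.
    if profile.get("require_third_party_ssl"):
        for server in servers:
            if server["third_party_cert"]:
                continue
            if server["role"] == "management":
                impact = "clients cannot reach management after initial configuration"
            else:
                impact = "clients cannot connect to this file server"
            findings.append(("error", "require_third_party_ssl",
                             f"{server['name']}: {impact}"))

    # Removal without wipe leaves locally stored files on an unmanaged client.
    if profile.get("user_can_remove_management") and not profile.get("wipe_data_on_removal"):
        findings.append(("warning", "user_can_remove_management",
                         "data stays on the device after the user leaves management"))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_PROFILE = {
    "allow_file_copies": False,
    "allow_folder_copies": True,
    "allow_folder_moves": True,
    "user_can_remove_management": True,
    "wipe_data_on_removal": False,
    "allow_user_added_servers": False,
    "allow_saved_passwords_user_servers": False,
    "allow_local_storage": True,
    "cache_recent_files": True,
    "require_third_party_ssl": True,
}
SAMPLE_SERVERS = [
    {"name": "mgmt.example.com", "role": "management", "third_party_cert": False},
    {"name": "files1.example.com", "role": "file", "third_party_cert": True},
]

if __name__ == "__main__":
    for severity, setting, message in audit_profile(SAMPLE_PROFILE, SAMPLE_SERVERS):
        print(f"[{severity}] {setting}: {message}")
```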

After setting the required profile options, click Save.

You will be returned to the Groups list and may then need to change the newly added group's priority.

Modifying Group Profiles

Existing Group profiles can be modified at any time. Changes to profiles will be applied to the relevant mobilEcho client users the next time they launch mobilEcho.

Client management connectivity requirements

mobilEcho clients must have network access to the management server in order to receive profile updates, remote password resets, and remote wipes. If your client is required to connect to a VPN before they can access mobilEcho file servers, they will also need to connect to the VPN before management commands will be accepted.

To modify a group profile:

  1. Click the Groups option in the top menu bar. This opens the Manage Group Profiles page.
  2. Click the group you would like to modify.
  3. Make any changes necessary on the Edit User page and click Save.
Disabling Group Profiles

To temporarily disable a profile:

  1. Click the Groups option in the top menu bar. This opens the Manage Group Profiles page.
  2. Uncheck the check box in the Enabled column for the desired group.
  3. This change takes effect immediately.
Deleting Group Profiles

To delete a group profile:

  1. Click the Groups option in the top menu bar. This opens the Manage Group Profiles page.
  2. Click the delete option next to the desired group.
  3. You will be asked to confirm the delete request.

Managing User Profiles

User profiles are created and managed in the same way as group profiles. User profiles always take priority over any group profiles that the user might also be a member of. If you need to ensure that a specific user receives a specific profile configuration, you will want to create a user profile for that user.

Adding, Modifying and Deleting User Profiles

The adding, modifying and deleting of user profiles works just like group profiles. The only difference is there are no priority ordering controls in the user profile list. These are not necessary, as user profiles have a one-to-one relationship with their user.

Invite Users to Install mobilEcho and Enroll in Management

To get started with mobilEcho, users need to install the mobilEcho client application through the Apple App Store. If you are using the mobilEcho Client Management system, they also need to enroll the mobilEcho app on their device with the mobilEcho Client Management system. Once enrolled, their mobilEcho client configuration, security settings, and capabilities are controlled by their mobilEcho user or group profile.

mobilEcho 3.5 includes two device enrollment mode options. This mode is used for all client enrollments. You will need to select the option that fits your requirements:

  • PIN number + Active Directory username and password - In order to activate their mobilEcho app and gain access to mobilEcho servers, a user is required to enter an expiring, one-time use PIN number and a valid Active Directory username and password. This option ensures that a user can only enroll one device, and only after receiving a PIN number issued by their IT administrator. This option is recommended when the enhanced security of two-factor device enrollment is required.
  • Active Directory username and password only - A user can activate their mobilEcho app using only their Active Directory username and password. This option allows a user to enroll one or more devices at any point in the future. Users just need to be given the name of their mobilEcho Client Management server, or a URL pointing to their mobilEcho Client Management server, which can be posted on a web site or emailed, simplifying the rollout of mobilEcho to large numbers of users. This option is preferred in environments where two-factor enrollment is not required and many users may need access to mobilEcho at any time, such as student deployments. 

To select an enrollment mode:

  1. Click the Devices option in the top menu bar. This opens the Manage Devices page.
  2. Select the desired Device enrollment requires option.

Inviting a user to enroll

Users are typically invited to enroll in the mobilEcho Client Management system with an email that is sent from the mobilEcho Client Management Administrator. If required by the server, this email contains a one-time use PIN number that is valid for a configurable number of days. The PIN number can be used to enroll the mobilEcho app on one device only. If a user has multiple devices, they will need to be sent one invitation email for each device that needs access. This email includes a link to the mobilEcho app in the Apple App Store, in the case the app first needs to be installed. It also includes a second link that, when tapped while on the device, will open mobilEcho and auto-complete the client enrollment form with the mobilEcho Client Management server's name, the unique enrollment PIN number, and the user's username. By using this link, a user simply enters their account password to complete client enrollment.

Using basic URL enrollment links when PIN numbers are not required:

  • If your server is configured to not require PIN numbers for client enrollment, you can give your users a standard URL that will automatically start the enrollment process when tapped from the mobile device. To determine the enrollment URL for your management server, click the Invitations option in the top menu bar. The URL is displayed on this page.

To generate a mobilEcho enrollment invitation:

  1. Click the Invitations option in the top menu bar. This opens the Enrollment Invitations page.
  2. Click Send enrollment invitation.
  3. Enter an Active Directory user name or group name and click Search. If a group is chosen, each email address in that group will be added to the Users to invite list. This will allow you to batch invite all members in a group. You can optionally remove one or more of those group members before sending the invitations.
  4. Once you've added your first user or group, you can issue a new search and continue to add additional users or groups to the list.
  5. Review the list of Users to invite. You can Delete any users you would like to remove from the list.
  6. If a user does not have an email address associated with their account, you will see No email address assigned - click here to edit in the Email Address column. You can click any of these entries to manually enter an alternate email address for that user. If a user is left with No email address assigned, a PIN number will still be generated for them, and will be visible on the Enrollment Invitations page. You will need to convey this PIN number to the user by another means before they can enroll their mobilEcho client.
  7. If you prefer to manually communicate enrollment PIN numbers to your users, you can uncheck the Send an enrollment invitation email to each user with a specified address option. Each PIN number will be visible on the Enrollment Invitations page.
  8. Choose the number of days you'd like the invitation to be valid for in the Invitation expires in field.
  9. Click Send. 
  10. If you get an error message when sending, confirm that the SMTP settings in your mobilEcho_manager.cfg file are correct. The default location of this file is: C:\Program Files\Group Logic\mobilEcho Server on 32-bit versions of Windows and C:\Program Files (x86)\Group Logic\mobilEcho Server on 64-bit versions of Windows. Changes to this file require a restart of the mobilEcho Management service (using the Windows services control panel) to take effect.

Once an enrollment invitation is generated, the invited users are displayed on the Enrollment Invitations page. Each user's PIN number is listed, in the case that you need to communicate it by a means other than the automatic email.

Once a user successfully enrolls their mobilEcho client using their one-time use PIN number, they will no longer appear in this list.

To revoke a user's invitation PIN number, click delete to remove them from the list.
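
The enrollment rules described in this section (one PIN per device, expiry after a set number of days, revocation by the administrator, and the optional password-only mode) can be modeled as follows. This is an added example, not mobilEcho code: the class, method and parameter names are hypothetical, the 8-digit PIN format is an assumption, and the Active Directory check is passed in as a boolean. It also models the auto-enroll migration setting covered under Managing mobilEcho Devices.

```python
import hmac
import secrets
from datetime import datetime, timedelta


class EnrollmentServer:
    """Toy model of PIN-based and password-only enrollment."""

    def __init__(self, require_pin=True, allow_auto_enroll_without_pin=False):
        self.require_pin = require_pin
        # Models the "auto-enroll without PIN" migration setting.
        self.allow_auto_enroll_without_pin = allow_auto_enroll_without_pin
        self.invitations = {}  # username -> list of (pin, expiry), one per device
        self.devices = {}      # device_id -> username

    def invite(self, username, valid_days, now):
        """Issue one PIN, good for one device (8-digit format is an assumption)."""
        pin = f"{secrets.randbelow(10**8):08d}"
        expiry = now + timedelta(days=valid_days)
        self.invitations.setdefault(username, []).append((pin, expiry))
        return pin

    def revoke(self, username, pin):
        """Administrator deletes an outstanding invitation; True if one was removed."""
        before = self.invitations.get(username, [])
        after = [(p, e) for p, e in before if p != pin]
        self.invitations[username] = after
        return len(after) < len(before)

    def _consume_pin(self, username, pin, now):
        candidate = (pin or "").encode()
        for entry in self.invitations.get(username, []):
            stored, expiry = entry
            # Constant-time comparison; an expired PIN never matches.
            if hmac.compare_digest(stored.encode(), candidate) and now <= expiry:
                self.invitations[username].remove(entry)  # one-time use
                return True
        return False

    def enroll(self, username, pin, device_id, ad_password_ok, now,
               previously_managed=False):
        """Return 'enrolled' or a 'denied: ...' reason.

        previously_managed is state the client presents. A backup restored to
        a new device presents it too, so with the auto-enroll setting on, the
        Active Directory password is the only factor left.
        """
        if not ad_password_ok:
            return "denied: Active Directory credentials rejected"
        if self.require_pin:
            bypass = self.allow_auto_enroll_without_pin and previously_managed
            if not bypass and not self._consume_pin(username, pin, now):
                return "denied: PIN missing, expired, revoked or already used"
        self.devices[device_id] = username
        return "enrolled"


if __name__ == "__main__":
    now = datetime(2024, 1, 1)  # constructed date for the demonstration
    server = EnrollmentServer(require_pin=True)
    pin = server.invite("alice", valid_days=7, now=now)
    print(server.enroll("alice", pin, "ipad-1", True, now))   # enrolled
    print(server.enroll("alice", pin, "ipad-2", True, now))   # denied, PIN was used
```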

User-side Management Enrollment Process

Each user sent a mobilEcho management enrollment invitation will receive an email that contains:

  • A link to install mobilEcho from the Apple App Store
  • A link used to launch the mobilEcho app and automate the enrollment process
  • A one-time use PIN number
  • Their management server address

The email guides them through the process of installing mobilEcho and entering their enrollment information in the mobilEcho client app.

If mobilEcho has been installed, and the user taps the "Click this link to automatically begin enrollment..." option while viewing this email on their device, mobilEcho will automatically launch and the enrollment form will be displayed. The user's server address, PIN number, and username are also encoded in this URL, so these fields are auto-completed in the enrollment form. At this point, the user simply has to enter their password to complete the enrollment process.

The username and password required are the user's Active Directory username and password. These credentials are used to match them to the proper user or group management profile, and for access to mobilEcho file servers, if their management profile allows the saving of their credentials for mobilEcho server logins.

If their mobilEcho management profile requires an application lock password, they will be prompted to enter one. All password complexity requirements configured in their profile will be enforced for this initial password, and for any change of their application lock password in the future.

If their profile restricts the local storage of files on their device, they will be warned that existing files will be removed and allowed to cancel the management setup process if there are files they need to deal with before they are removed.

Ongoing Management Updates

After the initial management setup, mobilEcho clients will attempt to contact the management server each time the client app is started. Any settings changes, server or folder assignment changes, application lock password resets, or remote wipes will be accepted by the client app at that time.

Client management connectivity requirements

mobilEcho clients must have network access to the management server in order to configure management and to receive profile updates, remote password resets, and remote wipes. If your client is required to connect to a VPN before they can access mobilEcho file servers, they will also need to connect to the VPN before management commands will be accepted.

Managing mobilEcho Devices

Once a mobilEcho client has enrolled in the mobilEcho Client Management System, their mobile device will appear on the Manage Devices list. This list gives detailed status information for each device that has been activated with a PIN number, or previously managed by a mobilEcho 2.1 or earlier server, if that option is enabled.

Migration of existing, managed mobilEcho 2.X clients to mobilEcho 3.0

mobilEcho 2.X did not require a PIN number to enroll a client in the mobilEcho Client Management system. There are two options for migrating mobilEcho 2.X clients to the 3.0 management system. By default, mobilEcho servers that are upgraded from 2.X to 3.0 allow clients previously managed by the 2.X server to auto-enroll and appear in the mobilEcho 3.0 devices list without having to enter a PIN number. If you would like to ensure that all devices accessing the system have enrolled with a PIN number, you can disable this setting. In that case, if the user doesn't have "User can remove mobilEcho from management" privileges, the user will need to delete mobilEcho from their device and reinstall a new copy from the App Store before they can enroll using a PIN number.

Also note that when this auto-enroll setting is enabled, it will be possible to do an iTunes backup of a device running a managed version of mobilEcho 2.X or 3.0, restore that backup to a new device, and as long as the user has the Active Directory username and password for the associated account, that new device can be automatically enrolled in mobilEcho without a PIN number.

It is recommended that you disable the auto-enroll setting after your previously managed clients have all accessed the management server for the first time. They will appear in the Manage Devices list when this happens.

To allow mobilEcho clients that were already enrolled in mobilEcho 2.X Client Management to automatically enroll after your mobilEcho Client Management server is upgraded to 3.0, enable the Allow mobilEcho clients previously managed by 2.X servers and managed mobilEcho clients restored to new devices to auto-enroll without PIN setting.

To invite user(s) to enroll their devices, click Send enrollment invitation. This begins the same process as detailed above in the Inviting a user to enroll section.

The device table contains the following information on each managed device:

  • Name - the user's Active Directory (AD) full name
  • Username - the user's AD account username
  • Device name - the device name set by the user
  • Model - the device model/type
  • System version - the device's OS version
  • Version - the mobilEcho app version on the device
  • Status - the status of the mobilEcho app on the device
  • Last Contact - the last time this device contacted the mobilEcho management server

Each device includes an Actions menu. Device actions include:

  • More info - show additional details about the device, including device unique ID and editable device Notes field.
  • App password reset - remotely reset the mobilEcho application lock password on that device.
  • Remote wipe - remotely wipe all mobilEcho data and settings on that device. No other apps or OS data are affected.
  • Remove from list - remove the device from mobilEcho management without wiping it. This is typically used to remove a device that you do not expect to ever contact the mobilEcho Client Management server again. If you have enabled "Allow mobilEcho clients previously managed by 2.X servers and managed mobilEcho clients restored to new devices to auto-enroll without PIN", a device removed from the list will automatically reappear and become managed again if it ever makes contact with the server in the future.

Performing Remote Application Password Resets

The mobilEcho client can be secured with an Application Lock Password that must be entered when mobilEcho is launched. If a user forgets this password, they will not be able to access mobilEcho. The mobilEcho app password is independent of the user's Active Directory account password.

When a password is lost, the only recourse a user has is to uninstall mobilEcho from their device and reinstall it. This deletes any existing data and settings, which maintains security but will likely leave them with no access to mobilEcho servers until they are sent a new management invitation.

To avoid these issues, the mobilEcho Client Management system can perform a remote application password reset.

Reset an Application Password

To reset an application password:

  • Click the Devices option in the top menu bar.
  • On the Manage Devices page, find the device you'd like to issue an app password reset for and click the Actions menu link.
  • Click App password reset...
  • Enter and confirm the new password and click Reset Password.
  • A 'Pending app password reset' status will appear in the Status column for that device. When the password reset has been accepted by the device, its Status will return to 'Managed'.
  • App password resets can be canceled at any time before the client next connects to the management server. This option appears in the Actions menu after a password reset has been issued.

Performing Remote Wipes

mobilEcho Client Management allows a mobilEcho client application to be remotely wiped. This selective remote wipe removes all files that are locally stored or cached within the mobilEcho app. All mobilEcho settings are reset to previous default settings and any servers that have been configured in the app are removed.

Queueing a Remote Wipe

To issue a remote wipe:

  • Click the Devices option in the top menu bar.
  • On the Manage Devices page, find the device you'd like to issue a remote wipe for and click the Actions menu link.
  • Click Remote wipe...
  • Confirm the remote wipe by clicking Queue remote wipe.
  • A 'Pending remote' status will appear in the Status column for that device. When the remote wipe has been accepted by the device, its Status will reflect this.
  • Remote wipes can be canceled at any time before the client next connects to the management server. This option appears in the Actions menu after a remote wipe has been issued.

Client management connectivity requirements

mobilEcho clients must have network access to the management server in order to receive remote wipes. If your client is required to connect to a VPN before they can access mobilEcho file servers, they will need VPN access before remote wipes will be accepted.
