Mobile Security - FAQ and USER GUIDE.pdf

Internal Use Only

MOBILE SECURITY FAQ AND USER GUIDE

Page 1 of 43

MOBILE SECURITY

FREQUENTLY ASKED QUESTION

And

USER GUIDE

Internal Use Only


Page 2 of 43

TABLE OF CONTENTS

Contents Page

PART I: FREQUENTLY ASKED QUESTION 3

PART II: MOBILE SECURITY AGENT INSTALLATION GUIDE 11

INSTALLING MOBILE SECURITY/TEM CLIENT ON ANDROID DEVICES 12

UN-INSTALL MOBILE SECURITY/TEM CLIENT FROM ANDROID DEVICE. 21

INSTALLING MOBILE SECURITY/TEM CLIENT ON APPLE / IOS DEVICES 30

UN-INSTALLING TEM CLIENT FROM IOS / APPLE DEVICE. 41

Internal Use Only


Page 3 of 43

PART I: FREQUENTLY ASKED QUESTION

Internal Use Only


Page 4 of 43

Q1. What is Mobile Security

Mobile Security is to ensure only compliant smartphones & tablets can access MHMail. It will safeguard company data on these devices in compliance with Personal Data Protection Act 2010. The summary as follow:

Q2. What are the Application Details?

Details IOS Android

Version Date: 23 Nov 2012 17 Jan 2013

Client Version 8.2.40035 8.2.50627.0

Size 0.9 MB 4.2 MB

URL address https://mobilesec-

ios.malaysiaairlines.com/

https://mobilesec-

android.malaysiaairlines.com/

Screen

Captured

Which Device? What is required? When will it happen?

MHmail Mobile users using the following smartphone and tablets: 1. iOS

2. Android

Users to install Mobile Security application in their devices.

Phase 1: Agent deployment May 13 Phase 2: Policy enforcement - Jun 13 .

MHmail Mobile users using Windows smartphone and tablets

No agent will be required. User profile will be visible from the monitoring console

Non supported device 1. Blackberry Enterprise

Services (BES)

2. Blackberry Service (BIS)

BES supported by our BB enterprise system BIS will not be supported by Sept 2013.

BES Not applicable

Internal Use Only


Page 5 of 43

Q3. What do you mean by Mobile Security?

Mobile Security refers to enabling a set of basic security settings to protect data residing on a smartphone or tablet in the event that the device is lost or stolen.

Q4. Why is MAS requiring this?

More than 5,000 staff access MAS business information on mobile devices. Many of these people store email messages with sensitive MAS business data such as financial data, contract, passenger data and employee information. In addition, a number of regulations require the protection of certain types of data. PDPA 2010 protects Customer and employee information, and PCI protects credit card information.

Q5. How does this protect MAS data?

The settings enabled on the device will protect the data from unauthorized exposure by placing a screen lock timeout of no longer than 15 minutes and allowing the user (or an authorized IT staff member) to remotely wipe the device of all data. These simple settings will protect MASs and your personal data in the event that the device is lost or stolen.

Q6. What devices are going to be affected?

The Mobile Device Security Standard affects all iOS devices (iPhones, iPads, iPod touch), Android devices (both phones and tablets) and Windows mobile devices that connect to MASs Exchange email system.

Q7. Why should I care about this? I dont think I store any MAS data on my device.

The fact that you work at Malaysia Airlines means that you could receive sensitive MAS business data on your mobile device at any time via email. In addition, your personal data on the device will be protected. Do you access your Facebook or other social network site from your phone? Do you carry pictures of your family that you wouldnt want to lose? Do you have any online accounts like Dropbox or Evernote that someone who found your phone would have access to? These security settings with specific configuration will protect your personal data, too.

Q8. What should I do to prepare?

There are three things that you need do to prepare for the Mobile Device Security Standard:

Update your device. Ensure your device is running the most current operating system software. Check with your device manufacturer for updates.

Internal Use Only


Page 6 of 43

Check your Email Setting. Make sure that your mobile device is fetching email using an ActiveSync configuration This is the approved configuration to enable receiving MHmaill on your mobile device. For assistance in this regard visit ExQuizIT

Back up your device. While it's unlikely that you'll have any problems, its a good idea to make a copy of important information that you have on your device.

Choose a numeric four-digit PIN (passcode) you can remember, and that is difficult for someone else to guess.

Q9. Where can I read the Mobile Device Security Standard?

You can find the Mobile Device Security Standard at http://oneit.mas.net

Q10. What will I notice when the Policy is activated?

After the enforcement of the policy, MAS mobile users (except Windows smartphone & Tablet) without the Mobile Security agent will not be able to access email via their mobile device.

Youll also notice that the screen will lock after 15 minutes of inactivity (or as per your configuration, whichever is earlier)

Q11. What will happen to my personal data when Group IT perform remote wipe?

Remote wipe it is not a new feature, it has been enabled by default for a number of years on any device that connects to MASs Exchange system via Microsoft's ActiveSync protocol. The protocol does not allow any selectivity in wiping data; only the entire device is erased back to a factory default state. A device will only be wiped in the event of loss or theft, or upon instruction by employee to IT Helpdesk.

Q12. Can I wipe my own device? How do I do that?

Yes, you can wipe your own device. BE CAREFUL, this is NOT reversible.

To remotely erase all data from your device through Outlook Web Access (OWA), do the following:

1. Open a browser to https://mhmail.malaysiaairlines.com and log in using your MAS ID and password.

2. In the upper-right corner of the OWA window click Options > See all options.

3. Click Mobile Devices on the left.

Internal Use Only


Page 7 of 43

4. If you have configured multiple devices for Exchange, they will each be listed here. Select from the list the device you wish to erase.

5. Click Wipe All Data Device.

6. A message box will appear that says, Are you sure you want to wipe your device? After the device wipe is complete, remove the device from the list.

7. Click Yes.

8. Before you quit, select the device from the list (if it's not still selected) and click the Delete icon, (it looks like a black X) to remove it from the list.

9. All data has been erased from your device.

Q13. Why are you doing this to my personal device?

MAS and its employee are responsible for its data. Therefore in the event of theft of loss, regardless of ownership, we have to protect the information from being leaked to unauthorized party.

Q14. I have more than one mobile device (such as a phone and tablet). Is there any limitation to the number of device accessing MAS Mail? Will the standard apply to both?

Yes. Each user is allowed to one device either smartphone or tablets regardless of its operating system (iOS, Android or Windows) to access your Mhmail via ActiveSync.

Q15. What if I don't check my MAS email on my device?

If you do not check MAS email on your device, then the standard will not be automatically enforced on your device. However, if you store sensitive non-email data on your device you are still required to manually apply the security settings. If you choose to add your MAS email account to your device in the future the security settings will be enforced the first time you connect to MHmail.

Q16. I use Android's pattern lock feature. Does that meet the PIN requirement?

The Android pattern lock feature is supported as long as it meets the minimum requirement of 4 characters.

Q17. Will Group IT be able to access data on my device or monitor my activities?

No, Group IT cannot access data on your device or monitor your activities. The Mobile Device Security application only ensures that data is secured in the event that your device is lost or stolen.

Internal Use Only


Page 8 of 43

Q18. I have an Android device and when I receive the "device administrator" prompt it says something about disabling the camera. Is my camera really going to be disabled?

No, your camera will not be disabled. The message that you're seeing is static and reflects what the standard could be set to do, but does not reflect what is actually being done.

Q19. What if I need to make an emergency call and my phone is locked?

Nearly all phones have an "Emergency Call" feature that you can access from the lock screen. You can choose this option to call 999 or other phone numbers that are memorized on your device.

Q20. I don't want to take part in this. What are my options?

The easiest, and preferred, way to opt out is to remove your device from MHmail and delete any sensitive MAS information from your mobile device. Then you wont be storing sensitive MAS information on your device and the standard will not apply. You may still check your e-mail by using your browser to visit https://mhmail.malaysiaairlines.com. For all other users, opting out of the standard is highly discouraged and anyone who stores sensitive MAS information on their mobile device (including email) is expressly prohibited from opting out

Q21. What if my device is jailbroken or rooted?

Devices that are "rooted" or "jailbroken" are not allowed to access or store MAS data since these devices have been compromised and are highly insecure.

Q22. I use Touchdown for my e-mail on my Android Device. Why do I have to type my PIN in twice to get to my e-mail?

Touchdown is a 3rd party mail app for Android that uses its own implementation of Active Sync protocols instead of the built in implementation on Android. As a result, when the security settings are applied via Active Sync, they get applied to Touchdown, not to the phone. If youve manually set a PIN on your phone, you will be required to enter both PINS to access e-mail. Depending on your Android device, you may be able to disable the PIN that is used to unlock your phone, but that would leave the rest of your phone unprotected. We do not have the ability to change this behavior at the e-mail servers.

Q23. I already have a PIN code. What will happen?

Nothing. Your device will continue to work as you have been using it (as far as the PIN is concerned).

Internal Use Only


Page 9 of 43

Q24. Are you installing software on my device to monitor anything?

No. TEM Mobile Security software enables the security features already built into your devices operating system. These features are being activated through the existing ActiveSync protocols used between your device and the Exchange Server. We will not be able to monitor the use of your device in any way.

Internal Use Only


Page 10 of 43

PART II: MOBILE SECURITY AGENT INSTALLATION GUIDE

Internal Use Only


Page 11 of 43

PART II: MOBILE SECURITY AGENT INSTALLATION GUIDE

The purpose of this user guide is to equip user with the installation/enrollment and un-installation/un-enrollment (if required only) procedures of the Mobile Security agent. This document will cover steps for the following platform: You may click on the system below to go direct to the user guide for each system.

Installing Mobile Security agent on ANDROID devices

Un-Installing Mobile Security agent on ANDROID devices

Installing Mobile Security agent on Apple/IOS devices

Un-Installing Mobile Security agent on Apple/IOS devices

Internal Use Only


Page 12 of 43

INSTALLING MOBILE SECURITY/TEM CLIENT ON ANDROID DEVICES This guide provides instructions on how to install TEM client on Android devices.

Following solutions applies to:

Android (ARM) versions 2.2, 2.3.x, 3.x, 4.x (includes phones and tablets)

* For Windows Mobile 5.x, 6.x do not require this steps as they are agent-less.

Pre-requisite: Recommended to have 3G or access to WIFI 1. Launch your Internet browser e.g. Google Chrome or Firefox Mozilla (It can

be any Internet browser depending on your device platform) 2. At your URL address, type in https://mobilesec-android.malaysiaairlines.com.

You may receive a security warning. Click Continue to proceed.

NOTE: This is a normal encounter.

3. Key in your Work Email Address and Password as shown below and hit Login.

4. You are now at the enrollment page. As you can see, your email address is

now visible in the Work Email Address field.

[email protected]

Internal Use Only


Page 13 of 43

5. Proceed by selecting I own this device under the Device Ownership. Please read the user terms and agreement carefully before clicking the I Agree checkbox. Once you are done, hit Submit button.

Internal Use Only


Page 14 of 43

6. Choose Option 1 Install the Mobile Client app.

7. This is where you will need to download the Mobile Application from Google Store. You will need an Internet connection to do this.

8. Once you have Internet Connectivity, just hit Install to begin the download

and installation of IBM Endpoint Manager mobile client / agent into your mobile.

NOTE: Depending on your Android version, you may be asked to choose Accept and Download as well to continue the installation.

9. Click on KEEP SHOPPING to go back to your Google Store IBM Mobile

Client Application Page.

Internal Use Only


Page 15 of 43

10. Your progress bar will indicate that the download has been initiated. The

download may take approximately 10-20 minutes depending on your Internet connection speed.

11. Once your download is completed, below screen will appear.

NOTE: DO NOT OPEN THE MOBILE CLIENT

12. Now launch your Internet browser again, choose 2. Enroll with the app.

Internal Use Only


Page 16 of 43

13. You will receive a pop-up message to activate the Tivoli Endpoint Manager as

a device administrator. Click on Activate to proceed with the enrollment. NOTE: This pop-up is just to notify you the capabilities of Mobile Security/TEM. Clicking Activate button will NOT activate these functions.

Internal Use Only


Page 17 of 43

14. Click on Accept to accept the terms and conditions of the device.

Internal Use Only


Page 18 of 43

Internal Use Only


Page 19 of 43

15. Once you see this image on your device, you have successfully installed Tivoli Endpoint Client / Agent on your device. You may exit the mobile client application.

CONGRATULATIONS!

Your device is now ready with the endpoint manager client / agent.

Internal Use Only


Page 20 of 43

HOW TO CONFIGURE ANDROID TO RECEIVE MH MAIL To enable you to receive MH Mail from your Android device, please go to this link:

http://xquizit.mas.net/article/how-to-configure-android-to-receive-mh-mail.html

Internal Use Only


Page 21 of 43

UN-INSTALL MOBILE SECURITY/TEM CLIENT FROM ANDROID DEVICE. This guide provides instructions on how to un-install TEM client on Android devices. Following solutions applies to:

Android (ARM) versions 2.2, 2.3.x, 3.x, 4.x (includes phones and tablets)

* For Windows Mobile 5.x, 6.x do not require this steps as they are agent-less.

Pre-requisite: Recommended to have 3G or access to WIFI

Internal Use Only


Page 22 of 43

1. On your android device, go to Settings.

Internal Use Only


Page 23 of 43

2. Scroll down and choose Security.

3. Under Device Administration, choose Device Administrators.

Internal Use Only


Page 24 of 43

4. By default, the IBM Endpoint Manager box is ticked; you will need to deselect it.

5. By deselecting the tick, will initiate a window which tells you that the

Administrator is active. Click on Deactivate.

6. A prompt window will require your confirmation to disable the Mobile Client device administrator. Hit OK.

Internal Use Only


Page 25 of 43

7. You will notice that the checkbox is now deselected.

Internal Use Only


Page 26 of 43

8. Return to Settings page, and click on Application manager.

Internal Use Only


Page 27 of 43

9. Click on Mobile Client

10. Choose Uninstall.

Internal Use Only


Page 28 of 43

11. A pop-up window will indicate that the Application will be uninstalled.

Internal Use Only


Page 29 of 43

12. Click on OK to exit the uninstallation.

Please note that you have completed the un-enrollment of TEM from Android device.

Internal Use Only


Page 30 of 43

INSTALLING MOBILE SECURITY/TEM CLIENT ON APPLE / IOS DEVICES This guide provides instructions on how to install TEM client on Apple / IOS devices


Apple iOS 4.x, 5.x, 6, 6.1 (iPhone, iPad, iPod Touch)

NOTE : For Windows Mobile 5.x, 6.x do not require this steps as they are agent-less.

Pre-requisite:

Apple user ID is required for you to install the agent.

Recommended to have 3G or access to WIFI

Clear your previous browsing history

1. Launch your Internet browser e.g. Safari (It can be any Internet Browser on your mobile device)

2. At your URL address, type in https://mobilesec-ios.malaysiaairlines.com. You may receive a security warning. Click Continue to proceed.

NOTE : This is a normal encounter.

3. Key in your companys Work Email Address and Password and hit Login.

4. You are now at the enrollment page. As you can see, your email address is now visible in the Work Email Address field. Proceed by selecting I own this device under the Device Ownership. Please read the user terms and

Internal Use Only


Page 31 of 43

agreement carefully before clicking the I Agree check box. Once you are done, hit the Submit button.

5. Choose item 1 option Install your organization SSL Certificate shown in

the diagram below.

6. You will be prompted to install the profile. You may also be prompted for your passcode, if you have an existing passcode. Once you are done, Click Install to continue. Refer to the screenshot below.

Internal Use Only


Page 32 of 43

Internal Use Only


Page 33 of 43

7. Hit the Install button to proceed with the installation. Refer to the screenshot below. This will install the certificate into your mobile device.

8. Hit the Install button to proceed with the installation. Refer to the screenshot below.

9. Once the installation is completed, you will receive this message. Hit Done to complete the process.

Internal Use Only


Page 34 of 43

10. Now go back to your Internet Browser e.g. Safari, and choose item 2 option

Install the Mobile Client app.

11. This is where you will need to download the Mobile Application from the

iTunes store. You need an Internet connection to do this. 12. Once you have Internet Connectivity, just hit Install to begin the download

and installation of IBM Endpoint Manager mobile client / agent into your mobile device. Note i: Some devices will list it as FREE, so choose FREE first, then click Install.

Internal Use Only


Page 35 of 43

Note ii: You will also be prompted to insert your Apple ID Password to commence the installation.

Apple ID Password

Cancel OK

Internal Use Only


Page 36 of 43

13. Once the Client / Agent has been installed, you will see an icon residing in your app inventory on your mobile devices as shown below.

NOTE: DO NOT OPEN THE MOBILE CLIENT.

14. Now launch your Internet browser again, choose item option 3 Enroll with

the app.

15. You will be taken to the MDM Profile Installation page. This page will

automatically redirect you to the next part of the Install Profile section. If it does not redirect, just hit Install the profile as highlighted below.

Internal Use Only


Page 37 of 43

16. You will be prompted to install the profile again. You may also be prompted for your passcode, if you have an existing passcode. Once you are done, Click Install Now to continue. Refer to the screenshot below.

Internal Use Only


Page 38 of 43

17. You will receive a warning message prior to installation, this is a normal prompt. Hit Install to begin the installation process.

18. Once the installation is done, hit Done to complete the setup.

Internal Use Only


Page 39 of 43

19. Once the setup is completed, you will be taken back to the MDM Profile Installation page, just choose Return to the app as highlighted below to complete the enrollment process.

CONGRATULATIONS!

Your device is now ready with the endpoint manager client / agent.

Internal Use Only


Page 40 of 43

HOW TO CONFIGURE MH MAIL on iOS To enable you to receive MH Mail from your iOS device, please go to this link: http://xquizit.mas.net/article/how-to-configure-mh-mail-on-iphone-ipod-touch.html

Internal Use Only


Page 41 of 43

UN-INSTALLING TEM CLIENT FROM IOS / APPLE DEVICE. This guide provides instructions on how to un-install TEM client on Apple / IOS devices.


Apple iOS 4.x, 5.x, 6, 6.1 (iPhone, iPad, iPod Touch)

NOTE : For Windows Mobile 5.x, 6.x do not require this steps as they are agent-less.

Pre-requisite:

Apple user ID is required for you to install the agent.

Recommended to have 3G or access to WIFI

1. Open your IBM Endpoint Manager Client / Agent on your mobile device.

Just click on it to open.

Internal Use Only


Page 42 of 43

2. Once the Mobile Client is open, click on Info as highlighted in RED in the screenshot below on the next page.

3. Click Unenroll to remove the agent from the device. You have completed the removal of the agent from your device.

Internal Use Only


Page 43 of 43

Please note that you have completed the un-enrollment of TEM from Apple / IOS device.

Documents

Mobile Security - FAQ and USER GUIDE.pdf