®

Lab Exercises
Mastering Mobile Management and
Security for Android devices using IBM
MaaS360
Course code LML0041X

IBM Training
October 2018 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2018.

This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Android exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Starting the lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Exercise 1 Log in to the portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Exercise 2 Review the MaaS360 portal home page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Exercise 3 Review Watson Insight Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Exercise 4 Add a device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Exercise 5 Enroll an Android device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Exercise 6 Review Device Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Exercise 7 Creating a device group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Exercise 8 Adding a custom alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Exercise 9 Uploading and distributing a document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Exercise 10 Adding and distributing an app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Exercise 11 Creating and assigning compliance rules sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Exercise 12 Creating an Android policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Exercise 13 Applying a policy to an Android device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Exercise 14 Review MaaS360 configurations on the device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Exercise 15 Install and review distributed apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Exercise 16 Downloading distributed documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Exercise 17 Unenrolling the Android device from MaaS360 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Exercise 18 Removing and deactivating portal artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Help Desk overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Exercise 1 Creating a Help Desk administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Exercise 2 Reviewing device inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Exercise 3 Using advanced search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Exercise 4 Managing enrollments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Exercise 5 Monitoring device actions and events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Exercise 6 Checking security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Exercise 7 Managing users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Exercise 8 Monitoring apps and docs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Exercise 9 Reviewing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Exercise 10 Unenrolling the Android device from MaaS360 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Exercise 11 Removing and deactivating portal artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Signing up for a trial account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

© Copyright IBM Corp. 2018 iii

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Introduction
IBM MaaS360 is a comprehensive unified endpoint management platform. With MaaS360, IT
departments can deliver end-to-end security and management for applications, documents, email,
and devices. It provides employees with secure access to corporate resources and information
from their mobile devices, without compromising the user experience, data security, or privacy.
MaaS360 simplifies the process by providing everything that you need to securely manage all your
mobile assets on demand from an intuitive portal. Notebook and desktop support is also provided
for macOS and Windows 7+, but is not covered in this lab.

In this lab, you learn how to manage mobile devices with MaaS360 and enhance mobile user
security and productivity. This lab is a basic introduction to managing Android mobile devices with
MaaS360. If you are a mobile security administrator or mobile security consultant, there are several
in-depth training courses on the IBM Security Learning Academy that you can take to broaden your
MaaS360 skills.

You complete simple administrator tasks that use the MaaS360 portal to manage devices and
distribute content. You complete simple user tasks with a device.

As an administrator, you perform the following tasks in this lab:

• Create a one-time passcode enrollment request for a device

Note: If you are interested in learning how to configure self-service enrollment using a directory
service such as Active Directory, refer to the additional content on the MaaS360 Cloud Extender in
the Security Learning Academy.

• Create a device group to group devices based on custom attributes

• Create an informational alert to track groups of devices
• Upload a document to the Content Library and distribute it to devices
• Add a public app to the Apps Catalog and distribute it to devices
• Create a compliance rule set to identify rules and corresponding actions to keep devices in
compliance with corporate policy
• Create a security policy that restricts device features and enforces passcodes
• Remove MaaS360 control of the device upon lab completion

As a mobile device user, you perform the following tasks:

• Enroll your device in MaaS360 mobile device management

© Copyright IBM Corp. 2018 1

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Introduction

Uempty
• Review noncompliance warnings and take action to resolve
• Download distributed corporate documents
• Review and install distributed apps

Important: Conference lab participants are provided with an Android tablet and a MaaS360 portal
account to complete the lab. Check with the conference proctors to get a device and a portal
assignment. Make sure that you complete the last two exercises to unenroll the device and
remove portal artifacts so that the device is ready for the next student.

© Copyright IBM Corp. 2018 2

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Starting the lab

Uempty

Android exercises
In these exercises, you learn how to use MaaS360 to enroll and manage Android devices using
Android Enterprise integration with MaaS360. You use an Android 5+ device to enroll in MaaS360.
In addition, you use a notebook that has a browser to access the MaaS360 portal. The portal is
where administrators run workflows to manage devices. Then, you use the Android device to enroll
and install the MaaS360 app on the device. It’s important that administrators understand the device
users’ steps in addition to their own tasks.

Starting the lab

To complete the exercises, you need a browser to access the MaaS360 portal and lab files. You
also need an Android 5+ device and a Google account. In this lab, you integrate MaaS360 with
Android Enterprise. The Android Enterprise features differ from the legacy device admin style
MDM. Android Enterprise is a unified management feature, capable of securing all Android devices,
regardless of OEM. The setup process you follow creates a bind between MaaS360 and Android
services. If you have an Android device that is Android 4.4.2 to Android 5.0 and cannot use Android
Enterprise, the device can still be enrolled but the exercises might not apply. Notes are made
throughout the lab to identify the differences. Therefore, it is recommended that you use an Android
5+ device.

1. Download the MMS_Labfiles file to your lab machine.

2. If you are not part of a proctored conference, start a free MaaS360 trial and use your own
Android device. The exercises are geared towards Android 5+ devices.

3. Go to the instructions for setting up a free training trial account and enabling Android Enterprise
integration in the Appendix on page 69.

Important: If you already have a trial account where you have service administrator authority, you
can continue to use it for these exercises. Go to instructions for setting up Android Enterprise
integration using the Quick Start on Step 5 of the Appendix on page 69.

4. If you are participating in a conference, ask the lab proctor to provide you with portal account
credentials and an Android tablet.

© Copyright IBM Corp. 2018 3

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 1 Log in to the portal

Uempty
Exercise 1 Log in to the portal
1. If you are not already logged in to the MaaS360 portal, open the browser from your desktop.

Note: The following browsers are supported: Chrome, Firefox, and Internet Explorer 11+.

2. Enter https://login.maas360.com/ in the browser. Bookmark the URL.

https://www.maas360.com/login

The MaaS360 login page opens.

3. Enter your credentials.

Note: If you are part of a conference, the proctor will provide your credentials.

The MaaS360 portal home page opens. When an administrator uses the browser on the notebook
to log in to MaaS360, it is called the Maas360 portal. This is the SaaS-based platform where you
enroll, manage, and support devices.

© Copyright IBM Corp. 2018 4

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 2 Review the MaaS360 portal home page

Uempty
Your username and organization’s account number opens at the bottom of each screen. Use this
account number when working with IBM Support.

Exercise 2 Review the MaaS360 portal home

page
When you first start a trial account or have a new customer account, there are no devices, users, or
content. There are default system components based on the services your account is entitled to.
The home page in the portal provides a snapshot of the mobile environment. Administrators can
quickly review total devices, users, apps, and docs in the upper right. In addition, an activity feed on
the right serves as an audit trail of all the portal actions. The alert center is a summary of
informational and security alerts for the enterprise. Items displayed in red are noncompliant, and an
administrator can quickly review and respond to these alerts.

At the top of the screen, the menu includes all workflows administrators can use to manage your
mobile enterprise. Because you are signed in as a Service Administrator, you have access to all
workflows. You can create Administrators with different access levels based on role. For example,
Administrators with only the Help Desk role cannot create security policies but they can view them.
When your account is first created, the My Activity Feed has the list of system security policies

© Copyright IBM Corp. 2018 5

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 3 Review Watson Insight Advisor

Uempty
published. You can also use the quick search in the upper right to find specific devices, content,
and users.
1. Explore the home page and make note of the alerts, activity feed, and snapshot counts. When
you begin to add devices and content, the counts, information, and feeds change.

Exercise 3 Review Watson Insight Advisor

On the MaaS360 Home Page, MaaS360 with Watson provides insights and recommendations that
empower the administrator. At the bottom of the home page, Insights Advisor provides contextual
best practices, productivity improvement opportunities, and emerging threat alerts that are sourced
from MaaS360 data sources, IBM X-Force Exchange, and third-party data sources. Zero-day
mobile threat alerts can provide remediation steps for IT based on industry best practices.
1. Scroll to the bottom of the home page.
Insights Advisor defaults to All insight types and data from the Last 180 Days.

2. In the upper right, click the combo box. You can select All, Information, Opportunity, or Risk
Exposure.
Because this portal is new and device data does not yet exist, only the Information alert for
joining the MaaS360 Community and Privacy is shown.

© Copyright IBM Corp. 2018 6

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 4 Add a device

Uempty
3. Click Learn More below each alert to get more details.

4. Close the Learn More window.

5. You can select alerts from 30, 60, and 180 days to limit the amount the data displayed.
These are real-time alerts that are sourced based on the current data and time, the mobile
device data, the configurations in your portal, and relevant security intelligence and insights
from data sources. Because no devices are enrolled yet, intelligence or threats specific to your
set-up are not displayed yet.

6. In the upper right, click the Mailbox icon to receive daily Advisor Insights in your email. You can
also unsubscribe here.

7. Return to the Insights Advisory and review the rest of the alerts.

Exercise 4 Add a device

In this exercise, you generate a device enrollment request from the portal. An administrator can
initiate device enrollments for mobile device users in several ways. Typically, in a production
implementation, an administrator provides a generic URL to all mobile users in an enterprise, to
enroll their devices by using their corporate credentials. This is called self service enrollment and
requires integration with your corporate directory services using an additional component called the
MaaS360 Cloud Extender.

Specific platforms, such as iOS, Windows, Android Enterprise, and Knox, also have advanced
enrollment capabilities that you can take advantage of to easily roll out large quantities of
corporate-owned devices. When using advanced enrollment capabilities, the user needs only to
power on the device, and the enrollment occurs automatically. The MaaS360 portal also has a bulk
enrollment capability for Androids where administrators can upload a spreadsheet of Android
devices to enroll.

© Copyright IBM Corp. 2018 7

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 4 Add a device

Uempty
In this exercise, you are acting as an administrator and you generate an enrollment for one device
using a one-time passcode, to review how the enrollment process works. Mobile device users do
not have access to the MaaS360 portal. Service Administrators can provide access to a User portal
where device owners can only review and take specific actions on their own devices.
1. On the MaaS360 home page, place your cursor over Devices and click Add Device.
The Add Device pane is shown.

2. Click Add.

3. In the Add User window, enter the following information:

– Full Name: Terri Jones
– Username: tjones
– Domain: ibmemm.edu
– Email: your email address
– Phone Number: <cleared>
– Add New Device: <checked>
– Notify User: Email
– Managed Google Play Account Type: User Account

Note: You can enter your cell phone number and select SMS if you want to receive a text also.
Normally, this is the mobile device user’s information. But for the lab, you might want to receive the
enrollment request.

© Copyright IBM Corp. 2018 8

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 4 Add a device

Uempty

4. Click the Advanced tab.

In the Advanced Tab, you can choose a specific Platform and MDM policy. Because this portal
is new, only the default MDM policies are available. A WorkPlace Persona Policy is not yet
available in the portal, because no services that require a persona policy are enabled. If you do
not choose a policy, the default MDM policy for the platform is assigned to the device.

5. In the Platform & MDM Policy field, select Android and Default Android MDM Policy.

6. In the Ownership field, select Employee.

Employee indicates this is a Bring Your Own Device (BYOD) rather than a corporate owned
device.

7. Click Save.

8. In the Security Check window, enter your portal password and click Confirm.
The Enrollment Request Sent page opens. A message, User created successfully, is
displayed to indicate that tjones was added to the user directory.

© Copyright IBM Corp. 2018 9

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty

Note: The Enrollment Request Sent page shows the unique enrollment URL that you access from
the mobile device to complete the enrollment. Keep this window open or make note of the
enrollment URL, corporate identifier, and passcode, because you use them to complete the
enrollment of the device. To enroll, you can also use the QR code, the email link, or SMS text.

Exercise 5 Enroll an Android device

In this exercise, you enroll the device using the URL and one-time passcode. You can open the
email or SMS text on your device to click the enrollment URL, or you can enter the information from
the enrollment request.
1. Turn on the Android mobile device.

2. Open the native browser on the Android mobile device and enter the enrollment address that is
displayed in the Enrollment Request Sent window from Step 7.
You also have the option of opening the email or SMS text on the device.

© Copyright IBM Corp. 2018 10

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
3. You can open the enrollment email on the device, and click the Device Enrollment URL or use
the QR code which is shown in the following graphic.

Note: If a QR Reader is on the device, you can use it to read the QR Code for Enrollment URL
instead of typing it.

© Copyright IBM Corp. 2018 11

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
The Instructions with steps to enroll are displayed.

4. In Step 1, tap Install.

You are redirected to the Google Play Store and the MaaS360 MDM for Android app is
downloaded.

5. Tap Install.

6. Tap Open.

© Copyright IBM Corp. 2018 12

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
The Add Device pane opens.

Note: The email address and Corporate ID from the Enrollment Request are populated.

7. Tap Continue.

© Copyright IBM Corp. 2018 13

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
The Authenticate pane opens.

8. Enter the Passcode from the enrollment request.

9. Tap Continue.

© Copyright IBM Corp. 2018 14

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
The Steps pane opens.

10. Tap Continue.

The Accept Terms pane opens.

11. Select I have read and accept the terms.

12. Tap Continue.

© Copyright IBM Corp. 2018 15

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
The Configure Google Account pane opens.

Hint: If you did not select Android Enterprise in the Add Device pane, the Configure Google
Account and Work Profile prompts are not shown.

13. Tap Continue.

The Terms and Condition pane is displayed based on your Android type.

© Copyright IBM Corp. 2018 16

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty

14. Review the Terms and Conditions, and if you accept them, click Agree.

© Copyright IBM Corp. 2018 17

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
The Set up work profile pane is shown.

15. Tap Next.

© Copyright IBM Corp. 2018 18

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
The informational message indicates that MaaS360 will manage your device.

16. Tap OK.

The Set up work profile pane is shown and the Configuring Google Account and Installing Apps
pane is shown.

© Copyright IBM Corp. 2018 19

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 5 Enroll an Android device

Uempty
After the work profile and MaaS360 App are installed, the MaaS360 App opens and displays the
Docs and Settings shortcuts, which indicates that your device is enrolled.

© Copyright IBM Corp. 2018 20

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 6 Review Device Inventory

Uempty
Exercise 6 Review Device Inventory
In this exercise, you explore device inventory and perform simple management actions from the
MaaS360 portal. You are logged in as a Service Administrator so you will see more actions than an
Administrator who has only the Help Desk role.
1. In the MaaS360 portal, place your cursor over Devices and click Inventory.

Note: The Device snapshot was increased by one and the My Activity Feed shows the New User
and New Device you just added.

The Device Inventory pane opens with a list of enrolled devices.

2. In the Device Name column, click View for the device that you enrolled.

© Copyright IBM Corp. 2018 21

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 6 Review Device Inventory

Uempty
The inventory details for the selected device open.

3. Click Summary and explore the device details.

Administrators use the Device Summary information to troubleshoot problems with devices.

4. In the upper right, the most common actions used by Help Desk Administrators are displayed:

© Copyright IBM Corp. 2018 22

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 6 Review Device Inventory

Uempty
– Message is used to send a message to the device.
– Buzz is used to send a buzzing sound to a device to help a user locate it in the immediate
area.
– Lock is used to lock the home screen on the mobile device.
– Request Data Refresh synchronizes the device data with any outstanding actions or
assignments from the portal.

Hint: Locate is not shown. It is used to find the geographic location of the device. The action is not
available for Android Enterprise Profile Owner which is geared towards BYOD devices. If you
enroll as Android Enterprise Device Owner which is for corporate owned devices, the locate
device action is available.

5. To review more actions, click More.

The Actions menu opens. The Service Administrator has access to all actions. Other
administrators with different roles, such as Help Desk, only have access to a subset of the
actions.

Note: The Administrator uses these actions to troubleshoot and manage mobile devices.

6. In the More menu, review the various actions.

7. Send a message to the device by using the appropriate action.

© Copyright IBM Corp. 2018 23

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 7 Creating a device group

Uempty
8. Return to the device. A notification that there is a message opens. In addition, there is a
Messages shortcut in the MaaS360 app with a badge count.

9. Tap the Messages shortcut.

The Message opens.

Exercise 7 Creating a device group

Administrators can place managed devices in device groups to simplify the management of devices
with similar attributes. Administrators define group membership criteria by using standard or
custom attributes. You can create public or private device groups, with different actions associated
with the group, depending on the type.

© Copyright IBM Corp. 2018 24

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 7 Creating a device group

Uempty
In this exercise, you define a custom attribute and create a public device group.
1. From the Device Inventory, select the Summary, select Custom Attributes.

Note: The default device view is Summary.

2. Click Edit.
The Custom Attributes page opens.

Note: You can create custom attributes as filters for device group affiliation.

3. In the Department/Business Unit field, enter Training.

4. Click Save.

5. At the top of the screen, place your cursor over Devices and click Advanced Search.

© Copyright IBM Corp. 2018 25

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 7 Creating a device group

Uempty
The Advanced Search menu opens.

6. Review the default settings for searches.

7. In the Search For field, select All Devices.

8. In Last Reported, select All Records.

9. Define the search criteria for Condition 1 as follows:

– Custom Attributes
– Department/Business Unit
– Equal To
– Training

10. Click Search and verify that your device is listed in the search results.

11. To define the device group, click Create New Device Group and enter the following
information:
– Group Name: Trainingxxx, where xxx is a unique identifier such as your initials
– Description: Devices in the group are currently in training

© Copyright IBM Corp. 2018 26

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 7 Creating a device group

Uempty
– Group Type: Public

12. Click Save.

A message opens that indicates the group is successfully saved.

13. Click OK.

14. Place your cursor over Devices and select Groups.

The Groups page opens.

15. Verify that the Trainingxxx group is listed.

The columns identify the Policies and Rule Sets assigned to the group, and the Apps and Docs
that are distributed to the groups. In this case, nothing has been assigned or distributed to this
group yet.

© Copyright IBM Corp. 2018 27

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 8 Adding a custom alert

Uempty
Exercise 8 Adding a custom alert
Administrators can create custom alerts for your organization. These alerts are displayed in the
MaaS360 portal on the My Alert Center dashboard. You can define alerts as either security alerts or
information alerts. Information alerts are displayed in the My Alert Center dashboard in blue.
Security alerts display as either red or green, depending on whether the alert requires attention.

In this exercise, you create a custom information alert.

1. Return to the MaaS360 portal and click the Home icon ( ).
The My Alert Center page opens.

2. In the upper right of the dashboard, click the Add Alert icon.

The Add Alert window opens.

3. Define the new alert that only you can see by entering the following information:
– Name: XXX Training Devices, where XXX is a unique identifier such as your initials
– Description: Training Department Devices
– Type: Info
– Available for: Only me
– With Device Types: Smartphones and Tablets

4. Define the search criteria for Condition 1 as follows:

– Custom Attributes
– Department/Business Unit
– Equal To
– Training

5. Click Update.

© Copyright IBM Corp. 2018 28

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 9 Uploading and distributing a document

Uempty
The My Alert Center dashboard now shows at least one device in Training Devices.

Exercise 9 Uploading and distributing a

document
Administrators use MaaS360 to distribute documents and files to managed devices. Documents
must be uploaded to the MaaS360 content library before they are distributed. You can access the
content library from the Docs menu in the portal. MaaS360 also provides integration with corporate
content, such as Windows files shares and internal Sharepoint, and web-based content such as
Box, IBM Connections, and OneDrive repositories.

In this exercise, you upload a file to the content library and then distribute it to managed devices.
1. Place your cursor over Docs at the top of the screen and select Content Library from the
menu.
The Content Library page opens. Remember that in a new portal, there are no documents.
I

2. In the upper right of the Content Library page, click Add Documents.

© Copyright IBM Corp. 2018 29

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 9 Uploading and distributing a document

Uempty
The Add Documents window opens. There are Security Settings, Download Policies, and
Distribution details that the Administrator can set on a per document basis.

3. Click Browse.

4. From the C:\Labfiles\MMS_Labfiles folder in the file list, select Test Document.txt.

5. Click Open.

6. Verify that the Document Names field contains the string Test Document.

7. In the Tags field, enter Test, Training.

Hint: The Tags field contains a comma-separated list of document tags.

8. From the Distribute to menu, select Device and enter the device you just enrolled.

Note: Begin typing tjones in the Device field, and the device name can be selected.

9. Select a date one week from today as the expiration date.

© Copyright IBM Corp. 2018 30

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 10 Adding and distributing an app

Uempty

Note: When the expiration date is reached, the file is automatically removed from the devices it
was distributed to. Additionally, you can set a start date for the document to be available to device
users.

10. Click Save.

The Security Check pane is shown.

11. Type your password and click Confirm.

The document is uploaded, listed in the content library, and distributed to the specified devices.

Exercise 10 Adding and distributing an app

Administrators can also create a MaaS360 enterprise app catalog to distribute apps to managed
devices. Apps must be added to the MaaS360 App Catalog before they can be distributed. You can
access the app catalog from the Apps menu in the portal. For Android Enterprise integrated
accounts, administrators must authorize all Google Play apps to be distributed.

In this exercise, you add the MaaS360 Docs App, an entertainment/game app, and a business app
to the App Catalog and distribute it to managed devices.
1. In the MaaS360 portal, place your cursor over Apps and select Catalog.
The App Catalog page opens.

2. Click Add.

© Copyright IBM Corp. 2018 31

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 10 Adding and distributing an app

Uempty
The Add menu opens.

3. To expand the list, click Android and the plus icon.

4. Click Google Play App.

5. In the App Name field, type angry birds free.

The apps list is filtered and shows a list that contains the search string.

6. Select any free Angry Birds app.

The Permissions for the App pane is shown.

7. Click I Agree.

8. Click the Policies and Distribution tab.

9. Select the MDM Control Removal and Selective Wipe check boxes.

Note: The MDM Control Removal and Selective Wipe features are only available for specific
Android platforms. Enabling these settings removes the app when a selective wipe or MDM
control removal is initiated on the device.

10. For the Distribute to options, select Specific Device and your specific device.

Hint: To find your specific device, enter the username tjones in the search.

11. Click Add.

The Security Check window opens, and you are prompted to enter your password to complete
the operation.

12. Enter your password and click Confirm.

© Copyright IBM Corp. 2018 32

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 10 Adding and distributing an app

Uempty
The app is added to the App Catalog and distributed to the specified devices.

13. Click Add and then click plus icon next to Android.

14. To add a Google Play App, click Google Play App.

15. Type MaaS360 Docs in App Name and select the MaaS360 Docs apps in the list.

Note: In order to view documents from the MaaS360 Content Library on the device, the MaaS360
Docs app must be installed. Devices that are not using Android Enterprise do not require the
MaaS360 app to be added to the MaaS360 App Catalog. In the training you are using the
MaaS360 and Android Enterprise integration, so the Maas360 Docs app must be added.

16. To accept the permissions, click I Agree.

17. Click Policies and Distribution.

18. Select the MDM Control Removal and Selective Wipe check boxes.

19. Click Instant Install.

20. For the Distribute to options, select Specific Device and your specific device.

21. Click Add.

The Security Check pane is displayed.

22. Type your password and click Confirm.

23. To add a business app from Google Play, click Add > Android > and Google Play App.

© Copyright IBM Corp. 2018 33

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 11 Creating and assigning compliance rules sets

Uempty
24. In the App Name, type IBM Verify.
The Permissions for the App pane is shown.

25. Click I Agree.

26. Click the Policies and Distribution tab.

27. Select the MDM Control Removal and Selective Wipe check boxes.

28. Select Instant Install.

29. For the Distribute to options, select Specific Device and select your specific device, by typing
tjones.

30. Click Add.

The Security Check pane is displayed.

31. Type your password and click Confirm.

You view the apps and docs on the mobile device in a later exercise.

Exercise 11 Creating and assigning compliance

rules sets
With MaaS360, administrators can apply compliance rules to your managed mobile devices.
Compliance rule sets are conditions that are checked on devices on a real-time basis. If a device is
not in compliance with the defined rule sets or conditions, enforcement actions are taken on the
device based on the administrators’ configurations.

Compliance rules have an added benefit that security policies do not. When the user remediates
the compliance violation, the compliance rule immediately rolls back the enforcement action. For
example, an administrator can set up a compliance rule that selectively wipes corporate data from
the device when a restricted app is on the device. When the user removes the restricted app, the
compliance rule rolls back the selective wipe and reinstates the corporate data. Administrators with

© Copyright IBM Corp. 2018 34

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 11 Creating and assigning compliance rules sets

Uempty
only the Help Desk role do not have access to create compliance rules, but it is important for Help
Desk administrators to understand how compliance rules work.

In this exercise, you create and assign a compliance rule set.

1. In the MaaS360 portal, place your cursor over Security and select Compliance Rules.
The Compliance Rules page opens.

Note: MaaS360 does not have default system generated compliance rules like security policies.

2. Click Add Rule Set.

The Add Rule Set page opens.

3. As the Rule Set Name, enter Testxxx, where xxx is a unique identifier such as your initials and
click Continue.
The Update Rule Set page opens. There are several types of OS’s you can enable for
compliance rules. By default, all are enabled.

4. On the left, click Enforcement Rules.

5. Select the check box beside Enrollment.

The enforce Enrollment options are displayed.

© Copyright IBM Corp. 2018 35

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 11 Creating and assigning compliance rules sets

Uempty
6. In the Trigger Action on Managed Status settings, clear the following check boxes:
– Not Enrolled
– Pending Control Removal
– Control Removed

Only User Removed Control is activated. If the user removes MaaS360 control from the device
so that it is no longer managed, an enforcement action can be set. There are several actions
you can take based on the enforcement rule. In this case, you send an email alert with another
enrollment URL.

7. Select Send Enrollment Request in Email and verify the Enforcement Action is set to Alert.

8. Click Save.
The Security Check window opens and you are prompted to enter your password to save the
changes.

9. Type your password and click Confirm.

10. Review the other Compliance Rules that you can configure for devices.

11. To return to the Compliance Rules page, click the blue arrow in the upper left .
The Compliance Rules are listed. In this case, there is only the one rule you just created. Note
the status is Active.

© Copyright IBM Corp. 2018 36

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 12 Creating an Android policy

Uempty
12. Under the Testxxx compliance rule set, click the Assign link.
The Assign Rule Set window opens.

13. For the Group field, select TrainingXXX.

By default, the rule set is automatically assigned to new devices that enroll. You can clear this
and require the rule set to be assigned manually so that different groups receive unique rule
sets.

14. Click Submit.

The Assign Rule Set pane opens.

15. Review and click Continue.

The Security Check pane is shown.

16. Type your password and click Confirm.

Exercise 12 Creating an Android policy

Policies and compliance rules work together to ensure that mobile users in your enterprise are
adhering to corporate policy. Administrators enter policies in the MaaS360 portal that align with
industry best practices and company standards. These policies can then be assigned to mobile
devices. Typically you set up policies and compliance rules before all devices in your organization
enroll. You can set up policies and compliance rules and test them out on a few devices before
assigning to all devices in your organization.

© Copyright IBM Corp. 2018 37

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 12 Creating an Android policy

Uempty
In this exercise, you create an Android security policy.
1. In the MaaS360 portal, place your cursor over Security and click Policies.
The Policies page opens.

2. Click Add Policy.

The Add Policy page opens.

3. In the Name field, enter Test Androidxxx, where xxx is a unique identifier such as your initials.

4. In the Description field, enter Android test Policy used for training.

5. In the Type field, select Android MDM.

6. In the Start From field, you can choose from My Existing Policies, Community Based Policy, or
Business Templates based Policy.

Note: MaaS360 introduced Business Templates Based Policy to cater to multiple business use
case needs. Business Templates policy is available for iOS MDM, Android MDM and Persona
policy only.

© Copyright IBM Corp. 2018 38

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 12 Creating an Android policy

Uempty

Note: MaaS360 introduced Community Based Policy that provides recommendations on policy
configuration based on policy settings within similar organizations in the community.

7. For this lab, select Business Templates based Policy.

Review the Business Usecase selections.

8. To select a management type business template for a bring your own device deployment,
select BYOD.

9. Click Continue.

© Copyright IBM Corp. 2018 39

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 12 Creating an Android policy

Uempty
The Test AndroidXXX policy is created based on the setting from the BYOD business usecase
policy. You can now edit the policy to customize it.

10. In the upper right of the Test Android policy page, click Edit.

11. On the left navigation pane, select Android Enterprise Settings.

© Copyright IBM Corp. 2018 40

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 12 Creating an Android policy

Uempty

Note: Android Enterprise Settings only apply to devices that are enrolled as Device Owner or
Profile Owner using the Android Enterprise integration. If you have a device that has an earlier
version of Android, less that 5.0, you can only configure the Device Settings and Advanced
Settings in the policy.

12. In the Passcode section, select the Configure Passcode Policy check box.
The Passcode Settings options are displayed. Different settings apply to different versions of
Android and different types of Android Enterprise enrollments (Profile Owner and Device
Owner).

13. Define the Passcode Settings as follows:

– Minimum Passcode Quality: Numeric
– Minimum Passcode Length: 4
– Maximum Passcode Age (in Days): 30
– Allowed Idle Time (in minutes) Before Auto-Lock: 10 minutes
– Number of Failed Password Attempts Before All Data is Erased: 0

Note: The entries you are making are for training purposes only. You must check with your IT
organization to get policy requirements for mobile devices.

14. To Configure security settings, click Security.

© Copyright IBM Corp. 2018 41

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 12 Creating an Android policy

Uempty
15. Scroll to App Security, and clear Allow uninstallation of Apps.

16. Scroll to Data Security, and clear the Screen Capture selection.

Hint: You are disabling screen captures and the uninstallation of apps on devices that are
assigned this policy. You select these two configurations in order to demonstrate the effect of
policies on your training device. The configurations you set for production implementation are
based on your organization’s requirements and or the community based and business use case
templates.

17. Review the rest of the policy settings in the Android Enterprise Settings section.

Note: In the left navigation pane, administrators can set up the configurations for wifi, VPN, and
ActiveSync mail to be pushed to mobile devices. This eliminates the need for mobile device users
to manually configure these settings on their devices and reduces configuration errors.

18. in the upper right of the policy page, click Save and Publish.
The Publish window opens. Note there are Cognitive Recommendations shown. The
recommendations compare your policy configurations to the MaaS360 community policy
settings.

© Copyright IBM Corp. 2018 42

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 12 Creating an Android policy

Uempty
19. To review the Cognitive Recommendations, click the plus icon next to Passcode, Restrictions,
Security, Device Management, and Passcode.

© Copyright IBM Corp. 2018 43

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 12 Creating an Android policy

Uempty

Note: You can apply all of the cognitive policy recommendations, by clicking Apply in each
category, which updates your policy. For training purposes, only review the recommendations.

20. In the Description field, enter the following information:

Test Android Policy for training

21. Type your password and click Confirm.

Version 1 of the Test Android policy is published and can now be applied to devices.

© Copyright IBM Corp. 2018 44

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 13 Applying a policy to an Android device

Uempty
Exercise 13 Applying a policy to an Android
device
In this exercise, you apply the Android security policy to the managed device. You created this
policy in Exercise 12, “Creating an Android policy,” on page 37.
1. Place the cursor over Devices and click Inventory.
The Device Inventory page opens and shows a list of managed devices.

2. Click View below your device to open the device inventory summary.
The Summary page opens.

3. From the upper right More menu, select Change Policy.

The Change Policy window opens.

4. For Android Policy, select Test Androidxxx and click Submit.

The Security Check window opens.

5. Type your password and click Confirm.

Exercise 14 Review MaaS360 configurations on

the device
1. Switch to your Android device.

2. Check your device to ensure that the policy is changed.

– Open the MaaS360 app, tap Settings > My Device and scroll down to the Policy.
– If the policy is not changed to Test Android, tap Update Device Data in the upper right
menu.

© Copyright IBM Corp. 2018 45

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 15 Install and review distributed apps

Uempty

3. If you do not have a passcode set that matches the security policy setting, a Device out of
compliance message opens and you are prompted to set a password.
If this is your personal device, you have one hour before the device locks and requires you to
enter a passcode. Therefore, you can ignore the warning and continue with the exercises or to
test the passcode, enter 1234.
– Tap Settings, then tap Compliance Status.
– To bring your device back into compliance, tap Change Device Passcode and enter the
passcode (4-digit PIN) 1234.

4. Try to take a screen capture on the device.

The message Can’t take screenshot due to security policy is shown. You set
this security setting in the Android policy.

Exercise 15 Install and review distributed apps

When an administrator adds apps to the MaaS360 App Catalog and distributes them to devices, a
MaaS360 App Catalog shortcut displays on the device. Some mobile device operating systems
support instant install, which is set in the portal, and the app automatically installs on the target
device as soon as it is distributed from the App Catalog.

In this exercise, you manually install an app from the App Catalog and review an app that was
automatically installed.
1. Return to the MaaS360 app on the managed device and tap App Catalog.

2. Tap the Angry Birds app to install it.

You are redirected to the Angry Birds app in the Google Play store.

3. Tap Continue.

© Copyright IBM Corp. 2018 46

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 15 Install and review distributed apps

Uempty
4. Tap Install.
The Angry Birds app is downloaded and installed on the device.
You don’t have to open the app. This lab only demonstrates how to install an app manually from
the MaaS360 App Catalog and how it is automatically removed when unenrolled from
MaaS360.

5. Return to the MaaS360 App Catalog, notice that the IBM Verify app was automatically installed.

6. Go to you device home page, notice that all of the apps that are distributed from the MaaS360
App Catalog and the MaaS360 App all have the work icon. This icon indicates that these apps
are part of your Android Work profile, which is separate from your personal profile on the
device. This is unique to MaaS360 Android Enterprise Profile Owner enrollments, which
separates work from personal.

7. Try to uninstall the IBM Verify App.

The Uninstall unsuccessful message is shown.

Note: Because you disallowed uninstall of MaaS360 managed apps in the Security Policy, the
IBM Verify App cannot be uninstalled.

© Copyright IBM Corp. 2018 47

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 16 Downloading distributed documents

Uempty
Exercise 16 Downloading distributed
documents
In this exercise, you verify that you can access the document that was distributed in Exercise 9,
“Uploading and distributing a document,” on page 29.
1. On the managed device, open MaaS360 app.

2. Tap Docs.
The MaaS360 Docs app was automatically downloaded and installed from the MaaS360 App
Catalog because you selected Instant Install.
The Docs app includes Corporate and Local Docs. The Doc that you distributed from the portal
is considered a Corporate Doc because it came from the MaaS360 portal. Local docs, are local
copies of documents that the user creates or copies inside the MaaS360 container in the Docs
app.

3. Tap Corporate.

© Copyright IBM Corp. 2018 48

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 17 Unenrolling the Android device from MaaS360

Uempty
4. In the Documents list, verify that Test Document.txt is listed.

5. Tap Test Document.

The test.txt file is downloaded to the device and you are provided a list of native apps to
open the document.

Note: If you create a WorkPlace Persona Policy and enable the Secure Docs Viewer, you also
have the option of opening the file with the MaaS360 Secure Docs Viewer, which ensures that the
documents open in the device secure container.

Exercise 17 Unenrolling the Android device

from MaaS360
To remove MaaS360, the container apps, and MaaS360 management of your device, you must
remove control. The mobile device user can do this from the mobile device if that feature is not
disabled or the Administrator can remove control of the device. By default, not all Administrator
roles, including those with the Help Desk role, have access to remove control. In this exercise, you
are logged in as a Service Administrator.

In this exercise, you unenroll the device from MaaS360 and remove the MaaS360 app.
1. Return to the MaaS360 portal.

2. Click the Home icon.

The My Alert Center dashboard opens.

3. Place your cursor over Devices and select Inventory.

The Device Inventory page opens.

© Copyright IBM Corp. 2018 49

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 18 Removing and deactivating portal artifacts

Uempty
4. In the Device Name column, click View below the managed device.
The Summary page opens.

5. From the More menu, select Remove Work profile.

The Remove Control window opens.

Hint: If you enrolled an Android device using legacy device management instead of Android
Enterprise, select Remove MDM Control instead of Remove Work Profile.

6. Type any comments you have and click Continue.

The Security Check pane is shown.

7. Type your password and click Confirm.

Note: It might take a few minutes for the action to complete. The Managed Status changes to
Pending Control Removal and then to Inactive. The Inactive status signifies the Remove Control
action is complete. Wait until control is removed from the device before continuing. Review the
Managed Status in the WorkPlace & Security section in Device Inventory.

8. In order to refresh the Managed Status in the MaaS360 portal before the automatic data
update, click Request Data Refresh.

9. When the Managed Status changes to Inactive, return to your device.

10. Review the device apps. The MaaS360 App, Angry Birds, and IBM Verify have all been
uninstalled automatically and there is no longer a MaaS360 work profile on the device.

11. On the mobile device, tap the Settings icon and set your device passcode to your own
specifications, if you changed it.

Exercise 18 Removing and deactivating portal

artifacts
In this exercise, you clean up the portal artifacts that you created in the previous exercises. You
complete these tasks because, in conference settings, devices and portals are reused. Also, you

© Copyright IBM Corp. 2018 50

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 18 Removing and deactivating portal artifacts

Uempty
might take several MaaS360 labs using one MaaS360 portal and one device. Cleanup ensures the
data is reset for each lab.
1. Return to the MaaS360 portal.

2. Click the Home icon.

The My Alert Center dashboard opens.

3. Hover over the XXX Training Devices alert you created in Exercise 8, “Adding a custom alert,”
on page 28. Click the Delete icon.

4. Click Delete For All.

5. Place your cursor over Apps and click Catalog.

6. To delete the Angry Birds app, the IBM Verify, and the MaaS360 Docs app, from the MaaS360
App Catalog, select all 3 apps, then click Delete.

7. Type your password and click Confirm.

© Copyright IBM Corp. 2018 51

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Android exercises
Exercise 18 Removing and deactivating portal artifacts

Uempty
8. Place your cursor over Docs and click Content Library.

9. Delete the Test document.

10. Type your password and click Confirm.

11. Place your cursor over Security and click Policies.

12. To delete the Test Androidxxx android policy, click More and Delete.

13. Place your cursor over Devices and click Groups.

14. Click More and Change rule set for the Training group.

15. To remove the rule set assignment, click the X next to Compliance Rule Set.

16. Click Submit.

17. Click Yes.

18. In the Security Check pane, type your password and click Confirm.

19. To remove the Training group, click More and Delete.

The Delete Group pane is displayed

20. Click Yes.

21. Type your password and click Confirm.

22. You have removed the portal artifacts and completed the MaaS360 Android exercises.

© Copyright IBM Corp. 2018 52

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Help Desk overview
Help Desk personnel provide level 1 support to MaaS360 customers. In some organizations
Service Administrators might provide more access to Help Desk personnel to perform extra tasks.

In this part of the lab, you learn the workflows, actions, and information available to Administrators
with only the Help Desk role. The training portal account includes a Service Administrator.

Exercise 1 Creating a Help Desk administrator

In this exercise, you create a new administrator and assign the Help Desk role. You use the new
Help Desk administrator to complete the remainder of the exercises.
1. Log in to the MaaS360 training portal account.

2. Click Setup > Administrators.

3. In the upper right, click Add Administrator.

Administrator Details opens.

4. To create an administrator, enter the following information:

– Corporate Email Address: <use any email address that you can receive email>
– Username: <enter a unique username for the Help Desk administrator>

Note: For training purposes, you can use the same email as the one you used to create the trial
portal account.

5. Click Next.

© Copyright IBM Corp. 2018 53

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 1 Creating a Help Desk administrator

Uempty
The Assign Roles pane opens.

6. In the Role list, click Help Desk.

7. Review the Role Description for Help Desk.

8. To select Help Desk, click the arrow to move it into the selected list.

9. Click Next.
The Review Details pane opens.

10. Click Save.

11. Type your password in the Security Check pane.

The Administrator Created pane opens.

12. Log out of the portal.

13. Go to the email address associated with the Help Desk Administrator you just created.

© Copyright IBM Corp. 2018 54

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 1 Creating a Help Desk administrator

Uempty
The email includes the login details for the new Help Desk administrator. The only role that is
assigned is Help Desk.

14. Log on to the portal again. Use the new help desk user name and temporary password.
You are prompted to create a permanent password and complete your profile.

15. Select Do not show this again and click Accept.

The Help Desk home page opens. You have access to the My Alert Center, snapshot
information, and Activity Feed. The device, user, app, and doc counts that you added in the

© Copyright IBM Corp. 2018 55

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 2 Reviewing device inventory

Uempty
previous exercises are displayed. The informational tile with the devices in the Training group
does not display because it was created only for the Service Administrator account.

Exercise 2 Reviewing device inventory

In this exercise, you use the device inventory workflows to review device information and identify
actions that can be taken on devices. The device inventory is a primary workflow the Help Desk
administrator uses to manage devices and troubleshoot problems.
1. Click Devices > Inventory.

2. Click View below the device that was enrolled in the previous exercises.

3. Click Summary.
The Help Desk has access to all the same summary information.

© Copyright IBM Corp. 2018 56

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 2 Reviewing device inventory

Uempty

WorkPlace & Security provides a summary of the policy and compliance rules that are
assigned, the Managed Status, and any Failed Settings for wifi, VPN, or ActiveSync.

4. Click More.
The list of actions available to the Help Desk administrator is only a subset of what you saw
when you were logged in as a service administrator. Help Desk administrators can request a

© Copyright IBM Corp. 2018 57

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 3 Using advanced search

Uempty
data refresh to the device, reset the device passcode, lock, locate, buzz, and message a
device.

Note: The locate action is not shown here because the device was enrolled with Android
Enterprise profile owner which is a BYOD enrollment type and the locate action is prohibited.
Corporate devices that are enrolled using Device Owner show the locate action.

Exercise 3 Using advanced search

The Service Administrator can create advanced searches and then create device groups based on
the search results. Help Desk administrators can use advanced search only to create a list of
devices based on selected criteria. Advanced search is a great tool that you can use to identify
devices that meet a criteria that require more actions or follow up by the administrator. For example,
if a set of devices with a specific hardware configuration is causing a problem with mail
configuration, you can search for these devices to identify the owners and contact them.
1. Click Devices > Advanced Search.

2. Define the search criteria for Condition 1 as follows:

– Custom Attributes
– Department/Business Unit
– Equal To
– Training

3. Click Search.
The Search Results are listed.

In the lower right, you can customize the columns and select csv or Excel format to export to a
file. Experiment with Customize Columns and Export. You can use this when you
troubleshoot, to identify a list of devices that meet a specific criteria.

© Copyright IBM Corp. 2018 58

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 4 Managing enrollments

Uempty

Exercise 4 Managing enrollments

The Enrollment view includes the list of enrollments that are completed or outstanding. If an
enrollment is not completed, you can delete or renew it.
1. Click Devices > Enrollments.
A list of the completed and outstanding enrollment requests is displayed.

You can use this information to research enrollment issues. If the Help Desk administrator
initiated a one-time passcode enrollment, there is the option to renew the request, which
generates another one-time passcode, or you can delete the request.
In the upper right, you can add a device and generate an enrollment request. If you click Other
Enrollment Options, you see more bulk add and OS-specific enrollment options.

2. To identify the type of enrollment request, you can add another column, Request Type. Open
the Customized Columns, and add Request Type. In this case, it is MDM (Android Enterprise).
You can also export the list of enrollments to a csv or excel file.

Exercise 5 Monitoring device actions and

events
Use actions and events to review system and administrator initiated events across your enterprise
mobile devices. MaaS360 Cloud Extender actions are also listed in this view. For example, a Help
Desk administrator can use the filter criteria to find all failed actions that occurred in a specified time

© Copyright IBM Corp. 2018 59

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 6 Checking security policies

Uempty
period. If several enrollments are failing, the actions and event view identifies any failed Cloud
Extender actions.
1. Click Devices > Actions & Events.
The Action History for devices opens. The Action column identifies the action. In this case, you
see a send message, change rule set, and change policy action from part 1 of this lab.

The top of the screen includes search fields that you can use to filter the results. For example,
you might want to find all of the actions for a specific device or a specific date.

2. Experiment with the filter options. This workflow is helpful when troubleshooting device issues
to identify what actions are complete on a device.

Exercise 6 Checking security policies

Help Desk administrators can use the security policy view to troubleshoot problems with devices.
You can identify what policy is assigned to a device in device inventory and then use the security
policy view to look at the detailed settings and configurations for that policy. The view also identifies

© Copyright IBM Corp. 2018 60

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 7 Managing users and groups

Uempty
whether the policy is the default and what version is currently published. A history of published
settings is also available.
1. Click Security > Policies.
The Help Desk role can only view, display history, and export policies. When troubleshooting
policy issues on a device, you can check the configurations for a policy and also make sure that
the published policy version matches what is on the device.

2. To view the history of a policy, click History below the security policy you created.

Exercise 7 Managing users and groups

In this exercise, you learn how you can use the users and groups workflows to manage users and
identify what content and devices are assigned to groups and users.
1. Click Users > Directory.
A list of local and corporate directory service users are included in the list. In this case, you
have only the one local user that was created when you generated the enrollment request.
Corporate directory users are imported by using the MaaS360 Cloud Extender or through
integration with cloud directory services.

You can also use Add Device below the user record, to generate an enrollment request.

2. Below the tjones user, click Reset Password.

© Copyright IBM Corp. 2018 61

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 7 Managing users and groups

Uempty
An email is sent to the email address associated with tjones. The email includes the password.

Important: You cannot reset passwords for users that are imported from corporate directory
services such as Active Directory.

3. In the upper right menu, you can add a new local user. Click More and you can import local
users and groups in bulk, and configure User Settings.

4. To review the user settings that you can configure, click More and User Settings.
Review the basic and advanced settings.

5. Click Users > Groups.

© Copyright IBM Corp. 2018 62

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 8 Monitoring apps and docs

Uempty
A list of device and user groups open. The Updated by identifies whether they are
system-generated groups that are provided with the MaaS360 portal, created by an
administrator, or imported from a corporate directory service.

You can also identify what Policies, Apps, and Docs are assigned and distributed to the groups.
This information can help with troubleshooting. If a device does not have the correct policy
assignment, you can check what groups the device or user belongs to and identify the policies
that are assigned at the group level.

Exercise 8 Monitoring apps and docs

In this exercise, you learn how you can use the apps and docs workflows to identify what content is
distributed and installed on devices.
1. Click Apps > Catalog.
The catalog opens with the apps that you added in part 1 of this lab. By default, Help Desk
administrators are not able to add new apps, but they can view app details and review
distributions. Viewing distributions can be important if users indicate that they have not received
apps on their devices.

2. Click View below Angry Birds.

© Copyright IBM Corp. 2018 63

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 9 Reviewing reports

Uempty
You can view all of the devices that the app is distributed and installed on, and you can also
stop distributions by clicking the X in the Distributions.

3. Click Docs > Content Library.

The All Docs pane opens.

4. Below the document, click View.

The document details and distributions are displayed. The Help Desk administrator does not
have access to edit or add new documents.

Exercise 9 Reviewing reports

Help Desk administrators can access several reports for an account. Report data is refreshed every
24 hours. Use the reports to create subscriptions and custom filters to gain insight into the

© Copyright IBM Corp. 2018 64

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 9 Reviewing reports

Uempty
enterprise’s mobile landscape. For example, the enrollments view displays only 90 days worth of
data. You can use the Deployment Overview report to review all enrollment data.
1. Click Reports.
The list of reports for the account opens.
The list of reports th

2. Review the reports. Click each one and practice using the filters and set up a subscription.
Report data can go back 180 days.

3. To view mobile metrics and compare your deployment to similar industries and similar sized
businesses within MaaS360, select Reports > Mobile Metrics and review all of the information
available to you.

© Copyright IBM Corp. 2018 65

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 10 Unenrolling the Android device from MaaS360

Uempty
4. Log out of the Help Desk administrator account and log back in with the Service Administrator
account.

Exercise 10 Unenrolling the Android device

from MaaS360
To remove MaaS360, the container apps, and MaaS360 management of your device, you must
remove control. The mobile device user can remove control from the mobile device or the
Administrator can remove control of the device. By default, not all Administrators, including those
with the Help Desk role, have access to remove control. In this exercise, you are logged in as a
Service Administrator.

In this exercise, you unenroll the device from MaaS360 and remove the MaaS360 app.
1. Return to the MaaS360 portal.

2. Click the Home icon.

The My Alert Center dashboard opens.

3. Place your cursor over Devices and select Inventory.

The Device Inventory page opens.

4. In the Device Name column, click View below your managed device.
The Summary page opens.

5. From the More menu, select Remove Work Profile.

The Remove Control window opens.

Note: If you enrolled an Android device using legacy device management instead of Android
Enterprise, select Remove MDM Control instead of Remove Work Profile.

6. Click Continue.
The Security Check window opens.

7. Enter your password and click Confirm.

Note: It might take a few minutes for the action to complete. The Managed Status changes to
Pending Control Removal and then to Inactive. The Inactive status signifies the action is complete.
Wait until control is removed from the device before continuing. Select Request Data Refresh to
refresh the device summary data in order to view the updated status in the portal.

© Copyright IBM Corp. 2018 66

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 11 Removing and deactivating portal artifacts

Uempty
8. In order to refresh the Managed Status in the MaaS360 portal before the automatic data
update, click Request Data Refresh.

9. When the Managed Status changes to Inactive, return to your device.

10. Review the device apps. The MaaS360 App, Angry Birds, and IBM Verify have all been
uninstalled automatically and there is no longer a MaaS360 work profile on the device. On the
mobile device, tap the Settings icon and set your device passcode to your own specifications, if
you changed it.

Exercise 11 Removing and deactivating portal

artifacts
In this exercise, you clean up the portal artifacts that you created in the previous exercises. You
complete these tasks because, in conference settings, devices, and portals are reused. Also, you
might take several MaaS360 labs with one MaaS360 portal and one device. Cleanup ensures that
the data is reset for each lab.
1. Return to the MaaS360 portal.

2. Click the Home icon.

The My Alert Center dashboard opens.

3. Hover over the XXX Training Devices alert you created in Exercise 8, “Adding a custom alert,”
on page 28. Click the Delete icon.

4. To delete the alert, click Yes in the Confirm Delete Alert.

5. Place your cursor over Apps and click Catalog.

© Copyright IBM Corp. 2018 67

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Help Desk overview
Exercise 11 Removing and deactivating portal artifacts

Uempty
6. To delete the Angry Birds app, the Web Clip, and the MaaS360 Docs App, select all three apps,
then click Delete.

7. Type your password and click Confirm.

8. Place your cursor over Docs and click Content Library.

9. Delete the Test document.

10. Type your password and click Confirm.

11. Place your cursor over Security and click Policies.

12. To delete the Test Androidxxx android policy, click More and Delete.

13. Place your cursor over Devices and click Groups.

14. Click More and Change rule set for the Training group.

15. To remove the rule set assignment, click the X next to Compliance Rule Set.

16. Click Submit.

17. Click Yes.

18. In the Security Check pane, type your password and click Confirm.

19. To remove the Training group, click More and Delete.

The Deleting Group pane is displayed

20. Click Yes.

21. Type your password and click Confirm.

22. You have removed the portal artifacts and completed the MaaS360 Android exercises.

© Copyright IBM Corp. 2018 68

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Appendix
If you are not part of the conference, you must sign up for a MaaS360 trial account to complete this
lab. Or you can use an existing trial account where you have service administrator access, if you
have one.

Signing up for a trial account

In this exercise, you access the IBM MaaS360 portal and create a training portal account by signing
up for a 15-day trial. You use a trial registration URL that was created for IBM MaaS360 training.
The first portal administrator account that you create is a service administrator. Service
Administrator is the highest-level access for an account. Make note of the user name and password
that you create. This account information is used throughout the exercises.

Important: Trial accounts that are created outside of the training environment at
http://www.maas360.com/trial, require you to create an IBM ID. In the training environment, you
create a trial account under a training umbrella that allows you to use just an email address.

Perform the following steps:

1. To complete this exercise, open the browser on your desktop.

2. In the navigation bar, enter the following address:

https://m3.maas360.com/tryMDM/SK_ENABLEME03_MDM_C

Note: After you sign up for an account, you can sign in to the portal by using this URL:
https://login.maas360.com. Bookmark the URL in your browser.

© Copyright IBM Corp. 2018 69

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Appendix
Signing up for a trial account

Uempty
The trial registration page opens. It might display a 30-day trial, but your training account is only
active for 15 days.

3. In the Start Your Free Trial form, complete all of the fields.

Note: Ensure that the password you create is at least 8 characters long and includes both letters
and numbers. Make a note of the email and password because you need them to access the
portal. The email is the user name for your first Service Administrator account.

© Copyright IBM Corp. 2018 70

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Appendix
Signing up for a trial account

Uempty October 2018

4. Accept the terms of agreement and click Start Your Free Trial.

Note: If you already signed up for a trial, you might receive a message that the name already
exists. You can either use your existing Trial credentials or change the name slightly and use a
different email address to create a new training portal. There are several web services that provide
methods to create temporary emails.

5. If you use an existing trial, when you log in, the Quick Start page might not open. If the page
does not open, select Return to Quick Start in the lower left side of the home page.

© Copyright IBM Corp. 2018 71

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Appendix
Signing up for a trial account

Uempty
The Quick Start pane opens.

6. Click Get started.

The Quick Start Apple devices pane opens.

Note: When you have iOS devices, you must select Setup Apple enrollment to create and upload
an Apple Push Notification service (APNS) certificate. An APNS certificate is required for MDM
providers to manage iOS devices. The APNS can also be set up in the Services workflow when
you have service administrator access.

7. Click Skip for now.

© Copyright IBM Corp. 2018 72

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Appendix
Signing up for a trial account

Uempty
The Android Enterprise Setup pane is shown.

Note: Android offers device management through embedded enterprise tools sets. The Android
enterprise features differ from legacy device admin style MDM in that it is a unified management
feature, capable of securing all Android devices, regardless of OEM. The setup process creates a
bind between MaaS360 and Android services, so that devices can be uniformly configured,
secured, and enterprise enabled. The following covers initial setup, enrollment, and app
distribution.

8. To configure Android Enterprise, click Setup Android Enterprise.

The Setup Android Enterprise pane is displayed.

9. To enable, click Enable via Managed Google Play Accounts (no G Suite).

© Copyright IBM Corp. 2018 73

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Appendix
Signing up for a trial account

Uempty
The Sign up for Android Enterprise option is shown.

10. Click Sign up for Android Enterprise.

Follow the directions on the Google Play page. You must sign in with a gmail account. For
training, you can use any Google account. For a production implementation, do not use a
personal email account.

11. When complete, you are returned to the Setup Android Enterprise, click Continue.
The Managed Google Accounts is enabled.

12. Click Continue.

13. Review the Security Policy pane.

© Copyright IBM Corp. 2018 74

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Appendix
Signing up for a trial account

Uempty
In the Security Policy section, you can select standard security policies based on Basic,
Intermediate, and Advanced security settings. For example, the Basic policy enables only a
device passcode whereas the Strict policy includes a list of security restrictions. In this training,
you learn how to create policies that use your own settings.

14. To continue with standard settings, and configure the policies outside of the Quick Start, click
Select in the Not Sure tile.
The Configure native email pane is shown.

Note: The Quick Start provides a simple way to set up a native email configuration as part of the
overall quick start process. This training focuses on using the standard workflows that are used by
administrators to configure policy settings.

15. To set up native email or to set up Secure Mobile Mail, later within the device policy or
WorkPlace Persona Policy, click Skip for now.
The Enroll device pane is shown.

16. To enroll devices using standard MaaS360 workflows outside of the quick start process, click
Skip for now.
The Quick Start completed! pane is shown.

17. Click Go to Home Page.

The Home Page with tips to help navigate the portal and the Welcome to MaaS360 pane is
shown.

18. Review the navigation tips and learning guidance on the home page.

© Copyright IBM Corp. 2018 75

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Appendix
Signing up for a trial account

Uempty

Note: The Welcome to IBM MaaS360 pane directs you to learning that you can access on
demand by using the help icon in the upper right of the home page.

The portal home page opens.

19. You might need to scroll down in your browser to view all of the Watson Advisor insights, your
account information, and then return to quick start prompt.

© Copyright IBM Corp. 2018 76

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
 ®

© Copyright IBM Corporation 2018. All Rights Reserved.