Lenovo Tp Tablet Deployment Guide User Manual Think Pad Type 1839

2014-03-20

User Manual: Lenovo Tp Tablet Deployment Guide Deployment Guide - ThinkPad Tablet ThinkPad Tablet - Type 1839 ThinkPad Tablet, 1839

Page Count: 26

ThinkPad Tablet Deployment Guide


Note: Before using this information and the product it supports, read the general information in Appendix A
“Notices” on page 17.

First Edition (August 2011)
© Copyright Lenovo 2011.
LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration
“GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.

Contents
Chapter 1. Overview
    Lenovo Device Policy Manager Service
Chapter 2. Configuration
    XML configuration files
    Active Directory domain server
    Configuration Profile Sign and Encrypt Utility
    Lenovo Profile Manager
Chapter 3. Using Microsoft Exchange ActiveSync
Chapter 4. Lenovo Mobility Manager
Appendix A. Notices
    Trademarks

Chapter 1. Overview
The Lenovo ThinkPad Tablet lets you configure and manage the tablet using the same tools that you already
use within your enterprise. You can control tablet functions and enable corporate security features such as
passwords, encryption, and digital signatures.
You can push down configuration or policy settings to the ThinkPad Tablet in these ways:
• Microsoft Exchange ActiveSync
• An XML configuration file
• Lenovo Mobility Manager

Here is the information flow for the ThinkPad Tablet:

Figure 1. ThinkPad Tablet flow

Microsoft Exchange is used as the corporate email communication method.
You can create or modify an XML file using either a text editor or an XML editor and push it down to the
ThinkPad Tablet through the Lenovo Configuration File Handler APK. Or you can use the Lenovo Mobility Manager
Suite to manage your users' ThinkPad Tablets using the supplied Lenovo Mobility Manager APK. Settings from
either method are then passed through the Lenovo Device Policy Manager Service. For more information, see
“Lenovo Device Policy Manager Service” on page 2.

Lenovo Device Policy Manager Service
The Device Policy Manager Service handles the management of the ThinkPad Tablet. This component
provides an interface that allows management tools, such as ActiveSync, an XML file, or Lenovo Mobility
Manager to configure device features, such as WiFi profiles and device policies.

This interface allows you to push the following configurations to the ThinkPad Tablet:
• WiFi profiles
• WiFi access point filters
• WiFi radio power settings
• Microsoft Exchange E-mail server configuration
• VPN configuration
• ActiveSync server configuration
• Device feature disable, including:
– Camera
– USB port
– SD card
– Microphone
– Pen
– Bluetooth
– WiFi
• Client certificates
• Web proxy
• SD card encryption
• Android Password policies


Chapter 2. Configuration
The ThinkPad Tablet allows you to configure the corporate services that users need by specifying
configuration settings in XML files. When these XML files are delivered to users and imported by the ThinkPad
Tablet, the settings are applied by the ThinkPad Tablet. Configuring the ThinkPad Tablet with XML files helps
make it easier for users to connect to their corporate networks and accounts, and quickly be productive.

XML configuration files
The ThinkPad Tablet allows you to configure corporate services for users by specifying configuration settings
in the XML file. When these XML files are delivered to users and loaded on the ThinkPad Tablet, the settings
are automatically applied by the tablet. Configuring the ThinkPad Tablet with XML files makes it easier for the
user to connect to corporate networks and accounts.
Using the XML file, you can configure the following:
• Microsoft Exchange e-mail server
• Virtual Private Network (VPN)
• Wireless Network Settings
• Digital certificates
• Active Directory domain server
• Device Policies
You can create a single, common XML configuration file for multiple users. The XML file may contain, for
example, the configuration settings for the secure corporate wireless network, the CA certificate for the
wireless network, and the address of the corporate Exchange server. You can make this XML file available to
the user by sending it to the user’s personal e-mail account, which the user can access using an unsecured
visitor network connection, or the user’s home internet connection. Or you can also put the XML configuration
file on a Web server, making it accessible to any user that already has the proper intranet credentials.
Once the XML configuration file is received by the user, that user simply taps the file and the Lenovo
Configuration Profile Handler is launched to import and apply the configuration settings on the device. The
user may be prompted to enter personal logon credentials if they were not included in the configuration file,
but all of the common server information and settings will be predefined for the user.
You can secure the XML configuration file by digitally signing and/or encrypting it. Encrypting helps ensure
that sensitive data included in the configuration file, such as passwords, cannot be read by unauthorized
users. Digital signatures help ensure that the contents of the file are not changed in any way.
The Configuration Profile Sign and Encrypt Utility allows signing of the configuration profile with an
embedded private key. The utility also allows the file to be encrypted using an encryption key derived
from the password provided to the utility.
The XML configuration file naming convention always has a file extension of .lenovoconfig, so that the
ThinkPad Tablet will recognize it as a configuration file. The file consists of three parts:
1. LenovoConfigSettings
2. LenovoPolicySettings
3. AndroidPolicySettings

The LenovoConfigSettings section provides control for the security and encryption for the ThinkPad Tablet. It
imports configuration settings such as WiFi profiles, corporate domain servers, virtual private networks, and
certificates. Once these are applied, they cannot be deleted.
The LenovoPolicySettings section allows you to set controls for the various functions of the ThinkPad tablet
such as the camera, microphone, SD cards and Bluetooth, and Wifi radios. Any of these functions can be
enabled or disabled depending on your corporate policy.
The AndroidPolicySettings section is used to set up policy settings supported natively by Android, including
storage encryption, password length, and the number of numbers and letters required.
Note that a UUID is required for each XML file that you create. If you want to overwrite or remove any existing
policies, you can send down a new file with the same UUID as the existing applied policy, and it will overwrite
the existing file. Since multiple XML files (with different UUIDs) can be resident on the ThinkPad Tablet, the
file with the strongest policies will be applied. For example, if you have an XML file that requires only a
numeric password and another file with a different UUID that requires a longer, alphanumeric password, the
file with the alphanumeric password will be applied.
The following tables provide information on settings for the XML file. The table headers are:
• Setting - The setting in the XML file that you can use to require a user to log in to a corporate server, or
to allow or prevent the user from using a certain function of the device.
• Parameter - The fields in the setting that you assign a value to or leave for the user to fill in.
• Value - The required value you need to enter for that field, such as server address, user ID, Yes/No, and
so on.
• Notes - Any special notes that apply to a setting.
Table 1. LenovoConfigSettings

Setting                         Parameter               Values                              Notes
Email Account / Domain Server   • Type                  Exchange                            Microsoft Exchange is the only supported email type at this time.
                                • SSL                   Yes/No
                                • AcceptAllCerts        Yes/No
                                • ServerAddress         Server address                      Server address is required
                                • UserID                User ID                             Optional
                                • Password              Password                            Optional

Certificate Type                • Type                  Root/User                           Certificates may be included in the XML file in a Base-64 encoded format.
                                • Name                  Certificate Name
                                • Filename/Encoded      ?

VPN                             • PPTP                  Point-to-Point Tunneling Protocol
                                  – Name                Protocol names
                                  – Server              Server IP address
                                  – OverwriteIfExists   Yes/No
                                  – DNSSearchDomain     Domain IP address
                                  – DNSSearchDomain     Domain IP address
                                  – Encryption          Yes/No
                                • L2TP                  Layer 2 Tunnel Protocol
                                  – Name                Name of the server
                                  – Server              Server IP address
                                  – OverwriteIfExists   Yes/No
                                  – DNSSearchDomain     IP address
                                  – Encryption          Yes/No
                                • L2TPIPSecPSK          Android PSK
                                  – Name                PSK name
                                  – Server              Server URL
                                  – OverwriteIfExists   Yes/No
                                  – Secret              Password
                                  – IPSecPresharedKey   Preshared Key
                                • L2TPIPSecCrt          L2TPIPSecCrt
                                  – Name                CRT Name
                                  – Server              URL
                                  – OverwriteIfExists   Yes/No
                                  – DNSSearchDomain     Domain IP address
                                  – DNSSearchDomain     Domain IP address
                                  – UserCertificate     Certificate name
                                  – CaCertificate       Certificate info
                                • AnyConnect            AnyConnect
                                  – Name                VPN names
                                  – Host                Host IP address
                                  – OverwriteIfExists   Yes/No
                                  – UserCert            Yes/No
                                  – CertCommonName      Certificate name

Table 2. LenovoPolicySettings

Setting          Field                 Values                   Notes
DeviceControl    • Camera              Allow/Block
                 • SDCardSlot          Allow/Block
                 • Mic                 Allow/Block
                 • Bluetooth           Allow/Block
                 • Dataroaming         Allow/Block
                 • USBPort             Allow/Block
                 • MicroUSBPort        Allow/Block
                 • SDCardSlot          Allow/Block
                 • UnknownSources      Allow/Block
                 • USBDebugging        Allow/Block
                 • Wifi                Allow/Block
                 • HDMI                Allow/Block
                 • Tethering           Allow/Block
                 • Hotspot             Allow/Block

SecurityPolicy   • SDCardEncryption    Not required/Required
                 • ADScreenLock        Not required/Required

Table 3. AndroidPolicySettings

Setting             Field                   Values
StorageEncryption                           Required/Not required

Password            • maxFailuresForWipe    Number of failures before device is wiped
                    • maxTimeToLock         Number in milliseconds
                    • expirationTimeout     Number in milliseconds
                    • historyLength         Number of previous passwords
                    • minLength             Minimum character length
                    • minLetters            Minimum number of letters
                    • minLowercase          Minimum number of lowercase letters
                    • minNonletters         Minimum number of nonletters
                    • minNumeric            Minimum numeric digits
                    • minSymbols            Minimum symbols
                    • minUppercase          Minimum Uppercase letters
                    • Quality               Set password restrictions such as numerics and alphanumerics


For more information on Android Policy Settings, see
http://www.google.com/support/a/bin/answer.py?answer=1056433&topic=14576
Here is a sample XML file:



Sample policy David Rivera Manual
yes no gmail.com t.cloud09@gmail.com
dc.lenovo.com drivera
Corporate CA Cert (Base-64 encoded certificate data)
MyPPTPVPN pptp.server.com yes 10.10.10.10 11.11.11.11 no
MyL2TPVPN l2tp.server.com no 12.12.12.12 123456789A
MyL2TPIPSecPSKVPN ipsecpsk.server.com FEDCBA987654 MyPreshardKey
MyL2TPIPSecCRTVPN ipseccrt.server.com 13.13.13.13 14.14.14.14 David Rivera Cert Corporate CA Cert
MyCiscoVPN 20.20.20.20 yes David Rivera Cert
MyHomeNetwork MyHome Infrastructure Shared None 1 MyWEPKey
MyOfficeNetwork MyOffice Infrastructure Open WPA_PSK somepresharedsecret RSN
10.10.10.34 8080
MyOffice MyHome WEP CoffeeShop
Allow Allow Allow Allow Block Allow Allow Allow Block Allow Allow Allow Block Block
Required –> Not required Not required Not required
10 5000 7776000000 5 8 2 1 1 3 1 1 393216
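
Added example (not part of the Lenovo guide): a pre-deployment check that flags risky values in a profile before it is signed, encrypted, and sent to users. It assumes the setting and parameter names from Tables 1-3 appear as XML element names; the nesting in the constructed sample and the rule list are assumptions, because the Lenovo schema is not reproduced in this guide.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names reuse the setting and parameter names from
# Tables 1-3; the nesting is an assumption, not the Lenovo schema.
SAMPLE = """<LenovoConfig>
  <LenovoConfigSettings>
    <EmailAccount>
      <Type>Exchange</Type><SSL>no</SSL><AcceptAllCerts>yes</AcceptAllCerts>
      <ServerAddress>mail.example.com</ServerAddress>
      <UserID>jdoe</UserID><Password>constructed-secret</Password>
    </EmailAccount>
    <VPN><PPTP><Name>OfficeVPN</Name><Server>192.0.2.10</Server></PPTP></VPN>
  </LenovoConfigSettings>
  <LenovoPolicySettings>
    <DeviceControl>
      <Camera>Block</Camera><UnknownSources>Allow</UnknownSources>
      <USBDebugging>Block</USBDebugging>
    </DeviceControl>
  </LenovoPolicySettings>
  <AndroidPolicySettings>
    <StorageEncryption>Required</StorageEncryption>
    <Password><minLength>8</minLength></Password>
  </AndroidPolicySettings>
</LenovoConfig>"""

# (parameter name, risky value in lower case) -> why a reviewer should look at it.
VALUE_RULES = {
    ("SSL", "no"): "SSL is turned off for the Exchange connection",
    ("AcceptAllCerts", "yes"): "server certificate validation is disabled",
    ("UnknownSources", "allow"): "installing apps from unknown sources is permitted",
    ("USBDebugging", "allow"): "USB debugging is permitted",
    ("StorageEncryption", "not required"): "device storage may stay unencrypted",
    ("SDCardEncryption", "not required"): "SD card contents may stay unencrypted",
}
# Parameters from Table 1 that carry a secret when they hold a value.
SECRET_PARAMS = {"Password", "Secret", "IPSecPresharedKey"}
# VPN types from Table 1 that no longer give meaningful confidentiality.
WEAK_VPN_TYPES = {"PPTP": "PPTP is a legacy protocol with known-broken authentication"}


def local_name(tag):
    """Drop an optional '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text, will_be_encrypted=False):
    """Return (parameter, reason) findings in document order.

    will_be_encrypted: set True when the profile is encrypted with the
    Configuration Profile Sign and Encrypt Utility before delivery; embedded
    secrets are then not reported. Intended for profiles you author yourself.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local_name(el.tag)
        value = (el.text or "").strip()
        is_leaf = len(el) == 0  # 'Password' is also a container in Table 3
        if is_leaf and (name, value.lower()) in VALUE_RULES:
            findings.append((name, VALUE_RULES[(name, value.lower())]))
        elif is_leaf and name in SECRET_PARAMS and value and not will_be_encrypted:
            findings.append((name, "secret stored in a profile that is not encrypted"))
        elif name in WEAK_VPN_TYPES:
            findings.append((name, WEAK_VPN_TYPES[name]))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```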
The ThinkPad Tablet XML schema can be found on the Lenovo Website at www.lenovo.com/support.

Active Directory domain server
An exclusive feature of the Lenovo ThinkPad Tablet is that you can use Microsoft Active Directory to allow the
user to unlock the ThinkPad Tablet using corporate credentials. You set the XML file to require an Active
Directory logon, and the user touches Settings->Location & Security->Configure lock screen->Corporate logon.
The user enters the domain name or IP address, user name, and password. After this, the user can only use the
Active Directory domain credentials to unlock the machine.

Configuration Profile Sign and Encrypt Utility
IT administrators can secure the XML configuration file by digitally signing and/or encrypting it. Encrypting
helps ensure that sensitive data included in the configuration file, such as passwords, cannot be read by
unauthorized parties. Digital signatures help ensure that the contents of the file are not tampered with.
The Configuration Profile Sign and Encrypt Utility allows signing of the configuration profile with an
embedded private key. The utility will also allow the file to be encrypted using an encryption key derived
from the password provided to the utility.
This component is intended only for the preparation of the XML configuration file for deployment to devices.
It is available at www.lenovo.com/support; click Download Drivers & Software.

Lenovo Profile Manager
The Lenovo Profile Manager is an Android application (APK) that is preloaded on the ThinkPad Tablet. This APK
takes XML configuration files, has the configuration and policy settings applied, and displays information
about new and installed configuration profiles.
A configuration file received by the ThinkPad Tablet must have a specific file extension (.lenovoconfig). The
Lenovo Profile Manager is registered as the handler for files with this extension.
When a file with this extension is received on the device and tapped by the user, the XML Configuration
Profile Handler will run. The Lenovo Profile Manager calls into the Lenovo Device Policy Manager Service to
perform an initial parse of the contents of the file. The initial parse:
• Verifies that the XML file contents are valid against the schema
• Determines what settings are included in the file
The Lenovo Profile Manager is registered as an Android Device Administration Receiver using the native Android
capabilities.
The Lenovo Profile Manager also displays information about the installed profiles to the user. When the user
touches Settings->Location & security->Configuration profiles, a list of installed profiles will be displayed
using the “DisplayName” property of the configuration file. If no profiles are installed, the application will
display the message “No configuration profiles have been applied.” If multiple profiles are installed, the
user will see a list of them. The device will show which policy is the applied policy at the bottom of the
page. If the user selects an installed profile from the list, the details of the configuration settings in
that list will be displayed.
All installed profiles are displayed by the Configuration Profile Handler. This allows the user to view all
configuration settings that have been applied. The profile display also allows the user to remove selected
profiles. Only configuration profiles that were installed by the Lenovo Profile Manager can be removed by the
user, as long as you did not set the property indicating that the policy cannot be removed. Configuration
settings that were not set by the Lenovo Profile Manager will be displayed, but cannot be removed by the user.
The Lenovo Profile Manager also calls into the Lenovo Device Policy Manager Service to retrieve the list of
installed profiles, their source, and whether each profile is allowed to be installed.

Chapter 3. Using Microsoft Exchange ActiveSync
The ThinkPad Tablet includes support for Microsoft Exchange ActiveSync. ThinkPad Tablets can be managed with
Microsoft Exchange ActiveSync in the same way as other mobile devices.
Microsoft Exchange ActiveSync offers pushmail capability for mobile devices. In addition to pushing e-mail and
calendar entries, ActiveSync allows you to push device policies. The ThinkPad Tablet supports the following
Exchange ActiveSync controls:
• Remote wipe
• Password policies
• Device encryption
• Camera
• Wi-Fi
• Bluetooth
• Sync from PC
• Removable storage
• SD card encryption
Once a ThinkPad Tablet is configured to connect to the Exchange server, policy settings pushed to the device
from the Exchange server are automatically applied, ensuring that the device maintains the security settings
that your IT department requires.
The ThinkPad Tablet e-mail client includes support for Exchange ActiveSync policies. These policies are for
password enforcement and for device encryption. Those settings natively supported by Android, including
password and device encryption, are supported without change by Lenovo.
This component extends the native ActiveSync capability built into the e-mail client to support additional
device policies not natively supported by Android. The additional ActiveSync policies supported on the
ThinkPad Tablet include:
• Removable storage (USB port and SD card enable/disable)
• Camera
• WiFi
• Desktop synchronization (micro USB enable/disable)
• Bluetooth (only Bluetooth enable/disable is supported. If you set Bluetooth to “Handsfree only” in the
ActiveSync console, it disables the Bluetooth radio).

Chapter 4. Lenovo Mobility Manager
Lenovo has a mobility management plug-in that enables you to:
• Discover devices, without an agent at the point of data access, through Microsoft Exchange ActiveSync
systems
• Know which users are consuming corporate data and what devices they are using
• Push down corporate management and security settings to out-of-policy devices
• Wipe data using a single user-based policy from devices that are lost or stolen or when someone leaves your
organization
• Improve business processes for reclaiming corporate IT assets and proprietary information as in the case of
employee termination
The Lenovo Mobility Manager requires the user to log in to the configuration server using a PIN, which the
user retrieves by logging in to a PIN server from a PC. The user authenticates to the PIN server using
corporate credentials, and supplies that PIN when logging on to the Lenovo Mobility Manager configuration
server from his ThinkPad Tablet. After connecting to the configuration server, the IT-provided configuration
information is pushed to the device and the device is automatically configured.
To use the Mobility management tools, the following prerequisites are required:
• Lenovo ThinkManagement Console Version 9.0 with SP2 or later.
• For Exchange-enabled devices, you must have installed the Exchange Management Tools, available as an option
from within the Microsoft Exchange installation.
• Windows Communication Foundation (WCF) and Internet Information Services (IIS) must be installed and
registered.
When a mobile device logs in to synchronize e-mail, contact, and calendar information, it does so using an
existing Outlook mailbox account.
Once the device has logged in, the Exchange server stores identifying information in its database, including
the Device ID, owner, the date/time it logged in, and so on. That information can then be retrieved from the
Exchange server and displayed in the Mobility management tool.

Appendix A. Notices
Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult
your local Lenovo representative for information on the products and services currently available in your
area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that
Lenovo product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any Lenovo intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any other product, program, or service.
Lenovo may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents. You can send license inquiries, in
writing, to:
    Lenovo (United States), Inc.
    1009 Think Place - Building One
    Morrisville, NC 27560
    U.S.A.
    Attention: Lenovo Director of Licensing
LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions,
therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any
time without notice.
The products described in this document are not intended for use in implantation or other life support
applications where malfunction may result in injury or death to persons. The information contained in this
document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall
operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or
third parties. All information contained in this document was obtained in specific environments and is
presented as an illustration. The result obtained in other operating environments may vary.
Lenovo may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Any references in this publication to non-Lenovo Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this Lenovo product, and use of those Web sites is at your own risk.
Any performance data contained herein was determined in a controlled environment. Therefore, the result in
other operating environments may vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of
this document should verify the applicable data for their specific environment.

Trademarks
The following terms are trademarks of Lenovo in the United States, other countries, or both:
    Lenovo
    The Lenovo logo
    ThinkPad
    ThinkVantage
Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and
other countries.
Microsoft, Active Directory, ActiveSync, and Windows are trademarks of the Microsoft group of companies.
Other company, product, or service names may be trademarks or service marks of others.
