[KB8206] Deploy ESET Endpoint Security for Android using ESET PROTECT On-Prem

Issue

Solution

ESET PROTECT On-Prem Mobile Device Management component is scheduled for End of Life

The last supported release of the MDM component for ESET PROTECT On-Prem is version 10.0.14.0. The MDM component will be removed in ESET PROTECT On-Prem version 11.1 (expected mid-year 2024). To migrate Android devices, use the CMDM migration tool. All other devices must be manually unenrolled from ESET PROTECT On-Prem and re-enrolled to ESET PROTECT CMDM. 

Do you manage Apple iOS devices?

I do not use ESET PROTECT On-Prem to manage my network: Perform these steps on individual client devices.

Prerequisites


Android devices enrolled via Microsoft Intune

When your Android device is enrolled via Microsoft Intune, ESET Endpoint Security for Android version 3.5 and later ignores the following settings when the corresponding policy is applied:


To enroll Android devices in ESET Mobile Device Connector (MDC), follow the steps in each section:

Existing MDM Policy

If you already have a Mobile Device Management (MDM) Certificate and MDM Policy, enroll your Android device. Sections I and II only need to be completed again if a change was made to the hostname, policy, or certificate after the initial Certificate or Policy creation. 

  1. Create an MDM Certificate
  2. Create an MDM Policy
  3. Register your Android device in ESET PROTECT On-Prem
  4. Enroll your Android device
  5. Create an Activation task for Android MDM

I. Create an MDM certificate

If you already have an MDM certificate, proceed to Section II: Create an MDM Policy.

MDM Certificate automatically created during some installations

The MDM certificate is automatically created if you used the all-in-one installation of ESET PROTECT Server with Mobile Device Connector or the Mobile Device Connector (Standalone) Installation.

To verify the existence of an MDM certificate, follow these steps:

  1. In the ESET PROTECT On-Prem Web Console, click Computers.

  2. Select the device on which Mobile Device Connector is installed and click Show Details.

  3. Click Configuration → Request Configuration. The ESET PROTECT On-Prem Mobile Device Connector configuration will be displayed. Select it and click Open Configuration to open it.

  4. Click General  HTTPS certificate to verify that the MDM certificate is being applied.

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Expand More, click Peer CertificateNewCertificate.

Figure 1-1
Click the image to view larger in new window
  1. In the Basic section, type the Description of the certificate and select Mobile Device Connector from the Product drop-down menu. Type the IP address or Hostname of the server where Mobile Device Connector is installed in the Host field and type the Passphrase into respective fields. In the Attributes (Subject) section, type the organization name used in ESET PROTECT On-Prem in the Organization name field. Click Continue.
If the MDM server does not have internet access and communications are port-forwarded from a router connected to an outside network

If the MDM server does not have internet access and communications are port-forwarded from a router connected to an outside network, use the IP address or Hostname of that router instead. You can also type in the IP address from the HTTPS certificate.

The Hostname in the HTTPS certificate must match the Hostname in the ESET Mobile Device Connector Policy

If you are using the hostname from the HTTPS certificate, you must also use this same hostname in the ESET Mobile Device Connector Policy.

Figure 1-2
Click the image to view larger in new window
  1. In the Sign section, click Select certification authority
Figure 1-3
Click the image to view larger in new window
  1. Select the check box next to the certification authority that you want to use and click OK.
Figure 1-4
Click the image to view larger in new window
  1. Click Finish and proceed to Create an MDM Policy

II. Create an MDM Policy

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Click PoliciesNew Policy.

Figure 2-1
Click the image to view larger in new window
  1. In the Basic section, type a name for the policy in the Name field (the Description field is optional). Click Continue.

  2. In the Settings section, select ESET Mobile Device Connector from the drop-down menu. Type the organization name used in ESET PROTECT On-Prem into the Organization field. This name will be used by the enrollment profile generator to update the profile. Click Change certificate next to HTTPS certificate.

Figure 2-2
Click the image to view larger in new window
  1. Click Open certificate list.

Changing the certificate used in your policy for MDM

When the certificate change is initiated, do not restart the MDM service or the MDM host device until the certificate change is completed. Restart during the certificate change may damage the process.

Figure 2-3
Click the image to view larger in new window
  1. Select the MDM Certificate created in Section I and click OK.
Figure 2-4
Click the image to view larger in new window
  1. In the Assign section, click Assign to display all Static and Dynamic Groups and their members. Select the check box next to the Mobile Device Connector instance to which you want to apply the policy and click OK.

Figure 2-5
Click the image to view larger in new window
Changing the HTTPS certificate for MDC

When changing the HTTPS certificate used in your policy for MDC, follow the steps below to avoid disconnecting mobile devices from your MDM:

  1. Create and apply the new policy that uses the new HTTPS certificate.

  2. Allow devices to check in to the MDM server and receive the new policy.

  3. Verify that devices are using the new HTTPS certificate (the HTTPS certificate exchange is completed).

  4. Allow at least 72 hours for your devices to receive the new policy. After all the devices have received the new policy (MDM Core alert "HTTPS certificate change still in progress. The old certificate is still being used" is no longer displayed in the Alerts tab), you can delete the old policy.

  1. When you are finished, proceed to Section III: Register your Android device in ESET PROTECT On-Prem and send an enrollment link.

III. Register your Android device in ESET PROTECT On-Prem and send an enrollment link

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Click Computers, select the group to which you want to add your mobile device and then click Add New → Mobile devices.

Figure 3-1
Click the image to view larger in new window
  1. In the Basic section, ensure that Android or iOS/PadOS is selected. Select the check box next to I accept the End User License Agreement and acknowledge the Privacy Policy and click Continue
Figure 3-2
Click the image to view larger in new window
  1. In the Distribution section, select Enrollment via email and click Configure server settings. Enroll a single device at a time
Figure 3-3
Click the image to view larger in new window
Configure SMTP server settings

Before you can add multiple devices using mass enrollment, you must set up the Simple Mail Transfer Protocol (SMTP) server.

Click the toggle next to Use SMTP server to enable it. Complete the required fields as shown in Figure 3-4. To verify that everything works correctly, click Send test email. If you get the Test email has been successfully sent notification, check your mailbox. If you receive the test email, everything is working correctly. Click Save to save the changes and click Computers.

Figure 3-4
Click the image to view larger in new window
  1. Follow steps 2–3 of this section again. Select Enrollment via email and click Continue.
Figure 3-5
Click the image to view larger in new window
  1. In the List section, click Add.

Figure 3-6
Click the image to view larger in new window
Import a CSV file

To simplify the mass enrollment process, prepare a comma-separated values (CSV) file with all the required data.

  1. To import the CSV file, click MoreImport CSV. The CSV file should be formatted as shown in the example below:

Email Address,Device Name,Description

Example1@domain.com,Samsung S20,Manager's phone

Example2@domain.com,OnePlus 9,Engineer's phone

Example3@domain.com,Samsung S10e,Intern's phone

Figure 3-7
Click the image to view larger in new window
  1. In the Upload section, click Choose File to select the CSV file to upload. After the file is selected, click Upload. Verify that there is a green check mark next to Choose File button. Click Continue.
Figure 3-8
Click the image to view larger in new window
  1. In the Delimiter section, select the delimiters that will divide the data in the CSV file from the drop-down menu (in this example, a comma is selected), or select the check box next to Other and specify the delimiter that is in your CSV file. Check the output from the CSV file in the Data Preview section. Click Continue.
Figure 3-9
Click the image to view larger in new window
  1. In the Column mapping section, select the check box next to First line of CSV contains headings to separate the headings (if applicable) in your CSV file. In the CSV column section, use the drop-down menu to select the data types in your uploaded CSV file. Preview the results in the Table Preview section. When you are finished, click Import to import the data.

Figure 3-10
Click the image to view larger in new window
  1. Type in the Device name and Email Address (this email address will be used to deliver the enrollment email message). The Description field is optional. To assign a specific user, click Pair with existing user to match it to an existing Computer User. Click the Save icon to save the device. Click Customize email if you want to make changes to the enrollment email. To add another device, click Add. Click Continue when you are finished adding devices.

Figure 3-11
Click the image to view larger in new window
  1. In the Enrollment section, click Send. The enrollment link will be sent to chosen devices.
Figure 3-12
Click the image to view larger in new window
Enroll a single device
  1. Follow steps 2-3 of Register your Android device in ESET PROTECT On-Prem and send an enrollment link section above.

  2. In the Distribution section, select Enrollment via QR code and click Continue.

Figure 3-15
Click the image to view larger in new window
  1. In the List section, click Add.
Figure 3-16
Click the image to view larger in new window
  1. Type the Device name and Email address in the appropriate fields. The Description field is optional. To assign a specific user, click Pair with existing user to match it to a designated policy. Click the Save (floppy disk) icon to save the device. To add another device, click Add. Click Continue when you are finished adding devices.
Figure 3-17
Click the image to view larger in new window
  1. In the Enrollment section, the preview window will display a summary of the enrollment, including the download link and the QR code. Send the enrollment link to the mobile device using email or an instant messaging application if the device is not physically present. If the device is physically present, scan the QR code with the mobile device and proceed to Section IV: Enroll your Android device and deploy ESET Endpoint Security for Android. To enroll another device, click Finish and repeat the process described in this sub-section.
Figure 3-18
Click the image to view larger in new window

IV. Enroll your Android device and deploy ESET Endpoint Security for Android

  1.  On the mobile device, open the enrollment email that was sent in Section III above and tap the enrollment link.
Figure 4-1
'Your Connection is not private' error message

If you do not use SSL protocol, you may be notified that the enrollment link is not private. If you receive this notification, tap Advanced and on the next screen, tap Proceed to hostname (Unsafe).

Figure 4-2
  1. Tap Connect.
Figure 4-3
  1. You will be redirected to the Google Play Store. Tap Install and wait for the installation to finish. Tap Open.
Figure 4-4
  1. Tap Continue and tap AllowAllow.

Figure 4-5
Click the image to view larger in new window
  1. Tap AllowAllow.
Figure 4-6
  1. Tap Allow if you want to allow the ESET LiveGrid feedback system.

Figure 4-7
  1. Type your name into the Name field and tap Save. This will help the administrator recognize your device.
Figure 4-8
  1. Tap Continue and tap the toggle next to Allow permission to enable it.

Figure 4-9
  1. Tap Enable to enable uninstall protection. Uninstall protection restricts unauthorized users from uninstalling ESET Endpoint Security for Android.

Figure 4-10
  1. Tap Activate to activate the Admin app.

Figure 4-11
  1. Tap Continue → ESET Endpoint Security for Android. Tap the toggle next to Allow usage tracking to enable it.

Figure 4-12
Click the image to view larger in new window
  1. Tap Finish to activate ESET Endpoint Security for Android as Device Administrator.

Figure 4-13
  1. The Android device is now protected.

Figure 4-14
  1. Proceed to Section V: Create activation task for Android MDM.
Reboot or wake up

Reboot or wake up reconnect the device. Android connects to MDM approximately every hour.

Unactivated devices

Devices that are not activated will have the red "License not activated" protection status and will refuse to handle tasks, set policies and deliver non-critical logs. Tasks sent to the unactivated device will fail with the error "License not activated." Policies and logs will fail silently.


V. Create activation Task for Android MDM

After completing sections I–IV above, the device will appear in the Computers section of ESET PROTECT On-Prem under Lost & Found and will automatically be added to the dynamic group Mobile devices → Android devices.

Follow the instructions to activate ESET business products using ESET PROTECT On-Prem.