<<<<<<<<<<<<<>>>>>>>>>>>>>> Trend Micro Confidential - For Internal Use Only Trend Micro Inc., 2004-2014. All Rights Reserved. September 29, 2014 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) Mobile Security for Enterprise Version 9.0 Service Pack 2 (SP2) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) Mobile Security for Enterprise v9.0 SP2 uses the latest security technologies to defend against threats to mobile devices. Integrated filters can also block unwanted telephone calls and text messages. Mobile Security also provides Web Security that can help protect you from online fraud like phishing and pharming by blocking access to risky sites on the Web. The logon password protection helps protect your mobile device from an unathorized access. This version of Mobile Security offers the following features: - Supports multiple platforms, including iOS, Android, Windows Phone and BlackBerry. - Scheduled or manual component updates from the Trend Micro Mobile Security server to ensure up-to-date pattern, security policies, and program versions - Logon authentication to prevent unauthorized access to mobile device - Uninstallation protection using a preset password - Award-winning anti-malware scanning technology for mobile malware threats - Web Security to ensure safe Internet browsing - SMS filtering to block unwanted text messages - Call filtering feature to block calls from unwanted and anonymous callers - Comprehensive logs tracking scan results, security threats found, text messages and calls filtered, firewall rules enforced, and other events - Enables the administrator to: - provision Wi-Fi settings and control various features on mobile devices - enforce password authentication and configure password complexity - allow or block the installation of certain applications on mobile devices - create a list of apps for the users to install on mobile devices through Enterprise Applications - lock, locate or wipe the data off the mobile device remotely - authenticate a batch of mobile devices using their IMEI numbers and/or Wi-Fi MAC addresses. Contents ===================================================================== 1. Product Version Information 2. System Requirements and Compatibility List 3. Installation 4. What's New 5. Known Issues 6. About Trend Micro 7. Contact Information ===================================================================== 1. Product Version Information ======================================================================== Server Build: 9.0.0.3113 Android Client Build: 9.0.0.1221 iOS Client Build: 2.0.0.1140 2. System Requirements and Compatibility List ======================================================================== Trend Micro Mobile Security for Enterprise 9.0 SP2 requires the following hardware and software specifications on the computers where it is installed: 2.1 Mobile Security Management Server: ===================================================================== Hardware ~~~~~~~~ - 1-GHz Intel(TM) Pentium(TM) processor or equivalent - At least 1-GB of RAM - At least 400-MB of available disk space Platform ~~~~~~~~ - Microsoft Windows 2003 Server Family - Microsoft Windows 2003 R2 Server Family - Microsoft Windows 2008 Server Family - Microsoft Windows 2008 R2 Server Family - Microsoft Windows 2012 Server Family - Microsoft Windows 2012 R2 Server Family Recommended Platform ~~~~~~~~ - Windows Server 2003 R2 Enterprise Edition - Windows Server 2003 Enterprise Edition - Windows Server 2008 R2 Enterprise Edition - Windows Server 2008 Enterprise Edition SP1 - Windows Server 2008 Standard Edition - Windows Web Server 2008 Edition SP1 2.2 Mobile Security Communication Server ===================================================================== Hardware ~~~~~~~~ - 1-GHz Intel(TM) Pentium(TM) processor or equivalent - At least 1-GB of RAM - At least 40-MB of available disk space Platform ~~~~~~~~ - Microsoft Windows 2003 Server Family - Microsoft Windows 2003 R2 Server Family - Microsoft Windows 2008 Server Family - Microsoft Windows 2008 R2 Server Family - Microsoft Windows 2012 Server Family - Microsoft Windows 2012 R2 Server Family Recommended Platform ~~~~~~~~~~~~~~~~~~~~ - Windows Server 2008 R2 Enterprise Edition - Windows Server 2008 Enterprise Edition SP1 - Windows Server 2003 R2 Enterprise Edition - Windows Server 2003 Enterprise Edition - Windows Server 2008 Standard Edition - Windows Web Server 2008 Edition SP1 2.3 Mobile Security Exchange Connnector ===================================================================== Platform ~~~~~~~~ - Windows Server 2008 R2 (64-bit) - Windows Server 2012 (64-bit) - Windows Server 2012 R2 (64-bit) Hardware ~~~~~~~~ - 1-GHz Intel(TM) Pentium(TM) processor or equivalent - At least 1-GB of RAM - At least 200-MB of available disk space 2.4 SMS Sender ===================================================================== Operating System ~~~~~~~~~~~~~~~~ - Android 2.1 Eclair - Android 2.2 Froyo - Android 2.3 Gingerbread - Android 3.0 Honeycomb - Android 4.0 Ice Cream Sandwich - Android 4.1 Jelly Bean - Android 4.2 Jelly Bean - Android 4.3 Jelly Bean - Android 4.4 KitKat 2.5 SQL Server ===================================================================== - Microsoft SQL Server 2005/2008/2008 R2/2012/2005 Express/2008 Express/ 2008 R2 Express/2012 Express 2.6 BlackBerry Enterprise Server ===================================================================== - BES 5.x 2.7 iOS Mobile Device ===================================================================== Operating system ~~~~~~~~~~~~~~~~ - iOS 4.3 - iOS 5.x - iOS 6.x - iOS 7.x - iOS 8.0 Storage space ~~~~~~~~~~~~~ 3-MB minimum 2.8 Android Mobile Device ===================================================================== Operating system ~~~~~~~~~~~~~~~~ - Android 2.1 Eclair - Android 2.2 Froyo - Android 2.3 Gingerbread - Android 3.0 Honeycomb - Android 4.0 Ice Cream Sandwich - Android 4.1 Jelly Bean - Android 4.2 Jelly Bean - Android 4.3 Jelly Bean - Android 4.4 KitKat Storage space ~~~~~~~~~~~~~ 8-MB minimum 2.9 Windows Phone Mobile Device ===================================================================== Operating system ~~~~~~~~~~~~~~~~ - Windows Phone 8.0 - Windows Phone 8.1 3. Installation Overview ======================================================================== Note: Trend Micro cannot guarantee compatibility between Mobile Security and file system encryption software. Software products that offer similar features, such as anti-malware scanning, SMS management, and firewall protection, may also be incompatible with Mobile Security. You may be prompted to uninstall these software products before you can install Mobile Security on your mobile device. ------------------------------------------------------------------------ This section explains the key steps for installing this product. For detailed installation steps, refer to the Installation and Deployment Guide. Mobile Security for Enterprise 9.0 SP2 consists of five components: Mobile Security Management Server, Mobile Security Communication Server, SMS Sender, Exchange Connector, and Mobile Device Agents (the Mobile Security clients). Depending on your network topology and needs, you may install the necessary components. Mobile Security Management Server --------------------------------------------------------------------- Mobile Security Management Server allows you to control Mobile Device Agents from the administration Web console. Once mobile devices are enrolled with the server, you can configure Mobile Device Agent policies and perform updates. Mobile Security Communication Server --------------------------------------------------------------------- Mobile Security Communication Server handles communications between the Mobile Security Management Server and Mobile Device Agents. Mobile Device Agents can connect to the public IP address of the Communication Server. Mobile Security for Enterprise 9.0 SP2 supports two types of Communication Servers: Local Communication Server (which is installed in the local network) and the Cloud Communication Server (which is installed in the cloud and maintained by Trend Micro. Trend Micro Exchange Connector --------------------------------------------------------------------- You can install Exchange Connector if you want to manage Windows Phone, Android or iOS mobile devices that use Microsoft Exchange ActiveSync service. SMS Sender --------------------------------------------------------------------- You can install an SMS sender if you want to use the SMS messaging feature for notifications. Mobile Device Agent (Mobile Security Client) --------------------------------------------------------------------- Install the Mobile Device Agent (the Mobile Security client program) on supported platforms using one of the following methods: - SMS message notification - Email notification - Memory card - Manual installation 4. What's New ======================================================================== The following new features are available in Mobile Security for Enterprise v9.0 SP2: - Samsung KNOX Workspace Management: Adds support for Samsung KNOX workspace - Apple iOS Management Features Enhancement: The following enhancements are made in this release: - The administration Web console displays additional information for iOS 7 or above mobile devices. - More commands are included for iOS mobile device management. - AirPlay and AirPrint policy provisioning is added in this release. - Cellular policy is added to configure APN settings on iOS mobile devices. - Themes are added to set wallpapers on iOS mobile devices. - New feature lock options added for iOS 7 or above mobile devices. - Windows Phone Support: Adds support for Windows Phone. - Removed Windows Mobile and Symbian support: The support for Windows Mobile and Symbian is removed in this version. - Enterprise App Store Enhancement: The following enhancements are made in the Enterprise App Store in Trend Micro Mobile Security: - Displays hot apps on the Enterprise App store and the installed apps on mobile device. - Improved application search on the app store - Allows administrators to set specific applications as invisible for specific policies. - Improved Command Queue Management: Enables administrators to purge command queue manually or on a pre-determined schedule. - Improved Mobile Device Agent Tasks: Provides option to selective wipe rooted or jailbroken mobile devices. - Improved Mobile Device Status Display: When the mobile device status changes to Inactive, the mobile device status screen displays the reason of the change in the status. Refer to the Administrator's Guide for details. 5. Known Issues ======================================================================== Note: Trend Micro cannot guarantee compatibility between Mobile Security and file system encryption software. Software products that offer similar features, such as anti-malware scanning, SMS management, and firewall protection, may also be incompatible with Mobile Security. You may be prompted to uninstall these software products before you can install Mobile Security on your mobile device. The known issues for server in this release are as follows: 5.1 The status of mobile device that is displayed in the Mobile Security server is not "Inactive", even after: - the Android Mobile Device Agent is uninstalled. - the iOS "MDM Enrollment Profile" is removed from the mobile device. --------------------------------------------------------------------- This can happen if Android Mobile Device Agent is uninstalled or the iOS "MDM Enrollment Profile" is removed from the mobile device when it was not connected to the network. Therefore, the Mobile Security server keeps displaying the mobile device in the Device list even after the Mobile Security client is uninstalled on the mobile device. However, the mobile device status changes to "Out of Sync". 5.2 Unable to save Communication Server Settings if the password for BlackBerry Administration Service Credentials includes the dash (-) character. --------------------------------------------------------------------- The BlackBerry command tool does not support using the dash (-) character in the password for BlackBerry Administration Service Credentials. Therefore, if this happens, Mobile Security will be unable to save Communication Server Settings. 5.3 The Exchange ActiveSync provisioning policy does not contain user name and email address information. --------------------------------------------------------------------- This happens if the user name or email address are not configured for the iOS mobile device. To resolve this issue, configure the Active Directory from "Administrator" > "Active Directory Settings", and then add the user from the Active Directory again. 5.4 Mobile Security is unable to read the phone number from Android mobile devices. --------------------------------------------------------------------- Mobile Security requires the default Android API to read the phone number from the mobile device. If the mobile device does not use the default Android API, Mobile Security is unable to read the phone number. This can also happen if the phone number is not stored on the SIM card, but it is stored in the operator's database, instead. 5.5 Users are unable to upgrade from the non-customized application package to a customized application package. --------------------------------------------------------------------- Since the customized and non-customized application packages use different certificates for authentication, the non-customized application package cannot be upgraded to the customized one, or vice versa. To resolve this issue, manually remove Mobile Security from the mobile phone and then install the customized application package again. 5.6 Sometimes the Android or iOS mobile device agents do not receive the policy update and/or remote lock/wipe/locate instruction from the server. --------------------------------------------------------------------- If the network connection between the client and the server is not stable, this known issue may occur. 5.7 Sometimes an Android mobile device using Exchange ActiveSync does not display the correct status in Exchange ActiveSync Devices tab in Mobile Security. --------------------------------------------------------------------- This happens if the Mobile Security server is unable to get the correct mobile device identity from the Exchange Server. 5.8 The Mobile Device Agents are sometimes unable to connect to the Cloud Communication Server (CCS). --------------------------------------------------------------------- The Mobile Device Agents connect with the Cloud Communication Server through the Internet. This known issue may occur if the connection between the mobile device and the Cloud Communication Server is not stable. 5.9 Internet Explorer crases while using Trend Micro Mobile Security. --------------------------------------------------------------------- If the Mobile Security administration Web console is not closed in Internet Explorer for some time (depending on the memory size), the memory leak occours and causes the Internet Explorer to crash. For details, refer to the following link: http://support.microsoft.com/kb/982094/en-us 5.10 Management Server setup program is unable to install SQL Server 2005 Express. --------------------------------------------------------------------- Since Windows Server 2012 does not support SQL Server 2005 Express, this can happen if you are trying to install Management Server on Windows Server 2012. To resolve this issue, connect to the database on another computer, or install a supported version of SQL Server and connect to the existing database during the Management server installation. 5.11 Mobile Security displays the Exchange Connector status as Connected, even when the Exchange Connector is uninstalled from the computer. Moreover, the Exchange Connector is unable to install again because the setup program is unable to connect to the Mobile Security server. --------------------------------------------------------------------- This happens when the Exchange Connector is uninstalled when it is disconnected from the Mobile Security server. The Mobile Security server could not receive the uninstallation notification from the Exchange Connector, and therefore displays the wrong status. If the Mobile Security displays the Exchange Connector status as Connected, it will not connect to another Exchange Connector. To resolve this known issue, do the following: 1. Log on to the Mobile Security administration Web console. 2. Using the same Web brwoser, open the following URL: https://:/mdm/cgi/web_service.dll?tmms_action=mdm_register_new_connector 3. Replace and with the actual Mobile Security server and port number. 4. Press Enter. The following message should appear. { "error_code" : 1, "message" : "Success", "timestamp" : xxxxxxxxxx } Where, xxxxxxxxxx displays the current timestamp. After performing the above steps, Mobile Security will reset the Exchange Server Integration settings, and you should now be able to install the Exchange Connector. 5.12 Unable to access some external Web services when Trend Micro Mobile Security is deployed in pure IPv6 environment. --------------------------------------------------------------------- This happens when the external Web services do not support IPv6. 5.13 Unable to access SMTP server or Active Directory when Management Server connects these servers using IPv6. --------------------------------------------------------------------- This is a known issue in this release. 5.14 Sometimes, iOS Mobile Device Agents are unable to enrol with the Mobile Security server. --------------------------------------------------------------------- This happens when the SCEP server uses IPv6 numeric address to enrol iOS mobile devices. To resolve this known issue, configure SCEP using the domain name on Mobile Security Web console. The known issues for iOS mobile devices in this release are as follows: 5.15 Uninstalling the iOS Mobile Device Agent does not change the status on Mobile Security server to "Inactive". --------------------------------------------------------------------- Mobile Security server does not change the iOS mobile device status to "Inactive" until the "MDM Enrollment Profile" is removed from the mobile device. 5.16 Uninstalling the iOS MDM Enrollment Profile does not change the status on Mobile Device Agent to "Inactive". --------------------------------------------------------------------- This can happen if the iOS "MDM Enrollment Profile" is removed from the mobile device when it is not connected to the network. Therefore, the Mobile Device Agent keeps displaying the old status. To resolve this issue, delete the iOS mobile device record on the Mobile Security server or reinstall the iOS Mobile Device Agent on the mobile device. The known issues for Android devices in this release are as follows: 5.17 Incoming calls rejected within three (3) seconds are recorded as annoying calls. --------------------------------------------------------------------- Trend Micro Mobile Security is currently unable to differentiate incoming calls rejected by the user within three (3) seconds from callers who hang up within three (3) seconds of making a call. Therefore, these calls are recorded as annoying calls. 5.18 On android mobile device, if the JavaScript is disabled in the Web browser, a blocked page can be accessed by pressing the back button. --------------------------------------------------------------------- Trend Micro Mobile Security requires JavaScript to detect and block an inappropriate Web page. Enable JavaScript in your default Web browser for complete protection while surfing Internet. 5.19 Remote lock does not take effect immediately. --------------------------------------------------------------------- On some mobile devices, "Security lock timer" setting is available to lock the mobile device after the specified time period of inactivity. If the "Security lock timer" is enabled on the mobile device, the remote lock takes effect after the specified inactivity time period has elapsed. Otherwise, the remote lock immediately locks the mobile device. 5.20 User can stop Mobile Security services from the list of running applications on Android mobile devices. --------------------------------------------------------------------- This is a known issue on Android mobile devices. However, even if the Mobile Security service is stopped, the Real-time scan and uninstall protection still function as normal. 5.21 Mobile Security is unable to block the Iframe tags in HTML Web pages or the URLs saved in the WebView Android SDK Component. --------------------------------------------------------------------- Mobile Security currently requires the Android default browser to function properly, and cannot block the Iframe tags in HTML Web pages or the URLs that are saved on a third-party application. 5.22 On HTC mobile devices, performing the selective wipe does not delete the Exchange account information on the mobile device. --------------------------------------------------------------------- The email client on HTC mobile devices is modified by the manufacturer. Therefore, Mobile Security is currently unable to delete the account information on HTC mobile devices. 5.23 The LG P-500, KDDI au IS04, or Xiaomi mobile devices ring and/or vibrate even if the Call Blocking feature is enabled. --------------------------------------------------------------------- This known issue allows LG P-500, KDDI au IS04, or Xiaomi mobile devices to ring and/or vibrate one time even if Call Blocking feature is enabled. However, the incoming call will still be recorded in Blocked Call History as blocked. 5.24 On KDDI IS11CA mobile device, Trend Micro Mobile Security does not filter text messages even if the Text Blocking feature is enabled. --------------------------------------------------------------------- Trend Micro Mobile Security requires the default Android text messaging application to function properly. If the mobile device manufacturer has modified the text messaging application, this known issue may occur on such mobile devices. 5.25 The battery consumption on Softbank 003SH and KDDI IS11CA mobile devices is very high. --------------------------------------------------------------------- This happens when the administrator has disabled the camera on Softbank 003SH or KDDI IS11CA mobile device. When the camera is disabled, the firmware of the mobile device continuously checks the temperature of the mobile device, resulting in the excessive battery consumption. 5.26 Unable to get the location information of some mobile devices remotely from the Mobile Security server. --------------------------------------------------------------------- Mobile Security requires the default Android Application Programming Interface (API) for location detection to function properly. This happens if the API for location detection is modified by the mobile device manufacturer. This is a known issue for the following mobile devices: - Motorola MB526 - HTC Explorer A310e - Motorola MB525+ - Samsung i9100(Galaxy SII) - Amazon kindle fire 5.27 The SD card lock feature does not work on Android 4.2 and higher versions. --------------------------------------------------------------------- Andriod 4.2 and higher versions change the protection level for unmounting SD cards which prevents any third-party application from unmounting SD cards. 5.28 Unable to block text messages on Android 4.4 or above. --------------------------------------------------------------------- Android 4.4 or above limits any third-party application from modifying the text messages on mobile devices. 5.29 Unable to upgrade Mobile Security by tapping the upgrade notification. --------------------------------------------------------------------- This is a known issue for Mobile Security 9.0, which is not compatible with Android 4.4. To resolve this known issue, navigate to the following IP address and download and install the latest Mobile Security Mobile Device Agent manually: http://:/mobile where, replace "" with the actual server IP address, and "" with the actual server port number. 6. About Trend Micro ======================================================================== Trend Micro, Inc. provides virus protection, anti-spam, and content- filtering security products and services. Trend Micro allows companies worldwide to stop viruses and other malicious code from a central point before they can reach the desktop. Copyright 2014, Trend Micro Incorporated. All rights reserved. Trend Micro and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies. 7. Contact Information ======================================================================== You can contact Trend Micro via fax, phone, and email. Or visit us at http://www.trendmicro.com.