Acronis Access Advanced Administrator's Guide

“Acronis” and “Acronis Secure Zone” are registered trademarks of Acronis International GmbH.

"Acronis Compute with Confidence", “Acronis Startup Recovery Manager”, “Acronis Active Restore”, “Acronis Instant Restore” and the Acronis logo are trademarks of Acronis International GmbH.

Linux is a registered trademark of Linus Torvalds.

VMware and VMware Ready are trademarks and/or registered trademarks of VMware, Inc. in the United States and/or other jurisdictions.

Windows and MS-DOS are registered trademarks of Microsoft Corporation.

All other trademarks and copyrights referred to are the property of their respective owners.

Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.

Distribution of this work or derivative work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Third party code may be provided with the Software and/or Service. The license terms for such third-parties are detailed in the license.txt file located in the root installation directory. You can always find the latest up-to-date list of the third party code and the associated license terms used with the Software and/or Service at http://kb.acronis.com/content/7696

Acronis patented technologies

Technologies, used in this product, are covered and protected by one or more U.S. Patent Numbers: 7,047,380; 7,275,139; 7,281,104; 7,318,135; 7,353,355; 7,366,859; 7,475,282; 7,603,533; 7,636,824; 7,650,473; 7,721,138; 7,779,221; 7,831,789; 7,886,120; 7,895,403; 7,934,064; 7,937,612; 7,949,635; 7,953,948; 7,979,690; 8,005,797; 8,051,044; 8,069,320; 8,073,815; 8,074,035; 8,145,607; 8,180,984; 8,225,133; 8,261,035; 8,296,264; 8,312,259; 8,347,137; 8,484,427; 8,645,748; 8,732,121 and patent pending applications.

Table of contents

1 Mobile Access ..................................................................................................................6

1.1 Concepts .................................................................................................................................... 6

1.2 Policies ....................................................................................................................................... 8

1.2.1 User & Group Policies ..................................................................................................................................... 8

1.2.2 Allowed Apps ................................................................................................................................................. 21

1.2.3 Default Access Restrictions ........................................................................................................................... 24

1.3 On-boarding Mobile Devices ...................................................................................................25

1.3.1 Server-side Management Enrollment Process ........................................................................................... 26

1.3.2 User-side Management Enrollment Process .............................................................................................. 29

1.4 Managing Gateway Servers .....................................................................................................33

1.4.1 Registering new Gateway Servers ............................................................................................................... 34

1.4.2 Server Details ................................................................................................................................................. 36

1.4.3 Editing Gateway Servers ............................................................................................................................... 37

1.4.4 Licensing Gateway Servers ........................................................................................................................... 44

1.4.5 Cluster Groups ............................................................................................................................................... 44

1.5 Managing Data Sources ...........................................................................................................46

1.5.1 Folders ............................................................................................................................................................ 47

1.5.2 Assigned Sources ........................................................................................................................................... 50

1.5.3 Gateway Servers Visible on Clients .............................................................................................................. 51

1.5.4 Legacy Data Sources...................................................................................................................................... 52

1.6 Settings ....................................................................................................................................53

2 Sync & Share .................................................................................................................. 55

2.1 Sharing Restrictions .................................................................................................................55

2.2 LDAP Provisioning ....................................................................................................................56

2.3 Quotas ......................................................................................................................................56

2.4 File Purging Policies .................................................................................................................57

2.5 User Expiration Policies ...........................................................................................................58

2.6 File Repository .........................................................................................................................59

2.7 Acronis Access Client ...............................................................................................................60

3 Server Administration .................................................................................................... 62

3.1 Administering a Server.............................................................................................................62

3.2 Administrators and Privileges ..................................................................................................63

3.3 Audit Log ..................................................................................................................................66

3.3.1 Log .................................................................................................................................................................. 66

3.3.2 Settings ........................................................................................................................................................... 67

3.4 Server .......................................................................................................................................67

3.5 SMTP ........................................................................................................................................69

3.6 LDAP .........................................................................................................................................70

3.7 Email Templates .......................................................................................................................71

3.8 Licensing ..................................................................................................................................74

3.9 Debug Logging .........................................................................................................................75

3.10 Monitoring ...............................................................................................................................76

4 Maintenance Tasks ........................................................................................................ 78

4.1 Disaster Recovery guidelines ...................................................................................................78

4.2 Backing up and Restoring Acronis Access ................................................................................80

4.3 Tomcat Log Management on Windows ...................................................................................83

4.4 Automated Database Backup ..................................................................................................87

4.5 Increasing the Acronis Access Tomcat Java Maximum Memory Pool .....................................88

5 Supplemental Material .................................................................................................. 90

5.1 Conflicting Software ................................................................................................................90

5.2 Load balancing Acronis Access ................................................................................................90

5.3 Third-party Software for Acronis Access .................................................................................96

5.3.1 PostgreSQL ..................................................................................................................................................... 96

5.3.2 Apache Tomcat .............................................................................................................................................. 97

5.3.3 New Relic ....................................................................................................................................................... 97

5.4 Using Acronis Access with Microsoft Forefront Threat Management Gateway (TMG) ..........97

5.4.1 Overview ........................................................................................................................................................ 97

5.4.2 Introduction ................................................................................................................................................... 98

5.4.3 Install the SSL Server Certificate ................................................................................................................. 101

5.4.4 Create a New Web Listener ........................................................................................................................ 102

5.4.5 Create a New Web Site Publishing Rule .................................................................................................... 107

5.4.6 Configure an External DNS Entry for the Acronis Access Gateway Server ............................................. 113

5.4.7 Using the Access Mobile Client with a TMG reverse proxy server .......................................................... 113

5.4.8 Using the Access Desktop Client with a TMG reverse proxy server. ....................................................... 113

5.5 Unattended desktop client configuration .............................................................................114

5.6 Monitoring Acronis Access with New Relic ...........................................................................115

5.7 Using trusted server certificates with Acronis Access ...........................................................116

5.8 Creating a Drop Folder ...........................................................................................................118

5.9 Customizing the web interface ..............................................................................................120

5.10 How to support different Access Desktop Client versions ....................................................120

5.11 How to move the FileStore to a non-default location. ..........................................................121

5.12 Acronis Access for Good Dynamics ........................................................................................121

5.12.1 Introduction ................................................................................................................................................. 121

5.12.2 Testing a trial version of Acronis Access for Good Dynamics .................................................................. 122

5.12.3 Requesting and configuring Acronis Access within Good Control .......................................................... 123

5.12.4 Good Dynamics Policy Sets and Acronis Access........................................................................................ 127

5.12.5 Granting Acronis Access access to a Good Dynamics User or Group ...................................................... 128

5.12.6 Enrolling the Acronis Access client app in Good Dynamics ...................................................................... 130

5.13 MobileIron AppConnect support ...........................................................................................133

5.13.1 Introduction ................................................................................................................................................. 133

5.13.2 Testing a trial version of Acronis Access with AppConnect ..................................................................... 133

5.13.3 Creating an AppConnect configuration and policy for Acronis Access on your MobileIron VSP .......... 134

5.13.4 Activating the Acronis Access iOS client with AppConnect ...................................................................... 138

5.13.5 Ongoing AppConnect management of Access Mobile Clients ................................................................ 139

5.13.6 Using AppConnect with Kerberos Constrained Delegation ..................................................................... 139

6 Configuring an AppConnect tunnel between the Access Mobile client and the Access

server via username/password authentication........................................................................... 142

7 Adding Kerberos Constrained Delegation Authentication .............................................. 153

7.1.1 Advanced Delegation Configurations ........................................................................................................ 161

7.2 Installing Acronis Access on a Microsoft Failover Cluster .....................................................162

7.2.1 Installing Acronis Access on a Windows 2008 Microsoft Failover Cluster .............................................. 162

7.2.2 Installing Acronis Access on a Windows 2012 Microsoft Failover Cluster .............................................. 176

7.3 Upgrading from mobilEcho 4.5 on a Microsoft Failover Cluster ........................................189

7.3.1 Upgrading a mobilEcho server on a Windows 2008 Failover Cluster to Acronis Access ....................... 189

7.3.2 Upgrading a mobilEcho server on a Windows 2012 Failover Cluster to Acronis Access ....................... 200

7.4 Upgrading Acronis Access on a Microsoft Failover Cluster ...................................................212

7.5 Changing the Acronis Access Tomcat SSL Ciphers .................................................................214

8 What's New ................................................................................................................. 216

8.1 What's New in Acronis Access Server ....................................................................................216

8.2 What's New in the Acronis Access app ..................................................................................230

8.3 Previous Releases ..................................................................................................................231

8.3.1 activEcho ...................................................................................................................................................... 231

8.3.2 mobilEcho .................................................................................................................................................... 242

1 Mobile Access

In this section

Concepts ..................................................................................................... 6

Policies ....................................................................................................... 8

On-boarding Mobile Devices ................................................................... 25

Managing Gateway Servers ..................................................................... 33

Managing Data Sources ........................................................................... 46

Settings ..................................................................................................... 53

This section of the web interface covers all the settings and configurations affecting mobile device users.

1.1 Concepts

Access Mobile Clients connect directly to your server rather than utilizing a third-party service, leaving you in control. Acronis Access server can be installed on existing file servers, allowing iPads, iPhones and Android devices to access files located on that server. These are typically the same files already available to PCs using Windows file sharing and Macs using ExtremeZ-IP File Server.

Clients access Acronis Access servers using their Active Directory user account. No additional accounts need to be configured within Acronis Access. The Access Mobile Client also supports file access using local computer accounts configured on the Windows server Acronis Access is running on, in the event you need to give access to non-AD users. The client management features described below require AD user accounts.

A minimal deployment consists of a single Windows server running a default installation of Acronis Access. This default installation includes the Acronis Access Server component installed and the local Acronis Access Gateway Server with a license installed. This scenario allows devices running the Access Mobile Client application to connect to this single file server, and allows for client management. If client management is not needed, Data Sources can be setup on the local Gateway Server and the Access Mobile Clients will be able to access these Data Sources, but the users will be in control of their app settings.

Fig 1. Single Gateway server, many Access Mobile Clients

Any number of Gateway Servers can later be added to the network and configured for access from the client app.

Note: Details on installing Acronis Access are included in the Installing section of this guide. Configuration of Gateway Servers and Data Sources is explained in the Mobile Access (p. 6) section.

If you wish to remotely manage your Access Mobile Clients, Acronis Access Client Management allows you to create policies per Active Directory user or group. These policies can:

 Configure general application settings  Assign servers, folders, and home directories to be displayed in the client app  Restrict what can be done with files  Restrict the other third party apps that Access Mobile Client files can be opened into  Set security requirements (server login frequency, application lock password, etc.)  Disable the ability to store files on the device  Disable the ability to include Access Mobile Client files in iTunes backups  Remotely reset a user's application lock password  Perform a remote wipe of the Access Mobile Client app's local data and settings  And many additional configuration and security options

Only one Acronis Access Server is required.

A typical network employing client management includes one server with the Acronis Access Server and Acronis Access Gateway Server components installed and several additional Gateway Servers acting as file servers. In this scenario, all mobile clients are configured to be managed by the Acronis Access Server, and will contact this server each time the Access Mobile Client application is started, to check for any changed settings and to accept application lock password resets and remote wipe commands if necessary.

Access Mobile Client clients can be assigned a list of servers, specific folders within shared volumes, and home directories in their management policy. These resources will automatically appear in the Access Mobile Client app and the client app will contact these servers directly as needed for file access.

Note: Details on enabling and configuring the client management are included in the Policies (p. 8) and Managing Mobile Devices section of this guide.

In this section

User & Group Policies ................................................................................ 8

Allowed Apps ........................................................................................... 21

Default Access Restrictions ...................................................................... 24

Fig 2. One Gateway Server, one Gateway Server + Acronis Access Server, many clients

1.2 Policies

1.2.1 User & Group Policies

Acronis Access Client Management allows policies to be assigned to Active Directory groups. Group policies will usually address most or all of your client management requirements. The group policies list is displayed in order of precedence, with the first group in the list having the highest priority. When a user contacts the Acronis Access server, their settings are determined by the single highest priority group policy they are a member of.

User policies are used when you want to enforce specific settings on a user regardless of the groups he is in, as User policies have a higher priority than Group policies. User policies will override all Group policies.

Group Management Tips

If you would like all or most of your users to receive the same policy settings, you can enable the Default group

In this section

Adding a New Policy ................................................................................... 9

Exceptions for policy settings .................................................................. 11

Modifying Policies .................................................................................... 11

Creating a Blocked Path list ..................................................................... 11

Security Policy .......................................................................................... 13

Application Policy ..................................................................................... 15

Sync Policy ................................................................................................ 18

Home Folders ........................................................................................... 19

Server Policy ............................................................................................. 20

policy. If it' s enabled all users which are not members of a group policy and do not have an explicit user policy, will become members of the Default group. The Default group is disabled by default. If you would like to deny a group of users access to Acronis Access management, ensure that they are not members of any configured group policies. As long as a user account does not match any group policies, they will be denied the ability to enroll in Acronis Access client management.

1.2.1.1 Adding a New Policy

To add a new group policy:

1. Open the Group Policies tab.

2. Click the Add new policy button to add a new group policy. This will open the Add a new group

policy page.

3. In the Find group field, enter the partial or complete Active Directory group name for which

you'd like to create a policy. You can perform 'begins with' or 'contains' searches for Active Directory groups. Begins with search will complete much faster than contains searches.

4. Click Search and then find and click the group name in the listed results.

5. Make the necessary configurations in each of the tabs (Security (p. 13), Application (p. 15), Sync

(p. 18), Home Folders (p. 19) and Server (p. 20)) and press Save.

To add a new user policy:

1. Open the User policies tab.

2. Click the Add new policy button to add a new user policy. This will open the Add a new user

policy page.

3. In the Find user field, enter the partial or complete Active Directory user name for which you'd

like to create a policy. You can perform 'begins with' or 'contains' searches for Active Directory users. Begins with search will complete much faster than contains searches.

4. Click Search and then find and click the user name in the listed results.

5. Make the necessary configurations in each of the tabs (Security (p. 13), Application (p. 15), Sync

(p. 18), Home Folders (p. 19) and Server (p. 20)) and press Save.

1.2.1.2 Exceptions for policy settings

For users running the Access Mobile Client for Android, Access Mobile Client for Good Dynamics (iOS) and Access Mobile Client with Mobile Iron AppConenct apps, there are some exceptions to the way Acronis Access management policies are applied to the Access Mobile Client app. In the case of Android, a few of the features of the iOS client are not yet supported, so the related policies do not apply. In the case of Good Dynamics, a few of the standard Access Mobile Client policy features are deferred to the Good Dynamics system and the Good Dynamics policy set that you have configured on your Good Control server. With MobileIron, a few of the standard Acronis Access policy features are deferred to the MobileIron AppConnect platform. These exceptions are noted on the Acronis Access policy configuration pages. Hover over the Good, Android and MobileIron logos for more details on the individual policy exceptions.

1.2.1.3 Modifying Policies

Existing policies can be modified at any time. Changes to policies will be applied to the relevant Access Mobile Client users the next time they launch the mobile app.

Connectivity requirements

Acronis Access clients must have network access to the Acronis Access server in order to receive profile updates, remote password resets, and remote wipes. If your client is required to connect to a VPN before they can access Acronis Access, they will also need to connect to the VPN before management commands will be accepted.

To modify a group policy

1. Click the Groups Policies option in top menu bar.

2. Click on the group you would like to modify.

3. Make any changes necessary on the Edit Group Policy page and press Save.

4. To temporarily disable a policy, uncheck the check box in the Enabled column for the desired

group. This change takes effect immediately.

5. To change a group's priority, click the up or down arrow in the Manage Groups Profiles list. This

will move the profile up or down one level.

To modify a user policy:

1. Open the User Policies tab.

2. Click on the user you would like to modify.

3. Make any changes necessary on the Edit User Policy page and press Save.

4. To temporarily disable a policy, uncheck the check box in the Enabled column for the desired

user.This change takes effect immediately.

1.2.1.4 Creating a Blocked Path list

You can create blacklists for paths you do not want your users to be able to self-provision from mobile devices. These lists must be assigned to a User or Group policy and are valid only for self-provisioned paths. When the list has been created and assigned to the proper Users and/or

Groups, you need to enable the Block access to specific network paths for every User/Group policy that you want it to affect.

To create a list:

1. Open the web interface as an administrator.

2. Open the Policies (p. 8) page.

3. Click on the desired User policy or Group policy.

4. Open the Server Policy (p. 20) tab.

5. Select the Block access to specific network paths check box.

Note: You must perform this step for each User/Group policy that you want to assign the blacklist to.

6. Press Add/Edit lists.

7. On the Blocked Path Lists page press Add List.

8. Enter a name for the list.

9. Enter a path or list of paths that will be blacklisted. Each entry should be on a new line.

10. Open the Apply to User or Group tab.

11. Assign the list to the desired user(s)/group(s).

12. Press Save.

To enable the blacklist for a User or Group policy:

1. Open the web interface as an administrator.

2. Open the Policies (p. 8) page.

3. Click on the desired User policy or Group policy.

4. Open the Server Policy (p. 20) tab.

5. Select the Block access to specific network paths check box.

Note: You must perform this step for each User/Group policy that you want to assign the blacklist to.

6. Select the desired list from the drop-down menu.

Note: Pressing Refresh lists will refresh the options in the drop-down menu.

7. Press Save to save and exit the policy.

1.2.1.5 Security Policy

 App password creation - The Access Mobile Client application can be set with a lock password

that must be first entered when launching the application.

 Optional - This setting will not force the user to configure an application lock password, but

they will be able to set one from the Settings menu within the app if they desire.

 Disabled - This setting will disable the ability to configure an application lock password from

the Settings menu within the app. This might be useful in the case of shared mobile devices where you prefer that a user cannot set an app password and will lock other users out of the Access Mobile Client.

 Required - This setting will force the user to configure an application lock password if they do

not already have one. The optional application password complexity requirements and failed password attempt wipe setting only apply when App password creation is set to Required.

 App will lock - This setting configures the application password grace period. When a

user switches from the Access Mobile Client to another application on their device, if they return to the Access Mobile Client before this grace period has elapsed, they will not be required to enter their application lock password. To require that the password is entered every time, choose Immediately upon exit. If you would like the user to be able

to modify their App will lock setting from within the Access Mobile Client settings, select Allow user to change this setting.

 Minimum password length - The minimum allowed length of the application lock

password.

 Minimum number of complex characters - The minimum number of non-letter,

non-number characters required in the application lock password.

 Require one or more letter characters - Ensures that there is at least one letter character

in the application password.

 Mobile Client app will be wiped after X failed app password attempts - When this

option is enabled, the settings and data in the Access Mobile Client app will be wiped after the specified number of consecutive failed app password attempts.

 Wipe or lock after loss of contact- Enable this setting if you would like the Access Mobile Client

app to automatically wipe or lock in the case that it has not made contact with this Acronis Access server in a certain number of days. Locked clients will automatically unlock in the event that they later contact the server successfully. Wiped clients immediately have all the local files stored in the Mobile Client app deleted, their client management policy removed, and all settings reset to defaults. Wiped clients will have to be re-enrolled in management to gain access to gateway servers.

 Mobile Client app will be locked/wiped after X days of failing to contact this client's

Acronis Access server - Set the default action after the client fails to contact this Acronis Access server for a number of days.

 Warn user starting [ ] days beforehand - The Access Mobile Client app can optionally warn

the user when a 'loss of contact' wipe or lock is going to happen in the near future. This gives them the opportunity to reestablish a network connection that allows the Access Mobile Client app to contact it's Acronis Access Server and prevent the lock or wipe.

 User can remove Mobile Client from management- Enable this setting if you would like your

Acronis Access users to be able to uninstall their management policy from within Acronis Access. Doing so will return the application to full functionality and restore any configuration that was changed by their policy.

 Wipe all Acronis Access data on removal - When user removal of policies is enabled, this

option can be selected. If enabled, all data stored locally within the Access Mobile Client application will be erased if it is removed from management, ensuring that corporate data does not exist on a client not under management controls.

 Allow iTunes to back up locally stored Acronis Access files - When this setting is disabled, the

Access Mobile Client will not allow iTunes to back up its files. This will ensure that no files within Acronis Access' secure on-device storage are copied into iTunes backups.

1.2.1.6 Application Policy

 Require Confirmation When Deleting Files - When enabled, the user will be asked for

confirmation each time they delete a file. If you would like the user to be able to later modify this setting, select Allow user to change this setting.

 Set the Default File Action - This option determines what will happen when a user taps a file in

the Access Mobile Client application. If this is not set, the client application defaults to Action

Menu. If you would like the user to be able to later modify this setting, select Allow user to change this setting.

 Allow Files to be Stored on the Device - This setting is enabled by default. When enabled, files

will be permitted to remain on the device, within Acronis Access' sandboxed storage. Individual features that store files locally (My Filesfolder, sync folders, recently accessed file caching) can be enabled or disabled using additional policy settings. If this option is disabled, no files will be stored on the device, ensuring that no corporate data is on the device if it is lost or stolen. If this setting is disabled, the user will not be able to save or sync files for offline use, cache files for improved performance, or send files from other applications to the Access Mobile Client using the "Open In" function.

 Allow User to Store Files in the 'My Files' On-Device Folder - If enabled, files can be copied

into the 'My Files' folder for offline access and editing. This is a general purpose storage area within Acronis Access' on-device storage sandbox.

 Cache Recently Accessed Files on the Device - If enabled, server-based files that have been

recently access will be saved in a local cache on the device, for use if they are accessed again and have not changed, providing performance and bandwidth conservation benefits. Maximum Cache Size can be specified and the user can optionally be allowed to change this setting.

 Display Thumbnail Previews for Server-Side Files - When enabled, thumbnail previews will be

displayed instead of filetype icons when browsing Data Sources and Gateway Servers.

 Thumbnail Cache Size: - Sets how much space will be reserved for thumbnails.  Only Download Thumbnail Previews on WiFi Networks - When enabled, thumbnails will be

available only if the user is connected to a WiFi network.

 Content in My Files and File Inbox Expires after X days - If this option is enabled, files in the File

Inbox and in My Files will be deleted from the device after the set number of days.

Allow

These settings can be used to disable certain Access Mobile Client application features and capabilities. All copy, create, move, rename, and delete settings apply to files or folders located on Gateway servers. Files in the mobile client's local My Files folder are stored on the device and are not affected. All other settings apply to any files in Acronis Access, both server-based and locally stored on the client.

File Operations

 File Copies / Creation - If this option is disabled, the user will not be able to save files from other

applications or from the iPad Photos library to a Gateway Server. They will also be unable to copy or create new files or folders on the Gateway Server server Gateway Server. This setting supersedes any NTFS permissions that client may have that allow file creation.

 File Deletes - If this option is disabled, the user will not be able to delete files from the Gateway

Server. This setting supersedes any NTFS permissions that client may have that allow file deletion.

 File Moves - If this option is disabled, the user will not be able to move files from one location to

another on the Gateway Server, or from the server to the Access Mobile Client application's local My Files storage. This setting supersedes any NTFS permissions that client may have that allow file or folder moves.

 File Renames - If this option is disabled, the user will not be able to rename files from the

Gateway Server. This setting supersedes any NTFS permissions that client may have that allow file renames.

Folder Operations

 Folder Copies - If this option is disabled, the user will not be able to copy folders on or to the

Gateway Server. This setting supersedes any NTFS permissions that client may have that allow folder creation. File copies / creation must be enabled for this setting to be enabled.

 Folder Deletes - If this option is disabled, the user will not be able to delete folders from the

Gateway Server. This setting supersedes any NTFS permissions that client may have that allow folder deletion.

 Folder Moves - If this option is disabled, the user will not be able to move folders from one

location to another on the Gateway Server, or from the server to the Access Mobile Client application's local My Files storage. This setting supersedes any NTFS permissions that client may have that allow file or folder moves. Folder copies must be enabled for this setting to be enabled.

 Folder Renames - If this option is disabled, the user will not be able to rename or folders from

the Gateway Server. This setting supersedes any NTFS permissions that client may have that allow folder renames.

 Adding New Folders - If this option is disabled, the user will not be able to create new, empty

folders on the Gateway Server.

 Allow Bookmarking Folders - If this option is disabled, the user will not be able to bookmark

on-device or on-server Acronis Access folders for quick shortcut access.

'mobilEcho' File Links

 Emailing 'mobilEcho' File Links - If this option is disabled, users will not be able to send

mobilEcho:// URLs to Acronis Access files or folders to other Acronis Access users. These links are only functional if opened from a device where the recipient has the Access Mobile Client installed and configured with a server or assigned folder that has access to the link location. The user must also have file/folder-level permission to read the item.

 Opening 'mobilEcho' File Links - If this option is disabled, users will not be allowed to open

mobilEcho:// URLs to Acronis Access files or folders.

Data Leakage Protection

 Opening Acronis Access Files in Other Applications - If this option is disabled, the Access Mobile

Client application will omit the Open In button and not allow files in Acronis Access to be opened in other applications. Opening a file in another application results in the file being copied to that application's data storage area and outside of Acronis Access control.

 App Whitelist/Blacklist - Select a predefined whitelist or blacklist that restricts that third

party apps that Acronis Access files can be opened into on the device. To create a whitelist or blacklist, click Allowed Apps in the top menu bar.

 Sending Files to Acronis Access from Other Apps - If this option is disabled, the Access Mobile

Client application will not accept files sent to it from other applications' Open In feature.

 Sending Files to Acronis Access Using Quickoffice 'Save Back' - If this option is disabled, the

Acronis Access application will not accept files sent to it from the Quickoffice app's Save Back feature.

 Emailing Files from Acronis Access - If this option is disabled, the Access Mobile Client

application will omit the Email File button and not allow files in Acronis Access to be emailed from the application.

Note: The Android platform does not have a built-in email app or function that can be disabled. To block users from moving files into emails, you must instead disable Opening Acronis Access files into Other Applications.

 Printing Files from Acronis Access - If this option is disabled, the Access Mobile Client application

will omit the Print button and not allow files in Acronis Access to be printed.

 Copying text From Opened Files - If this option is disabled, the Access Mobile Client will not

allow the user to select text in opened documents for copy/paste operations. This will prevent data from being copied into other applications.

Annotation and Editing

 Allow PDF annotation - If this option is disabled, the Access Mobile Client will not be allowed to

annotate PDFs.

 Editing & Creation of Office files - If this option is disabled, users will not be allowed to edit

documents using the integrated SmartOffice editor.

 Editing & Creation of Text files - If this option is disabled, users will not be allowed to edit .txt

files using the built-in text editor.

1.2.1.7 Sync Policy

 Allow User to Create Sync Folders - Allows the user to create their own sync folders.  Client is Prompted to Confirm Before Synced Files are Downloaded - Select the conditions under

which the user must confirm before files in synced folders are downloaded. Options are: Always, While on cellular networks only, and Never. If Allow User to Change This Setting is enabled,

clients will be able to change the confirmation options.

 Only Allow File Syncing While Device is on WiFi Networks - When this option is enabled, Acronis

Access will not allow files to be synced over cellular connections. If Allow User to Change This Setting is enabled, clients will be able to enable or disable automatic file syncing while on WiFi networks.

 Auto-Sync Interval - When this option is enabled, Acronis Access will automatically sync never,

on app launch only or on several time intervals.

 Allow User to Change This Setting - When this option is enabled, the users will be able to

change the time interval from the Access Mobile Client app.

 Only Allow File Auto-Syncing While Device is on WiFi Networks - When this option is

enabled the auto-sync will not occur unless the user is connected via WiFi.

1.2.1.8 Home Folders

 Display the user's home folder- This option causes a user's personal home directory to appear in

the Access Mobile Client app.

 Display name shown on client - Sets the display name of the home folder item in the Access

Mobile Client app.

 Active Directory assigned home folder - The home folder shown in the Access Mobile Client

app will connect the user to the server/folder path defined in their AD account profile. The Home Folder will be accessible via the selected Gateway.

 Custom home directory path - The home folder shown in the Access Mobile Client app will

connect the user to the server and path defined in this setting. The %USERNAME% wildcard can be used to include the user's username in the home folder path. %USERNAME% must be capitalized.

 Sync – This option selects the type of sync of your Home Directory.

1.2.1.9 Server Policy

 Required login frequency for resources assigned by this policy- sets the frequency that a user

must log into the servers that are assigned to them by their policy.

 Once only, then save for future sessions - The user enters their password when they are

initially enrolled in management. This password is then saved and used for any file server connections they later initiate.

 Once per session - After launching the Access Mobile Client, the user is required to enter

their password at the time they connect to the first server. Until they leave the Access Mobile Client application, they can then connect to additional servers without having to reenter their password. If they leave the Access Mobile Client for any period of time and then return, they will be required to enter their password again to connect to the first server.

 For every connection - The user is required to enter their password each time they connect

to a server.

 Allow user to add individual servers - If this option is enabled, users will be able to manually add

servers from within the Access Mobile Client application, as long as they have the server's DNS name or IP address. If you want the user to only have their policy Assigned Servers available, leave this option disabled.

 Allow saved passwords for user configured servers - If a user is allowed to add individual

servers, this sub-option determines whether they are allowed to save their password for those server.

 Allow File Server, NAS and Sharepoint Access From the Web Client - When enabled, Web Client

users will be able to see and access mobile Data Sources as well.

 Allow User to Add Network Folders by UNC path or URL - When enabled, the mobile client users

will be able to add and access network folders and SharePoint sites not assigned to them or not accessible through the existing Data Sources. The selected Gateway Server must have access to those SMB shares or SharePoint sites.

 Block access to specific network paths - When enabled, allows the administrator to create

and use blacklists of network paths which the users shouldn't be allowed to self-provision.

 Only allow this Mobile Client to connect to servers with third-party signed SSL certificates - If

this option is enabled, the Access Mobile Client will only be permitted to connect to servers with third-party signed SSL certificates.

Note: If the management server does not have a third-party certificate, the client will be unable to reach the management server after it's initial configuration. If you enable this option, ensure you have third-party certificates on all your Gateway Servers.

 Warn client when connecting to servers with untrusted SSL certificates - If your users are

routinely connecting to servers that will be using self-signed certificates, you may choose to disable the client-side warning dialog message they will receive when connecting to these servers.

 Client timeout for unresponsive servers - This option sets the client login connection timeout for

unresponsive servers. If your clients are on especially slow data connections, or if they rely on a VPN-on-demand solution to first establish a connection before a Gateway Server is reachable, this timeout can be set to a value greater than the 30 second default. If you want the client to be able to change this through the Access Mobile Client app, check Allow user to change this setting.

1.2.2 Allowed Apps

Acronis Access Client Management allows you to create whitelists or blacklists that restrict the Access Mobile Client's ability to open files into other apps on a mobile device. These can be used to ensure that any files accessible through the Access Mobile Client can only be opened into secure, trusted apps.

In this section

Adding Apps Available for Lists ................................................................ 22

Finding an app's bundle identifier by browsing the files on your device 23

Finding an app's bundle identifier in an iTunes Library ........................... 23

Whitelists - allow you to specify a list of apps that Acronis Access files are allowed to be opened into. All other apps are denied access.

Blacklists - allow you to specify a list of apps that Acronis Access files are not allowed to be opened into. All other apps are allowed access.

In order for Acronis Access to identify a particular app, it needs to know the app's Bundle Identifier. A list of common apps, and their bundle identifiers, are included in the Acronis Access Web Interface by default. If the app you need to whilelist or blacklist is not included, you will need to add it to the list.

Note: App whitelisting and blacklisting are not currently supported by the Access Mobile Client for Android.

Lists

Add whitelists and blacklists. Once created, whitelists and blacklists can be assigned to any Acronis Access user or group policy. They will only apply to the user or group policies you specify.

 Name - Shows the name of the list set by the administrator.  Type - Shows the type of the list (whitelist/blacklist)  Add List - Opens the Add a New Whitelist or Blacklist menu.

1.2.2.1 Adding Apps Available for Lists

To add an app to be included on a whitelist or blacklist:

1. Click Allowed Apps in the top menu bar.

2. Click Add app in the Apps Available for Lists section.

3. Enter the App name. This can be the name of the app as it appears in the App Store, or an

alternate name of your choosing.

4. Enter the app's Bundle identifier. This must match the intended apps bundle identifier exactly, or

it will not white or blacklisted.

5. Click Save.

You can find the bundle identifier either by browsing the files on your device (p. 23) or you can view it in an iTunes Library (p. 23).

1.2.2.2 Finding an app's bundle identifier by browsing the files on your

device

If you use software that allows browsing the contents of your device's storage, you can locate a app on the device and determine its bundle identifier . One app that can be used for this is iExplorer .

1. Connect your device to your computer with USB and open iExplorer or a similar utility.

2. Open the Apps folder on the device and locate the app you require.

3. Open that app's folder and locate its iTunesMetadata.plist file.

4. Open this PLIST file in a text editor.

5. Find the softwareVersionBundleId key in the list.

6. The string value below it is the bundle identifier value that you will need to enter for the app in

Acronis Access. These are commonly formatted as: com.companyname.appname

1.2.2.3 Finding an app's bundle identifier in an iTunes Library

If you sync your device with iTunes and the app you desire is either on your device, or was downloaded through iTunes, it will exist on your computer's hard drive. You can locate it on your hard drive and look inside the app to find the bundle identifier.

1. Navigate to your iTunes Library and open the Mobile Applications folder.

2. On a Mac, this is typically in your home directory, in ~/Music/iTunes/Mobile Applications/

3. On a Windows 7 PC, this is typically in C:\Users\username\My Music\iTunes\Mobile

Applications/

4. If you have recently installed the app on your device, make sure you have performed an iTunes

sync before you continue.

5. Locate the app that you require in the Mobile Applications folder.

6. Duplicate the file and rename the extension to .ZIP

7. Unzip this newly created ZIP file and you'll end up with a folder with the application name.

8. Inside that folder is a file called iTunesMetadata.plist

9. Open this PLIST file in a text editor.

10. Find the softwareVersionBundleId key in the list.

11. The string value below it is the bundle identifier value that you will need to enter for the app in

Acronis Access. These are commonly formatted as: com.companyname.appname

1.2.3 Default Access Restrictions

This section allows you to set restrictions for clients contacting the management server and these restrictions are also the default restrictions for Gateway Servers.

Note: For information on setting custom access restrictions for your Gateway Servers visit the Editing Gateway Servers (p. 37) article in the Managing Gateway Servers section.

Configure the client enrollment status, client app types and authentication methods that can be used to connect to this Acronis Access server and any Gateway Servers configured to use the default access restrictions.

 Require that client is enrolled with an Acronis Access server - If you select this option, all Access

Mobile Clients connecting to this server are required to be managed by a Acronis Access server that is listed under Allowable Acronis Access servers. This option ensures that all clients accessing the server have the settings and security options you require. The server name entered must match the management server name configured in the Access Mobile Client app. Partial names

may also be used to allow multiple client management servers in a domain, for instance. Partial names do not need wildcard symbols.

 Allow Client Certificate Authentication - If you uncheck this option, users will not be able to

connect via certificate and will be able to connect via client username and password or smart card.

 Allow Username/Password Authentication - If you uncheck this option, users will not be able to

connect via username and password and will be able to connect via client certificate or smart card.

 Allow Smart Card Authentication - If you uncheck this option, users will not be able to connect

via smart card and will be able to connect via client username and password or certificate.

 Allow Acronis Access Android clients to access this server – If you uncheck this option, Android

devices will not be able to connect to the Acronis Access server and you won't be able to access management as well. If you select this option, you can further set which clients can connect by the options below.

 Allow standard Acronis Access Android client - If you select this option, this Acronis Access

server will allow users running the standard Android Acronis Access client app to connect. If you do not want to allow Android users to access this Acronis Access server, you can uncheck this setting.

 Allow AppConnect managed Acronis Access Android client - If you select this option, this

Acronis Access server will allow Android users with Acronis Access clients enrolled in MobileIron. If you do not want to allow Android users enrolled in MobileIron to access this Acronis Access server, you can uncheck this setting.

 Allow Acronis Access iOS clients to access this server – If you uncheck this option, iOS devices

will not be able to connect to the Acronis Access server and you won't be able to access management as well. If you select this option, you can further set which clients can connect by the options below.

 Allow Standard Acronis Access iOS Client – If you select this option, this Acronis Access

server will allow users running the standard iOS Access Mobile Client app to connect. If you do not want to allow iOS users to access this Acronis Access server, you can uncheck this setting.

 Allow Good Dynamics managed Acronis Access iOS clients – If you select this option, this

Acronis Access server will allow users using the iOS Access Mobile Client Good Dynamics managed client to connect. If you do not want to allow users with the iOS Access Mobile Client Good Dynamics client to access this Acronis Access server, you can uncheck this setting.

 Allow AppConnect managed Acronis Access iOS clients – If you select this option, this

Acronis Access server will allow iOS users with Access Mobile Client enrolled in MobileIron. If you do not want to allow iOS users enrolled in MobileIron to access this Acronis Accessserver, you can uncheck this setting.

1.3 On-boarding Mobile Devices

To get started with the Acronis Access mobile client, users need to install the Access Mobile Client application through the Apple App Store. If your company is using client management, the users also need to enroll the Access Mobile Client app on their device with the Acronis Access Server. Once enrolled, their mobile client configuration, security settings, and capabilities are controlled by their Acronis Access user or group policy.

In this section

Server-side Management Enrollment Process ......................................... 26

User-side Management Enrollment Process ........................................... 29

The Access Mobile Client application settings and features controlled by the management policy include:

 Requiring a Access Mobile Client application lock password  App password complexity requirements  Ability to remove the Access Mobile Client app from management  Allow emailing and printing files from the Access Mobile Client  Allow storing files on the device  Allow Access Mobile Client on-device files to be included in iTunes backups  Allow sending files to the Access Mobile Client from other applications  Allow opening Access Mobile Client files in other applications  Restrict the other applications that Access Mobile Client files are allowed to be opened into  Allow PDF annotation  Allow file and folder creation, renames and deletes  Allow moving files  Require confirmation when deleting  Servers, folders, and home directories can be assigned so they automatically appear in the

Access Mobile Client app

 Assigned folders can be configured to perform 1-way to 2-way syncing with the server

1.3.1 Server-side Management Enrollment Process

Selecting an enrollment mode

1. Open the Acronis Access web interface.

2. Log in as an administrator.

3. Open the Mobile Access tab.

4. Open the Settings tab.

5. Select the desired device enrollment requirements

Acronis Access includes two device enrollment mode options. This mode is used for all client enrollments. You will need to select the option that fits your requirements:

 PIN number + Active Directory username and password - In order to activate their Acronis

Access app and gain access to Acronis Access servers, a user is required to enter an expiring, one-time use PIN number and a valid Active Directory username and password. This option ensures that a user can only enroll one device, and only after receiving a PIN number issued by their IT administrator. This option is recommended when the enhanced security of two-factor device enrollment is required.

 Active Directory username and password only - A user can activate their Acronis Access app

using only their Active Directory username and password. This option allows a user to enroll one or more devices at any point in the future. Users just need to be given the name of their Acronis Access Client Management server, or a URL pointing to their Acronis Access Client Management server, which can be posted on a web site or emailed, simplifying the rollout of Acronis Access to large numbers of users. This option is preferred in environments where two-factor enrollment is not required and many users may need access to Acronis Access at any time, such as student deployments.

Inviting a user to enroll

Users are typically invited to enroll with the Acronis Access Server with an email that is sent from an Acronis Access Administrator. If required by the server, this email contains a one-time use PIN number that is valid for a configurable number of days. The PIN number can be used to enroll the Access Mobile Client app on one device only. If a user has multiple devices, they will need to be sent one invitation email for each device that needs access. This email includes a link to the Access Mobile Client app in the Apple App Store, in the case the app first needs to be installed. It also includes a second link that, when tapped while on the device, will open the Access Mobile Client and auto-complete the client enrollment form with the Acronis Access Server's name, the unique enrollment PIN number, and the user's username. By using this link, a user simply enters their account password to complete client enrollment.

 Once an enrollment invitation is generated, the invited users are displayed on the Enrollment

Invitations page. Each user's PIN number is listed, in the case that you need to communicate it by

a means other than the automatic email.

 Once a user successfully enrolls their Access Mobile Client using their one-time use PIN number,

they will no longer appear in this list.

 To revoke a user's invitation PIN number, press delete to remove them from the list.  Filter by - The invitations list can be filtered by Username, Display Name, or Email Address.

 Download enrollment invitations as CSV - The entire or filtered invitations list can be exported to

a CSV file and opened in Excel or imported into a custom process.

Using basic URL enrollment links when PIN numbers are not required:

If your server is configured to not require PIN numbers for client enrollment, you can give your users a standard URL that will automatically start the enrollment process when tapped from the mobile device.

To determine the enrollment URL for your management server, open the Mobile Access tab and open the Enroll Users tab. The URL is displayed on this page.

Note: For more information on the two modes, visit the Settings (p. 53) section.

To generate a Acronis Access enrollment invitation:

1. Open the Mobile Access tab and open the Enroll Users tab

2. Press the Send Enrollment Invitation button.

3. Enter an Active Directory user name or group name and click Search. If a group is chosen, you can

press Add to show each email address in that group in the Users to invite list. This will allow you to batch invite all members in a group. You can optionally remove one or more of those group members before sending the invitations. You can perform 'begins with' or 'contains' searches for Active Directory groups. Begins with search will complete much faster than contains searches.

4. Once you've added your first user or group, you can issue a new search and continue to add

additional users or groups to the list.

5. Review the list of Users to invite. You can Delete any users you would like to remove them from

the list.

6. If a user does not have an email address associated with their account, you will see No email

address assigned - click here to edit in the Email Address column. You can click any of these entries to manually enter an alternate email address for that user. If a user is left with No email address assigned, a PIN number will still be generated for them, and will be visible on the Enroll Users page. You will need to convey this PIN number to the user by another means before they can enroll their Access Mobile Client.

Note: If you prefer to manually communicate enrollment PIN numbers to the users, you can uncheck the Send an enrollment invitation email to each user with a specified address option. Each PIN number will be visible on the Enrollment Invitations page.

7. Choose the number of days you'd like the invitation to be valid for in the Number of days until

invitation expires field.

8. Choose the number of PINs you'd like to send to each user on the invitations list. This can be

used in cases where a user may 2 or 3 devices. They will receive individual emails containing each unique one-time-use PIN.

Note: Acronis Access licensing allows each licensed user to activate up to 3 devices, each additional device beyond 3 is counted as a new user for licensing purposes.

9. Choose the version or versions of the Access Mobile Client that you would like your users to

download and install on their device. You may choose iOS, Android, or Both. If you are using Acronis Access for Good Dynamics, you can select that option and your users will only be directed to download the Good Dynamics version of the Access Mobile Client.

10. Press Send.

Note: If you get an error message when sending, confirm that the SMTP settings in the SMTP tab under General Settings are correct. Also, if you're using Secure connection, verify that the certificate you are using matches the host name of your SMTP server.

Inviting users previously enrolled by mobilEcho 4.5 or earlier

mobilEcho 2.X did not require a PIN number to enroll a client in the Client Management system. There are two options for migrating mobilEcho 2.X clients to the Acronis Access management system. By default, mobilEcho servers that are upgraded from 2.X allow clients previously managed by the

2.X server to auto-enroll and appear in the Acronis Access Devices list without having to enter a PIN number. If you would like to ensure that all devices accessing the system have enrolled with a PIN number, you can disable this setting. In that case, if the user doesn't have User can remove Mobile Client from management privileges, the user will need to delete Acronis Access from their device and reinstall a new copy from the App Store before they can enroll using a PIN number.

Also note that when this auto-enroll setting is enabled, it will be possible to do an iTunes backup of a device running a managed version of mobilEcho 2.X or 3.0, restore that backup to a new device, and as long as the user has the active directory username and password for the associated account, that new device can be automatically enrolled in client management without a PIN number.

It is recommended that you disable the auto-enroll setting after your previously managed clients have all accessed the management server for the first time. They will appear in the Devices list when this happens.

To allow mobilEcho clients that were already enrolled in mobilEcho 2.X Client Management to automatically enroll after your mobilEcho Client Management server is upgraded to the Acronis Access Server, enable the Allow mobilEcho clients previously managed by 2.X servers and managed mobilEcho clients restored to new devices to auto-enroll without PIN setting.

1.3.2 User-side Management Enrollment Process

Each user sent a management enrollment invitation will receive an email that contains:

 A link to install the Access Mobile Client from the Apple App Store.  A link used to launch the Access Mobile Client app and automate the enrollment process.  A one-time use PIN number.  Their management server address.

 The email guides them through the process of installing the Access Mobile Client and entering

their enrollment information.

If the Access Mobile Client app has already been installed, and the user taps the "Tap this link to automatically begin enrollment..." option while viewing this email on their device, Acronis Access will automatically launch and the enrollment form will be displayed. The user's server address, PIN number, and username are also encoded in this URL, so these fields are auto-completed in the enrollment form. At this point, the user simply has enters their password to complete the enrollment process.

The username and password required are the user's Active Directory username and password. These credentials are used to match them to the proper user or group management policy, for access to Gateway servers and if their management policy allows it, the saving of their credentials for Acronis Access server logins.

+ 229 hidden pages

Acronis Access Advanced Administrator's Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

1 Mobile Access

1.1 Concepts

1.2 Policies

1.2.1 User & Group Policies

1.2.1.1 Adding a New Policy

1.2.1.2 Exceptions for policy settings

1.2.1.3 Modifying Policies

1.2.1.4 Creating a Blocked Path list

1.2.1.5 Security Policy

1.2.1.6 Application Policy

1.2.1.7 Sync Policy

1.2.1.8 Home Folders

1.2.1.9 Server Policy

1.2.2 Allowed Apps

1.2.2.1 Adding Apps Available for Lists

1.2.2.3 Finding an app's bundle identifier in an iTunes Library

1.2.3 Default Access Restrictions

1.3 On-boarding Mobile Devices

1.3.1 Server-side Management Enrollment Process

1.3.2 User-side Management Enrollment Process