Page Comparison

WSO2 EMM Agent configurations to enroll and manage devices

...

1. Configuring the monitoring frequency:

   • Configure the monitoring frequency via the EMM console. For more information, see General Platform Configurations.

     Info
     If you configure the monitoring frequency via the EMM console, it will overwrite the monitoring frequency configuration done by editing the cdm-config.xml file, as shown below.

   • Configure the DeviceMonitorFrequency parameter in the cdm-config.xmlfile, which is in the <EMM_HOME>/repository/conf directory. Specify this value in milliseconds. The EMM server uses this parameter to determine how often the devices enrolled with EMM need to be monitored. By default, this value has been configured to 60000ms (1min).

     Example:

     Code Block
     <DeviceMonitorFrequency>60000</DeviceMonitorFrequency>

2. Anchor
   carbon.local.ip carbon.local.ip

   Configure the following fields that are under the <APIKeyValidator> tag in the <EMM_HOME>/repository/conf/api-manager.xml file.

   Info
   This step is only applicable in the production environment.

   • Configure the <serverURL> field by replacing ${carbon.local.ip} with the hostname or public IP of the production environment.

     Code Block
     <ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>

     Example:

     Code Block
     <ServerURL>https://45.67.89.100:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>

   • Configure the <RevokeAPIURL> field by replacing ${carbon.local.ip} with the hostname or public IP of the production environment.

     Code Block
     <RevokeAPIURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeAPIURL>

     Example:

     Code Block
     <RevokeAPIURL>https://45.67.89.100:${https.nio.port}/revoke</RevokeAPIURL>

3. Anchor
   HTTPS HTTPS

   Enable HTTPS communication.  

   Info
   This step is only required for the production environment. Once enabled, the HTTP requests will be redirected to use HTTPS automatically. You will need to setup the BKS file in the android agent once HTTPS is enabled.

   1. To enable HTTPS redirection for a specific web application, uncomment the following code in the respective web application's web.xml.
      Example: Enable HTTPS redirection for the mdm-android-agent web app by navigating to the <EMM_HOME>/repository/deployment/server/webapps/mdm-android-agent/WEB-INF/web.xml file.

      Code Block
      <security-constraint> <web-resource-collection> <web-resource-name>MDM-Admin</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>

   2. To enable HTTPS redirection for the entire servlet container, configure the web.xml file, which is in the <EMM_HOME>/repository/conf/tomcat folder, by including the following:

      Code Block
      <security-constraint> <web-resource-collection> <web-resource-name>MDM-Admin</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>

...

1. Enable SSO in the following configuration files, under the ssoConfiguration section:

   • config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.

   • store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory.

   • publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory.

     Code Block
     "enabled" : true,

2. Configure the Identity Provider (IdP) in the following configuration files, under the ssoConfiguration section:

   Tip
   For example, you can use the following steps to configure WSO2 Identity Server (IS) as an Identity Provider (IdP). For more information on configuring IS, see enabling SSO for WSO2 servers.

   • config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.

   • store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory.

   • publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory. 

   Localtabgroup

   Localtab active true title config.json Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag", "responseSigningEnabled" : "true", "keyStorePassword" : "wso2carbon", "identityAlias" : "wso2carbon", "keyStoreName" : "/repository/resources/security/wso2carbon.jks" Localtab title store.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "storeAcs" : "%https.host%/store/acs", "keyStoreName": "/repository/resources/security/wso2carbon.jks" Localtab title publisher.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "publisherAcs": "%https.host%/publisher/sso", "keyStoreName": "/repository/resources/security/wso2carbon.jks"

   Expand
   title Click here for IdP related property definitions.
   The IdP related property definitions are as follows: IdentityProviderURL - Provide the URL that defines where the user should navigate when signing in. keyStorePassword - Provide the Key Store password. identityAlias - Provide the Key Store identity alias or username. keyStoreName - Provide the Identity Providers (e.g., WSO2 IS) public key value. Info The keyStorePassword and identityAlias are defined under <KeyStore> in the carbon.xml file, which is in the <EMM_HOME>/repository/conf directory. Expand title Click here for to view the KeyStore attributes. Code Block <KeyStore> <!-- Keystore file location--> <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location> <!-- Keystore type (JKS/PKCS12 etc.)--> <Type>JKS</Type> <!-- Keystore password--> <Password>wso2carbon</Password> <!-- Private Key alias--> <KeyAlias>wso2carbon</KeyAlias> <!-- Private Key password--> <KeyPassword>wso2carbon</KeyPassword> </KeyStore> storeAcs - Provide the Assertion Consumer URL, which is the redirecting URL, for the Store. publisherAcs - Provide the Assertion Consumer URL, which is the redirecting URL, for the Publisher.

   Note

   By default, an Identity Provider (IdP) has been bundled with the EMM binary pack. If you wish to use this default IdP in EMM, modify the host/ip to the Server IP. If you wish to use your own IdP, modify the host/ip to your own IdP's host in the following files: Localtabgroup Localtab active true title config.json Update the config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory. Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag", Localtab title store.json Update the store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory. Code Block "identityProviderURL": "%https.host%/samlsso", Localtab title publisher.json Update the publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory. Code Block "identityProviderURL": "%https.host%/samlsso",

3. Update the SSO related IDP configurations in the sso-idp-config.xml  file, which is in the  <EMM_HOME>/repository/conf/identity  directory, by updating all the entries that state localhost to your IDP's IP address or domain.

   Code Block

   <ServiceProvider> <Issuer>mdm</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</DefaultAssertionConsumerServiceURL> <SignAssertion>true</SignAssertion> <SignResponse>true</SignResponse> <EnableAttributeProfile>false</EnableAttributeProfile> <IncludeAttributeByDefault>false</IncludeAttributeByDefault> <Claims> <Claim>http://wso2.org/claims/role</Claim> <Claim>http://wso2.org/claims/emailaddress</Claim> </Claims> <EnableSingleLogout>false</EnableSingleLogout> <SingleLogoutUrl /> <EnableAudienceRestriction>true</EnableAudienceRestriction> <EnableRecipients>true</EnableRecipients> <AudiencesList> <Audience>https://localhost:9443/oauth2/token</Audience> </AudiencesList> <RecipientList> <Recipient>https://localhost:9443/oauth2/token</Recipient> </RecipientList> <ConsumingServiceIndex /> </ServiceProvider> <ServiceProvider> <Issuer>store</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/store/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/store/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/store/login.jag</CustomLoginPage> </ServiceProvider> <ServiceProvider> <Issuer>social</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/social/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/social/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/social/login</CustomLoginPage> </ServiceProvider> <ServiceProvider> <Issuer>publisher</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/publisher/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/publisher/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/publisher/controllers/login.jag</CustomLoginPage> </ServiceProvider>

4. Enable authentication session persistence by uncommenting the following configuration in the <EMM_HOME>/repository/conf/identity.xml file, under the the Server and JDBCPersistenceManager elements.

   Code Block
   <SessionDataPersist> <Enable>true</Enable> <RememberMePeriod>20160</RememberMePeriod> <CleanUp> <Enable>true</Enable> <Period>1440</Period> <TimeOut>20160</TimeOut> </CleanUp> <Temporary>false</Temporary> </SessionDataPersist>

   Expand
   title Click here for more information on the configurations.
   Configuration element Description Enable This enables the persistence of session data. Therefore, this must be configured to true if you wish to enable session persistence. RememberMePeriod This is the time period (in minutes) that the remember me option should be valid. After this time period, the users are logged out even if they enable the remember me option. The default value for this configuration element is 2 weeks. CleanUp This section of the configuration is related to the cleaning up of session data. The cleanup task runs on a daily basis (once a day) by default unless otherwise configured in the Period tag. When this cleanup task is executed, it removes session data that is older than 2 weeks, unless otherwise specified in the TimeOut tag.  Enable Selecting true here enables the cleanup task and ensures that it starts running. Period This is the time period (in minutes) that the cleanup task would run. The default value is 1 day. TimeOut This is the timeout value (in minutes) of the session data that is removed by the cleanup task. The default value is 2 weeks. Temporary Setting this to true enables persistence of temporary caches that are created within an authentication request.

Dashboard Server Configurations

The WSO2 EMM administrators can monitor devices by accessing the portal dashboard. Before accessing the dashboard you need to do the following configuration as the Dynamic Client Registration (DCR) approach is used to create an OAuth application. This is a one-time process that needs to be done despite configuring SSO in WSO2 EMM.

Configure the designer.json file that is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/portal/configs directory by adding the following.

  "authorization":{  
   "activeMethod":"oauth",
   "methods":{  
      "oauth":{  
         "attributes":{  
            "idPServer":"%https.ip%/oauth2/token",
            "dynamicClientProperties":{  
               "callbackUrl":"%https.ip%/portal",
               "clientName":"portal",
               "owner":"admin",
               "applicationType":"JaggeryApp",
               "grantType":"password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer",
               "saasApp":false,
               "dynamicClientRegistrationEndPoint":"%https.ip%/dynamic-client-web/register/",
               "tokenScope":"Production"
            }
         }
      }
   }
}

Info

Expand title Click here for more information on the attributes. Property Description Image Added Data Type  Example activeMethod Define the active mode. In this case you need to define the active mode as OAuth. Yes String OAuth idPServer Define the Identity Provider URL. Yes String %https.ip%/oauth2/token callbackURL Define the call back URL. Yes String https.ip%/portal clientName Define the OAuth application name. Yes String portal owner Define the username of the owner of the application. In this use case it is the administrator. Yes String admin applicationType The default application type is a jaggery application. If you wish to change it, you need to update this field with the respective application type. Yes String JaggeryApp grantType In this use case, out of the six OAuth 2.0 grant types WSO2 EMM uses the password and refresh_token grant types You can add more grant types as space separated values. Yes String password saasApp Define if this application is a Software as a Service (SaaS) application or not, by defining true or false as the respective values. Yes Boolean false dynamicClientRegistrationEndPoint Define the dynamic client registration endpoint. Yes String %https.ip%/dynamic-client-web/register/ tokenScope Define the scope of the issued access token. It is used to limit the authorization granted to the client by the resource owner. Yes String Production