WSO2 EMM Agent configurations to enroll and manage devices

...

  1. Configuring the monitoring frequency:

    • Configure the monitoring frequency via the EMM console. For more information, see General Platform Configurations.

      Info

      If you configure the monitoring frequency via the EMM console, it will overwrite the monitoring frequency configuration done by editing the cdm-config.xml file, as shown below.

    • Configure the MonitorFrequency parameter in the cdm-config.xml file, which is in the <EMM_HOME>/repository/conf directory. Specify this value in milliseconds. The EMM server uses this parameter to determine how often the devices enrolled with EMM need to be monitored. By default, this value is 60000 ms (1 min).

      Example:

      Code Block
      <MonitorFrequency>60000</MonitorFrequency>
  2. Configure the following fields that are under the <APIKeyValidator> tag in the <EMM_HOME>/repository/conf/api-manager.xml file.

    Info

    This step is only applicable in the production environment.

    • Configure the <ServerURL> field by replacing ${carbon.local.ip} with the hostname or public IP of the production environment.

      Code Block
      <ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>

      Example:

      Code Block
      <ServerURL>https://45.67.89.100:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>
    • Configure the <RevokeAPIURL> field by replacing ${carbon.local.ip} with the hostname or public IP of the production environment.

      Code Block
      <RevokeAPIURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeAPIURL>

      Example:

      Code Block
      <RevokeAPIURL>https://45.67.89.100:${https.nio.port}/revoke</RevokeAPIURL>
  3. Enable HTTPS communication.

    Info
    • This step is only required for the production environment. Once enabled, the HTTP requests will be redirected to use HTTPS automatically.
    • You will need to set up the BKS file in the Android agent once HTTPS is enabled.
    1. To enable HTTPS redirection for a specific web application, uncomment the following code in the respective web application's web.xml.
      Example: Enable HTTPS redirection for the mdm-android-agent web app by navigating to the <EMM_HOME>/repository/deployment/server/webapps/mdm-android-agent/WEB-INF/web.xml file.

      Code Block
      <security-constraint>
         <web-resource-collection>
            <web-resource-name>MDM-Admin</web-resource-name>
            <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>
    2. To enable HTTPS redirection for the entire servlet container, configure the web.xml file, which is in the <EMM_HOME>/repository/conf/tomcat folder, by including the following:

      Code Block
      <security-constraint>
         <web-resource-collection>
            <web-resource-name>MDM-Admin</web-resource-name>
            <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>
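
A check for the constraint configured in step 3, as an added example that is not part of the WSO2 documentation: it parses a web.xml and reports whether an uncommented security-constraint with a CONFIDENTIAL transport guarantee covers /*. The function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _children(elem, name):
    """Child elements called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem
            if isinstance(c.tag, str) and c.tag.rsplit("}", 1)[-1] == name]

def https_enforced_patterns(web_xml_text):
    """url-patterns covered by a CONFIDENTIAL transport guarantee."""
    root = ET.fromstring(web_xml_text)  # XML comments are dropped by the parser
    patterns = []
    for sc in _children(root, "security-constraint"):
        guarantees = [(tg.text or "").strip()
                      for udc in _children(sc, "user-data-constraint")
                      for tg in _children(udc, "transport-guarantee")]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [(p.text or "").strip()
                         for p in _children(wrc, "url-pattern")]
    return patterns

def enforces_https_everywhere(web_xml_text):
    """True only when the whole application (/*) is forced onto HTTPS."""
    return "/*" in https_enforced_patterns(web_xml_text)

# Constructed sample documents (not real EMM files).
CONSTRAINT = """
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MDM-Admin</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
"""
NS = '<web-app xmlns="http://java.sun.com/xml/ns/javaee">'
ENABLED = NS + CONSTRAINT + "</web-app>"
COMMENTED = NS + "<!--" + CONSTRAINT + "-->" + "</web-app>"

if __name__ == "__main__":
    for label, doc in (("enabled", ENABLED), ("commented out", COMMENTED)):
        print(label, "->", enforces_https_everywhere(doc))
```

A constraint that is still commented out, or one whose guarantee is not CONFIDENTIAL, is reported as not enforcing HTTPS.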

...

WSO2 EMM administrators can monitor devices by accessing the portal dashboard. Before accessing the dashboard, you need to configure the dashboard server to communicate with the external OAuth-protected APIs that its gadgets access.

  1. Configure <ServerRoles> that is in the <EMM_HOME>/repository/conf/carbon.xml file by adding the CDMFPlatform role.

    Code Block
    <ServerRoles>
       <Role>EMMPlatform</Role>
       <Role>CDMFPlatform</Role>
    </ServerRoles>
  2. Configure the designer.json file that is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/portal/configs directory as follows:

    1. If you have enabled SSO for WSO2 EMM, define sso as the value for activeMethod under authentication. Otherwise, define the activeMethod as basic.

      Info

      For more information on enabling SSO, see the WSO2 Dashboard Server documentation on Enabling SSO in WSO2 DS.

      Example:

      Enabling SSO authentication

      Configure the following fields:

      • Under authentication, define the activeMethod as sso.
      • Configure responseSigningEnabled as true.
      • Set the Assertion Consumer (ACS) URL as https://<JAGGERY_APP_HOST>:<JAGGERY_APP_PORT>/portal/acs. In WSO2 EMM, the Jaggery portal application is available in the product itself. Therefore, you can configure <JAGGERY_APP_HOST> as localhost and <JAGGERY_APP_PORT> as 9443 if you have not applied a port offset to WSO2 EMM.

      Example:

      Code Block
      "authentication":{  
         "activeMethod":"sso",
         "methods":{  
            "sso":{  
               "attributes":{  
                  "issuer":"portal",
                  "identityProviderURL":"https://localhost:9443/samlsso",
                  "responseSigningEnabled":"true",
                  "acs":"https://localhost:9443/portal/acs",
                  "identityAlias":"wso2carbon",
                  "useTenantKey":false
               }
            },
            "basic":{  
               "attributes":{  
      
               }
            }
         }
      }

      Enabling basic authentication

      Under authentication, define the activeMethod as basic.

      Code Block
      "authentication":{  
         "activeMethod":"basic",
         "methods":{  
            "sso":{  
               "attributes":{  
                  "issuer":"portal",
                  "identityProviderURL":"https://localhost:9443/samlsso",
                  "responseSigningEnabled":"false",
                  "acs":"https://localhost:9444/portal/acs",
                  "identityAlias":"wso2carbon",
                  "useTenantKey":false
               }
            },
            "basic":{  
               "attributes":{  
      
               }
            }
         }
      }

    2. Configure the authorization attributes.

      Code Block
      "authorization":{  
         "activeMethod":"oauth",
         "methods":{  
            "oauth":{  
               "attributes":{  
                  "idPServer":"%https.ip%/oauth2/token",
                  "dynamicClientProperties":{  
                     "callbackUrl":"%https.ip%/portal",
                     "clientName":"portal",
                     "owner":"admin",
                     "applicationType":"JaggeryApp",
                     "grantType":"password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer",
                     "saasApp":false,
                     "dynamicClientRegistrationEndPoint":"%https.ip%/dynamic-client-web/register/",
                     "tokenScope":"Production"
                  }
               }
            }
         }
      }

      | Property | Description |  | Data Type | Example |
      |---|---|---|---|---|
      | activeMethod | Define the method that needs to be made active from the available authorization methods. In this case, you need to define the active mode as OAuth. | Yes | String | OAuth |
      | idPServer | Define the Identity Provider URL by replacing %https.ip% with https://<EMM_HOST>:<EMM_PORT>. Info: The default value for <EMM_HOST> is localhost and, if you have not applied a port offset to WSO2 EMM, the default <EMM_PORT> is 9443. | Yes | String | localhost:9443/oauth2/token |
      | callbackUrl | Define the callback URL by replacing %https.ip% with https://<EMM_HOST>:<EMM_PORT>. Info: The default value for <EMM_HOST> is localhost and, if you have not applied a port offset to WSO2 EMM, the default <EMM_PORT> is 9443. | Yes | String | localhost:9443/portal |
      | clientName | Define the OAuth application name. | Yes | String | portal |
      | owner | Define the username of the owner of the application. In this use case it is the administrator. | Yes | String | admin |
      | applicationType | The default application type is a Jaggery application. If you wish to change it, you need to update this field with the respective application type. | Yes | String | JaggeryApp |
      | grantType | In this use case, out of the six OAuth 2.0 grant types, WSO2 EMM uses the password refresh_token and the saml2-bearer grant types. You can add more grant types as space-separated values. If you configured WSO2 EMM for SSO authentication, the saml2-bearer grant type will be used, and if you configured WSO2 EMM for basic authentication, the password refresh_token grant type will be used. | Yes | String | password |
      | saasApp | Define if this application is a Software as a Service (SaaS) application or not, by defining true or false as the respective values. | Yes | Boolean | false |
      | dynamicClientRegistrationEndPoint | Define the dynamic client registration endpoint by replacing %https.ip% with https://<EMM_HOST>:<EMM_PORT>. Info: The default value for <EMM_HOST> is localhost and, if you have not applied a port offset to WSO2 EMM, the default <EMM_PORT> is 9443. | Yes | String | localhost:9443/dynamic-client-web/register/ |
      | tokenScope | Define the scope of the issued access token. It is used to limit the authorization granted to the client by the resource owner. | Yes | String | Production |

  3. Optionally, if you configured the authentication method as sso, you need to register the portal application as a service provider. For more information, see the WSO2 Dashboard Server documentation on configuring SSO in DS.
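
A pre-deployment check for the designer.json settings described in step 2, as an added example that is not part of the WSO2 documentation: it flags SSO without response signing, non-HTTPS endpoints, and %https.ip% placeholders that were never replaced. It assumes authentication and authorization are top-level keys of the file; the function name and the sample configuration are constructed.

```python
import json
from urllib.parse import urlparse

def audit_designer(cfg):
    """Return a list of findings for the authentication/authorization sections."""
    findings = []
    authn = cfg.get("authentication", {})
    method = authn.get("activeMethod")
    if method == "sso":
        sso = authn.get("methods", {}).get("sso", {}).get("attributes", {})
        # The page's examples store this flag as the string "true", not a boolean.
        if str(sso.get("responseSigningEnabled")).lower() != "true":
            findings.append("sso: responseSigningEnabled is not true")
        for key in ("identityProviderURL", "acs"):
            if urlparse(sso.get(key, "")).scheme != "https":
                findings.append(f"sso: {key} is not an https URL")
    elif method != "basic":
        findings.append(f"authentication: unexpected activeMethod {method!r}")

    oauth = (cfg.get("authorization", {}).get("methods", {})
                .get("oauth", {}).get("attributes", {}))
    dcp = oauth.get("dynamicClientProperties", {})
    urls = {"idPServer": oauth.get("idPServer", "")}
    for key in ("callbackUrl", "dynamicClientRegistrationEndPoint"):
        urls[key] = dcp.get(key, "")
    for key, value in urls.items():
        if "%https.ip%" in value:
            findings.append(f"oauth: {key} still contains %https.ip%")
        elif urlparse(value).scheme != "https":
            findings.append(f"oauth: {key} is not an https URL")
    return findings

# Constructed sample: SSO active but signing off, one placeholder left in place.
SAMPLE = json.loads("""
{"authentication": {"activeMethod": "sso", "methods": {"sso": {"attributes": {
    "issuer": "portal",
    "identityProviderURL": "https://localhost:9443/samlsso",
    "responseSigningEnabled": "false",
    "acs": "https://localhost:9443/portal/acs"}}}},
 "authorization": {"activeMethod": "oauth", "methods": {"oauth": {"attributes": {
    "idPServer": "%https.ip%/oauth2/token",
    "dynamicClientProperties": {
      "callbackUrl": "https://localhost:9443/portal",
      "dynamicClientRegistrationEndPoint":
        "https://localhost:9443/dynamic-client-web/register/"}}}}}}
""")

if __name__ == "__main__":
    print("\n".join(audit_designer(SAMPLE)) or "no findings")
```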

...