Let's take a look at the tasks that Tom, the EMM administrator of MobX, has to do from downloading WSO2 EMM to registering the iOS device of Kim, the device owner.

...

Tip: Before you begin
  1. WSO2 EMM supports devices on iOS 7, 8, 9, and 10.
  2. Install Oracle Java SE Development Kit (JDK) version 1.7.* or 1.8.* and set the JAVA_HOME environment variable. For more information on setting up JAVA_HOME on your OS, see Installing the Product.
  3. Download WSO2 EMM.
  4. Start WSO2 EMM by navigating to the <EMM_HOME>/bin directory using the command-line and executing wso2server.bat --run (for Windows) or wso2server.sh (for Linux).
    Example: Starting WSO2 EMM on a Linux OS.

    Code Block
    cd <EMM_HOME>/bin
    ./wso2server.sh

    The server starts, and the command line displays the management console URL, which ends in /carbon/. Note the host and port in this URL, which you will use in the next step to access the EMM console.

  5. In your browser, access the EMM Console by navigating to https://<EMM_HOST>:<EMM_PORT>/emm and log in using admin as the username and password.

  6. Obtain a signed Certificate Signing Request (CSR) file in the .plist format using one of the approaches listed below:

    Note

    You need the signed CSR file to successfully configure WSO2 EMM with iOS. The CSR file you submit via the WSO2 site is evaluated by the WSO2 Account Managers, and the content required to proceed with the iOS configurations is sent to you within 3 to 4 working days. Therefore, we recommend that you obtain the signed CSR file before trying out this guide.

    • Get your own certificate signed by Apple

      Use this method if you were not successful in the WSO2 CSR evaluation process, or if you want your certificate signed directly by Apple. With this approach, first register your organization with the Apple Developer Enterprise Program, then follow the steps described in MDM Vendor CSR Signing Overview.

      Warning

      WSO2 only issues signed certificates to organizations who have successfully passed the evaluation process.

    • Make a request to WSO2, which is an EMM vendor registered with Apple, and get your certificate signed

      When following this approach, carry out the steps below. After you submit the CSR file, a WSO2 Account Manager will contact you in due course to evaluate your request.

      WSO2 only issues signed certificates to organizations that have successfully passed the evaluation process.

    1. Create a CSR file (e.g., customer.csr) from the EMM server using a private key.

      Info
      • Keep your private key and CSR file in a safe location.

      • You are prompted to provide a passphrase to secure the private key when generating it using the commands given below. Be sure to remember the passphrase, as you will need it again.

      Code Block
      openssl genrsa -des3 -out customerPrivateKey.pem 2048
      openssl req -new -key customerPrivateKey.pem -out customer.csr
    2. Enter the requested information when prompted. This information is incorporated into the CSR as your organization's official details. For example:

      Info

      If you do not provide the required information, your CSR will be rejected in the signing process.

      The required fields (Field - Usage/Purpose) are:

      • Organization Name - Identifies the organization that the CSR belongs to. For this scenario, we entered MobX.
      • Email - When a certificate expires, the user has to renew the certificate. The email is used to identify the existing users. For this scenario, we entered tom@mobx.com as the email.
      • Common Name - The fully qualified domain name of your server.

    3. To get a signed CSR file in .plist format, submit the CSR file to WSO2 via the WSO2 site.

    4. Note that WSO2 account managers evaluate the CSR files and send you an email with the following information within 3 to 4 working days.

      • The signed CSR file in the .plist format
      • Agent source code
      • P2 repository, which contains the feature list

...

  1. Create an email account (e.g., tom-mobx@gmail.com) to send out emails to users who register with WSO2 EMM.

    Note

    If you are using a Google mail account, note that Google treats WSO2 EMM as a third-party application and restricts it from sending emails by default. Disable this restriction before sending emails to confirm user registrations or invite users.

    To enable Google to provide access to third-party applications:
    1. Navigate to https://myaccount.google.com/security.
    2. Click Signing in to Google on the left menu and make sure that 2-Step Verification is disabled or off.
    3. Click Connected apps and sites on the left menu and enable Allow less secure apps.
  2. Open the <EMM_HOME>/repository/conf/axis2/axis2.xml file, uncomment the mailto transportSender section, and configure the EMM email account.
    Before the configuration:

    Code Block
    <!-- Uncomment and configure the SMTP server information check com.sun.mail.smtp package documentation for descriptions of properties
        <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
            <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
            <parameter name="mail.smtp.port">587</parameter>
            <parameter name="mail.smtp.starttls.enable">true</parameter>
            <parameter name="mail.smtp.auth">true</parameter>
            <parameter name="mail.smtp.user">synapse.demo.0</parameter>
            <parameter name="mail.smtp.password">mailpassword</parameter>
            <parameter name="mail.smtp.from">synapse.demo.0@gmail.com</parameter>
        </transportSender>
    -->
    Tip

    For mail.smtp.from, mail.smtp.user, and mail.smtp.password, use the email address, username, and password (respectively) of the mail account you set up.

    Example after the configuration:

    Code Block
    <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
       <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
       <parameter name="mail.smtp.port">587</parameter>
       <parameter name="mail.smtp.starttls.enable">true</parameter>
       <parameter name="mail.smtp.auth">true</parameter>
       <parameter name="mail.smtp.user">tom-mobx</parameter>
       <parameter name="mail.smtp.password">$mobx1234</parameter>
       <parameter name="mail.smtp.from">tom-mobx@gmail.com</parameter>
    </transportSender>
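A quick way to confirm the edit took effect, as an added example that is not part of the WSO2 guide: the function below parses an axis2.xml document and reports whether the mailto transportSender is still commented out, whether STARTTLS and authentication are enabled, and whether any of the template placeholder values (synapse.demo.0, mailpassword) were left in place. The sample XML strings are constructed here for illustration.

```python
import xml.etree.ElementTree as ET

# Placeholder values shipped in the commented-out template; a sender that still
# carries them was uncommented but never filled in with a real account.
TEMPLATE_DEFAULTS = {"mail.smtp.user": "synapse.demo.0",
                     "mail.smtp.password": "mailpassword",
                     "mail.smtp.from": "synapse.demo.0@gmail.com"}

def check_mailto_sender(axis2_xml):
    """Return a list of problems found in the mailto transportSender
    (an empty list means the configuration looks usable)."""
    root = ET.fromstring(axis2_xml)
    # ElementTree discards XML comments, so a sender that is still inside the
    # <!-- ... --> block is simply absent from the parsed tree.
    sender = root.find(".//transportSender[@name='mailto']")
    if sender is None:
        return ["mailto transportSender missing (still commented out?)"]
    params = {p.get("name"): (p.text or "").strip()
              for p in sender.findall("parameter")}
    problems = []
    for key in ("mail.smtp.host", "mail.smtp.port", "mail.smtp.user",
                "mail.smtp.password", "mail.smtp.from"):
        if not params.get(key):
            problems.append(f"{key} is missing or empty")
    if params.get("mail.smtp.starttls.enable") != "true":
        problems.append("mail.smtp.starttls.enable is not true "
                        "(credentials would be sent unencrypted)")
    if params.get("mail.smtp.auth") != "true":
        problems.append("mail.smtp.auth is not true")
    for key, default in TEMPLATE_DEFAULTS.items():
        if params.get(key) == default:
            problems.append(f"{key} still has the template value {default!r}")
    return problems

# Constructed sample: the axis2.xml fragment with Tom's account filled in.
SAMPLE_CONFIGURED = """<axisconfig>
  <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
    <parameter name="mail.smtp.user">tom-mobx</parameter>
    <parameter name="mail.smtp.password">$mobx1234</parameter>
    <parameter name="mail.smtp.from">tom-mobx@gmail.com</parameter>
  </transportSender>
</axisconfig>"""

# Constructed sample: the sender left inside its XML comment.
SAMPLE_COMMENTED = '<axisconfig><!-- <transportSender name="mailto"/> --></axisconfig>'

if __name__ == "__main__":
    print(check_mailto_sender(SAMPLE_CONFIGURED))   # []
    print(check_mailto_sender(SAMPLE_COMMENTED))
```

To check the real file, pass the contents of <EMM_HOME>/repository/conf/axis2/axis2.xml to check_mailto_sender.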

...

Generating an MDM APNS certificate

Except for a few operations (ring, message and get location) that are performed by the WSO2 EMM agent, all the other device operations and policies are applied on an iOS device via its operating system. Therefore, for the WSO2 EMM server to communicate with the operating system of the device, you need to generate the MDM APNS certificate.

The MDM APNS certificate will be referred to as the MDM certificate in the EMM Console.

  1. Go to https://appleid.apple.com/account#!&page=create and get an Apple ID, if you do not have one already.
  2. Go to the Apple Push Certificate Portal at https://identity.apple.com/pushcert/ and log in with your customer account details. You do not need an enterprise account for this; your Apple ID is sufficient.
  3. Click Create Certificate and agree to the terms and conditions.
  4. Upload the encoded .plist file you received via email from WSO2 earlier in this guide.
  5. Download the generated MDM signing certificate, which is a certificate for third-party servers provided by Apple, and rename it to MDM_Certificate.pem.

  6. Get the USERID (TOPIC ID) from the MDM signing certificate (MDM_Certificate.pem), as it will be used later in the configuration.
    You can decode the MDM signing certificate to obtain the USERID by executing the following command:

    Code Block
    openssl x509 -in MDM_Certificate.pem -text -noout
  7. Remove the password/passphrase from your private key file (e.g., customerPrivateKey.pem).

    Code Block
    openssl rsa -in customerPrivateKey.pem -out customerKey.pem
  8. Merge the customer key file derived in the previous step with the MDM signing certificate to generate the MDM Apple Push Notification Service (APNS) certificate. In this example, Tom merges the customerKey.pem file with the MDM_Certificate.pem file to generate the MDM_APNSCert.pem file.

    Tip

    Before you merge the customerKey.pem file and the MDM_Certificate.pem file, make sure both files are in the same directory.

    Code Block
    cat MDM_Certificate.pem customerKey.pem > MDM_APNSCert.pem
  9. Open the APNS certificate (MDM_APNSCert.pem) and add a line break between the content of the two files. For example, if your content looks like "-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----", add a line break after the first five dashes so that the content looks as follows:

    Code Block
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
  10. Convert the MDM_APNSCert.pem file to an MDM_APNSCert.pfx file. You need to provide a password for this, which you will need again when configuring the iOS platform configurations.

    Code Block
    openssl pkcs12 -export -out MDM_APNSCert.pfx -inkey customerPrivateKey.pem -in MDM_APNSCert.pem
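Two of the steps above are easy to get wrong by hand: reading the topic ID out of the openssl output (step 6) and fixing the joined END/BEGIN markers that cat leaves behind (step 9). The helpers below are an added example, not WSO2's code: extract_topic_id pulls the UID from the Subject line of openssl x509 -text output, fix_pem_bundle inserts the missing line break, and pem_block_types confirms the merged file now holds one certificate followed by one private key. The openssl output and the PEM bundle are constructed samples with placeholder UUIDs and bodies.

```python
import re

# An END marker immediately followed by a BEGIN marker, with no newline between.
PEM_BOUNDARY = re.compile(r"(-----END [A-Z ]+-----)(?=-----BEGIN )")

def extract_topic_id(openssl_text):
    """Return the UID (the APNS topic, com.apple.mgmt.External.<uuid>) from the
    Subject line of `openssl x509 -text -noout` output, or None if absent."""
    m = re.search(r"Subject:.*?\bUID\s*=\s*(com\.apple\.mgmt\.[\w.\-]+)",
                  openssl_text)
    return m.group(1) if m else None

def fix_pem_bundle(bundle):
    """Insert a newline wherever an END marker runs straight into a BEGIN
    marker, so that every PEM block starts on its own line."""
    fixed = PEM_BOUNDARY.sub(r"\1\n", bundle)
    return fixed if fixed.endswith("\n") else fixed + "\n"

def pem_block_types(bundle):
    """List the PEM block labels found at the start of a line, in order."""
    return re.findall(r"^-----BEGIN ([A-Z ]+)-----$", bundle, flags=re.M)

# Constructed sample of the relevant lines of `openssl x509 -text -noout`;
# the UUIDs are placeholders, not values from a real certificate.
SAMPLE_OPENSSL_TEXT = """Certificate:
    Data:
        Issuer: CN=Apple Application Integration Certification Authority, O=Apple Inc., C=US
        Subject: UID=com.apple.mgmt.External.00000000-1111-2222-3333-444444444444, CN=APSP:00000000-1111-2222-3333-444444444444, C=US
"""

# Constructed sample of the step 8 cat output (bodies replaced by placeholders).
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n"
                 "-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----\n"
                 "MIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(extract_topic_id(SAMPLE_OPENSSL_TEXT))
    print(pem_block_types(SAMPLE_BUNDLE))                   # only the certificate is found
    print(pem_block_types(fix_pem_bundle(SAMPLE_BUNDLE)))   # certificate and key
```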

...

  1. Log in to the EMM Console at https://<EMM_HOST>:<EMM_PORT>/emm using admin as the username and password, if you haven't previously logged in.
  2. Click Menu > CONFIGURATION MANAGEMENT > PLATFORM CONFIGURATIONS > iOS Configurations and fill in the form.

    • MDM Certificate Password: Give the same password you gave when converting the MDM_APNS certificate from the pem to the pfx format. 
    • MDM Certificate Topic ID: Give the topic ID of the certificate.

    Tip

    To learn more about each platform setting, hover your mouse pointer over the help tip.

Configuring WSO2 EMM to install iOS applications

...

  1. Open the <EMM_HOME>/repository/conf/app-manager.xml file.
  2. Add %https% as the value for the AppDownloadURLHost property.

    Code Block
    <Config name="AppDownloadURLHost">%https%</Config>
    Tip

    To test the WSO2 EMM app management features on Android devices, use one of the following options:

    • Change the value of the AppDownloadURLHost property back to HTTP.
    • Continue using HTTPS to install applications on Android devices by generating a BKS file for Android.

Tom has now completed the configurations needed to allow users to register and monitor their devices with WSO2 EMM. Tom then proceeds to configure iOS support in EMM.

Creating users and a sample policy

...

  1. Download the WSO2 EMM sample pack.
  2. Copy the file to a preferred location, navigate to the file via the command prompt, and run the script.

    Code Block
    cd <EMM_QSG_SAMPLE-PACK>
    ./emm-qsg.ssh
  3. Enter your email address when prompted.

    Info: Why?

    The device owner Kim will be registered with your email address. Therefore, you will be notified via email on how to register your device with WSO2 EMM while following the EMM quick start guide.

    Example:

    Code Block
    Enter your email address and press enter : kim@wso2.com
Tip

Check out the WSO2 EMM dashboard by signing in to the WSO2 EMM console at https://<EMM_HOST>:<EMM_PORT>/emm using tom as the username and tomemm as the password.
You will then see the new emm-user role, three new policies, and the two new users that were added using this script.

Updating the passcode policy

...

  1. The Safari browser will display the EMM iOS Enrollment screen. iOS devices need the root certificate to be downloaded to trust the server certificate. Tap Install EMM Certificate.
  2. The Install Profile screen appears. Tap Install.
  3. Tap the Skip Agent Installer link at the bottom of the screen.
  4. On the EMM Registration screen, enter your details:
    • Username - Enter kim as the username.
    • Password - Enter kimemm as the password. 
    • Domain - You don't need to enter the domain details for this scenario.
    Info

    By default WSO2 EMM only supports the "bring your own device" (BYOD) registration process for the iOS platform.

  5. Tap Log In.

  6. After reading the End User License Agreement (EULA), tap I accept the terms.

  7. Tap Install when prompted to install the WSO2 Profile Service.

  8. A warning message appears to indicate that by installing the profile the EMM will remotely manage the iOS device. Tap Install.

  9. Tap Trust to confirm that you are aware of the device being remotely managed by installing the profile.

  10. After the profile is installed, tap Done.

  11. Upon the successful registration, the following confirmation appears.

Note

Since you are not installing the WSO2 EMM iOS agent in this guide, you will get a Cannot Open Page warning message after the enrollment is complete.

...

Note from Tom

Remember to change the AppDownloadURLHost property value in the <EMM_HOME>/repository/conf/app-manager.xml file back to HTTP if you are trying out the EMM quick start guide for Android or testing WSO2 EMM with Android devices.
If you wish to continue using HTTPS to install applications on Android devices, generate a BKS file for Android.