Unknown macro: {next_previous_link3}
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 41 Next »

WSO2 EMM Agent configurations to enroll and manage devices

Server configurations

Follow the instructions below to configure general server configurations:

  1. Configuring the monitoring frequency:

    • Configure the monitoring frequency via the EMM console. For more information, see General Platform Configurations.

      If you configure the monitoring frequency via the EMM console, it will overwrite the monitoring frequency configuration done by editing the cdm-config.xml file, as shown below.

    • Configure the DeviceMonitorFrequency parameter in the cdm-config.xmlfile, which is in the <EMM_HOME>/repository/conf directory. Specify this value in milliseconds. The EMM server uses this parameter to determine how often the devices enrolled with EMM need to be monitored. By default, this value has been configured to 60000ms (1min).

      Example:

      <DeviceMonitorFrequency>60000</DeviceMonitorFrequency>
  2. Configure the following fields that are under the <APIKeyValidator> tag in the <EMM_HOME>/repository/conf/api-manager.xml file.

    This step is only applicable in the production environment.

    • Configure the <serverURL> field by replacing ${carbon.local.ip} with the hostname or public IP of the production environment.

      <ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>

      Example:

      <ServerURL>https://45.67.89.100:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>
    • Configure the <RevokeAPIURL> field by replacing ${carbon.local.ip} with the hostname or public IP of the production environment.

      <RevokeAPIURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeAPIURL>

      Example:

      <RevokeAPIURL>https://45.67.89.100:${https.nio.port}/revoke</RevokeAPIURL>
  3. Enable HTTPS communication.  

    • This step is only required for the production environment. Once enabled, the HTTP requests will be redirected to use HTTPS automatically.
    • You will need to setup the BKS file in the android agent once HTTPS is enabled.
    1. To enable HTTPS redirection for a specific web application, uncomment the following code in the respective web application's web.xml.
      Example: Enable HTTPS redirection for the mdm-android-agent web app by navigating to the <EMM_HOME>/repository/deployment/server/webapps/mdm-android-agent/WEB-INF/web.xml file.

       <security-constraint>
         <web-resource-collection>
            <web-resource-name>MDM-Admin</web-resource-name>
            <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>
    2. To enable HTTPS redirection for the entire servlet container, configure the web.xml file, which is in the <EMM_HOME>/repository/conf/tomcat folder, by including the following:

      <security-constraint>
         <web-resource-collection>
            <web-resource-name>MDM-Admin</web-resource-name>
            <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>

WSO2 EMM email configurations

Configure the email settings to send out registration confirmation emails to new users and invite existing users to register their device with WSO2 EMM.

In EMM, user registration confirmation emails are disabled by default, and the admin needs to provide the required configuration details to enable it.

  1. Create an email account to send out emails to users that register with EMM (e.g., no-reply@gmail.com).

  2. Open the <EMM_HOME>/repository/conf/axis2/axis2.xml file, uncomment the mailto transportSender section, and configure the EMM email account.

    You may need to enable the "Allow less secure apps" option in the Gmail account security settings, to connect account to WSO2 products.

    <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
       <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
       <parameter name="mail.smtp.port">587</parameter>
       <parameter name="mail.smtp.starttls.enable">true</parameter>
       <parameter name="mail.smtp.auth">true</parameter>
       <parameter name="mail.smtp.user">synapse.demo.0</parameter>
       <parameter name="mail.smtp.password">mailpassword</parameter>
       <parameter name="mail.smtp.from">synapse.demo.0@gmail.com</parameter>
    </transportSender>

    For mail.smtp.frommail.smtp.user, and mail.smtp.password, use the email address, username, and password (respectively) from the mail account you set up.

    Example:

    <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
       <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
       <parameter name="mail.smtp.port">587</parameter>
       <parameter name="mail.smtp.starttls.enable">true</parameter>
       <parameter name="mail.smtp.auth">true</parameter>
       <parameter name="mail.smtp.user">no-reply</parameter>
       <parameter name="mail.smtp.password">$foo1234</parameter>
       <parameter name="mail.smtp.from">no-reply@gmail.com</parameter>
    </transportSender>
  3. Configure the email sender thread pool.
    Navigate to the email-sender-config.xml file, which is in the <EMM_HOME>/repository/conf/etc directory, and configure the following fields under <EmailSenderConfig>.

    • MinThreads: Defines the minimum number of threads that needs to be available in the underlying thread pool when the email sender functionality is initialized.

    • MaxThreads : Defines the maximum number of threads that should serve email sending at any given time.

    • KeepAliveDuration : Defines the duration a connection should be kept alive. If the thread pool has initialized more connections than what was defined in MinThreads, and they have been idle for more than the KeepAliveDuration, those idle connections will be terminated

    • ThreadQueueCapacity : Defines the maximum concurrent email sending tasks that can be queued up.

    Example:

    <EmailSenderConfig>
       <MinThreads>8</MinThreads>
       <MaxThreads>100</MaxThreads>
       <KeepAliveDuration>20</KeepAliveDuration>
       <ThreadQueueCapacity>1000</ThreadQueueCapacity>
    </EmailSenderConfig>
  4. Customize the email templates that are in the <EMM_HOME>/repository/resources/email-templates directory. 

    The email templating functionality of WSO2 EMM is implemented on top of Apache Velocity, which is a free and open-source template engine.

    1. Open the email template that you wish to edit based on the requirement, such as the user-invitation.vm or user-registration.vm file.
    2. Edit the <Subject> and <Body> to suit your requirement.
    3. Restart WSO2 EMM.

    If you need to access HTTP or HTTPS base URLs of the server within your custom template configs, use the $base-url-http and $base-url-https variables, respectively.

WSO2 EMM Jaggery apps configurations to enroll and manage devices

In WSO2 EMM, only Android and iOS platforms uses the agent to enroll devices with the EMM. The Windows platform uses the native workplace application to enroll devices with WSO2 EMM. Therefore, the following configurations steps are required only if you are registering or enrolling Android or iOS devices.

Follow the steps given below:

  1. Open the config.json file that is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/ emm-web-agent/config directory.

  2. Configure the host attribute that is under generalConfig by providing the entire server address. 

    You are required to configure this file as it is used to handle device enrollments.

    • To download the EMM Android agent in a testing environment configure the host attribute using a HTTP URL, because the Android browser does not trust hosts with self signed certificates. 
    • To download the EMM Android agent in a production environment configure the host attribute using a HTTPS URL as the production server has a Certificate Authority (CA) installed with a valid SSL certificate. For more information on enabling HTTPS communication, see here.

    Example:

    "generalConfig" : {
            "host" : "http://10.10.10.182:9763",
            "companyName" : "WSO2 Enterprise Mobility Manager",
            "browserTitle" : "WSO2 EMM",
            "copyrightText" : "\u00A9 %date-year%, WSO2 Inc. (http://www.wso2.org) All Rights Reserved."
    }
  3. Open the config.json file that is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.
  4. Configure the host attribute that is under generalConfig by providing the entire server address.

    You are required to configure this file as it is used to manage the devices.

    In a clustered environment, configure the host attribute by providing the entire server address (by changing only the protocol to HTTPS and the port to the HTTPS port) that was given for the host attribute in the emm-web-agent's config.json file. This is required because the EMM configurations refer to the emm-web-agent app as it is used to handle device enrollments.

    Example:

    "generalConfig" : {
            "host" : "https://10.10.10.128:9443",
            "companyName" : "WSO2 Enterprise Mobility Manager",
            "browserTitle" : "WSO2 EMM",
            "copyrightText" : "\u00A9 %date-year%, WSO2 Inc. (http://www.wso2.org) All Rights Reserved."
    }

WSO2 App Manager configurations to mange applications in WSO2 EMM

Follow the steps given below to configure WSO2 App Manager for the EMM:

  1. Open the carbon.xml file that is in the <EMM_HOME>/repository/conf directory.
  2. Uncomment the HostName attribute and provide the server IP.
    Default: 

    <!--HostName>www.wso2.org</HostName-->

    An example of the configuration:

    <HostName>10.100.7.35</HostName>
  3. Uncomment the MgtHostName attribute and provide the server IP.
    Default: 

    <!--MgtHostName>mgt.wso2.org</MgtHostName-->

    An example of the configuration:

    <MgtHostName>10.100.7.35</MgtHostName>
  4. Comment the uncommented ServerURL and uncomment the ServerURL attribute that was commented by default.
    Configure the uncommented ServerURL as follows:
    1. Provide localhost as the value for {carbon.local.ip}.
    2. Provide the https port as the value for {carbon.management.port}.
      By default, the port is 9443.
    3. Remove ${carbon.context}.

    By default:

    <ServerURL>local:/${carbon.context}/services/</ServerURL>
    <!--
    <ServerURL>https://${carbon.local.ip}:${carbon.management.port}${carbon.context}/services/</ServerURL>
    -->

    An example of the configuration:

    <!--ServerURL>local:/${carbon.context}/services/</ServerURL-->
    <ServerURL>https://localhost:9443/services/</ServerURL>
  5. Restart the WSO2 EMM server.
  6. Login to the WSO2 App Manager publisher to publish application or WSO2 App Manager store to install apps on mobile devices.

    • Access the WSO2 App Manager publisher:
      • http://localhost:9763/publisher
      • https://localhost:9443/publisher
    • Access WSO2 App Manager store
      • http://localhost:9763/store/
      • https://localhost:9443/store

SSO configurations

Follow the steps given below to configure single sign-on (SSO) for EMM:

  1. Enable SSO in the following configuration files, under the ssoConfiguration section:

    • config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.

    • store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory.
    • publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory.

      "enabled" : true,
  2. Configure the Identity Provider (IdP) in the following configuration files, under the ssoConfiguration section:

    For example, you can use the following steps to configure WSO2 Identity Server (IS) as an Identity Provider (IdP). For more information on configuring IS, see enabling SSO for WSO2 servers.

    • config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.

    • store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory.
    • publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory. 

     Click here for IdP related property definitions.

    The IdP related property definitions are as follows:

    • IdentityProviderURL - Provide the URL that defines where the user should navigate when signing in.

    • keyStorePassword - Provide the Key Store password.

    • identityAlias - Provide the Key Store identity alias or username.

    • keyStoreName - Provide the Identity Providers (e.g., WSO2 IS) public key value.

      The keyStorePassword and identityAlias are defined under <KeyStore> in the carbon.xml file, which is in the <EMM_HOME>/repository/conf directory.

       Click here for to view the KeyStore attributes.
      <KeyStore>
         <!-- Keystore file location-->
         <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
         <!-- Keystore type (JKS/PKCS12 etc.)-->
         <Type>JKS</Type>
         <!-- Keystore password-->
         <Password>wso2carbon</Password>
         <!-- Private Key alias-->
         <KeyAlias>wso2carbon</KeyAlias>
         <!-- Private Key password-->
         <KeyPassword>wso2carbon</KeyPassword>
      </KeyStore>
    • storeAcs - Provide the Assertion Consumer URL, which is the redirecting URL, for the Store.

    • publisherAcs - Provide the Assertion Consumer URL, which is the redirecting URL, for the Publisher.

    By default, an Identity Provider (IdP) has been bundled with the EMM binary pack. If you wish to use this default IdP in EMM, modify the host/ip to the Server IP. If you wish to use your own IdP, modify the host/ip to your own IdP's host in the following files:

  3. Update the SSO related IDP configurations in the sso-idp-config.xml  file, which is in the  <EMM_HOME>/repository/conf/identity  directory, by updating all the entries that state localhost to your IDP's IP address or domain.

     <ServiceProvider>
          <Issuer>mdm</Issuer>
          <AssertionConsumerServiceURLs>
             <AssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</AssertionConsumerServiceURL>
          </AssertionConsumerServiceURLs>
          <DefaultAssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</DefaultAssertionConsumerServiceURL>
          <SignAssertion>true</SignAssertion>
          <SignResponse>true</SignResponse>
          <EnableAttributeProfile>false</EnableAttributeProfile>
          <IncludeAttributeByDefault>false</IncludeAttributeByDefault>
          <Claims>
             <Claim>http://wso2.org/claims/role</Claim>
             <Claim>http://wso2.org/claims/emailaddress</Claim>
          </Claims>
          <EnableSingleLogout>false</EnableSingleLogout>
          <SingleLogoutUrl />
          <EnableAudienceRestriction>true</EnableAudienceRestriction>
          <EnableRecipients>true</EnableRecipients>
          <AudiencesList>
             <Audience>https://localhost:9443/oauth2/token</Audience>
          </AudiencesList>
          <RecipientList>
             <Recipient>https://localhost:9443/oauth2/token</Recipient>
          </RecipientList>
          <ConsumingServiceIndex />
       </ServiceProvider>
       <ServiceProvider>
          <Issuer>store</Issuer>
          <AssertionConsumerServiceURLs>
             <AssertionConsumerServiceURL>https://localhost:9443/store/acs</AssertionConsumerServiceURL>
          </AssertionConsumerServiceURLs>
          <DefaultAssertionConsumerServiceURL>https://localhost:9443/store/acs</DefaultAssertionConsumerServiceURL>
          <SignResponse>true</SignResponse>
          <CustomLoginPage>/store/login.jag</CustomLoginPage>
       </ServiceProvider>
       <ServiceProvider>
          <Issuer>social</Issuer>
          <AssertionConsumerServiceURLs>
             <AssertionConsumerServiceURL>https://localhost:9443/social/acs</AssertionConsumerServiceURL>
          </AssertionConsumerServiceURLs>
          <DefaultAssertionConsumerServiceURL>https://localhost:9443/social/acs</DefaultAssertionConsumerServiceURL>
          <SignResponse>true</SignResponse>
          <CustomLoginPage>/social/login</CustomLoginPage>
       </ServiceProvider>
       <ServiceProvider>
          <Issuer>publisher</Issuer>
          <AssertionConsumerServiceURLs>
             <AssertionConsumerServiceURL>https://localhost:9443/publisher/acs</AssertionConsumerServiceURL>
          </AssertionConsumerServiceURLs>
          <DefaultAssertionConsumerServiceURL>https://localhost:9443/publisher/acs</DefaultAssertionConsumerServiceURL>
          <SignResponse>true</SignResponse>
          <CustomLoginPage>/publisher/controllers/login.jag</CustomLoginPage>
       </ServiceProvider>
  4. Enable authentication session persistence by uncommenting the following configuration in the <EMM_HOME>/repository/conf/identity.xml file, under the Server and JDBCPersistenceManager elements.

    <SessionDataPersist>
        <Enable>true</Enable>
        <RememberMePeriod>20160</RememberMePeriod>
        <CleanUp>
            <Enable>true</Enable>
            <Period>1440</Period>
            <TimeOut>20160</TimeOut>
        </CleanUp>
        <Temporary>false</Temporary>
    </SessionDataPersist>
     Click here for more information on the configurations.
    Configuration elementDescription

    Enable

    This enables the persistence of session data. Therefore, this must be configured to true if you wish to enable session persistence.

    RememberMePeriod

    This is the time period (in minutes) that the remember me option should be valid. After this time period, the users are logged out even if they enable the remember me option. The default value for this configuration element is 2 weeks.

    CleanUp

    This section of the configuration is related to the cleaning up of session data. The cleanup task runs on a daily basis (once a day) by default unless otherwise configured in the Period tag. When this cleanup task is executed, it removes session data that is older than 2 weeks, unless otherwise specified in the TimeOut tag. 

    Enable

    Selecting true here enables the cleanup task and ensures that it starts running.

    Period

    This is the time period (in minutes) that the cleanup task would run. The default value is 1 day.

    TimeOut

    This is the timeout value (in minutes) of the session data that is removed by the cleanup task. The default value is 2 weeks.

    Temporary

    Setting this to true enables persistence of temporary caches that are created within an authentication request.

Enabling Dashboard Server Communication

The WSO2 EMM administrators can monitor devices by accessing the portal dashboard. Before accessing the dashboard you need to configure the dashboard server to communicate with external OAUTH protected APIs that will be accessed by its gadgets.

  1. Configure <ServerRoles> that is in the <EMM_HOME>/repository/conf/carbon.xml file by adding the CDMFPlatform role.

    <ServerRoles>
       <Role>EMMPlatform</Role>
       <Role>CDMFPlatform</Role>
    </ServerRoles>
  2. Configure the designer.json file that is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/portal/configs directory as follows:

    1. If you have enabled SSO for WSO2 EMM, you need to define sso as the value for activeMethod under authorization else, you can define the activeMethod as basic.

      For more information on enabling sso, see the WSO2 Dashboard Server documentation on Enabling SSO in WSO2 DS.

      Example:

       


       

       

       

    2. Configure the authorization attributes.

        "authorization":{  
         "activeMethod":"oauth",
         "methods":{  
            "oauth":{  
               "attributes":{  
                  "idPServer":"%https.ip%/oauth2/token",
                  "dynamicClientProperties":{  
                     "callbackUrl":"%https.ip%/portal",
                     "clientName":"portal",
                     "owner":"admin",
                     "applicationType":"JaggeryApp",
                     "grantType":"password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer",
                     "saasApp":false,
                     "dynamicClientRegistrationEndPoint":"%https.ip%/dynamic-client-web/register/",
                     "tokenScope":"Production"
                  }
               }
            }
         }
      }
      PropertyDescriptionData
      Type 
      Example
      activeMethodDefine the method that needs to be made active from the available authorization methods. In this case you need to define the active mode as OAuth.YesStringOAuth
      idPServer

      Define the Identity Provider URL by replacing %https.ip% with https://<EMM_HOST>:<EMM_PORT>.

      The default value for <EMM_HOST> is localhost and if you have not port offset WSO2 EMM, the default <EMM_PORT> is 9443.

      YesString
      localhost:9443/oauth2
      /token
      callbackURL

      Define the callback URL by replacing %https.ip% with the https://<EMM_HOST>:<EMM_PORT>.

      The default value for <EMM_HOST> is localhost and if you have not port offset WSO2 EMM, the default <EMM_PORT> is 9443.

      YesString
      localhost.9443/portal
      clientNameDefine the OAuth application name.YesString
      portal
      ownerDefine the username of the owner of the application. Inthisusecaseit is the administrator.YesString
      admin
      applicationTypeThe default application type is a jaggery application. If you wish to change it, you need to update this field with the respective application type.YesString
      JaggeryApp
      grantTypeIn this use case, out of the six OAuth 2.0 grant types WSO2 EMM uses the password refresh_token and the saml2-bearer grant types. You can add more grant types as space separated values. If you configured WSO2 EMM for SSO authentication, the saml2-bearer grant type will be used and if you configured WSO2 EMM for basic authentication, the password refresh_token grant type will be used.YesString
      password
      saasAppDefine if this application is a Software as a Service (SaaS) application or not, by defining true or false as the respective values.YesBooleanfalse

      dynamicClientRegistrationEndPoint

      Define the dynamic client registration endpoint by replacing %https.ip% with the https://<EMM_HOST>:<EMM_PORT>.

      The default value for <EMM_HOST> is localhost and if you have not port offset WSO2 EMM, the default <EMM_PORT> is 9443.

      YesString
      localhost:9443/dynamic-client
      -web/register/
      tokenScopeDefine the scope of the issued access token. It is used to limit the authorization granted to the client by the resource owner.YesString
      Production
  3. Optionally, if you configured the authentication method as sso, you need to register the portal application as a service provider. For more information, see the WSO2 Dashboard Server documentation on configuring SSO in DS.

Once you have configured WSO2 EMM to enable communication with dashboard server, you can access the WSO2 EMM device monitoring dashboard.

What's next

  • Do you want to register Android devices with WSO2 EMM? If yes, configure WSO2 EMM as explained in the Android Configurations guide.
  • Do you want to register iOS devices with WSO2 EMM? If yes, configure WSO2 EMM as explained in the iOS Configurations guide.
  • Do you want to register Windows devices with WSO2 EMM? If yes, configure WSO2 EMM as explained in the Windows Configurations guide.
  • No labels