Windows Configurations
Overview
The EMM client sends requests to the EMM server through a proxy server. For each device request, the Windows EMM protocol constructs a URI whose host name is formed by appending the domain of the email address to the subdomain enterpriseenrollment. Therefore, you can either purchase a domain name or create a DNS entry in the http://enterpriseenrollment.<EMAIL_DOMAIN> format.
Example: Discover the EMM server by sending a request through: http://enterpriseenrollment.<EMAIL_DOMAIN>/EnrollmentServer/Discovery.svc
As the EMM server cannot create Windows service endpoints, it is advisable to use a proxy server between the device and the EMM server.
The proxy server redirects the device requests to the EMM server endpoints. As the proxy directly contacts the EMM server, you need to configure the SSL Configuration to maintain a secure message flow.
Refer to the Windows Device Enrolment Process Message Flow to identify the message flow from a Windows mobile device to the WSO2 EMM Server through the Proxy Server.
Configure the Proxy server
Any preferred server can be used as a proxy server between the device and the EMM server. The steps documented below are only an example of how to configure the proxy server by using the Apache2 HTTP Server. The Apache Server can be configured in the forward or reverse proxy (also known as gateway) mode. The reverse proxy mode is used to configure Apache2. You can download the Apache2 HTTP Server from here.
Follow the steps given below to configure the proxy server:
Step 1: Configure reverse proxy
A reverse proxy (or gateway) appears to the client like an ordinary web server, with no special configuration required for the client. Ordinary requests for content are made by the client through the name-space. The reverse proxy redirects the requests, and returns the required output.
The following modules are required to configure the reverse proxy:
- mod_proxy.so: This module deals with proxying in Apache.
- mod_proxy_http.so: This module handles connections with both the HTTP and HTTPS protocols.
Navigate to the /etc/apache2 directory and use the following commands to enable the above modules:
cd /etc/apache2
a2enmod proxy_http
Configure the proxy.conf file that is in the /etc/apache2/mods-available directory by adding the configurations given below to the end of the file.
ServerName localhost
ProxyRequests off
ProxyPreserveHost off
<Proxy *>
    Order deny,allow
    #Deny from all
    Allow from all
</Proxy>
ProxyPass /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc http://<server-ip>:<server-port>/mdm-windows-agent/services/certificatepolicy/xcep
ProxyPassReverse /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc http://<server-ip>:<server-port>/mdm-windows-agent/services/certificatepolicy/xcep
ProxyPass /ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc http://<server-ip>:<server-port>/mdm-windows-agent/services/deviceenrolment/wstep
ProxyPassReverse /ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc http://<server-ip>:<server-port>/mdm-windows-agent/services/deviceenrolment/wstep
ProxyPass /Syncml/initialquery http://<server-ip>:<server-port>/mdm-windows-agent/services/syncml/devicemanagement/request
ProxyPassReverse /Syncml/initialquery http://<server-ip>:<server-port>/mdm-windows-agent/services/syncml/devicemanagement/request
ProxyPass /ENROLLMENTSERVER/ONPREMISE/PolicyEnrollmentWebservice.svc http://<server-ip>:<server-port>/mdm-windows-agent/services/certificatepolicy/xcep/onpremise
ProxyPassReverse /ENROLLMENTSERVER/ONPREMISE/PolicyEnrollmentWebservice.svc http://<server-ip>:<server-port>/mdm-windows-agent/services/certificatepolicy/xcep/onpremise
ProxyPass /ENROLLMENTSERVER/ONPREMISE/DeviceEnrollmentWebservice.svc http://<server-ip>:<server-port>/mdm-windows-agent/services/deviceenrolment/wstep/onpremise
ProxyPassReverse /ENROLLMENTSERVER/ONPREMISE/DeviceEnrollmentWebservice.svc http://<server-ip>:<server-port>/mdm-windows-agent/services/deviceenrolment/wstep/onpremise
ProxyPass /emm http://<server-ip>:<server-port>/emm
ProxyPassReverse /emm http://<server-ip>:<server-port>/emm
The default <server-ip>:<server-port> is localhost:9443.
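A consistency check for the ProxyPass and ProxyPassReverse mappings above, as an added example that is not part of the original documentation or of WSO2's own tooling. The function name audit_proxy_conf, the sample configuration and the host emm.example.internal are constructed for illustration; the check reports directives with a missing path, unpaired mappings, forward proxying left on, and cleartext HTTP to a non-loopback backend.

```python
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the Syncml reverse mapping has lost its path and the
# /emm backend is a remote host reached over plain HTTP.
SAMPLE_CONF = """\
ProxyRequests off
ProxyPass /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc http://localhost:9443/mdm-windows-agent/services/certificatepolicy/xcep
ProxyPassReverse /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc http://localhost:9443/mdm-windows-agent/services/certificatepolicy/xcep
ProxyPass /Syncml/initialquery http://localhost:9443/mdm-windows-agent/services/syncml/devicemanagement/request
ProxyPassReverse http://localhost:9443/mdm-windows-agent/services/syncml/devicemanagement/request
ProxyPass /emm http://emm.example.internal:9443/emm
ProxyPassReverse /emm http://emm.example.internal:9443/emm
"""

def audit_proxy_conf(text):
    """Return a list of findings for a mod_proxy reverse-proxy configuration."""
    findings, passes, reverses = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "proxyrequests" and len(parts) > 1 and parts[1].lower() == "on":
            findings.append("ProxyRequests on: forward proxying is enabled")
        elif name in ("proxypass", "proxypassreverse"):
            # Both directives take a local path first, then the backend URL.
            if len(parts) < 3 or not parts[1].startswith("/"):
                findings.append(f"malformed directive: {line}")
                continue
            (passes if name == "proxypass" else reverses)[parts[1]] = parts[2]
    for path, backend in passes.items():
        if path not in reverses:
            findings.append(f"{path}: no matching ProxyPassReverse")
        elif reverses[path] != backend:
            findings.append(f"{path}: ProxyPassReverse points to a different backend")
        url = urlsplit(backend)
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(f"{path}: cleartext HTTP to {url.hostname}")
    for path in sorted(reverses.keys() - passes.keys()):
        findings.append(f"{path}: ProxyPassReverse without ProxyPass")
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF):
        print(finding)
```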
Step 2: Configure the Rewrite engine
The first GET and POST HTTP requests are received by the same MDM endpoint and the rewrite conditions filter the device requests. By default, the Apache Rewrite engine is disabled.
Follow the steps given below to enable the Rewrite engine when running on Ubuntu:
- Invoke the rewrite rules:
  - Create a .htaccess file in the /var/www/ directory with the specific rewrite rules. See the example given below for the rewrite rules.
  - Enable the mod_rewrite module.
sudo a2enmod rewrite
- Configure the 000-default file, which is in the /etc/apache2/sites-enabled directory.
This step is required because the location of these configurations differs between Apache versions. In the older Apache versions, all virtual host directory directives were managed in the apache2.conf file, which is in the /etc/apache2 directory. In the Apache 2.4.7 version this has changed and the alterations are handled within the /etc/apache2/sites-enabled directory.
Change the value assigned to AllowOverride from None to All under <Directory />.
AllowOverride All
Configure the content under <Directory /var/www/>. If the 000-default file does not contain the Directory tag, you need to add it to the file as shown below:
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
    Order allow,deny
    allow from all
</Directory>
- Restart the Apache server.
sudo service apache2 restart
Step 3: SSL configurations for Apache2
An SSL certificate is used to encrypt the information of a site and create a secure connection.
Follow the steps given below to configure SSL for Apache2:
SSL support is available as a standard on the Ubuntu 14.04 Apache package.
Enable the SSL Module.
sudo a2enmod ssl
Create a subdirectory named ssl within the Apache server configuration hierarchy to place the certificate files.
sudo mkdir /etc/apache2/ssl
The EMM certificate must be generated from a trusted authority.
Once you have the EMM certificate and key available, configure the Apache server to use these files in a virtual host file. For more information, see how to set up Apache virtual hosts.
Configure the default-ssl.conf file, which is in the /etc/apache2 directory and contains the default SSL configurations.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/<COMPANY_CERTIFICATE>
# SSLCertificateKeyFile takes the private key that matches the certificate
SSLCertificateKeyFile /etc/apache2/ssl/<COMPANY_PRIVATE_KEY>
SSLCACertificateFile /etc/apache2/ssl/<COMPANY_ROOT_CERTIFICATE>
Example:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/star_wso2_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/star_wso2_com.key
SSLCACertificateFile /etc/apache2/ssl/DigiCertCA.crt
Enable the SSL-enabled virtual host that you configured in the above step.
sudo a2ensite default-ssl.conf
Restart the Apache server to load the new virtual host file.
sudo service apache2 restart
You are not required to perform any additional steps to configure the Windows client.
What's next
- Configure the Windows Platform settings. For more information, see Windows Platform Configurations.
- Register Windows devices with EMM. For more information, see Registering a Windows Device Using the QR Code.