
ManageEngine Desktop Central. Mobile Device Management User Guide


Contents

1 Mobile Device Management
1.1 Supported Devices
1.2 What Management Operations you can Perform?
2 Setting Up MDM
3 Creating APNs Certificate
3.1 Creating a Certificate Signing Request (CSR)
3.2 Getting CSR Signed by Zoho Corporation
3.3 Uploading Signed Certificate to Apple Push Notification Portal
3.4 Completing the CSR and generating APNs Certificate
3.5 Upload the APNs Certificate in Desktop Central
4 MDM - Device Enrollment
4.1 Enrolling Devices
4.2 Troubleshooting Tips
5 MDM - Device Management
5.1 Overview
5.2 Configuration Workflow
5.3 Supported Configurations
5.4 Creating Configuration Profiles
5.5 Modifying a Profile
5.6 Creating Device Group
5.7 Associating Profiles to Group
5.8 Associating Profiles to Devices

1 Mobile Device Management

Desktop Central MDM simplifies the work of administrators by using a single console to manage desktops, laptops, servers, and mobile devices. Desktop Central MDM can be used to deploy configuration settings, security commands and retrieve asset data over-the-air (OTA).

1.1 Supported Devices

The current version supports managing the following iOS devices running iOS versions 4.0 and above:

• iPhone
• iPad
• iPod Touch

1.2 What Management Operations you can Perform?

The first version will support Over-the-Air (OTA) device configuration tasks such as

• Enabling Passcode
• Imposing Restrictions
• Configuring Email
• Enabling Exchange ActiveSync
• Webclips
• VPN and Wifi Settings

Executing Security Commands like,

• Erasing the device data
• Erasing Corporate Data
• Clearing the Passcode

Asset Information that include,

2 Setting Up MDM

Before we set up Mobile Device Management, let us first understand the architecture behind managing mobile devices over-the-air (OTA). The diagram below depicts the MDM architecture in Desktop Central.

Desktop Central - Mobile Device Communication

• Any communication from Desktop Central to the device is routed through the Apple Push Notification service (APNs) via TCP port 2195.
• Devices maintain a dedicated TCP connection with APNs at TCP port 5223. When there is a live connection, APNs wakes up the device. This is the default behavior of iOS devices.
• The device communicates with the Desktop Central Server for available instructions at port 8020/8383.
• The device executes the instructions and reports back to the Desktop Central Server with the status/data at port 8020/8383.

For the above setup to work, the following should be done:


Server is installed. If all the devices managed are within the LAN, this requirement is not needed.

• The Desktop Central Server should be able to reach APNs via TCP port 2195. If you have a firewall running on the Desktop Central Server, make sure that you open this port in addition to the default Desktop Central ports.
• If the mobile devices connect to the internet via WiFi, you should allow them to maintain a dedicated outbound TCP connection with APNs at port 5223. For better security, you can restrict these connections to the IP range 17.0.0.0/8. If all the managed devices have access to a cellular data network, this requirement is not needed.

When you are installing Desktop Central within the LAN and routing the requests using a public IP, you should also configure the NAT Settings in Desktop Central so that all requests from Desktop Central are sent using the public IP. To configure NAT Settings, follow the steps below:

1. Select the MDM tab and click the NAT Settings link available under Settings in the left pane.
2. The details of the Desktop Central Server and the ports are pre-filled based on your current setup.
3. Provide the public IP and the ports that you wish to use and click Save.
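The server-side flows listed in this section, expressed as Windows Firewall rules followed by a listing of every enabled allow rule that touches the MDM ports. This is an added example, not part of the original guide or of ManageEngine's tooling. The rule names are hypothetical, and applying 17.0.0.0/8 to port 2195 is an assumption, since the guide states that range only for port 5223.

```powershell
#Requires -RunAsAdministrator
# Added example: Windows Firewall on the Desktop Central server.
$ApnsRange   = '17.0.0.0/8'   # Apple range quoted in this guide
$ServerPorts = 8020, 8383     # Desktop Central ports quoted in this guide

# Server -> APNs on TCP 2195. An outbound allow rule only has an effect
# where the profile's default outbound action is Block.
New-NetFirewallRule -DisplayName 'DC-MDM APNs outbound (example)' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemotePort 2195 -RemoteAddress $ApnsRange | Out-Null

# Devices -> server on TCP 8020/8383.
New-NetFirewallRule -DisplayName 'DC-MDM device check-in (example)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $ServerPorts | Out-Null

# List every enabled allow rule that names one of the MDM ports, so that a
# wider pre-existing rule (for example, any remote address on 2195) shows up.
# Rules that cover the ports through a range such as 8000-9000 are not matched.
$mdmPorts = '2195', '8020', '8383'
Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
    $rule  = $_
    $ports = $rule | Get-NetFirewallPortFilter
    $addr  = $rule | Get-NetFirewallAddressFilter
    $named = @($ports.LocalPort) + @($ports.RemotePort)
    if ($named | Where-Object { $_ -in $mdmPorts }) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Direction     = $rule.Direction
            LocalPort     = $ports.LocalPort -join ','
            RemotePort    = $ports.RemotePort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    }
} | Format-Table -AutoSize
```

The port 5223 restriction applies to the network the devices use, so it belongs on the WiFi egress firewall rather than on the server.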


3 Creating APNs Certificate

Creating APNs certificate involves the following sequence of steps:

1. Creating a Certificate Signing Request (CSR)
2. Getting CSR Signed by Zoho Corporation
3. Uploading Signed Certificate to Apple Push Notification Portal
4. Completing the CSR and generating APNs Certificate
5. Upload the APNs Certificate in Desktop Central

3.1 Creating a Certificate Signing Request (CSR)

1. Open a command prompt as an administrator on the computer where Desktop Central is installed and change directory to the <Product-Install-Dir>/ManageEngine/DesktopCentral_Server/bin directory.
2. Execute the bat file MdmCreateCSR.bat to create a CSR. A new window opens; answer the following questions to create a CSR:
   1. Country Name (2 letter Code): Enter the 2 letter code of your country (for example US for United States)
   2. State or Province Name (full name): Enter the name of the state or province (for example Texas)
   3. Locality Name: Name of the locality (for example Dallas)
   4. Organizational Name: Name of your company (for example Zoho Corp.)
   5. Organizational Unit Name: Name of your department (for example Finance Department)
   6. Common Name: A unique name to identify your company (for example ManageEngine)
   7. Email Address: Enter the company Email address (for example contact@zohocorp.com)
   8. A Challenge Password: do not enter any password; skip this step by pressing Enter.

Now, the CSR has been created successfully. Two files, customer.csr and CustomerPrivateKey.key, will be available in your <Product-Install-Dir>/ManageEngine/DesktopCentral_Server/bin directory.

3.2 Getting CSR Signed by Zoho Corporation

3.3 Uploading Signed Certificate to Apple Push Notification Portal

Warning: DO NOT use the Internet Explorer browser to upload the signed certificate.

1. Go to https://identity.apple.com/pushcert/ (Apple Push Certificate Portal website) to create the APNs
2. Sign in using your Apple ID and password. An Apple Developer Account or Enterprise Account is not mandatory; any Apple ID or Apple Account can be used. If you do not have an Apple ID, create one from https://appleid.apple.com
3. Once logged in, choose "Create Certificate".
4. After reading the terms and conditions, click Accept to proceed.
5. Upload the signed certificate that you received from Desktop Central Support.
6. A new certificate for managing the iOS devices will appear in the portal.
7. Select to download the Apple-signed certificate. Ensure that the correct Apple-signed certificate is downloaded; it will be saved as MDM_ Zoho Corporation_Certificate.pem.

3.4 Completing the CSR and generating APNs Certificate

1. Open a command prompt on the computer where Desktop Central is installed and change directory to the <Product-Install-Dir>/ManageEngine/DesktopCentral_Server/bin directory.
2. Copy the downloaded MDM_ Zoho Corporation_Certificate.pem to the directory <Product-Install-Dir>/ManageEngine/DesktopCentral_Server/bin.
3. Execute the command to export the APNs certificate:

   "..\apache\bin\openssl" pkcs12 -export -out APNSCertificate.p12 -inkey customerPrivateKey.key -in "MDM_ Zoho Corporation_Certificate.pem"

4. It will prompt for a password. This password should be used when you import the APNs Certificate in the Desktop Central Console.

Now, APNSCertificate.p12 has been successfully generated. The certificate is available under <Product-Install-Dir>/ManageEngine/DesktopCentral_Server/bin.
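A check worth running before the export in step 3, as an added example that is not part of the original guide: it confirms that the Apple-signed certificate carries the public key of the private key created in 3.1, prints the expiry date, and lists who besides administrators can read the key material. It assumes an RSA key and the file names used in the export command; the 30-day threshold is an arbitrary choice.

```powershell
# Added example, not from the guide. Run it from
# <Product-Install-Dir>\ManageEngine\DesktopCentral_Server\bin
$OpenSsl  = '..\apache\bin\openssl'                  # path used in step 3
$KeyFile  = 'customerPrivateKey.key'                  # created in 3.1
$CertFile = 'MDM_ Zoho Corporation_Certificate.pem'   # downloaded in 3.3
$WarnDays = 30                                        # arbitrary threshold

function Get-PublicKeyPem {
    param([string[]]$OpenSslArgs)
    # Run openssl and return the PEM public key it writes to stdout.
    $out = & $OpenSsl @OpenSslArgs 2>$null
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    ($out -join "`n").Trim()
}

# 1. The certificate and the private key must be the same key pair
#    (assumption: the key is RSA).
$fromCert = Get-PublicKeyPem -OpenSslArgs 'x509', '-in', $CertFile, '-noout', '-pubkey'
$fromKey  = Get-PublicKeyPem -OpenSslArgs 'rsa', '-in', $KeyFile, '-pubout'
if ($fromCert -ne $fromKey) {
    throw "$CertFile was not issued for $KeyFile; do not export."
}
'Key pair matches.'

# 2. Show subject and expiry, and warn if the certificate expires soon.
& $OpenSsl x509 -in $CertFile -noout -subject -enddate
& $OpenSsl x509 -in $CertFile -noout -checkend ($WarnDays * 86400) | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Certificate expires within $WarnDays days."
}

# 3. List ACL entries other than Administrators/SYSTEM on the private key
#    and on the exported .p12 (if it already exists). Group names differ on
#    localized Windows installations.
foreach ($f in $KeyFile, 'APNSCertificate.p12') {
    if (Test-Path -LiteralPath $f) {
        (Get-Acl -LiteralPath $f).Access |
            Where-Object { $_.IdentityReference -notmatch 'Administrators|SYSTEM' } |
            Select-Object @{ n = 'File'; e = { $f } }, IdentityReference, FileSystemRights
    }
}
```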

3.5 Upload the APNs Certificate in Desktop Central

1. Log in to the ManageEngine Desktop Central Web Console.
2. Go to MDM -> Settings -> APNs Certificate.
3. Upload the exported APNSCertificate.p12 certificate from <Product-Install-Dir>/ManageEngine/DesktopCentral_Server/bin and provide the password that you provided while exporting the certificate.
4. Select Save.

4 MDM - Device Enrollment

Now that you have the setup ready and have uploaded the APNs certificate, you can enroll the devices that have to be managed using Desktop Central. To enroll a device, a profile has to be manually installed on every managed device. The administrator can generate an enrollment request from Desktop Central, which will send an email notification to the user to install the profile on their devices. The users will be authenticated while installing the profile. The authentication can be a unique passcode, the user's domain credentials, or a combination of both. The authentication level can be configured from MDM --> Authentication, and the default authentication is Unique Passcode.

4.1 Enrolling Devices

To enroll the mobile device, follow the steps below:

1. Click on the MDM tab on the Desktop Central Console.
2. Under Settings, click Enrollment.
3. Click Enroll Device and specify the following:
   1. Device Name - Name of the device that needs to be enrolled.
   2. UDID - Unique Device Identifier. This is optional and can be left blank if not known.
   3. Email address - Email address of the user who will receive the enrollment request. This is mandatory.
   4. Owned By - Specify who owns the device as Corporate or Personal (BYOD).
   5. Click Enroll.
4. Repeat the above steps for enrolling more devices.

After enrollment, the user will receive an email with the authentication passcode, enrollment instructions and the link to download the profile. Users need to manually install the enrollment request. Once the device is enrolled, it will be reflected in the Devices tab in the Desktop Central MDM console under Manage Devices and Profiles.

Note: You should have configured the Mail Server Settings to enable Desktop Central to send enrollment requests to users via email.

2. Clicking the link in the email will open a window to accept the passcode.

3. The user should specify the passcode received in the email and click Continue. It will validate the passcode and present a confirmation screen. Click Continue.

5. It will display a warning message. Read and click Install.

7. Click Done to view the enrollment status.

4.2 Troubleshooting Tips

Users did not receive the Enrollment Request via Email

Check whether you have configured the Mail Server settings.

Users are unable to access the URL sent via Email

• Desktop Central server is not running or not accessible by the users.
• Check if a firewall running on the Desktop Central Server is blocking the communication (at port 8020/8383).
• If the users are outside the LAN, they should be able to reach the Desktop Central Server via the public IP. Check whether the NAT Settings are configured in Desktop Central (MDM --> NAT Settings).

Users have installed the profile, but their devices are not seen in Desktop Central

• The device is not able to reach APNs. Check whether your WiFi allows communication at port 5223.

5 MDM - Device Management

5.1 Overview

After you enroll the devices to be managed, you can then manage them by pushing configuration from Desktop Central. Every configuration to the device is sent via a configuration profile that you create in Desktop Central.

5.2 Configuration Workflow

Before we get on with the steps to configure a device, it is better to understand the workflow of MDM configurations:

• Every configuration is sent as a profile; a single profile can include multiple configurations. Refer below for the details of configurations that you can perform using Desktop Central.
• The profile is then associated to a device to which the configurations have to be applied.
• You can create a group that contains multiple devices and can associate a profile. When you associate a profile to a group, all the devices in the group will receive the configuration. This lets you push configurations based on the user profiles/departments.

5.3 Supported Configurations

With Desktop Central, you will be able to perform the following configurations to your mobile devices:

• Passcode - Set simple or alpha-numeric passcode to devices
• Restrictions - Impose restrictions on a device such as allow/restrict installing apps, use of camera, voice dialling, use of applications such as YouTube, iTunes, etc., backup data to iCloud, etc.
• Wi-Fi - Configure Wi-Fi settings for devices to connect to internet/intranet
• VPN - Configure VPN settings to connect to the LAN from remote
• Email - Configure email settings to access corporate email accounts
• Exchange ActiveSync - Access email accounts using Microsoft Exchange
• LDAP - Configure LDAP settings
• CalDAV - To create a CalDAV account
• Subscribed Calendars - To add subscribed calendars
• CardDAV - To create a CardDAV account
• Web Clips - To create shortcuts for Web applications or Websites.

5.4 Creating Configuration Profiles

1. Select the MDM tab and click Devices and Profiles from the left panel.
2. Select the Profiles tab. This will list all the profiles that have been created already.
3. Click Create Profile and provide the basic information of the profile as below:
   1. Name of the Profile - Unique name to identify a profile
   2. Description - A brief description of a profile
   3. Profile Type - Different profiles have to be created for different mobile OSes. Select the mobile OS for which you create a profile.
4. Click Continue.
5. Select the configurations list from the left pane and specify the details. You will have to save the individual configurations before you move on to the next configuration within the same profile.
6. After specifying the required configurations, click Publish.

Note: A published profile is not applied to any of the devices until it is associated with the devices or groups.

5.5 Modifying a Profile

To modify a profile,

1. Select the MDM tab and click Devices and Profiles from the left panel.
2. Select the Profiles tab. This will list all the profiles that have been created already.
3. Click the Modify Profile icon from the actions column of the profile that you wish to modify and change the required configurations. You can add or remove configurations from the profile.
4. After making the required changes, click Publish.

Note: When a profile is modified and published, it is not applied to the devices to which it was applied before. You would need to associate the profile to the devices/groups again to apply the configurations.

When the modified profile is applied to a device to which the previous version of the profile was applied, the configurations are overwritten with the new changes. If you have removed any configuration, the previous ones will be reverted from the devices.

5.6 Creating Device Group

A group is a logical grouping of managed devices to which a configuration can be applied. A device can belong to multiple groups. Groups facilitate applying the same configuration profiles to multiple devices. To create a group,

1. Select the MDM tab and click Devices and Profiles from the left panel.
2. Select the Groups tab. This will list the groups that have been created already.
3. Click Create Group and provide a name for the group.
4. Select the Group Type as iOS or Android. A group cannot have devices from different OSes.
5. From the list of available devices, select the devices you wish to add to the group and move them to the Added Devices.
6. Click Create Group.

5.7 Associating Profiles to Group

1. Select the MDM tab and click Devices and Profiles from the left panel.
2. Select the Groups tab.
3. Select the Groups that you wish to associate to a profile and click Associate Profile.
4. The Available Profiles will list all the profiles that have been published. If you have modified a profile and published it, only the latest version of the profile will be listed here. Select the profiles that you wish to associate, move them to Added Profiles and click Save.

5.8 Associating Profiles to Devices

1. Select the MDM tab and click Devices and Profiles from the left panel.
2. Select the Devices tab. This will list all the devices that have been enrolled.
3. Select the devices to which you wish to associate a profile and click Associate Profile.
4. The Available Profiles will list all the profiles that have been published. If you have modified a profile and published it, only the latest version of the profile will be listed here. Select the profiles that you wish to associate, move them to Added Profiles and click Save.

6 MDM - Reports

Desktop Central MDM provides a wide range of reports, which are listed below:

• Apps by Devices - All the managed devices are listed by the Apps installed on them.
• Device With/Without Specific Apps - Devices can be sorted by verifying the availability of Apps installed on them.
• Devices by Model - Devices are listed by their models.
• Devices by Passcode Type - Devices are listed by their authentication level / passcode type.
• Devices by Enrollment Time - Devices are listed by their timeline from enrollment.
• Inactive Devices - All inactive devices that are enrolled will be listed.

To view the reports, follow the steps mentioned below:

1. Click on the MDM tab.
2. Select the Inventory section.
3. By hovering the mouse over MDM Reports you will find the list of reports available.
4. Choose the report that you want to view.
