
Mobility Manager 9.0

Installation Guide


Copyright © 2002-2012, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others.

LANDesk does not warrant that this document is error free and retains the right to make changes to this document or related product specifications and descriptions at any time without notice. LANDesk does not assume any obligation to update the information contained herein. This document is provided “AS IS” and without any guaranty, warranty, or license, express or implied, including but not limited to: fitness for a particular purpose, merchantability, non infringement of intellectual property, or other rights of any third party. Any LANDesk products referenced in this document are not intended for use in medical, life saving, or life sustaining applications. Third parties may have intellectual property rights relevant to this document and the technologies discussed herein.

Last updated: 11/6/2012


Contents

Introduction to the LANDesk Mobility Manager 9.0 installation
  Scope
  Assumptions
LANDesk Mobility Manager overview and prerequisites
  Mobility Manager components and architecture
  Installation prerequisites
  Configure DNS text records for agent enrollment
Setting up and configuring the MDM server
  Set up and configure the MDM server
  MDM server prerequisites
  Install the server agent
  Install the IIS role
  Install the .NET Framework 3.5.1 feature
  Install the MSMQ feature
  Set Up HTTPS
  Submit the certificate request for CA approval
  Complete the certificate request and bind to SSL
Obtaining certificates and keys for supported mobile devices
  Obtain an APNS certificate to support Apple iOS mobile devices
  Obtain a GCM key to support Android mobile devices
  Refer to the official Google instructions
Installing Mobility Manager on the servers
  Install Mobility Manager on the MDM server
  Install Mobility Manager on the core server
  Mobility Manager installation prerequisites
  Install Mobility Manager
  Reactivate your core server
  Understand and ensure installation of all required certificates
  MDM server certificates
  Core server certificates
Accessing and using Mobility Manager
  Access the Mobility tool in the console
  Configure enrollment profiles
  Enable users to see content in the LANDesk Portal
Appendix: About self-signed certificates NOT supported by LANDesk
  Self-signed certificates NOT supported by LANDesk
  Step 1: Create a certificate request
  Step 2: Submit a certificate request
  Step 3: Complete the certificate request
  Step 4: Add the signed authority for self-signed certificates
  Additional MDM server certificate required

Introduction to the LANDesk Mobility Manager 9.0 installation

The LANDesk® Mobility Manager 9.5 setup process consists of several installation and configuration steps. It requires planning and preparation as well as technical proficiency and some familiarity with LANDesk Management Suite concepts and tools.

This Installation Guide provides detailed instructions on how to perform each of these steps (or links to separate documents that describe third-party configuration procedures, such as creating and integrating certificates for various OS platforms, hosted on the LANDesk User Community).

With the LANDesk Mobility Manager tool you can discover, enroll, and manage end user mobile devices from your LDMS console. After installation and configuration is complete, go to the LANDesk Mobility Manager Users Guide for information on how to use the tool's features.

Scope

The scope of this guide is to walk LANDesk Administrators through the setup of LANDesk Mobility Manager on the MDM server and LANDesk core server. After the setup of the servers the administrator will be able to begin enrolling and managing iOS and Android devices via the LANDesk Management Suite console.

Assumptions

This document assumes the LANDesk Administrator has a working knowledge of LANDesk Management Suite as well as an understanding of certificates and Certificate Authority technology.

It's also assumed that the MDM server is placed in the corporate DMZ, and that appropriate networking is in place in order for the LANDesk core server to communicate with the MDM server on the ports listed later in this document.

LANDesk Mobility Manager overview and prerequisites

See the following topics for more information on LANDesk Mobility Manager features, components, architecture, and prerequisites for installation and configuration.

Mobility Manager components and architecture
Installation prerequisites
Configure DNS text records for agent enrollment

Mobility Manager components and architecture

The diagram below shows the components that need to be installed and configured in order to use LANDesk Mobility Manager.

Mobility Manager components and communication flow

A: Apple iOS devices, B: APNS (Apple Push Notification Service), C: Corporate DMZ, D: MDM server, E: LDMS 9.0 core server with LANDesk Mobility Manager 9.0, F: GCM (Google Cloud Messaging for Android), G: Android devices


Installation prerequisites

This section describes the hardware and software requirements for the servers, certificates, and firewall settings. You must comply with the following prerequisites in order to install, configure, and use LANDesk Mobility Manager.

MDM server prerequisites

• IMPORTANT: Windows Server 2008 R2 x64 as the server machine
• Dual processor
• 4 GB RAM
• 10 GB hard drive
• IIS role:
  ◦ Basic Authentication
  ◦ ASP.NET Role Service (in Server Manager > Roles > Web Server (IIS) > Role Services)
  ◦ IIS Management Tools
• MSMQ (Microsoft Message Queuing) feature
• .Net 3.5 feature
• LANDesk agent, which can be installed from:
  \\<core server name or IP address>\ldlogon\wscfg32.exe (NOTE: Deselect all options)
• Google Chrome or Apple Safari Web browser (NOTE: Needed for APNS certificate creation)

Core server prerequisites

• IMPORTANT: Windows Server 2008 R2 x64 as the server machine
• Additional 1 MB on the database for every 100 managed mobile devices
• Server joined to the AD domain
• Windows PowerShell 2.0 enabled on the server (NOTE: Should already be enabled by default on Windows Server 2008)
• LDMS 9.0 core server with the SP3 release installed or LDMS 9.5 core server installed
• MSMQ (Microsoft Message Queuing) feature
• Silverlight

General certificate prerequisites before installing Mobility Manager

• Apple APNS certificate:
  ◦ For instructions on obtaining an APNS certificate for Apple iOS mobile device support, go to:
    https://apnsportal.landesk.com
• Google Cloud Messaging (GCM) account:
  ◦ For instructions on obtaining a GCM (Google Cloud Messaging) account ID and API key for Android mobile device support, go to:
    http://developer.android.com/guide/google/gcm/gs.html
• Third-party signed certificate (VeriSign or some other Trusted Root vendor)

Firewall settings

• MDM server to Internet:
  ◦ APNS: 2195, 2196, 5223 (all TCP)
  ◦ GCM: 5228
  ◦ 443
• MDM server to LDMS core server:
  ◦ 80, 443
• LDMS core server to MDM server:
  ◦ 80, 443
• Internet to MDM server:
  ◦ 443 (enrollment)

Additional console prerequisites

• Windows PowerShell 2.0 enabled on the server
• .Net 3.5
• Silverlight

Configure DNS text records for agent enrollment

This procedure describes how to set up the Text Tag (TXT) record in DNS that maps the agent enrollment URL.

This record allows users to enroll Android or iOS mobile devices using their individual email addresses.

To configure DNS text records

1. Log in to the DNS server.

2. Click Start > Administrative Tools > DNS to run the DNS Manager utility.

3. From the DNS tree, navigate to the domain folder.

4. Right-click the folder and click Other New Records.

5. On the Resource Record Type dialog, select Text (TXT) from the list.

6. Click Create Record to open the New Resource Record dialog.

7. Leave the Record name field blank.

8. Create a DNS text record for Android by adding the following in the Text field:

android-mdm-enroll=https://<MDMserver>/mobileenrollment/ld-androidenroll.aspx

Example: https://mdm.domain.com/mobileenrollment/ld-androidenroll.aspx

9. Click OK to create the record.

10. Repeat steps 6-9 to create a DNS text record for iOS, but instead add the following in the Text field:

OSIAGENTREGURL=https://<MDMserver>/MobileEnrollment/ld-iosEnroll.aspx

11. Repeat steps 6-9 to create a DNS text record for LD Portal, but instead add the following in the Text field:

LDLAUNCHPAD=https://<MDMserver>/launchpad.cloud

Setting up and configuring the MDM server

See the following topics for more information on setting up the MDM server for LANDesk Mobility Manager.

Set up and configure the MDM server
MDM server prerequisites
Install the server agent
Install the IIS role
Install the .NET Framework 3.5.1 feature
Install the MSMQ feature
Set Up HTTPS
Submit the certificate request for CA approval
Complete the certificate request and bind to SSL

Set up and configure the MDM server

This section provides detailed instructions you can use to set up and configure the MDM (Mobile Device Management) server, including the following:

• "MDM server prerequisites" on page 13
• "Install the server agent" on page 14
• "Install the IIS role" on page 14
• "Install the .NET Framework 3.5.1 feature" on page 17
• "Install the MSMQ feature" on page 19
• "Set Up HTTPS" on page 23

MDM server prerequisites

The following prerequisites must be met before you can install and configure LANDesk Mobility Manager on the MDM server. The following sections walk you through this entire process.

• IMPORTANT: Windows Server 2008 R2 x64 as the server machine
• Dual processor
• 4 GB RAM
• 10 GB hard drive
• IIS role
• .Net 3.5 feature
• Google Chrome or Apple Safari Web browser (NOTE: Needed for APNS certificate creation)
• MSMQ (Microsoft Message Queuing) feature
• The MSMQ (Microsoft Message Queuing) feature must be installed. (NOTE: For step-by-step instructions, see "Install the MSMQ feature" on page 19)
• The LANDesk server agent must be installed on the MDM server
• Also, Mobility Manager requires setup of HTTPS/443 on the MDM server with the proper certificate

Install the server agent

Follow these steps to install the server agent on the MDM server.

To install the server agent

1. From the MDM server, go to: http://<core server name or IP address>/LDLogon/

2. Run the wscfg32.exe file.

3. Clear any options you don't want to install on the server.

4. Click Install.

5. Follow the prompts until the installation has completed.

Install the IIS role

Follow these steps to install the IIS role required for the LANDesk Mobility Manager components.

IMPORTANT: Windows Server Requirement

You MUST install these features and Mobility Manager on a Windows Server 2008 R2 x64 machine.

To install the IIS role

1. At the Windows Server 2008 desktop, click Start > Administrative Tools > Server Manager (or right-click Computer, and then click Manage).

2. In Server Manager, click Roles.

3. On the Before You Begin page, click Next.

4. Check Web Server (IIS).

5. Click Next.

6. Click Next.

7. Check ASP.NET.


8. On the Add role services required dialog, click Add Required Role Services.

9. On the Select Role Services page, select Basic Authentication and IIS Management Console.

(NOTE: You can choose additional options as desired.)

10. Click Next.

11. Click Install.


12. Once the Installation succeeded message appears, click Close.

NOTE: MSDN Library resource

These instructions, and more detailed information about IIS, are found in the MSDN Library at:

http://learn.iis.net/page.aspx/29/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2/

Install the .NET Framework 3.5.1 feature

Follow these steps to install the .Net Framework 3.5.1 feature required for the LANDesk Mobility Manager components.

To install .Net Framework 3.5

1. At the Windows Server 2008 desktop, click Start > Administrative Tools > Server Manager (or right-click Computer, and then click Manage).

2. In Server Manager, click Features.

3. In the right-hand pane of the Features Summary page, click Add Features.

4. On the Select Features page, select .NET Framework 3.5.1.


5. On the Add features required dialog, click Add Required Features.

6. Click Next.


7. Click Install.

8. Once the Installation succeeded message appears, click Close.

Install the MSMQ feature

Follow these steps to install the MSMQ (Microsoft Message Queuing) feature required for the LANDesk Mobility Manager components.

To install Message Queuing 4.0

1. At the Windows Server 2008 desktop, click Start > Administrative Tools > Server Manager (or right-click Computer and then click Manage).

2. In Server Manager, click Features.

3. In the right-hand pane of the Features Summary page, click Add Features.

4. On the Select Features page, expand Message Queuing, and then expand Message Queuing Services.

5. Check Directory Services Integration, and then click Add Required Features. (NOTE: This is for computers joined to a domain).


6. Check HTTP Support, and then click Add Required Role Services.

7. Click Next three times, and then click Install.

8. Once the Installation succeeded message appears, click Close.


NOTE: MSDN Library resource

These instructions, and more detailed information about MSMQ, are found in the MSDN Library (MS Tech Center) at:

http://msdn.microsoft.com/en-us/library/aa967729.aspx

Set Up HTTPS

To have secure communication between the MDM server and mobile devices for enrollment, an SSL certificate is required. A third-party signed certificate (VeriSign or some other Trusted Root vendor) is required.

This section guides you through importing or creating an SSL certificate request for use on the MDM server.

CAUTION: Self-signed SSL certificates are not currently supported by LANDesk

While a self-signed SSL certificate will work, it is not supported by LANDesk at this time.

NOTE: Wildcards are supported in certificate requests

Wildcards are supported when entering the Common name during the certificate request creation procedure so that only the Complete Certificate Request procedure needs to be done on each web server.

To import an existing certificate

NOTE: If you are using a third-party signed certificate (VeriSign or some other Trusted Root vendor) that has a wildcard value in it, for example *.domain.com, simply import it into IIS. Then go directly to "Install Mobility Manager on the MDM server" on page 51.

1. At the MDM server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.


2. In the Connections pane, select the MDM server from the tree, and then double-click Server Certificates.


3. Under the Actions menu, click Import.

4. Import the .PFX file provided by the third-party vendor.

To create a certificate

If you need to create a secondary or child certificate for the third-party CA, the following steps will guide you through this process.

However, if you imported the certificate, this procedure does not need to be completed. Instead, go directly to "Install Mobility Manager on the MDM server" on page 51.

1. At the MDM server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.


2. In the Connections pane, select the MDM server from the tree, and then double-click Server Certificates.


3. Under the Actions menu, click Create Certificate Request.

4. Enter values on the Distinguished Name Properties page. The Common Name field is required, which is the IP or DNS name that the device will use to connect to the server.

IMPORTANT: Make sure the CN of the certificate matches the URL used by the enrollment below.

In other words, if you used an IP address for the certificate, then use the same IP address when enrolling. If you used a server name for the certificate, then use the server name when enrolling.

NOTE: Wildcards are supported, for example 192.168.*.*

5. When finished, click Next.

6. At the Cryptographic Service Provider Properties page, accept the default values, and then click Next.

IMPORTANT: Your third-party SSL provider might require an encryption key with a 2048 bit length. Make sure you select a bit-length value that meets the requirements of your provider.


7. Specify a file name and path for the text file that will contain the certificate request.

8. Click Finish to save the request file.
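The following added example (not part of the LANDesk guide and not LANDesk code) checks the three enrollment TXT records from "Configure DNS text records for agent enrollment" against the rule in step 4 above that the certificate CN must match the enrollment URL. It assumes leftmost-label wildcard matching as TLS clients commonly apply it (RFC 6125), exact comparison for IP addresses, and case-insensitive IIS paths; the function names, record values and certificate names are hypothetical, constructed samples.

```python
"""Added example: consistency check for Mobility Manager enrollment TXT records.

Function names and sample data are hypothetical, not LANDesk code.
"""
import ipaddress
from urllib.parse import urlsplit

# TXT keys and URL paths exactly as listed in the guide's DNS procedure.
EXPECTED_PATHS = {
    "android-mdm-enroll": "/mobileenrollment/ld-androidenroll.aspx",
    "OSIAGENTREGURL": "/MobileEnrollment/ld-iosEnroll.aspx",
    "LDLAUNCHPAD": "/launchpad.cloud",
}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(cert_name, host):
    """Assumed client rule: '*' may only be the whole leftmost DNS label."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if is_ip_literal(host) or "*" not in cert_name:
        return cert_name == host  # IP literals and plain names: exact match
    pattern, target = cert_name.split("."), host.split(".")
    if pattern[0] != "*" or len(pattern) < 3 or "*" in "".join(pattern[1:]):
        return False  # patterns such as "*.com" or "mdm.*.com" are rejected
    return len(target) == len(pattern) and target[1:] == pattern[1:]


def check_enrollment_records(txt_records, cert_name):
    """Return a list of findings; an empty list means the records are consistent."""
    findings, hosts = [], {}
    for txt in txt_records:
        key, sep, url = txt.strip().strip('"').partition("=")
        if not sep or key not in EXPECTED_PATHS:
            continue  # unrelated TXT data such as SPF
        if key in hosts:
            findings.append(f"{key}: more than one record")
            continue
        try:
            parts = urlsplit(url.strip())
            host, port = parts.hostname or "", parts.port
        except ValueError:
            hosts[key] = None
            findings.append(f"{key}: URL cannot be parsed")
            continue
        hosts[key] = host
        if parts.scheme != "https":
            findings.append(f"{key}: scheme is '{parts.scheme}', HTTPS is required")
        if port not in (None, 443):
            findings.append(f"{key}: port {port} is not the 443 enrollment port")
        if parts.path.lower() != EXPECTED_PATHS[key].lower():
            findings.append(f"{key}: unexpected path '{parts.path}'")
        if not name_matches(cert_name, host):
            findings.append(
                f"{key}: host '{host}' is not covered by certificate name '{cert_name}'"
            )
    for key in EXPECTED_PATHS:
        if key not in hosts:
            findings.append(f"{key}: record missing")
    distinct = sorted({h for h in hosts.values() if h})
    if len(distinct) > 1:
        findings.append("records point at different hosts: " + ", ".join(distinct))
    return findings


# Constructed sample records for a zone "domain.com" (not taken from a real DNS server).
GOOD_RECORDS = [
    "v=spf1 -all",
    "android-mdm-enroll=https://mdm.domain.com/mobileenrollment/ld-androidenroll.aspx",
    "OSIAGENTREGURL=https://mdm.domain.com/MobileEnrollment/ld-iosEnroll.aspx",
    "LDLAUNCHPAD=https://mdm.domain.com/launchpad.cloud",
]
BAD_RECORDS = [
    "android-mdm-enroll=http://mdm.domain.com/mobileenrollment/ld-androidenroll.aspx",
    "OSIAGENTREGURL=https://mdm.dmz.domain.com/MobileEnrollment/ld-iosEnroll.aspx",
]

if __name__ == "__main__":
    for label, records in (("good", GOOD_RECORDS), ("bad", BAD_RECORDS)):
        result = check_enrollment_records(records, "*.domain.com")
        print(label, result or "consistent")
```

On a live system the input strings can be taken from the output of nslookup -type=TXT for the enrollment domain.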

Sample request text file

The following graphic shows a sample request text file named request.txt opened in Notepad:


Submit the certificate request for CA approval

This procedure submits the certificate request to the CA server using the web interface that is available for requesting certificates.

NOTE: Change the URL to your CA server

The following screen shots show the CA as being on localhost. You need to change the URL to the name of the CA server that you are using.

To submit a certificate request

1. Open a browser and enter the following URL: http://certservername/certsrv.

2. At the Welcome page, click Request a certificate.


3. Click advanced certificate request.

4. Click Submit a certificate request by using....


5. Paste the entire content of the text file into the Base-64-encoded certificate request text field.

This is the certificate request text file created in "Submit the certificate request for CA approval" on page 31.

6. From the Certificate Template drop-down list, click Web server. (NOTE: This dialog may not be visible/applicable depending on your environment.)

7. Click Submit. Follow the instructions on the Certificate Pending page.


8. Once your certificate has been issued, from the Certificate issued page, click Download certificate and save the certificate.

Complete the certificate request and bind to SSL

This section describes the procedure to secure a specific website by editing or adding an SSL binding.

A binding consists of a website listening on a specific port AND a certificate to bind to the port.

To secure a website with a certificate and bind to SSL

1. At the MDM server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. Select the website server from the tree in the Connections pane.


3. Double-click Server Certificates.

4. From the Actions menu at the right-hand side, click Complete Certificate Request.

5. Click the Browse button and locate the certificate file (.cer) that was issued by the CA request.


6. Enter a Friendly name, which can be any desired name.

7. When finished, click OK. Once the certificate request is completed, it is listed in IIS.

8. Next, to bind to SSL, right-click the website server, and then select Edit Bindings.

9. The available site bindings that are listed will vary depending on what was previously configured.

Select either Add to add a new binding or Edit to modify an existing binding.

10. From the Type list, select https and enter the appropriate values for the site.

11. In the Port field, enter: 443.

12. From the SSL certificate list, select your certificate.

13. When finished, click OK.

Obtaining certificates and keys for supported mobile devices

See the following topics for more information about obtaining certificates and keys for the mobile devices that you want to manage with LANDesk Mobility Manager.

• APNS (Apple Push Notification Service) certificates are needed for Apple iOS mobile devices
• GCM (Google Cloud Messaging) API keys are needed for Android mobile devices

Obtain an APNS certificate to support Apple iOS mobile devices
Obtain a GCM key to support Android mobile devices

Obtain an APNS certificate to support Apple iOS mobile devices

An APNS (Apple Push Notification Service) certificate is needed in order to manage your Apple iOS mobile devices.

The APNS certificate enables communication between the LANDesk core server and the iOS mobile device by utilizing the Apple Push Notification Service and the LANDesk agent on the device.

Follow the procedures below to configure the MDM server to use the APNS certificate.

• "Step 1: Generate a certificate request" on page 38
• "Step 2: Upload the certificate request with the Apple Push Certificate Portal" on page 40
• "Step 3: Complete the certificate request" on page 41
• "Step 4: Export the certificate" on page 44
• "Step 5: Import the APNS certificate into the Personal Certificate Store" on page 45
• "Step 6: Copy the APNS thumbprint and push the subject" on page 47

NOTE: Using the MDM server is recommended

These procedures can be performed from any machine running IIS. However, using the MDM server is recommended but not required. Also, keep in mind that Step 1 and Step 3 must be done from the same machine.

Step 1: Generate a certificate request

To generate a certificate request

1. At the server, open a web browser.

2. Go to: https://apnsportal.landesk.com

3. Sign in using your LANDesk licensing credentials.

4. Click Sign In.

5. Click Start.

6. Enter your common name. (NOTE: This name needs to be unique on the Apple server so do not use your first name etc. It's recommended to use your domain name. For example: LANDesk.com)

7. Click Download.


8. Click Start > Run.

a. In the Run dialog box, enter:

certreq -new

b. Select the .INF file downloaded in the previous step.

c. Save the certificate signing request.

9. Click Select Request.

10. Browse to .REQ file saved in the previous step.

11. Click Open.

12. You will be prompted to save the signed request.

Step 2: Upload the certificate request with the Apple Push Certificate Portal

NOTE: Use a non-IE browser

Testing showed that these steps work best in a non-IE browser. Google Chrome is recommended, or some other browser. IE sometimes will not display the pages correctly.

To upload the certificate request

1. Go to the Apple Push Certificate Portal to upload your request at:

https://identity.apple.com/pushcert/

2. Sign in to the Apple Push Certificates Portal with your Apple ID.

3. Click Create a Certificate.

4. Read and agree to the terms of use.

5. Click Choose file.

6. Browse to the file saved above.

7. Click Open.


8. Click Upload.

9. Click Download.

Step 3: Complete the certificate request

NOTE: This step must be completed on the same computer where you created your certificate request in "Step 1: Generate a certificate request" on page 38 above.

To complete the certificate request

1. At the server, click Start > Control Panel > Administrative Tools.

2. Click Internet Information Services (IIS) Manager.

3. Select the server, and then double-click Server Certificates.


4. In the Actions pane, click Complete Certificate Request.

5. Click the ellipsis button and browse to the Apple Push Notification Service SSL Certificate downloaded in the previous procedure.

6. Enter a friendly name. The friendly name can be any name, so enter something that you will remember.

7. Click OK.


Step 4: Export the certificate

To export the certificate

1. With the new certificate highlighted, in the Actions pane, click Export.

2. Enter a file path to save your exported certificate file, and a password which will encrypt the certificate's private key.

3. Click OK.

Step 5: Import the APNS certificate into the Personal Certificate Store

To import the APNS certificate

1. Click Start > Run.

2. At the prompt, enter:

mmc

and then click OK to open the Microsoft Management Console.

3. Click File, and then click Add/Remove Snap-in.


4. From this list of available snap-ins, click Certificates, and then click Add.

5. Click Computer account.

6. Click Next, and then click Finish.

7. Click OK.

8. Right-click the Personal tree node, and then click All Tasks > Import.

9. Follow the Wizard prompts, pointing to the .PFX file created in Step 2 above, and providing the password.

Step 6: Copy the APNS thumbprint and push the subject

NOTE: The APNS thumbprint and Push Subject are used during installation.

To copy the APNS thumbprint and Push Subject

1. With the Certificates snap-in installed in a Microsoft Management Console, double-click the newly-imported APNS certificate.

2. Note the MDM certificate thumbprint. This will be used during installation of the MDM server.


3. Select the Subject line and copy the highlighted section below. This will be used during initial configuration.

Obtain a GCM key to support Android mobile devices

This section provides information on obtaining a GCM (Google Cloud Messaging) API key in order to manage your Android mobile devices.

The GCM API key enables communication between the LANDesk core server and the Android mobile device by utilizing the GCM key and the LANDesk agent on the device.

Refer to the official Google instructions

LANDesk recommends that you refer to the current documentation provided by Google on obtaining a GCM key.


Click the link below for the most up-to-date official Google procedures that describe how to create a GCM project and obtain a GCM API key:

http://developer.android.com/guide/google/gcm/gs.html


Installing Mobility Manager on the servers

See the following topics for more information on installing LANDesk Mobility Manager on the MDM server you've set up, and your LANDesk core server, and activating the product license to be able to access the Mobility Manager tool in the LANDesk console.

Install Mobility Manager on the MDM server
Install Mobility Manager on the core server
Mobility Manager installation prerequisites
Install Mobility Manager
Reactivate your core server
Understand and ensure installation of all required certificates
MDM server certificates
Core server certificates

Install Mobility Manager on the MDM server

This section describes how to install Mobility Manager on the MDM server.

To install Mobility Manager on the MDM server

1. Import the LDMS core SSL certificate (created during the LDMS installation) into the Trusted Root CA.

2. Download the Mobility Manager Installation media.

3. Run the Mobility.exe file.

4. Go to where you unzipped the Mobility files.

5. Change to mobility-cloud.

6. Run the Mobility-cloud.exe self-contained ZIP file.

7. Change to the MobilityCloud directory that was in the ZIP file.

8. Run Cloud\Setup.exe, and follow the prompts to enter the following:

  ◦ MDM server name or IP address. (NOTE: This name must match the SSL certificate name used in the HTTPS binding.)
  ◦ MDM certificate password. (NOTE: This password is user-defined, and you will need to use it later.)
  ◦ APNS thumbprint. (For information, see "Step 6: Copy the APNS thumbprint and push the subject" on page 47 in the "Obtain an APNS certificate to support Apple iOS mobile devices" on page 38 topic.)
  ◦ GCM (Google Cloud Messaging) Project ID and API Key (Android). (NOTE: The GCM Project ID should be acquired from the URL.)

9. Export the Personal certificate named MDMSecure_xxxxxxxxxxx.cer from the MMC > certificates plug-in into the Trusted Root CA/certificates. You must export the certificate twice:

a. For the first export: Include the private key, and use defaults for the rest of the settings.

This export is used for the first-time configuration of the payloads below.

b. For the second export: Don’t include the private key, and use defaults for the rest of the settings. This export is used in step 1 of installing Mobility Manager on the LDMS core server.

10. Install any necessary Mobility Manager patches that have been posted since the release of version 9.0. (NOTE: For the latest information about LDMO patches, go to the LANDesk Support User Community at: http://community.landesk.com/support/docs/DOC-24586)

The Mobility Manager software is now installed on the MDM server. You can now proceed to ensure your LDMS core server is set up and configured in preparation for installing Mobility Manager on the core server.

Install Mobility Manager on the core server

If the core server is not already installed, refer to the installation section of the following document on the LANDesk User Community:

Community Document 7423

If the core server is already set up and running, you must perform the following prerequisites prior to installing LANDesk Mobility Manager.

Mobility Manager installation prerequisites

• MSMQ (Microsoft Message Queuing) feature. (For installation steps, see "Install the MSMQ feature" on page 19.)
• Silverlight plug-in. (For installation steps, go to: http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx)

Install Mobility Manager

Once you've completed the prerequisites (core server, MDM server, certificates and tokens for mobile devices), you can install the LANDesk Mobility Manager software on your LANDesk core server and start using the tool to manage mobile devices.

To install LANDesk Mobility Manager

1. Import the MDMSecure_xxxxxxxxx.cer file without the private key into the Trusted Root CA/certificates. (For more information, see step 9b in "Install Mobility Manager on the MDM server" on page 51.)

2. On the core server, go to the LANDesk User Community, and download the LANDesk Mobility Manager software package.

a. Run Setup.exe.

b. Go to where you unzipped the Mobility files.

c. Change to mobility.

d. Run the Mobility.exe self-contained ZIP.

3. Change to the Mobility directory from the ZIP file.

4. Run Setup.exe.

5. Click Run.

6. Click Next.

7. On the End User License Agreement page, click I Accept.

8. Click Next.

9. Click Install. The Setup wizard shows the installation progress and status.

10. At the Completed page, click Finish. The setup program installs additional Mobility Management components.

11. When the Completed / Installation Successful message displays, click Close.

12. Install any necessary Mobility Manager patches that have been posted since the initial release of your Mobility Manager version. (NOTE: For the latest information about LDMO patches, go to the LANDesk Support User Community at: http://community.landesk.com/support/docs/DOC-25100)

Reactivate your core server

IMPORTANT: Reactivate the core server

You must reactivate your LANDesk core server in order to initialize the license for your Mobility Manager product, and to see and use the Mobility tool in the console.

Understand and ensure installation of all required certificates

There are a number of certificates which are used by both the core server and MDM server.

Reference the tables below to make sure they are all installed.

MDM server certificates

| Certificate | Store | Purpose | Installation |
|---|---|---|---|
| Core | Trusted Root CAs | Validation of core when secure client calls are made. This certificate is not imported to the store by wscfg32.exe and must be manually imported. This certificate was created during the LDMS installation. | Step 3 (of "Install Mobility Manager on the MDM server" on page 51) |
| APNS | Personal | Used in communicating with APNS service. | Step 2 |
| HTTPS Cert | Personal (and Trusted Root CAs) | Bound to the HTTPS server. This certificate must have been requested by IIS on the MDM server, which request must have been fulfilled by the CA. NOTE: We have seen (for no explicable reason) that enrollment may fail if the public key HTTPS certificate is not in the Trusted Root CAs store. The private key certificate should be inserted into the Personal store when it is added to the server certificates in IIS (see Odyssey's documentation on creating the SSL certificate.) If enrollment is failing, you may wish to try adding the public key cert as well. | Step 1 |
| MDM Secure_xxxxxx | Personal | Used by the MDM server to authenticate itself to the core. | Automatically installed |

Core server certificates

Certificate: Core
Store: Personal (and Trusted Root CAs)
Purpose: Server validation to managed nodes, including the MDM server. Calls to the core from MDMSecureClient will use this certificate to validate the core.
Installation: Automatically installed with core server

Certificate: MDM Secure_xxxxxx
Store: Trusted Root CAs
Purpose: Used to validate the MDM server for calls made to the Mobile.MDMSecure web service on the core.
Installation: Step 1 (of "Install Mobility Manager on the core server" on page 52)
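The store requirements in the MDM server certificates table can be checked on the server itself. The following PowerShell is an added example, not part of the LANDesk guide or product; it assumes Windows PowerShell 3.0 or later, and every subject pattern in it is a placeholder to replace with the subject names used in your environment.

```powershell
# Added example (not LANDesk code). Run on the MDM server.
# ASSUMPTION: every Pattern below is a placeholder. Replace each one with the
# subject name of the certificate actually issued in your environment.
$expected = @(
    @{ Name = 'Core';       Pattern = '*<core-cert-subject>*';  Stores = @('Root') },
    @{ Name = 'APNS';       Pattern = '*<apns-cert-subject>*';  Stores = @('My') },
    @{ Name = 'HTTPS Cert'; Pattern = '*<mdm-server-name>*';    Stores = @('My', 'Root') },
    @{ Name = 'MDM Secure'; Pattern = '*<mdm-secure-subject>*'; Stores = @('My') }
)

function Test-MdmCertificateStores {
    param([object[]]$Expected, [int]$WarnDays = 30)
    $now = Get-Date
    foreach ($item in $Expected) {
        foreach ($store in $item.Stores) {
            # 'My' is the Personal store; 'Root' is the Trusted Root CAs store.
            $found = @(Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                Where-Object { $_.Subject -like $item.Pattern })
            if ($found.Count -eq 0) {
                [pscustomobject]@{ Certificate = $item.Name; Store = $store
                                   Status = 'MISSING'; Thumbprint = ''; NotAfter = $null }
                continue
            }
            foreach ($cert in $found) {
                $issues = @()
                if ($cert.NotAfter -lt $now) { $issues += 'EXPIRED' }
                elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $issues += 'EXPIRING' }
                # Certificates in Personal are used to authenticate, so they need a private key.
                if ($store -eq 'My' -and -not $cert.HasPrivateKey) { $issues += 'NO-PRIVATE-KEY' }
                $status = 'OK'
                if ($issues.Count -gt 0) { $status = $issues -join ',' }
                [pscustomobject]@{ Certificate = $item.Name; Store = $store; Status = $status
                                   Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
            }
        }
    }
}

Test-MdmCertificateStores -Expected $expected | Format-Table -AutoSize
```

To audit the core server instead, run it there with `$expected` rewritten from the core server certificates table.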


Accessing and using Mobility Manager

See the following topics for more information about accessing the Mobility Manager tool in the console, enrolling users, and other basic tasks.

Access the Mobility tool in the console

Configure enrollment profiles

Enable users to see content in the LANDesk Portal

Access the Mobility tool in the console

Now you can log in to the LANDesk Management Suite console and access the Mobility tool.

The Mobility tool appears in the Tools menu and in the Toolbox.

NOTE: Using the LANDesk Mobility Manager tool

For information about specific features and how to enroll and manage mobile devices with the LANDesk Mobility Manager tool, see Welcome to LANDesk Mobility Manager.

Configure enrollment profiles

IMPORTANT: Enrolling mobile devices and accessing the LANDesk Portal app

Once you've configured enrollment profiles, you can enroll mobile devices so that your end users can access and use the LANDesk Portal app. This procedure is described in detail in the Mobility Manager User's Guide.

For more information, see Enroll mobile devices in the User's Guide.

To configure enrollment profiles

1. Launch the LANDesk Management Suite console.

2. Click Open the Mobility tool > Mobile Policy Management.

3. Click the Configure toolbar button to open the Mobility options dialog.

4. Click iOS enrollment profile to open the iOS enrollment profile page.

5. Enter a user-defined Profile name.

6. Enter a user-defined Description.

7. Enter a user-defined Organization.

8. In the Push certificate subject field, change the APNS certificate subject name to match the certificate used.

NOTE: If this is a development certificate, make sure to select the Use development APNS server checkbox, and change the APNS server to the "sandbox" in the config file.


9. Click Apply.

NOTE: If you're using a trusted third-party CA, you do not need to create the Root Certificate credentials. Nor will anything appear in the Payloads list.

10. Click the Payloads button to open the General payload settings dialog.

11. Click Credentials > MDMSecure.

12. Click the Add New icon at the top left corner of the Credentials panel, and then click Cert file.

13. Browse to the MDMSecure certificate exported with the private key that you saved above.

14. Enter the password.

15. Click Save changes.


16. Click Close to return to the Mobility options dialog.

17. From the Cryptography credentials for authentication drop-down list, select MDMSecure.

18. Click OK.

NOTE: About the MDM Secure certificate

The certificate we are calling "MDM Secure" does not need to be the encryption certificate described in the iOS enrollment profile settings. Any PKCS#12 will work fine as an encryption certificate.

However, since there are already multiple certificates that LDMS deals with, the certificate used to authenticate between the MDM server and the core server will work fine as the encryption certificate. The fact that the same certificate is used for two purposes simply reduces the complexity of your installation.

Enable users to see content in the LANDesk Portal

In order for your mobile device end users to see content in the LANDesk Portal, an administrator must add the user's Active Directory account or a group containing them to a mobile catalog. (This procedure is described in detail in the Mobility Manager User's Guide. For information, see Add mobile device users to a catalog in the User's Guide.)

In addition, LANDesk Portal users need to be granted default rights (Read & Execute, List Folder Contents, and Read) to the Launchpad folder on the core server. In a default installation, the Launchpad folder is located at:

C:\Program Files (x86)\LANDesk\ManagementSuite\landesk\Launchpad

Appendix: About self-signed certificates NOT supported by LANDesk

See the following topics for information about using self-signed certificates.

IMPORTANT: You can use self-signed certificates, but they are NOT officially recommended nor supported by LANDesk Support.

Self-signed certificates NOT supported by LANDesk

Step 1: Create a certificate request

Step 2: Submit a certificate request

Step 3: Complete the certificate request

Step 4: Add the signed authority for self-signed certificates

Additional MDM server certificate required

Self-signed certificates NOT supported by LANDesk

Self-signed certificates CAN be used with LANDesk Mobility Manager, but they are NOT recommended nor supported by LANDesk Support or the User Community. LANDesk is not responsible for any problems incurred when using self-signed certificates instead of the recommended processes and configuration of Mobility Manager.

CAUTION: This appendix is provided as an instructional source ONLY, and is not intended to be used in a production environment.

Follow the procedures below to configure a self-signed certificate.

• "Step 1: Create a certificate request" on page 60

• "Step 2: Submit a certificate request" on page 64

• "Step 3: Complete the certificate request" on page 67

• "Step 4: Add the signed authority for self-signed certificates" on page 70

• "Additional MDM server certificate required" on page 71

NOTE: Wildcards are supported in certificate requests

Wildcards are supported when entering the Common name during the certificate request creation procedure so that only the Complete Certificate Request procedure needs to be done on each web server.


Step 1: Create a certificate request

1. At the MDM server, click Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.

2. Select the MDM server in the Connections list, then double-click Server Certificates.


3. From the Actions menu, click Create Certificate Request, and enter the following information:

• Common Name: Required. This is the IP address or DNS name that the device will use to connect to the server.

IMPORTANT: Make sure the CN of the certificate matches the URL used by the enrollment below. In other words, if you used an IP address for the certificate, then use the same IP address when enrolling. If you used a server name for the certificate, then use the server name when enrolling.

NOTE: Wildcards are allowed for the certificate CN, for example 192.168.*.*

• Organization: Name of your organization.

• Organizational unit: Name of the group/department within your organization.

• City/locality: City or locality in which your organization resides.

• State/province: State or province in which your organization resides.

• Country/region: Country or region in which your organization resides.

4. When finished, click Next.


5. At the Cryptographic Service Provider Properties page, accept the default values, and then click Next.


6. Specify a file name and path for the text file that will contain the certificate request.

7. Click Finish to save the request file.

Sample request text file

The following graphic shows a sample request text file named request.txt opened in Notepad:


Step 2: Submit a certificate request

1. Open a browser and enter the following URL: http://certservername/certsrv.

2. At the Welcome page, click Request a certificate.


3. Click advanced certificate request.

4. Click Submit a certificate request by using....


5. Paste the entire content of the text file into the Base-64-encoded certificate request text field.

This is the certificate request text file created in "Self-signed certificates NOT supported by LANDesk" on page 59.

6. From the Certificate Template drop-down list, click Web server. (NOTE: This dialog may not be visible/applicable depending on your environment.)

7. Click Submit. Follow the instructions on the Certificate Pending page.


8. Once your certificate has been issued, from the Certificate issued page, click Download certificate and save the certificate.

Step 3: Complete the certificate request

1. At the MDM server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. Select the server from the tree in the Connections pane.


3. Double-click Server Certificates.

4. From the Actions menu at the right-hand side, click Complete Certificate Request.

5. Click the Browse button and locate the certificate file (.cer) that was issued by the CA request.


6. Enter a Friendly name, which can be any desired name.

7. When finished, click OK. Once the certificate request is completed, it is listed in IIS.


Sample certificate listed in IIS

The following graphic shows a sample certificate displayed in the Server Certificates pane in IIS:

Step 4: Add the signed authority for self-signed certificates

Finally, if you are using a self-signed certificate, you MUST add the authority chain.

1. In the LDMS console, open the Mobility Policy Management tool.

2. Click the Configure toolbar button to open the Mobility options dialog.

3. Click iOS enrollment profile to open the iOS enrollment profile page.

4. Click the Payloads button to open the General payload settings dialog.

5. From the iOS Configuration types list, click Credentials.

6. Click the Add New icon at the top left corner of the Credentials panel.

7. Browse to Root Certificate to use as the signing authority.

8. Click Save.

9. Click Close to return to the Mobility options dialog.

10. In the certificates list, check the cert from the step above.

11. Click Save.

Additional MDM server certificate required

Note that in addition to the certificates listed in the "Understand and ensure installation of all required certificates" on page 53 section, if you're using a self-signed certificate the following also needs to be included with the MDM server certificates.

Certificate: Root CA Cert
Store: Trusted Root CAs
Purpose: Root certificate of the CA which issued the request for the HTTPS certificate bound on the MDM server. It is also used in the iOS Enrollment Profile to establish a certificate chain on the iOS device. If this certificate is not part of the enrollment profile settings, iOS will not allow the device to check-in to the HTTPS server. This certificate is not required if the root CA is already a trusted third-party (i.e. Verisign).
Installation: Only if NOT using third-party certificate
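Two conditions from this appendix can be checked before any device is enrolled: the CN of the issued certificate matches the host in the enrollment URL (Step 1), and the certificate chains to a root in the MDM server's Trusted Root CAs store. The following PowerShell is an added example, not part of the LANDesk guide or product; it assumes Windows PowerShell 3.0 or later, and the file path and URL in the final line are placeholders.

```powershell
# Added example (not LANDesk code). Both parameters are values you supply.
function Test-IssuedHttpsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,       # .cer file saved in Step 2
        [Parameter(Mandatory = $true)][string]$EnrollmentUrl  # URL that devices enroll against
    )
    $certType  = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $chainType = 'System.Security.Cryptography.X509Certificates.X509Chain'
    $cert = New-Object -TypeName $certType -ArgumentList (Resolve-Path $CerPath).Path

    # The guide's rule: the certificate CN must match the host part of the enrollment URL.
    # -like lets '*' span dots, so this is a looser comparison than a TLS client performs,
    # and clients may also check subjectAltName, which this example does not inspect.
    $hostName  = ([uri]$EnrollmentUrl).Host
    $cn        = $cert.GetNameInfo('SimpleName', $false)
    $cnMatches = $hostName -like $cn

    # Build the chain in the machine context, i.e. against the server's Trusted Root CAs store.
    $chain = New-Object -TypeName $chainType -ArgumentList $true
    $null  = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $rootTrusted = ($flags -notcontains 'UntrustedRoot') -and ($flags -notcontains 'PartialChain')
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        EnrollmentHost = $hostName
        CommonName     = $cn
        CnMatchesHost  = $cnMatches
        ChainTop       = $top.Subject
        RootTrusted    = $rootTrusted
        ChainFlags     = $flags -join ','
    }
}

# Placeholder path and host name; substitute your own.
Test-IssuedHttpsCertificate -CerPath 'C:\certs\mdm-https.cer' -EnrollmentUrl 'https://mdm.example.com/'
```

A result with RootTrusted set to False means the issuing root is missing from the server's Trusted Root CAs store. The check says nothing about the iOS device, which receives the root through the enrollment profile as described in Step 4.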
