- Supported Devices
- Enabling 'PUT' on IIS
- Installing the MDM Plugins
- Mobile System Configuration
- Setting the History Retention
- Installing the Apple MDM Certificate
- Document Revision History
The purpose of this guide is to provide you with the requirements to successfully implement Mobile Device Management (MDM) in LabTech. Once you have met the prerequisites, you can begin adding and managing mobile devices. All instructions in this guide are in the order that they should be performed.
|IMPORTANT: You must complete the following prerequisites as stated; otherwise, your installation may fail.|
- Apple handheld devices (iPhone, iPad) using iOS 4.0 or higher
- Handheld devices using Android 2.2 or higher
MDM requires the following:
- The server hosting the LabTech solution must use SSL and a trusted certificate from a reliable provider (e.g., VeriSign, GoDaddy). Any support required for installing SSL certificates must be obtained from your SSL certificate provider. Instructions for VeriSign and GoDaddy can be found at the following links:
- GoDaddy SSL Installation instructions
- VeriSign SSL Installation Instructions
- The FQDN that points to the server must match the certificate – MDM will not work using IP addresses.
- The following ports must be accessible:
- Server needs ports 2195 and 2196 (outgoing) for connection to the Apple Push Notification servers.
- Devices need ports 5223 (outgoing and incoming) for Apple devices.
- Devices need port 443 (outgoing) for general SSL setup/communication.
- IIS must be configured to accept 'PUT' commands if managing iOS devices.
- Requires having a valid MDM certificate signed by Apple or an approved MDM vendor. LabTech is an approved vendor, and provides a wizard to assist in the creation/procurement of the management certificate in the Installing the Apple MDM Certificate section of this document.
- Requires the use of Google Chrome or Firefox to create the MDM certificate.
- iOS location and data tracking requires installation of the iOS agent application. The device must be enrolled in the current iOS MDM (that uses Apple's MDM Service) before the iOS agent can sign up to the LabTech server. For more information on the iOS Agent, please refer to the iOS Agent Overview documentation.
|IMPORTANT: Some providers provide free trial SSL certificates for a limited time period. DO NOT use a free trial SSL certificate. When the certificate expires, mobile device management functions will fail.|
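The certificate prerequisites above (the server is addressed by an FQDN, the certificate covers that FQDN, and the certificate is not about to expire) can be checked in a script. The following is an added example, not LabTech code; the host names, the sample certificates and the 30-day threshold are assumptions, and the certificate dictionaries use the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
import ssl
import time

MIN_DAYS_LEFT = 30  # assumed threshold; trial certificates are short-lived

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_mdm_certificate(server_name, cert, now=None):
    """Return a list of problems (empty means the checks passed)."""
    problems = []
    try:
        ipaddress.ip_address(server_name)
        problems.append("server addressed by IP; MDM requires the FQDN")
    except ValueError:
        pass  # not an IP literal, which is what we want
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN: fall back to the subject Common Name
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, server_name) for n in names):
        problems.append("certificate names %s do not cover %s" % (names, server_name))
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < MIN_DAYS_LEFT:
        problems.append("certificate expires in %d days" % days_left)
    return problems

# Constructed sample data (not from a real server)
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2029 GMT")
SAMPLE_CERT = {
    "subject": ((("commonName", "labtech.example.com"),),),
    "subjectAltName": (("DNS", "labtech.example.com"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
TRIAL_CERT = dict(SAMPLE_CERT, notAfter="Jan 15 00:00:00 2029 GMT")

if __name__ == "__main__":
    for host, cert in [("labtech.example.com", SAMPLE_CERT),
                       ("203.0.113.10", SAMPLE_CERT),
                       ("labtech.example.com", TRIAL_CERT)]:
        print(host, check_mdm_certificate(host, cert, SAMPLE_NOW) or "OK")
```

Against a live server, the same dictionary can be obtained from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`, which also rejects certificates that do not chain to a trusted provider.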
To configure the entire system, you must be part of the 'super admin' or 'system configuration' user class. Mobile security is managed by assigning mobile devices to groups and classes. This means that it will not be possible to assign specific privileges directly to an individual user. You are free to create as many user classes and groups as you require.
|WARNING: It is important to note that the LabTech server should only be used for LabTech and should not be used for other purposes. However, if you are using the server for other purposes, it is possible that those websites may be affected by enabling the 'PUT' verb. Additionally, WebDAV is incompatible with the use of 'PUT', so you cannot have WebDAV installed on a LabTech server that is used for MDM with iOS devices.|
To enable PUT on IIS 6.0, follow the instructions below:
- Open the IIS Manager (Start > Administrative Tools > IIS Manager).
- Expand server > Web Sites from the navigation tree on the left.
- Right-click on Default Web Site and select Properties.
Figure 1: Default Web Site Properties - Home Directory
- Click on the Home Directory tab.
- Click on Configuration.
Figure 2: Application Configuration—.ashx configuration
- Select the .ashx extension and click Edit.
Figure 3: Application Extension Mapping
- Select 'All Verbs' or add 'PUT' to the list of verbs in the Limit to: field and click OK. This will return you to the Application Configuration window. Click OK to close the window.
- You may be prompted to select the nodes that should use the new values.
Figure 4: Inheritance Overrides
- Select 'LabTech' and click OK. Click OK again to close the Default Web Site Properties.
- Close IIS.
To enable PUT on IIS 7.0, follow the instructions below:
- Open the IIS Manager (Start > Administrative Tools > IIS Manager).
- Select the server, if necessary, from the navigation tree on the left.
- Double-click on Handler Mappings.
Figure 5: IIS Manager - Handler Mappings
- Click on the Path field header to sort the extensions in alphabetical order.
- For each handler that has the .ashx extension, double-click on it or right-click and select Edit to go into edit mode.
Figure 6: Edit Managed Handler
- Click Request Restrictions.
Figure 7: Request Restrictions
- Click the Verbs tab. Select 'All Verbs' or add 'PUT' to the list of verbs and click OK. This will return you to the Edit Managed Handler window. Click OK to close the window.
- Repeat steps 5-7 for each handler that has the .ashx extension.
- When finished, close IIS.
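To confirm the result of the IIS 7.0 procedure, the handler mappings can be audited from the configuration XML. The following is an added example, not LabTech code: it reports which .ashx handlers still lack 'PUT', which ones were set to 'All Verbs' (adding only 'PUT' keeps the allowed verb list narrower), and whether the WebDAV module is present. The configuration fragment is constructed and simplified, and the function name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment in the layout of an IIS 7 applicationHost.config
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <modules>
      <add name="WebDAVModule" />
    </modules>
    <handlers>
      <add name="SimpleHandlerFactory-Integrated" path="*.ashx"
           verb="GET,HEAD,POST,DEBUG,PUT" type="System.Web.UI.SimpleHandlerFactory" />
      <add name="SimpleHandlerFactory-ISAPI-2.0" path="*.ashx"
           verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" />
      <add name="SimpleHandlerFactory-ISAPI-2.0-64" path="*.ashx"
           verb="*" modules="IsapiModule" />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" />
    </handlers>
  </system.webServer>
</configuration>"""


def audit_ashx_handlers(config_xml):
    """Report the PUT status of every .ashx handler and the presence of WebDAV."""
    root = ET.fromstring(config_xml)
    report = {"missing_put": [], "all_verbs": [], "webdav_present": False}
    for handlers in root.iter("handlers"):
        for handler in handlers.findall("add"):
            if not handler.get("path", "").lower().endswith(".ashx"):
                continue  # only the .ashx mappings matter for iOS MDM
            verbs = {v.strip().upper() for v in handler.get("verb", "").split(",")}
            if "*" in verbs:
                report["all_verbs"].append(handler.get("name"))
            elif "PUT" not in verbs:
                report["missing_put"].append(handler.get("name"))
    for modules in root.iter("modules"):
        for module in modules.findall("add"):
            if module.get("name", "").lower() == "webdavmodule":
                report["webdav_present"] = True  # incompatible with PUT for MDM
    return report


if __name__ == "__main__":
    print(audit_ashx_handlers(SAMPLE_CONFIG))
```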
There are two plugins required for MDM:
- MobileDeviceManager.dll: A plugin for the Control Center that allows users to manage mobile devices.
- MobileDeviceManagementBackEnd.dll: A plugin that snaps into the database agent that does mobile back-end processing.
Both plugins should be installed in the normal manner. The Mobile Device Management Back End Plugin is only loaded by the Database Agent. When the Mobile Device Manager plugin is loaded, a Mobile Dashboard button will be added to the toolbar in the Control Center.
- Download both MDM Plugins from the Marketplace.
- Select Help > Plugin Manager.
Figure 8: MDM Plugins
- Place a checkmark to the left of each. You will be prompted to reload the plugins and to tell all agents to update plugins. Click Yes through these messages. Close the Plugin Manager.
- Restart the Control Center.
- Select Help > Plugin Manager.
Figure 9: Plugins Loaded
- Verify that both 'Mobile Back Office' and 'Mobile Device Manager' have 'True' in Database Loaded and ASP Loaded as shown above.
- Close the Plugin Manager.
The first time you attempt to open the Mobile Device Manager, you will be instructed that you have not set up system configuration. Once you click OK through the message, you will be taken to the Configuration Editor.
|NOTE: You can access the Configuration Editor at any time by clicking on the Mobile Device Manager button on the Control Center toolbar and then selecting Mobile System > System Configuration.|
Figure 10: Configuration Editor
You must complete both the Sign in Code and iOS Melded Config tabs before closing this window.
- From the Configuration Editor, click on the Sign in Code tab (if not already selected).
Figure 11: Configuration Editor—Sign In Code
- Enter a Sign-In Code Start. The Sign-In Code Start is required for installing mobile management on devices. It acts as a simple form of authentication and mapping, both preventing random people from signing up for mobile management (and depleting license counts), as well as allowing mobile devices to be assigned to locations at signup.
- Select the Show "Manage My Mobile Device" link on Home Page checkbox if you want a link to display on the Web Portal that leads to mobile sign up. This lets your clients sign up their own devices. Otherwise, there are several other methods available (these are explained in detail in the Deployment documentation):
- Running Market (Google Play) from your Android device and searching for the app by name (rmm mobile agent).
- Following a link in an email. Must have email configured on the LabTech server to use this option.
- Following a link in a text message. Must have the CDyne SMS Alerting plugin to use this option.
- Using a QR code provided by the MSP. This is most useful if the manufacturer provides the device with a barcode app pre-installed; otherwise this requires installing a barcode app.
- Click on the iOS Melded Config tab.
Figure 13: Configuration Editor - iOS Melded Config
For iOS (Apple) devices, every profile must have an Organization and Identifier. This tab allows you to set the Organization name and the Identifier of the melded profile (automatically created profile based on group membership).
- Enter your organization in the Organization field. This can be set to anything but it is recommended that you use your company name (e.g., XYZ Computers).
- The Identifier field is set once and is never changed. This marks a profile as a unique profile. Provided it remains the same, it allows for overwriting of the existing profile that is created. It is HIGHLY recommended that the Identifier field be set to: com.YourFQDN.meldedprofile.
WARNING: Once the Identifier has been set, if you change the Identifier at a later time, you will be unable to update existing profiles and the original profile will still be viewable by the user. It would need to be manually removed by the user.
- Click OK to accept the configuration.
- Run the MDM Configuration Check Utility to verify your configuration. From the Mobile Device Manager, select Help > MDM Check. Click Start and check for errors. Refer to the MDM Configuration Check Utility documentation for information.
- Proceed to the next section of this document.
The History Config tab allows you to set history retention settings for mobile commands, command retention, device data and device location history. The default values are as follows:
|Mobile Command History||32 days||The length of time a command will remain in the mobile commands history table, regardless of status.|
|Command Retention Period||24 hours||The length of time a command will stay in the commands table with a status that is not 'success' or 'fail'.|
|Device Data History||45 days||The length of time the device data will remain in the database before being purged.|
|Device Location History||31 days||The length of time location data will remain in the database before being purged.|
- From the Configuration Editor (Mobile System > System Configuration), click on the History Config tab.
Figure 14: History Configuration
- Make any desired changes to the default retention history settings and click OK.
Enabling iOS control requires having a valid MDM management certificate signed by Apple or an approved MDM vendor. LabTech is an approved vendor and provides a wizard to assist in the creation/procurement of the management certificate. The certificate is only required if you plan on managing iOS (Apple) devices (e.g., iPhone, iPad).
|NOTE: This process requires checking into the LabTech server, which requires your CD-Key. If you do not run this process on your LabTech server, you will be prompted for your LabTech CD-Key.|
- To generate the certificate, select Mobile System > Install Apple MDM Certificate.
Figure 15: Install Apple MDM Certificate
- The MDM Sign Up Wizard will walk you through installing the Apple MDM certificate. You must have an Apple ID to complete the wizard. If you already have an Apple ID, proceed to step XXX. Otherwise, click on the Apple ID link to create one. It is not recommended to use your iTunes ID. Complete all of the fields to create your ID. Once submitted, Apple will send an email to the email address you used for verification.
Figure 16: Apple Email Verification
- Click on Verify Now in the email and then sign in to verify the account.
- Navigate back to the LabTech MDM Sign Up Wizard and click Next.
Figure 17: Custom Certification Generation
- All of the fields will be pre-populated with data from your server. It is imperative that you check the information for accuracy. Please note that your certificate will use your FQDN. The Common Name should be identical.
- Click Generate Certificate…
- If you are not on your LabTech server, you will be prompted for the LabTech CD Key. Enter your CD key, if applicable.
- You will then be instructed to enter a passphrase to encrypt the private key. Enter a passphrase (this can be anything) and click Create. It may take a few moments to generate the certificate. Once the certificate has been generated, you will see the following:
Figure 18: Finished Generating Certificate
NOTE: The certificate generated will be saved in %systemdrive%\LabTech\Sandbox\LabTechSignedCertificate.out.
- Click OK to close this window and return to the wizard and click Next.
Figure 19: Upload Certificate
IMPORTANT: DO NOT USE Internet Explorer for the next step. It will not work. It will generate a certificate error instructing you to restart the wizard. You must use Google Chrome or Firefox.
- The next step is to open the link to download the final certificate. Do not use Internet Explorer. If IE is your default browser, copy and paste this link into Firefox or Google Chrome. Otherwise, if Firefox or Google Chrome is your default browser, you can just click on the link.
- You will be prompted to sign in. Enter your Apple ID and password and click Sign In.
NOTE: The Apple Certificate portal may be slow to load and may require you to refresh your browser.
Figure 20: Apple Push Certificates Portal
- Click on Create a Certificate.
Figure 21: Create a New Push Certificate
NOTE: Your screen and button labels may be different depending on what browser you are using.
- Click the Choose File button if using Google Chrome or Browse if using Firefox.
- Navigate to the LabTechSignedCertificate.out file located at: %systemdrive%\LabTech\Sandbox\LabTechSignedCertificate.out.
Figure 22: Select LabTechSignedCertificate.out File
- Select file and click Open.
- Now, click Upload. You will receive confirmation that a push certificate (MDM_LabTechSoftwareLLC._Certificate.pem) has been successfully created as shown by the following example.
Figure 23: Confirmation
- Click Download. If using Firefox, you will be prompted to open or save the file. Click Save. Google Chrome will automatically start the download. Whether you are using Google Chrome or Firefox, the certificate will be saved to the user's Downloads folder.
- When download is complete, close the browser.
- Return to the wizard and click Next.
Figure 24: Install Certificate
- Click on Load.
Figure 25: Load Certificate
- Navigate to the push certificate file that was created and downloaded in steps 17 and 18 (MDM_LabTechSoftwareLLC._Certificate.pem) and click Open. This should be in the user's Downloads folder if you are using the browser's default download location.
The wizard will attempt to load the certificate and, if the above instructions were followed, 'Finished' will display in the wizard as shown by the following example.
Figure 26: Certificate Loaded Successfully
- Click Finish. You will now be able to send MDM commands to any iOS devices in your system.
- Refer to the Mobile Device Management: Configuration Classes documentation for information on additional configuration (e.g., passcode security, Wi-Fi access, device restrictions, creating groups, etc.).
|03/27/2012||New Document for MDM|
|05/07/2012||Updated requirements and plugin names.|
|05/30/2012||Modified steps associated with the push certificate for better clarity.|
|09/17/2012||Updated for 2012 SP1 release.|