A few months ago, IBM released a new component to it’s popular Endpoint Manager product (aka BigFix). IBM Endpoint Manager for Mobile Devices (IEM for MDM) now brings management capabilities to popular Apple iOS and Google Android mobile devices. So the same product you use to manage your traditional PCs (Windows and Apple OS X) workstations and servers (Windows, AIX, Linux, Solaris etc) can now also manage your mobile phones (whether they be organisation supplied or the increasingly popular BYOD).
I’ve installed and demo’ed IEMforMDM to a number of Australian customers. Whilst the product is easy to install and configure, the only delays are usually getting customer’s to include standard ports (443) defined on their Internet facing firewalls. Therefore, I decided I’d test out the product on both IBM’s SmartCloud Enterprise and Amazon Web Services (AWS) public clouds. All I need is two very small Windows VMs (each less than 2GB of memory and 30GB of storage). This provides me the flexability for demonstrating the product, but also provides an option for some clients who want to test the product in a non-production environment.
The architecture and setup for IEMforMDM is detailed on the following wiki. You can see if you’re managing both Android and iOS devices you need a minimum of two VMs.
Before I started though, I decided I’d use the No-IP service for my two VMs so that regardless of their location in both public clouds (and DNS/IP address changes) their public DNS name would remain the same. I setup No-IP on both VMs and configured No-IP to run as a Service. I found that even though I set No-IP to run as a Service, it didn’t want to update the IP address details of the hosts when they started. So I created a very small cmd file to restart the No-IP service 5 minutes after each VM started. This seemed to work just fine.
Installing IEMforMDM is relatively straightforward. I’ll repeat much of the excellent step by step instructions from IBM’s public wiki. However as the product does rely on you having some familiarity with the Endpoint Manager (BigFix), I’ve included some screen captures which the install instructions on the wiki don’t include.
Pre-requisite TEM install/Relay Setup
- Using the demonstration code from here, install the (Tivoli) Endpoint Manager product following these instructions on your first VM. Let’s call it IEMMDM1. Contact your nearest IBM software seller if you need something longer than the standard 30-day eval period.
- Once the TEM server is install the TEM agent on the second VM, let’s call it IEMMDM2. This is achieved via the Client Deploy utility available via the Start – All Programs – Tivoli Endpoint Manager – Tivoli Endpoint Manager Client Deploy
- Once the Agent is deployed, it will automatically register itself on the TEM Console. From there we want to also make this server a Relay (which are TEM clients with additional functionality). This can be achieved via the TEM console as shown in the following screen capture.
Installing the Management Extender for Apple iOS
Step 1: Deploy the Management Extender Fixlet
- Open the Task: Deploy Management Extender for Apple iOS ID# 70. The Task is found in the “Mobile Device Management” domain under the “Setup” node.
- Click the button in the Fixlet and select the target computer to deploy the Management Extender (if the target computers are not relevant, make sure the agent and a relay are installed first)
- When prompted, use a DNS name (or IP address) that the Apple iOS devices can reach. For example:
- Target the computers to install the Management Extender for Apple iOS. ie. Select the server name IEMMDM2.
- The installation will create a certificate request that must be signed by both IBM and Apple before you can manage your Apple iOS devices. Which we’ll cover in Step 2 below.
Step 2: Obtain certificate to manage Apple iOS devices
- Download the CSR file that was generated during the installation by using a browser and visiting https://<dns or IP address from step 1>/csr and save the file. For example, using the above naming convention, you would browse to https://yourpublicdns.org/ (as per Step 3), or on the IEMMDM2 server itself, browse to https://localhost/csr
- Send an email to firstname.lastname@example.org and attach the push.csr file. Please use the email subject of: “MDM APNS CSR <organization name>”
- IBM will respond in email with a signed certificate request (for me it was very quickly)
- Go to https://identity.apple.com/pushcert/ I found it was best to do this with Firefox, otherwise if you use IE the file you receive back from Apple might not be correctly saved. See here
- Log in with your Apple ID (consider using a non-personal ID so that other members of the organization can use the Apple ID in the future).
- Select Create Certificate.
- Read and agree to the Terms and Conditions.
- Follow the instructions to upload the certificate file that you received from IBM.
- Download the new signed push certificate “MDM_IBM Global Engineering Solutions_Certificate.pem”
- If you open the pem file in a text editor, you should see a base64 encoded certificate that starts with “—–BEGIN CERTIFICATE—–” and has a few dozen lines of seemingly random characters.
- Rename the file to “push.cer” and create a backup copy.
Step 3: Configure the Management Extender
NOTE: There will be a delay of a few minutes after deploying the management extender before it will report its configuration info and appear in this dashboard.
- Open the “Configure Management Extender” Dashboard from the Setup and Configuration section.
- Select the Management Extender for Apple iOS and click “Configure”
- Select the configuration options. It is not common to change the port numbers. The refresh interval controls how often the management extender will send a refresh command to the agents. Using a more frequent refresh interval will allow you to see updated information from your devices faster, but will potentially cause more data and battery usage on the device.
- Using the Browse function for ‘I have a push certificate from this extender’ select the push.cer certificate that you received from Apple in the instructions above, select ‘Configure iOS Managment Extender..’, Target the machine name of the Extender in the Action, and select OK to deploy.
- If you have a push_key.pem file (because you generated the csr and key pair manually), then use the section for ‘I have a push certificate from an existing extender’. However most customers will use ‘I have a push certificate from this extender’.
- If you have an HTTPS key and a signed certificate, you can setup via the option for, ‘I have SSL files to use in place of the default self-signed certificate’ (this will replace the self-signed HTTPS certificate and prevent the HTTPS warnings on the devices).
Your Managemt Extender for Apple iOS is now ready to manage iOS devices (listening on port 443). You can test it by opening your browser and visiting ‘https://<dns or IP address from step 1>’. You should then see the following screen in your web browser:
With the Management Extender for iOS running, I then performed a number of additional server configuration steps.
- I activated the Analysis for mobile devices. Basically clicking the one Activate button as shown here:
- Whilst a number of Anaysis were not applicable for my setup, I activated all of the mobile items in the console as shown below:
Registering the client for iOS devices is detailed here. It’s as simple as going to the Apple AppStore and searching for/installing the IBM Endpoint Manager application, then entering in the public DNS you detailed above. ie. our example yourpublicdns.org
As mobile endpoints are registered, they’ll start automatically appearing in the console.
You’ll then be able to perform a range of task management tasks such as device info, application inventory, send messages, recommend apps, blacklist/whitelist apps, partial/full wipe, location info ! The full list of functions and administration guide is provided on IBM’s InfoCenter here.
I’ve found the performance of IEM for MDM running on the public cloud (from Australia to the US) to be excellent. So it’s certainly a great way to try out the product. IBM’s released a number of software products available for trial on the IBM and AWS clouds, so maybe IEM for MDM will also be officially included over time.
Have you tried out IBM Endpoint Manager for Mobile Devices? I’d be interested in what you think of the product and any suggestions you might have.