Enabling Authenticated Enrollment with IBM Endpoint Manager for Mobile Devices

The update of IBM Endpoint Manager for Mobile Devices last month included the new Authenticated Enrollment feature.   In the article below,  I’ll detail how you can easily enable this and configure user enrollment questions too.

MDM Architecture

Before you do, it’s a good idea to recap the overall MDM architecture once more.  You’ll already have your Endpoint Manager server running on your internal network and the Management Extender for iOS on a server in your DMZ (servers shown below in grey).   You’ll then want to have a very small server to run the Trusted Service Provider/Self-Service Portal components as highlighted in green below  (I’ll cover the Self-Service Portal in a future post).  Whilst I don’t see any reason why these new services couldn’t also run on your TEM server, you’d need to ensure you don’t have a possible clash with Web Reports running on port 80.   For larger environments a dedicated server would be preferable.   Ensure you’ve made any DMZ firewall rules as required.

Enabling Authenticated Enrollment

By default, devices can be managed by MDM without any authentication.  You can now restrict access to your MDM deployment to only authenticated users who log in with a username and password from an LDAP/Active Directory service.

Start with the Setup and Configuration Wizard, and open Install Additional MDM Features. The Enrollment Server comes installed automatically on the Management Extender for iOS, so Steps 1) and 2) will already be completed from the update you completed here.

Next, click on Deploy Trusted Service Provider,  which will present you with the following window:

Select the server which will host the Trusted Service Provider service (in my case IEMMDMSP1)

The IEM Server will then automatically download the required files from the Internet as shown below.

In about five minutes in my test environment, the installation was complete and the server was in a Pending Restart status.   The install seemed to have completed just fine, so just to be sure all was ok,  I restarted my server.  Maybe I should have been more patient and waited, but all was ok.  After the server restarted the status updated to Completed.

Next I configured the enrollment as shown below. Note for my Active Directory server (dc1.home.int) I deselected SSL and entered the Login Attribute of userPrincipalName. Ensure you test your settings. When you click on Configure Authenticated Enrollment, it took a minute or two for this to be all set up on the Management Extender for iOS server.
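A pre-flight check for the directory settings entered above, as an added example that is not part of the original post or of IBM Endpoint Manager: it reviews the SSL choice, builds the escaped search filter for the login attribute, and can confirm that the directory server completes a verified TLS handshake on the LDAPS port. The settings dictionary, the function names and the sample account are assumptions made for illustration.

```python
import socket
import ssl

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def login_filter(login_attribute, login):
    """Search filter that locates one user by the configured login attribute."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in login)
    return f"({login_attribute}={escaped})"


def review_settings(settings):
    """Return (ldap_url, findings) for a dict of enrollment directory settings."""
    use_ssl = settings["use_ssl"]
    port = settings.get("port") or (636 if use_ssl else 389)
    url = f"{'ldaps' if use_ssl else 'ldap'}://{settings['host']}:{port}"
    findings = []
    if not use_ssl:
        findings.append("SSL off: simple-bind passwords reach the directory server unencrypted")
    if use_ssl and port == 389:
        findings.append("SSL selected but port 389 is the plain LDAP port")
    if settings["login_attribute"].lower() == "userprincipalname":
        findings.append("userPrincipalName values look like user@domain; test with that form")
    return url, findings


def ldaps_certificate(host, port=636, timeout=5.0):
    """Complete a verified TLS handshake with the directory server (needs network).

    Raises ssl.SSLError or OSError if the port is closed, or if the certificate
    does not chain to a trusted CA or does not match the host name.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample mirroring the walkthrough: dc1.home.int, SSL deselected.
SAMPLE = {"host": "dc1.home.int", "use_ssl": False, "login_attribute": "userPrincipalName"}

if __name__ == "__main__":
    url, findings = review_settings(SAMPLE)
    print(url)
    for finding in findings:
        print(" -", finding)
    print(login_filter(SAMPLE["login_attribute"], "j.smith@home.int"))
```

`ldaps_certificate` is only useful from a host that can reach the directory server, such as the server that will run the Trusted Service Provider.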

So, once all this has been set up, when you enroll your iOS device you’ll now be asked to authenticate as shown below (where I’m entering my Active Directory user account and password).

Custom Enrollment Questions

Finally, you can also present the user with a range of Custom Enrollment Questions, such as where they work, department ID, or accepting an End User License Agreement (EULA). Questions can be presented with links, checkboxes, radio buttons etc. An example list of questions is shown below:

This is then presented to the user as shown below:

This information is then visible to the administrator in the console as follows:

So all done!  You now have authenticated enrollment up and running.   If you have any queries or feedback, please post them on the developerWorks forum here.



Upgrading IBM Endpoint Manager for Mobile Devices (June 2012 release)

Last week, IBM announced the next release of IBM Endpoint Manager for Mobile Devices (see the announcement here).   This update included a bunch of new goodies such as Self Service portal, Enhanced Enrollment Options, Location Services for iOS and Office 365 support.   I’ll include further information on these updates on this blog in the coming weeks.

So just how easy is it to upgrade your current IEM for MDM to this latest release?    I’d say it took me less than ten minutes, and I’ve included some screen captures of the process below.   OK, let’s get started…

On my server, I first went to the Health Checks window as shown below.   Instead of the Status being all green,  it showed two items with a red Fail status.

I proceeded to the Upgrade Management Extender for Apple iOS and clicked on the link.   IEM automatically detected the component that needed upgrading and I then clicked on Take Action.

IBM Endpoint Manager then automatically downloaded the updated software components from our cloud based content servers as shown:

Approximately five minutes later, the update was applied, yay!

You’ll remember in the Health Check window, I also had to activate two new analyses. So again, I clicked on the link to do these too.


The Health Checks dashboard will now have a green Pass status.

All done.

Easy hey! It’s expected that in the next few days the endpoint applications will be automatically available too on the Apple AppStore and Google Play. If you have any queries on this release, feel free to post them on our developerWorks forum.