Archive for category IEM for MDM
Apple’s latest and greatest mobile operating system, iOS 7, is now available. From all reports, over 30% of all iOS devices were updated in just 16 hours! I’m still making the adjustment to doing things a little differently than before. I found it ironic that I needed to call on Google to find the answers I needed, for example how to search in iOS 7 or kill running apps. Overall, I do like the new look and feel.
For organisations, Apple has released a range of new Mobile Device Management (MDM) features too. MaaS360 and IBM Endpoint Manager provided same day support for iOS 7 as per previous iOS releases. Since IEM leverages a cloud service to distribute updates for Windows, Mac, Linux and Unix, it can update the product itself to leverage these new services immediately.
There has been a lot of great coverage on iOS 7 MDM from experts such as Jack Madden, who has explained the key features and benefits. I noticed that Apple has just updated its iPhone in Business web page to reflect iOS 7 too.
The key MDM features of iOS 7 are:
- Open In management – Protect corporate data by controlling which apps and accounts are used to open documents and attachments
- Per app VPN – Configure apps to connect to a VPN when launched
- App Store License management – Companies can assign apps to their users while keeping full ownership and control over app licenses
- New MDM configuration options – see below
- Streamlined MDM enrolment – Devices can be automatically enrolled in MDM during activation
- Enterprise Single Sign-on – Authentication can be done once to a number of applications
I haven’t yet found the ‘definitive list’ of iOS 7 MDM features, so I decided to put one together like I did for Samsung SAFE, so that companies and their staff clearly know what features can be configured and controlled with iOS 7. So here it is; if you have any omissions or corrections please let me know.
There are five new Apple iOS 7 configuration profiles:
- AirPlay – Add Airplay devices and their passwords
- AirPrint – Add Airprint printers
- Font – adding Fonts. Maybe if you have corporate Fonts on devices?
- Single Sign-On Account – Define the SSO account and Kerberos realm name
- Web Content Filter – Enable AutoFilter, whitelist bookmarks and blacklist web sites. This article provided more details.
Then there is a range of detailed configuration items listed here:
- Allow fingerprint to unlock device
- Allow Account Modification (Supervised Only)
- Allow Cellular data usage for Apps (Supervised Only)
- Allow Host Pairing (Supervised Only)
- Allow Wifi and Airplane Mode on Locked Screen
- Allow Open Documents from managed to unmanaged apps
- Allow Open Documents from unmanaged to managed apps
- Allow over the air PKI Updates
- Allow Airdrop (Supervised Only)
- Allow Find My Friends (Supervised Only)
- Limit ad tracking (Supervised Only)
- Allow apps to autonomously enter Single App Mode (Supervised Only)
- Allow Cloud Keychain Sync
- Additional AppLock configuration settings
- Lock Screen
- Allow Access to Control Center
- Allow Notification View in Notification Center
- Allow Today View in Notification Center
As I do more testing with iOS 7, I’ll share my experiences and other applicable news on this blog.
Divide is a container solution for Apple iOS and Android devices. Divide is an app that acts as a workspace, or container, that mimics device capabilities while isolated from the rest of the device. This container solution allows information within Divide to be secured and managed separately from the rest of the device.
The latest release of IBM Endpoint Manager for Mobile Devices can also manage endpoints with Divide containers. So you can have the best of both worlds: managing mobile devices with their native management features, or providing users with corporate services within a container.
You will want to have installed the Divide client on your mobile devices and you can request a trial of their enterprise console here.
I’ve documented the steps to integrate IEM with Divide below:
- Select the Setup and Configuration Wizard and open Setup Enterproid Divide Management Extender. Note that you’ll need to obtain an access token by clicking on the link provided. Enterproid sent me an access token for our company’s domain name.
- Select Deploy Management Extender for Enterproid Divide and then select Take Action
- Select the server where this will be installed. I chose the same server as my MDM Management Extender. Ensure this server has TCP port 443 access to api.divide.com
- It takes a number of minutes for the appropriate software to be downloaded automatically from IBM’s cloud service and installed. If you specifically define which computers are members of the MDM site, ensure the Divide plugin is included too (see device type plugin explained here). You’re then ready to select Configure Extenders.
- Select the Divide Container as shown. Then enter your Divide domain name and access token. I copied the access token into Notepad first, just to ensure there weren’t any stray spaces or extra characters.
- Finally select Configure Enterproid Divide Management Extender, then the applicable container device and click OK. It will take a few minutes for the configuration to complete.
Once the configuration was complete, all containers from the Divide cloud were displayed in the IEM console as shown (alongside the other Android and iOS devices which are managed too).
If I selected my iPad with the Divide container installed, I was able to perform a number of container controls:
What was nice is that I can also define Divide policies from within the IEM console too:
I really like the user interface of the Divide client, which is the most critical factor with any container solution. Some container solutions have the reputation for not being that user friendly, so users end up trying to work their way around how they access their corporate email and applications. Which of course defeats the purpose of providing a container in the first place!
This new capability allows clients to both manage devices via traditional MDM (iOS, Android, Windows, Blackberry) and now a powerful container capability. This is on top of managing Windows, Mac, Linux and Unix from the one console.
If you have any queries, feel free to contact me or post a question to our developerWorks forum.
P.S. Article renamed to reflect Enterproid name change to ‘Divide’ (Oct 2013)
IBM Endpoint Manager for Mobile Devices requires a certificate to manage iOS devices through Apple’s Push Notification Service (APNS). This APNS certificate allows the Management Extender to establish a secure, trusted channel of communication with the iOS devices. This setup is straightforward and is detailed here. Our MDM evaluator’s guide provides step-by-step instructions with screen captures. Contact me if you don’t have a copy.
If you’ve installed IEM to manage some devices, you’ll note that for iOS devices you have to install a self-signed certificate first. You can remove this requirement by installing a well-known or trusted certificate from Verisign, Godaddy, Gotrust etc.
The steps to install IEM with a trusted certificate are below. I want to acknowledge the great article by Orb Data, which provided me with some great info and explained certificates in PEM format.
- Complete Step 1: Deploy the Management Extender Fixlet and Step 2: Obtain certificate to manage Apple iOS devices to install the Management Extender. Save the final APNS certificate as push.cer and place it in a directory on your IEM server, say D:\ManagementExtender\APNS\push.cer. That covers the certificate for IEM communicating with Apple’s APNS service.
- Now for the certificate for device-to-IEM-server communication, we need to create a certificate request that a certificate authority can process. I was using Godaddy to obtain a certificate for the domain name mdm.darrylmiles.me. On a Mac I used OpenSSL and ran this command, substituting your own domain name (note that -nodes writes the private key unencrypted, so keep the .key file access-restricted):
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
For my domain name, I entered:
openssl req -new -newkey rsa:2048 -nodes -keyout darrylmiles.me.key -out darrylmiles.me.csr
I used the command illustrated on Godaddy’s web site here.
The result of this command is two files, the private key (darrylmiles.me.key) and the certificate signing request (darrylmiles.me.csr):
- Now on your certificate authority’s web site, take the text from within your CSR file (in my case darrylmiles.me.csr) and copy it into the appropriate request page:
- Once the certificate request was accepted, I downloaded it as shown:
- The ZIP file contained two files, gd_bundle.crt and mdm.darrylmiles.me.crt. Both files contained the certificate information in PEM format, i.e.:
-----BEGIN CERTIFICATE-----
Lots of letters/numbers here…
-----END CERTIFICATE-----
I renamed the files as follows:
gd_bundle.crt to gd_bundle.crt
mdm.darrylmiles.me.crt to mdm.darrylmiles.me.cer
- I copied darrylmiles.me.key, mdm.darrylmiles.me.crt and mdm.darrylmiles.me.cer to a directory called D:\ManagementExtender\Cert\ on the IEM server.
- I then configured the management extender using these settings:
- That’s it. Once the management extender is configured it’s now ready to accept device enrolments. Here are some screen captures of an iOS device being enrolled:
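Before the .key, the issued certificate and the CA bundle are copied to D:\ManagementExtender\Cert\, it is worth confirming that the private key really belongs to the certificate, that the certificate chains to a trusted root through gd_bundle.crt, and that it is valid for the MDM host name; a mistake in any of these only shows up later as HTTPS warnings or failed enrolments on the devices. The following Go program is an added example (not code from this post or from IBM Endpoint Manager) that performs those checks with the Go standard library; because no real files ship with this page, it builds a constructed root CA and a server certificate for mdm.darrylmiles.me to run against. The InspectPEMCert function is equally useful for eyeballing the subject and expiry date of push.cer.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InspectPEMCert checks that the data is a PEM "CERTIFICATE" block (the BEGIN/END text
// the post describes) and parses it so Subject, DNSNames and NotAfter can be read.
func InspectPEMCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("not a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckServerCertFiles catches the usual mistakes with the .key, the issued certificate
// and the CA bundle: the key must belong to the certificate, the certificate must chain
// to a trusted root through the bundle, and it must be valid for the MDM host name.
// roots == nil means the OS trust store (what a real GoDaddy chain needs).
func CheckServerCertFiles(keyPEM, certPEM, bundlePEM []byte, host string, roots *x509.CertPool) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails when key and certificate do not match
	if err != nil {
		return fmt.Errorf("key/certificate pair: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed once by X509KeyPair
	inter := x509.NewCertPool()
	if !inter.AppendCertsFromPEM(bundlePEM) {
		return fmt.Errorf("CA bundle contains no PEM certificates")
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inter, Roots: roots}); err != nil {
		return fmt.Errorf("chain/host name verification: %w", err)
	}
	return nil
}

// NewTestChain builds a constructed root CA plus a server key and certificate for host
// so the checks can run offline; it panics on failure because it is fixture code only.
func NewTestChain(host string) (keyPEM, certPEM, caPEM []byte) {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	must(err)
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(leafKey)})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return
}

func main() { // offline demo; on the IEM server, read the three files with os.ReadFile instead
	keyPEM, certPEM, caPEM := NewTestChain("mdm.darrylmiles.me")
	roots := x509.NewCertPool() // stands in for the OS trust store in this demo
	roots.AppendCertsFromPEM(caPEM)
	fmt.Println(CheckServerCertFiles(keyPEM, certPEM, caPEM, "mdm.darrylmiles.me", roots)) // <nil>
}
```

For the real GoDaddy files, pass nil as roots so the chain is checked against the server’s own trust store, and pass the contents of gd_bundle.crt as the bundle.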
That’s it. IEM is now setup with a trusted certificate. If you have any queries, feel free to contact me or post a question to our developerWorks forum.
IBM Endpoint Manager for Mobile Devices provides a range of Android device management. Samsung have extended this capability for their devices via Samsung SAFE (Samsung for Enterprise).
End users with Samsung Devices
Users simply install the IBM Mobile Client from Google Play. Once the app is installed, it will also prompt the user to install the additional IBM Mobile Client for Samsung which provides the additional device support.
IBM Endpoint Manager Administrator
The administrator from within the IEM console, simply opens Mobile Device Management – Android Settings – Samsung Approved for Enterprise (SAFE). They then select +New Profile, choose a name and select a profile type from the list below. I’ve chosen System Restrictions in the following example:
Now select this Fixlet and click Take Action, and choose your Android device(s) you wish to configure.
There is quite a large list of Samsung SAFE settings (versions 1.0 and 2.0) available, so I put together a list of the configuration settings from the console below:
Device Management with Samsung SAFE devices
- Create ActiveSync Profile
- Enable SAFE internal storage encryption
- Application Blacklist
- Restrict Roaming
- Shutdown device
- Certificate Import
- Roaming Data
- Roaming WAP Push
- Roaming Account Sync
- Android Market
- Android Browser
- Background Data
- Bluetooth Tethering
- Cellular Data
- Factory Reset
- Home Key
- Mock Location
- Near Field Communication Adapter
- Non Market Apps
- Screen Capture
- SD Card
- Setting Changes
- USB Debugging
- USB Mass Storage
- USB Media Player
- Voice Dialer
- WiFi Tethering
- Outgoing Calls
- Pairing the device with desktop computers
- Data (files and network) transfer over bluetooth
- Make the device discoverable
- Discoverable only for devices that know its ID
- Pairing with other devices
Samsung are now extending this management with Samsung Knox on the Galaxy S4, which I’d certainly like to test at a later date.
IBM Endpoint Manager was recently recognised in the Leaders quadrant in Gartner’s 2013 Client Management Tools. This is a great endorsement of IEM which excels in patch management, multiplatform support and scalability.
Gartner defines Client Management Tools as:
“End-user computing and support organizations use client management tools to automate system administration and support functions that would otherwise be handled manually. They are configuration management tools that image client systems, track inventory, deploy configuration changes (such as software or patches), enforce configuration standards and assist with troubleshooting. Windows PCs are the primary target of management, but organizations are looking to extend these products to manage Macs, mobile devices and servers as well. Mobile device management (MDM) is still a separate market, but organizations are increasingly looking to use a single vendor and management platform to support their PCs, Macs and mobile devices.”
Hey, what a great endorsement of IEM’s capabilities… to manage your PCs, Macs AND mobile devices, from a single management platform.
Following my post last month on Enabling Authenticated Enrollment, I’ve also detailed below the process for enabling the Self Service Portal (SSP). The IBM Mobile Devices Self Service Portal is a web-based method that allows you to manage your personal device without logging onto the TEM console.
Enabling the Self Service Portal
The SSP fits in with the overall IEM for MDM architecture as detailed here. In most cases, the SSP will be located on your intranet for users to access as required.
Start with the Setup and Configuration Wizard, and open Install Additional MDM Features, then select Setup Self Service Portal as shown below.
You’ll note that Authenticated Enrollment has been configured via these steps. Select Deploy Self Service Portal and then Take Action.
Select the server that will host the SSP and click OK.
IEM will then automatically begin downloading the required components for the Self Service Portal and install them on the server as shown below.
Once the SSP is installed, next click on the third step to Configure the Self Service Portal.
Enter in the details for your Web Reports and TEM Console (which in most cases will probably be the one server). An example screen capture is shown below. Click Configure SSP and it will take a few minutes for this configuration to be completed.
If you have any issues with setting up the SSP, a handy URL to have is https://yourSSPservername/ssp/diag which provides some SSP diagnostic information:
Your users will access the SSP via a web browser, i.e. https://yourSSPservername/ssp. Once logged in, they can select one or more devices they have registered to IEM. They can then see information similar to the following for each of their mobile devices:
Users can then lock their device, clear the passcode or even remotely wipe the device. I expect IBM will add additional functionality to the SSP in coming releases. A handy end user guide on the SSP is provided here.
So all done! You now have the SSP up and running. If you have any queries or feedback, please post them on the developerWorks forum here.
The update of IBM Endpoint Manager for Mobile Devices last month included the new Authenticated Enrollment feature. In the article below, I’ll detail how you can easily enable this and configure user enrollment questions too.
Before you do, it’s a good idea to recap the overall MDM architecture once more. You’ll already have your Endpoint Manager server running on your internal network and the Management Extender for iOS on a server in your DMZ (servers shown below in grey). You’ll then want to have a very small server to run the Trusted Service Provider/Self-Service Portal components as highlighted in green below (I’ll cover the Self-Service Portal in a future post). Whilst I don’t see any reason why these new services couldn’t also run on your TEM server, you’d need to ensure you don’t have a possible clash with Web Reports running on port 80. For larger environments a dedicated server would be preferable. Ensure you’ve made any DMZ firewall rules as required.
Enabling Authenticated Enrollment
By default, devices can be managed by MDM without any authentication. You can now restrict access to your MDM deployment to only authenticated users who log in with a username and password from an LDAP/Active Directory service.
Start with the Setup and Configuration Wizard, and open Install Additional MDM Features. The Enrollment Server comes installed automatically on the Management Extender for iOS, so Steps 1) and 2) will already be completed from the update you completed here.
Next, click on Deploy Trusted Service Provider, which will present you with the following window:
Select the server which will host the Trusted Service Provider service (in my case IEMMDMSP1)
The IEM Server will then automatically download the required files from the Internet as shown below.
In about five minutes in my test environment, the installation was complete and the server was in a Pending Restart status. The install seemed to have completed just fine, so just to be sure all was ok, I restarted my server. Maybe I should have been more patient and waited, but all was ok. After the server restarted the status updated to Completed.
Next I configured the enrollment as shown below. Note that for my Active Directory server (dc1.home.int) I deselected SSL and entered the Login Attribute of userPrincipalName (in production, keep SSL selected so that users’ directory passwords are not sent to the LDAP server in the clear). Ensure you test your settings. When I clicked on Configure Authenticated Enrollment, it took a minute or two for this to all be set up on the Management Extender for iOS server.
So, once all this has been set up, when you enroll your iOS device you’ll now be asked to authenticate as shown below (where I’m entering my Active Directory user account and password).
Custom Enrollment Questions
Finally, you can also present the user with a range of Custom Enrollment Questions, such as where they work, their department ID, or accepting an End User License Agreement (EULA). Questions can be presented with links, checkboxes, radio buttons etc. An example list of questions is shown below:
This is then presented to the user as shown below:
This information is then visible to the administrator in the console as follows:
So all done! You now have authenticated enrollment up and running. If you have any queries or feedback, please post them on the developerWorks forum here.
Last week, IBM announced the next release of IBM Endpoint Manager for Mobile Devices (see the announcement here). This update included a bunch of new goodies such as Self Service portal, Enhanced Enrollment Options, Location Services for iOS and Office 365 support. I’ll include further information on these updates on this blog in the coming weeks.
So just how easy is it to upgrade your current IEM for MDM to this latest release? I’d say it took me less than ten minutes, and I’ve included some screen captures of the process below. OK, let’s get started…
On my server, I first went to the Health Checks window as shown below. Instead of the Status being all green, it showed two items with a red Fail status.
I proceeded to the Upgrade Management Extender for Apple iOS and clicked on the link. IEM automatically detected the component that needed upgrading and I then clicked on Take Action.
IBM Endpoint Manager then automatically downloaded the updated software components from our cloud based content servers as shown:
Approximately five minutes later, the update was applied, yay!
You’ll remember that in the Health Check window I also had to activate two new analyses. So again, I clicked on the link to do these too.
The Health Checks dashboard will now have a green Pass status.
Easy, hey! It’s expected that in the next few days the endpoint applications will also be automatically available on the Apple AppStore and Google Play. If you have any queries on this release, feel free to post them on our developerWorks forum.
A few months ago, IBM released a new component to its popular Endpoint Manager product (aka BigFix). IBM Endpoint Manager for Mobile Devices (IEM for MDM) now brings management capabilities to popular Apple iOS and Google Android mobile devices. So the same product you use to manage your traditional PCs (Windows and Apple OS X workstations) and servers (Windows, AIX, Linux, Solaris etc.) can now also manage your mobile phones (whether they be organisation supplied or the increasingly popular BYOD).
I’ve installed and demoed IEMforMDM to a number of Australian customers. Whilst the product is easy to install and configure, the only delays are usually getting customers to open the standard port (443) on their Internet-facing firewalls. Therefore, I decided I’d test out the product on both IBM’s SmartCloud Enterprise and Amazon Web Services (AWS) public clouds. All I need are two very small Windows VMs (each with less than 2GB of memory and 30GB of storage). This gives me the flexibility to demonstrate the product, but also provides an option for some clients who want to test the product in a non-production environment.
The architecture and setup for IEMforMDM is detailed on the following wiki. You can see if you’re managing both Android and iOS devices you need a minimum of two VMs.
Before I started though, I decided I’d use the No-IP service for my two VMs so that regardless of their location in both public clouds (and DNS/IP address changes) their public DNS name would remain the same. I setup No-IP on both VMs and configured No-IP to run as a Service. I found that even though I set No-IP to run as a Service, it didn’t want to update the IP address details of the hosts when they started. So I created a very small cmd file to restart the No-IP service 5 minutes after each VM started. This seemed to work just fine.
Installing IEMforMDM is relatively straightforward. I’ll repeat much of the excellent step by step instructions from IBM’s public wiki. However as the product does rely on you having some familiarity with the Endpoint Manager (BigFix), I’ve included some screen captures which the install instructions on the wiki don’t include.
Pre-requisite TEM install/Relay Setup
- Using the demonstration code from here, install the (Tivoli) Endpoint Manager product following these instructions on your first VM. Let’s call it IEMMDM1. Contact your nearest IBM software seller if you need something longer than the standard 30-day eval period.
- Once the TEM server is installed, install the TEM agent on the second VM; let’s call it IEMMDM2. This is achieved via the Client Deploy utility available via Start – All Programs – Tivoli Endpoint Manager – Tivoli Endpoint Manager Client Deploy.
- Once the Agent is deployed, it will automatically register itself on the TEM Console. From there we want to also make this server a Relay (which are TEM clients with additional functionality). This can be achieved via the TEM console as shown in the following screen capture.
Installing the Management Extender for Apple iOS
Step 1: Deploy the Management Extender Fixlet
- Open the Task: Deploy Management Extender for Apple iOS ID# 70. The Task is found in the “Mobile Device Management” domain under the “Setup” node.
- Click the button in the Fixlet and select the target computer to deploy the Management Extender (if the target computers are not relevant, make sure the agent and a relay are installed first)
- When prompted, use a DNS name (or IP address) that the Apple iOS devices can reach. For example:
- Target the computers to install the Management Extender for Apple iOS, i.e. select the server name IEMMDM2.
- The installation will create a certificate request that must be signed by both IBM and Apple before you can manage your Apple iOS devices, which we’ll cover in Step 2 below.
Step 2: Obtain certificate to manage Apple iOS devices
- Download the CSR file that was generated during the installation by using a browser and visiting https://<dns or IP address from step 1>/csr and save the file. For example, using the above naming convention, you would browse to https://yourpublicdns.org/ (as per Step 3), or on the IEMMDM2 server itself, browse to https://localhost/csr
- Send an email to firstname.lastname@example.org and attach the push.csr file. Please use the email subject of: “MDM APNS CSR <organization name>”
- IBM will respond in email with a signed certificate request (for me it was very quickly)
- Go to https://identity.apple.com/pushcert/ (I found it was best to do this with Firefox; if you use IE, the file you receive back from Apple might not be correctly saved. See here).
- Log in with your Apple ID (consider using a non-personal ID so that other members of the organization can use the Apple ID in the future).
- Select Create Certificate.
- Read and agree to the Terms and Conditions.
- Follow the instructions to upload the certificate file that you received from IBM.
- Download the new signed push certificate “MDM_IBM Global Engineering Solutions_Certificate.pem”
- If you open the pem file in a text editor, you should see a base64 encoded certificate that starts with “-----BEGIN CERTIFICATE-----” and has a few dozen lines of seemingly random characters.
- Rename the file to “push.cer” and create a backup copy.
Step 3: Configure the Management Extender
NOTE: There will be a delay of a few minutes after deploying the management extender before it will report its configuration info and appear in this dashboard.
- Open the “Configure Management Extender” Dashboard from the Setup and Configuration section.
- Select the Management Extender for Apple iOS and click “Configure”
- Select the configuration options. It is not common to change the port numbers. The refresh interval controls how often the management extender will send a refresh command to the agents. Using a more frequent refresh interval will allow you to see updated information from your devices faster, but will potentially cause more data and battery usage on the device.
- Using the Browse function for ‘I have a push certificate from this extender’, select the push.cer certificate that you received from Apple in the instructions above, select ‘Configure iOS Management Extender..’, target the machine name of the Extender in the Action, and select OK to deploy.
- If you have a push_key.pem file (because you generated the csr and key pair manually), then use the section for ‘I have a push certificate from an existing extender’. However most customers will use ‘I have a push certificate from this extender’.
- If you have an HTTPS key and a signed certificate, you can setup via the option for, ‘I have SSL files to use in place of the default self-signed certificate’ (this will replace the self-signed HTTPS certificate and prevent the HTTPS warnings on the devices).
Your Management Extender for Apple iOS is now ready to manage iOS devices (listening on port 443). You can test it by opening your browser and visiting ‘https://<dns or IP address from step 1>’. You should then see the following screen in your web browser:
With the Management Extender for iOS running, I then performed a number of additional server configuration steps.
- I activated the Analysis for mobile devices. Basically clicking the one Activate button as shown here:
- Whilst a number of analyses were not applicable to my setup, I activated all of the mobile items in the console as shown below:
Registering the client for iOS devices is detailed here. It’s as simple as going to the Apple AppStore and searching for/installing the IBM Endpoint Manager application, then entering the public DNS name you defined above, i.e. in our example yourpublicdns.org.
As mobile endpoints are registered, they’ll start automatically appearing in the console.
You’ll then be able to perform a range of management tasks such as device info, application inventory, send messages, recommend apps, blacklist/whitelist apps, partial/full wipe and location info! The full list of functions and the administration guide is provided on IBM’s InfoCenter here.
I’ve found the performance of IEM for MDM running on the public cloud (from Australia to the US) to be excellent. So it’s certainly a great way to try out the product. IBM has released a number of software products for trial on the IBM and AWS clouds, so maybe IEM for MDM will also be officially included over time.
Have you tried out IBM Endpoint Manager for Mobile Devices? I’d be interested in what you think of the product and any suggestions you might have.