The two main components of WSO2 Enterprise Mobility Manager are mobile device management and mobile application management. Setting up WSO2 EMM can be done by following the “Getting Started” guide in the documentation. This article focuses on how to obtain and configure the certificates for your own domain.
Enrolled devices and WSO2 Enterprise Mobility Manager communicate using the HTTPS protocol. This ensures that the private and sensitive data stored on the mobile device cannot be retrieved by a third party or by unauthorized personnel. All communication between devices, APNS and the EMM server is based on certificates held in the key store files with the extension “jks”. These security features are critical since EMM supports both corporate-owned (COPE) and personally owned (BYOD) device management. The “Configuring the product” guide gives the steps to configure the EMM server for use in your local subnet, where the server and the devices use an SSL certificate issued by the inbuilt Certificate Authority of the EMM server.
Communications between devices and EMM server
WSO2 EMM server consists of the following components:
- SCEP server component.
- CA server component.
- Device Management Component.
The iOS device acts as a SCEP client and sends the SCEP request to the server. Enrollment requires a certificate generated by the CA server component of EMM: the iOS device generates a private/public key pair and sends a certificate signing request to the CA, and the CA component issues the public key certificate and stores the public key for the encryption that is used later.
There is communication between iOS devices and APNS, and between Android devices and GCM, for policy monitoring and to perform operations. All devices communicate with the EMM server through the agent applications. All of these communications must be secured using certificates.
You can see the communication flow in Figure 1 given below.
In order to provide secure communication between the components represented in Figure 1, you have to obtain an SSL certificate for your domain from a Certificate Authority. When the server is hosted under a public domain, the obtained SSL certificates need to be included in the key stores.
Obtaining an SSL certificate for your domain
You can choose one of the SSL certificate providers available in the market according to your requirements and budget. You can obtain an SSL certificate for your domain by following the steps below:
- Purchase an SSL certificate.
- Create a CSR including your domain and project data.
- Submit the CSR to the SSL vendor.
- Verify the CSR request by validating that you control the domain the certificate will protect.
- Your SSL certificate will be delivered to you or can be downloaded as facilitated by your certificate vendor.
You can follow the “Get SSL on my website” guide for more information on how to obtain an SSL certificate.
Configuring for iOS device management
Configuring iOS device management and communications is a three-step process:
- Obtaining a signed CSR from WSO2.
- Configuring the EMM server for iOS device management.
- Configuring the iOS client.
Obtaining a signed CSR from WSO2
Create a Certificate Signing Request (CSR) file on the EMM server using your private key. You can use the commands below to generate the private key and the CSR file:
openssl genrsa -des3 -out <Your_Private_Key_File> 2048
openssl req -new -key <Your_Private_Key_File> -out <Your_CSR_File>
Make sure to create both Your_Private_Key_File and Your_CSR_File with the .pem extension.
Provide correct information to the prompted questions related to your organization and the project. Make sure to provide the actual organization name, as this is a required field. The email address provided should be valid, since it identifies your CSR request and is used to reach you when the CSR is about to expire. The common name is the fully qualified domain name of your server. Make sure that the information you provide is accurate, since the artifacts provided will be bound to the given domain name: iOS devices can only be managed by the server hosted under that host name.
You can submit the CSR request through the “Obtain the signed CSR file” form. Make sure to enter the same information as you entered in the CSR request when filling in the form.
You will be provided with the following artifacts, which are required to configure the EMM server to manage iOS devices:
- The signed CSR file in .plist format.
- Agent source code.
- P2 repository, which contains the feature list.
Please refer to the “Obtaining the Signed CSR File” guide for more information on obtaining a signed CSR file.
Configuring the EMM server for iOS device management
iOS server configuration is a long process that can be broken down into the following steps. By following these steps in order you can configure the EMM server for iOS device management:
- Install the iOS features on the EMM server.
- Configure the general iOS server settings.
- Generate the MDM APNS certificate.
Installing the iOS features on the EMM server
Start the EMM server in order to install the features from the P2 repository obtained via the CSR request.
Navigate to the Carbon console using <YOUR_DOMAIN>/carbon, open the Configure tab and select the Features option from the list.
The iOS related features are available in the P2 repository provided to you with the signed CSR. Install all three features given. After the installation of the features is completed, stop the EMM server and proceed to the following location: <EMM_HOME>/repository/conf
You will find a new configuration file “ios-config.xml” in the directory. Modify the “iOSEMMConfigurations” accordingly. Please refer to the “Installing WSO2 EMM iOS Features via the P2 Repository” guide for more information.
Configure the general iOS server settings
In order to set up your server for iOS, follow the instructions given in the “General iOS Server Configurations” guide until Step 5.
After completing Step 5, follow the instructions given below:
- Convert the SSL certificates downloaded from your vendor to .pem files (if the vendor delivers DER-encoded .crt files, add -inform DER to the command):
openssl x509 -in <RA CRT> -out <RA CERT PEM>
Example:
openssl x509 -in your-domain-com-apache.crt -out your-domain-com-apache.pem
openssl x509 -in your-domain-com-ee.crt -out your-domain-com-ee.pem
- Create a certificate chain with the root and intermediate certificates:
cat <CERTIFICATE 1> <CERTIFICATE 2> ... >> <CERTIFICATE CHAIN>
Example:
cat your-domain-com-apache.pem your-domain-com-ee.pem >> clientcertchain.pem
cat your-domain-com-apache.crt your-domain-com-ee.crt >> clientcertchain.crt
- Export the SSL certificate chain file as a PKCS12 file with "wso2carbon" as the alias:
openssl pkcs12 -export -out <KEYSTORE>.p12 -inkey <RSA_key>.key -in clientcertchain.crt -CAfile clientcertchain.pem -name "<alias>"
Example:
openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in clientcertchain.crt -CAfile clientcertchain.pem -name "wso2carbon"
After following the steps above, resume the configuration from Step 7.b of the “General iOS Server Configurations” guide. Note that Steps 6 and 7.a must be skipped, since the server configuration in those steps is for a public domain with already obtained SSL certificates.
Generate the MDM APNS certificate
Go to the Apple Push Certificate Portal, upload the .plist file provided with the signed CSR from WSO2 and generate the MDM certificate. Follow the instructions given in the “Generate MDM APNS Certificate” guide in order to convert the downloaded certificate to .pfx format.
After completing these instructions, you can proceed with the iOS platform configuration as instructed in the “iOS Platform Configuration” guide.
Configuring Android device management
To enable secure communication between Android devices and your EMM server, follow the “Android Configurations” guide. You can skip the certificate generation described in Step 1 under “Generating a BKS File” and move to Step 2 directly, since you already completed it when configuring the iOS device communication.
Configuring Windows device management
No additional configuration is needed to enable Windows device management.