Mobile Device Management Implementation Plan

This document provides a detailed step-by-step plan for setting up a device management service placed in a typical company single-server DMZ.

It is divided into three main sections, each describing a necessary phase of a Device Management implementation:


  Preparation

  • Prepare network access
  • Prepare certificates



  Deployment

  • Install prerequisites
  • Deploy services



  Enrollment

  • Verify your installation 
  • Enroll your devices

The result of completing all the steps in this plan should be a fully operational system with an enrolled test device, ready for device management and distribution of profiles and apps.


  Preparation


Step 1 - Open ports between the DMZ and the LAN

Certain ports must be open between the DMZ and the LAN, and between the DMZ and the internet, for the MDM services to be able to communicate with devices outside the company infrastructure.

Request that your network manager opens the required ports for traffic from the DMZ server towards the CapaInstaller servers that host the Backend service and the Frontend service. Open only the ports the services need, and only from the DMZ server's address; the DMZ server should not have general access to the LAN.

The service default port numbers are listed in the CapaInstaller Network Port Reference below.

The port numbers are customizable; if the defaults have been changed, open the ports configured for your installation instead.

Step 2 - Assign the DMZ server and create a DNS alias

Assign a physical or virtual Windows server in the DMZ to host the MDM service (from now on referred to as the DMZ server).

Before MDM deployment, create a DNS alias (CNAME) record for the MDM service that points to the DMZ server, and use that alias in every enrollment URL. The alias can then easily be redirected to another host later if the MDM service is moved to a new server, without re-enrolling devices.

Step 3 - Open traffic from the internet to the DMZ server

Request that your network manager creates a firewall rule or otherwise opens traffic from the internet to the DMZ server. This is often done by using a subdomain (http/https: mdm.company.com > DMZ server).

As a minimum these two ports must be opened: 443 (TLS/SSL) and 5024 (SCEP).

Do not publish the internal, non-encrypted Front-end port (5021) or the Back-end port to the internet; only the device-facing MDM, OMA DM and SCEP ports belong on the internet-facing rule.

The service default port numbers are listed in the CapaInstaller Network Port Reference below.


CapaInstaller Network Ports reference

Default network ports utilized by devices and services

Incoming

  Port        Service                                Purpose
  443 TCP     CapaInstaller MDM Service              Encrypted communication for devices
  5021 TCP    CapaInstaller Front-end Service        Internal non-encrypted communication for devices
  5022 TCP    CapaInstaller Front-end Service        Public encrypted communication for devices
  5023 TCP    CapaInstaller Back-end Service         Encrypted communication for services
  5030 TCP    CapaInstaller OS Deployment Service    Encrypted communication for services
  5024 TCP    CapaInstaller SCEP Service             Certificate exchange for devices
  8443 TCP    CapaInstaller MDM Service              Encrypted communication for devices (OMA DM)

Outgoing

  Port                         Destination                          Purpose
  443 TCP                      Windows Push Notification Services   Microsoft push notifications
  2195, 2196 TCP               Apple Push Notification service      Apple push notifications
  443, 5228, 5229, 5230 TCP    Google Cloud Messaging               Google push notifications
  7000 TCP                     CapaSystems Web Services             Certificate and License Management

The referenced ports for CapaInstaller services are the default values. If the defaults have been changed, refer to the port set configured for the services in your organization.

If you have other isolated zones, for example a separate WiFi zone, a second DMZ or an off-site hosting zone, the ports must be opened between those zones accordingly.
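As an added example (not part of the CapaInstaller documentation or tooling), the following PowerShell script, run on the DMZ server, tests the DMZ-to-LAN and DMZ-to-internet paths from the port reference above and verifies that the MDM DNS alias resolves to the DMZ server. The internal server name capaserver.company.com, the alias mdm.company.com and the push-provider host names are assumptions; the internet-facing inbound ports (443 and 5024) can only be tested from outside the company network and are not covered here.

```powershell
# Added example, not CapaInstaller's own tooling. Run on the DMZ server.
# Host names below are assumptions; replace them with your own values, and
# replace the default port numbers if they were changed in your installation.

$InternalServer = 'capaserver.company.com'   # assumed name of the internal CapaInstaller server
$MdmAlias       = 'mdm.company.com'          # assumed DNS alias created for the MDM service
$DmzServer      = $env:COMPUTERNAME          # this machine; the alias should point here

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; true when something accepts the connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)          # throws when the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-MdmAlias {
    param([string]$Alias, [string]$ExpectedHost)
    # The alias is correct when it resolves to at least one address of the DMZ server.
    try {
        $aliasAddrs = [System.Net.Dns]::GetHostAddresses($Alias)        | ForEach-Object { $_.IPAddressToString }
        $hostAddrs  = [System.Net.Dns]::GetHostAddresses($ExpectedHost) | ForEach-Object { $_.IPAddressToString }
    } catch {
        return $false
    }
    return (@($aliasAddrs | Where-Object { $hostAddrs -contains $_ }).Count -gt 0)
}

$checks = @(
    # DMZ -> LAN: the Front-end and Back-end ports from the port reference (defaults).
    @{ Target = $InternalServer; Port = 5022; Purpose = 'Front-end service (public, encrypted)' },
    @{ Target = $InternalServer; Port = 5023; Purpose = 'Back-end service (encrypted)' },
    # DMZ -> internet: push providers. The host names are assumptions (the names the
    # providers used for these ports). CapaSystems' host name is not given on this page,
    # so fill it in from your license documentation.
    @{ Target = 'gateway.push.apple.com';  Port = 2195; Purpose = 'Apple Push Notification service' },
    @{ Target = 'feedback.push.apple.com'; Port = 2196; Purpose = 'Apple Push feedback service' },
    @{ Target = 'mtalk.google.com';        Port = 5228; Purpose = 'Google Cloud Messaging' },
    @{ Target = 'mtalk.google.com';        Port = 5229; Purpose = 'Google Cloud Messaging' },
    @{ Target = 'mtalk.google.com';        Port = 5230; Purpose = 'Google Cloud Messaging' },
    @{ Target = '<capasystems web services host>'; Port = 7000; Purpose = 'CapaSystems certificate and license management' }
)

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Target  = $c.Target
        Port    = $c.Port
        Purpose = $c.Purpose
        Open    = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    }
}
$results | Format-Table Target, Port, Open, Purpose -AutoSize

if (Test-MdmAlias -Alias $MdmAlias -ExpectedHost $DmzServer) {
    Write-Host "OK: $MdmAlias resolves to this server"
} else {
    Write-Warning "$MdmAlias does not resolve to $DmzServer - fix the DNS alias before enrolling devices"
}
```

A closed port in the DMZ-to-LAN rows means the firewall request from step 1 has not been applied yet; a closed push-provider port means devices and the MDM service will enroll but never receive push notifications, which is the failure mode described in the platform-specific sections below.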



Furthermore, there are some platform-specific network preparations needed, as documented below.

 Network Preparation for Managing Apple Devices

Preparing network for Apple MDM

Step 1 - Obtain an Apple account identity

You need an account identity with Apple to generate a specific push certificate per CapaInstaller MDM solution.

Register for an Apple developer account (recommended), or alternatively sign up for an Apple Enterprise agreement, to get access to certificate generation on the Apple servers.

Complete your Apple account registration well in advance of implementation, because it may take some time before the registration procedure is complete.

Apple Developer Registration (recommended):

https://developer.apple.com/register/index.action

Enroll in the iOS Developer Enterprise Program:

https://developer.apple.com/programs/start/enterprise/

Step 2 - Generate the Apple Push certificate

In order to manage iOS devices you need a Push certificate issued by Apple. This certificate authorizes the MDM service to send notifications through the Apple push servers.

Use the Apple account created in step 1 to generate a unique certificate per MDM solution. Generate the certificate through the Apple Push Certificate wizard.

Consult Certificate handling in CapaInstaller for a step-by-step guide to generating the Apple Push Certificate.

Step 3 - Obtain a TLS/SSL certificate for the MDM host

Request a TLS/SSL certificate for the company web site (most companies already have one). This can be a wildcard certificate, or it can be issued to the server hosting the MDM service. The certificate must cover the host name that devices connect to, i.e. the DNS alias created in the Preparation section, not only the server's own name.

To make TLS connections work, the certificate must be bound to a specific IP address and port. The MDM service performs this binding automatically.

The certificate must chain to one of the Certificate Authority root certificates trusted by Apple ( http://support.apple.com/kb/HT5012 ). A self-signed or internal-CA certificate is not trusted by devices that do not already have that CA installed, so enrollment over such a certificate fails.

If the certificate binding fails, there is probably already another certificate bound to the port in question.

Step 4 - Verify outbound access to the Apple Push servers

Verify with your network manager that there are no restrictions that prevent devices on the local network from communicating out to the internet on ports 2195-2196.

Mobile devices use these ports for contacting the Apple Push Network.

The port numbers are listed in the CapaInstaller Network Port Reference.
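As an added example (not CapaInstaller's own tooling), the following PowerShell script, run elevated on the DMZ server, looks at the two things step 3 depends on: whether another certificate is already bound to the MDM ports in HTTP.SYS (the cause of the binding failure mentioned above), and whether the server certificate in the machine store covers the MDM alias, chains to a trusted root and is not about to expire. The alias mdm.company.com and the ports 443 and 8443 are assumptions; English netsh output is assumed for the parsing.

```powershell
# Added example, not CapaInstaller's own tooling. Run elevated on the DMZ server.
# The alias and ports are assumptions; use the names and ports configured for your MDM service.

$MdmHostName = 'mdm.company.com'     # assumed DNS alias devices connect to
$MdmPorts    = @(443, 8443)          # default MDM and OMA DM ports

# 1. Existing HTTP.SYS certificate bindings. A binding that already owns one of the MDM
#    ports is the usual reason the service's automatic binding fails. (English netsh output assumed.)
$bindings = @()
$current  = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') { $current = @{ IpPort = $Matches[1] }; $bindings += $current }
    elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') { $current.Hash = $Matches[1] }
    elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)')   { $current.AppId = $Matches[1] }
}
foreach ($b in $bindings) {
    $port = [int]($b.IpPort -replace '^.*:', '')
    if ($MdmPorts -contains $port) {
        Write-Warning ("Port {0} is already bound to certificate {1} by application {2}; the MDM service cannot bind it until that binding is removed (netsh http delete sslcert ipport={3})" -f $port, $b.Hash, $b.AppId, $b.IpPort)
    }
}

# 2. Candidate server certificates in the machine store.
function Test-CertNameMatch([string]$Pattern, [string]$HostName) {
    # Exact match, or a wildcard that covers exactly one label (*.company.com -> mdm.company.com).
    if ($Pattern -ieq $HostName) { return $true }
    if (-not $Pattern.StartsWith('*.')) { return $false }
    $suffix = $Pattern.Substring(1)                       # ".company.com"
    if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
    return ($label.Length -gt 0 -and -not $label.Contains('.'))
}

function Get-CertDnsNames($Cert) {
    # Subject CN plus every entry of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    $cn = ($Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1)
    if ($cn) { $names += $cn.Substring(3) }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is locale dependent ("DNS Name=x, DNS Name=y"); keep only the value after '='.
        $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
    }
    return ($names | Select-Object -Unique)
}

$report = foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })) {
    $names       = Get-CertDnsNames $cert
    $coversAlias = @($names | Where-Object { Test-CertNameMatch $_ $MdmHostName }).Count -gt 0
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted  = $chain.Build($cert)
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        Names        = ($names -join ' ')
        CoversAlias  = $coversAlias
        ChainTrusted = $trusted
        ChainStatus  = $problems
        DaysToExpiry = $daysLeft
        Usable       = ($coversAlias -and $trusted -and $daysLeft -gt 0)
    }
}
$report | Format-Table Thumbprint, CoversAlias, ChainTrusted, DaysToExpiry, Usable, ChainStatus, Names -AutoSize
```

Exactly one row should show Usable = True for the alias. ChainTrusted reflects the roots installed on the DMZ server, not Apple's list, so still confirm the issuing CA against the Apple article linked in step 3. If the Apple Push certificate has been imported into the same store, it appears in the list with its own DaysToExpiry, which is the number to watch for best practice note 3 below.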

Network Preparation for Managing Android Devices

Step 1 - Verify outbound access to Google Cloud Messaging

Verify with your network manager that there are no restrictions that prevent devices on the local network from communicating out to the internet on ports 5223 and 5228-5230.

Mobile devices use these ports for contacting Google Cloud Messaging.

The port numbers are listed in the CapaInstaller Network Port Reference.

Network Preparation for Managing Windows Phone Devices

Step 1 - Open the OMA DM port

Ensure that mobile devices can reach the OMA port chosen in the MDM service configuration (default is 8443).

Mobile devices use this port for contacting CapaInstaller.

The port numbers are listed in the CapaInstaller Network Port Reference.

Step 2 - Create the EnterpriseEnrollment DNS alias

Create a DNS alias for the subdomain "EnterpriseEnrollment", which points to the MDM server.

During enrollment the user is asked to provide an email address. The domain part of this email address is used to auto-discover the MDM service in CapaInstaller.

For example, if the user enters the email address firstname.lastname@company.com, the Windows Phone device takes the domain part (company.com) and looks for the MDM server at:

https://EnterpriseEnrollment.company.com/Discovery.svc

Likewise, if the user enters abc@example.com, the device looks for the MDM service at:

https://EnterpriseEnrollment.example.com/Discovery.svc

Because discovery is performed over https, the TLS certificate presented on the EnterpriseEnrollment host name must also be trusted by the device. A wildcard certificate for the domain covers both the mdm and the EnterpriseEnrollment names; a certificate issued to the server name alone does not.
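As an added example (not CapaInstaller's own tooling; PowerShell 3.0 or later), the following script reproduces the discovery lookup described above, so the EnterpriseEnrollment alias and its TLS certificate can be checked from an ordinary client before a phone is enrolled. The email addresses in the usage lines are constructed examples.

```powershell
# Added example, not CapaInstaller's own tooling. Requires PowerShell 3.0 or later.
# Rebuilds the discovery URL the way the device does and probes it over https.

function Get-EnterpriseEnrollmentUrl {
    param([Parameter(Mandatory = $true)][string]$EmailAddress)
    # The device keeps only the domain part of the address (after the last '@').
    $at = $EmailAddress.LastIndexOf('@')
    if ($at -lt 1 -or $at -ge $EmailAddress.Length - 1) {
        throw "Not an e-mail address: '$EmailAddress'"
    }
    $domain = $EmailAddress.Substring($at + 1).Trim().ToLowerInvariant()
    return "https://EnterpriseEnrollment.$domain/Discovery.svc"
}

function Test-EnterpriseEnrollmentDiscovery {
    param([Parameter(Mandatory = $true)][string]$EmailAddress)
    $url      = Get-EnterpriseEnrollmentUrl -EmailAddress $EmailAddress
    $hostName = ([Uri]$url).Host
    $result   = [ordered]@{ Url = $url; Addresses = @(); HttpStatus = $null; Error = $null }

    # Step 1: does EnterpriseEnrollment.<domain> resolve at all?
    try {
        $result.Addresses = @([System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $result.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 2: does the host answer over https with a certificate this client trusts?
    # Any HTTP status, including 4xx/5xx, means DNS and TLS are fine. A WebException
    # without a response (TrustFailure, ConnectFailure, ...) is the same failure a
    # Windows Phone device would hit during auto-discovery.
    try {
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.Method = 'GET'
        $req.Timeout = 10000
        $req.AllowAutoRedirect = $false
        $resp = $req.GetResponse()
        $result.HttpStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response) {
            $result.HttpStatus = [int]$ex.Response.StatusCode
        } else {
            $result.Error = "$($ex.Status): $($ex.Message)"
        }
    }
    return [pscustomobject]$result
}

# Usage (constructed example addresses):
'firstname.lastname@company.com', 'abc@example.com' | ForEach-Object {
    Test-EnterpriseEnrollmentDiscovery -EmailAddress $_
} | Format-List
```

An Error of TrustFailure with a non-empty Addresses list means the alias exists but the certificate on that host name is not trusted, which is exactly the wildcard-versus-server-name problem noted in step 2.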

  Deployment

Step 1 - Install .NET 4.0

Before you install the MDM service, make sure that the DMZ server has .NET 4.0 installed. If it is not installed, install it now.

Step 2 - Verify the Backend and Frontend services

On a newly deployed CapaInstaller system with no services, make sure that the internal server has a Backend service and a Frontend service deployed. If not, deploy them on the internal server before deploying the MDM and SCEP services.

How to Deploy Backend Service

How to Deploy Frontend Service


Check that the two ports for the Frontend and Backend services are open from the DMZ. Open a browser on the DMZ server and verify that you are able to open the following URLs:

Frontend service: http://capaserver.company.com:[frontend public port]/cifrontend

Backend service: http://capaserver.company.com:[backend public port]/cibackend

If there is no DNS lookup in the DMZ, use the IP address instead, e.g. http://[frontend server IP]:[frontend public port]/cifrontend and http://[backend server IP]:[backend public port]/cibackend.

The response from the services is some internal JSON. The important thing is that the response is something other than HTTP status code 404 (Not Found) or HTTP status code 500 (Internal Server Error).

If this fails, check the following:

  • Are the ports open from the DMZ to the Frontend and Backend services?
  • Are the two services running?
  • Is there a host firewall (for example the Windows Firewall) running on the computer that runs the services? If yes, do not simply disable it; add an inbound rule that allows the service ports from the DMZ server's address.


The port numbers that must be open are listed in the CapaInstaller Network Port Reference.
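As an added example (not CapaInstaller's own tooling), the following PowerShell script performs the step 2 check from the DMZ server without a browser: it requests both service URLs and applies the rule stated above, i.e. any response except 404 or 500 counts as success and no response at all is reported separately. The server name, the default ports 5022 and 5023, and the DMZ address placeholder are assumptions; the netsh command it prints is the scoped firewall rule to use on the service host instead of disabling the firewall.

```powershell
# Added example, not CapaInstaller's own tooling. Run on the DMZ server.
# Server name and ports are assumptions; substitute the Front-end and Back-end
# public ports configured in your installation.

$CapaServer   = 'capaserver.company.com'   # or the IP address if the DMZ has no DNS lookup
$FrontendPort = 5022                       # default public Front-end port
$BackendPort  = 5023                       # default Back-end port

function Test-CapaServiceUrl {
    param([Parameter(Mandatory = $true)][string]$Url, [int]$TimeoutMs = 10000)
    # Any response other than 404 or 500 proves the service is up, so 401/403/405 and
    # similar count as success. No response at all is reported as UNREACHABLE.
    $status = $null
    $detail = $null
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Timeout = $TimeoutMs
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response) { $status = [int]$ex.Response.StatusCode }
        else { $detail = "$($ex.Status): $($ex.Message)" }
    }
    $verdict = if ($null -eq $status) { 'UNREACHABLE' }
               elseif (@(404, 500) -contains $status) { 'FAIL' }
               else { 'OK' }
    New-Object PSObject -Property @{ Url = $Url; Status = $status; Verdict = $verdict; Detail = $detail }
}

$urls = @(
    "http://${CapaServer}:${FrontendPort}/cifrontend",
    "http://${CapaServer}:${BackendPort}/cibackend"
)
$report = foreach ($u in $urls) { Test-CapaServiceUrl -Url $u }
$report | Format-Table Verdict, Status, Url, Detail -AutoSize

# For UNREACHABLE results the fix on the service host is a scoped inbound rule, not
# turning the firewall off. Print the command to run there; remoteip limits it to the DMZ server.
$dmzIp = '<DMZ server IP>'   # placeholder, fill in the DMZ server's LAN-facing address
foreach ($r in ($report | Where-Object { $_.Verdict -eq 'UNREACHABLE' })) {
    $port = ([Uri]$r.Url).Port
    Write-Warning ("No answer on port {0}. If the service is running, allow it on the service host with:`n  netsh advfirewall firewall add rule name=`"CapaInstaller {0} from DMZ`" dir=in action=allow protocol=TCP localport={0} remoteip={1}" -f $port, $dmzIp)
}
```

A FAIL with status 404 usually means the port is open but the wrong service answers on it (or the service is deployed to another computer); a FAIL with 500 means the service is reached but broken, so read its log rather than the firewall configuration.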

Step 3 - Offline deploy the SCEP and MDM services

For DMZ deployment, open System Administration in the CapaInstaller console and offline deploy the SCEP service and the MDM service. The target machine is the DMZ server.

In non-DMZ setups (not recommended) simply deploy the services normally from System Administration directly to the internal server.

Offline deployment is described in the deployment guide for the MDM and the SCEP services.

It is assumed that the MDM and SCEP services are placed on the same server.


Step 4 - Open the installation page on the DMZ server

When you have created both services as offline installations in CapaInstaller, you must install the services on the DMZ server.

Log in to the DMZ server and open the following URL:

Back-end service: http://capaserver.company.com:[backend public port]/cibackend/install

If there is no DNS lookup in the DMZ, use the IP address instead, e.g. http://[backend server IP]:[backend public port]/cibackend/install.

You should now see a web page that lets you install the MDM and SCEP services.

If you cannot open the web page, check the following:

  • Are the ports open from the DMZ to the services?
  • Is the Backend service running?
  • Is there a host firewall (for example the Windows Firewall) running on the computer that runs the services? If yes, do not simply disable it; add an inbound rule that allows the service ports from the DMZ server's address.

If you cannot see any MDM or SCEP service to install:

  • Have the missing services been deployed to the right computer? Check System Administration in the CapaInstaller console.

Step 5 - Download the MDM service installer

Go back to the web page and select the MDM service. It will now download an executable file. The browser may ask you to allow the .exe file to be downloaded; allow this. Note that the installation page is served over plain http from the internal Backend service, so keep this download on the DMZ-to-LAN path and never expose the Backend install page to the internet.

Step 6 - Install the MDM service

When the download has completed, run the executable with administrative privileges.

The MDM service will now be installed, and it should start automatically after installation.

If you cannot install the MDM service, check the following:

  • Did you run the .exe file as administrator?
  • Is the MDM service installed in C:\Program Files\CapaInstaller\Services\MdmService?
  • Does the MDM service log file (C:\Program Files\CapaInstaller\Logs\Services\cimdm.log) show anything?
  • Is the MDM service installed/running? Check Windows' Task Manager/Services Manager.
Apple-Specific Deployment Tasks

Step 1 - Install the certificates

Install the TLS/SSL certificate and the generated Apple Push certificate on the DMZ server. See Certificate handling in CapaInstaller.

Step 2 - Download the SCEP service installer

On the web page, select the SCEP service. It will now download an executable (.exe) file. The browser may ask you to allow the .exe file to be downloaded; allow this.

Step 3 - Install the SCEP service

When the download has completed, run the executable with administrative privileges.

The SCEP service will now be installed, and it should start automatically after installation.

If you cannot install the SCEP service, check the following:

  • Did you run the .exe file as administrator?
  • Is the SCEP service installed in C:\Program Files (x86)\CapaInstaller\Services\Scep?
  • Does the SCEP service log file (C:\Program Files (x86)\CapaInstaller\Logs\Services\ciScep.log) show anything?
  • Is the SCEP service installed/running? Check Windows' Task Manager/Services Manager.


  Enrollment

Server-Side Actions

Step 1 - Verify the services in the console

The services are now installed. Verify that both services get a green check mark in System Administration in the CapaInstaller console. If a service does not have a green check mark, try restarting the service.

Step 2 - Check that the services are running locally

Log in to the DMZ server and open the following URLs:


CapaInstaller MDM URL:
Apple specific URL:

SCEP service: http://localhost:[scep port]

Windows specific URL:

MDM service OMA (https): https://mdm.company.com:[oma port]/omadm

If running, the SCEP service displays a placeholder page stating that the SCEP server is running.

If running, the MDM service shows an error page stating that the used device cannot be enrolled into this service. Do not worry about the error message; the fact that you can see it indicates that the MDM service is running.

If running, the OMA DM endpoint of the MDM service displays a placeholder page stating that the CapaInstaller OMA DM server is running.

Step 3 - Check that the services can be reached from the internet

Log in to a PC on the internet, or use a 3G/4G phone or tablet (the important thing is that the device must access the services from the internet and not from the local network), and open the following URLs for your implemented platforms:


 CapaInstaller MDM URL

Apple specific URL


Windows specific URLs


The expected responses are the same as in step 2: the MDM service shows the "cannot be enrolled" error page and the OMA DM endpoint shows the placeholder page. Because the check is made from the internet, the browser must also accept the TLS certificate without a warning; a certificate warning here means devices will fail to enroll even though the service is running.

If you cannot access the services, check the following:

  • Are the ports open from the internet to the DMZ?
  • Are the MDM and SCEP services running?
  • Is there a host firewall (for example the Windows Firewall) running on the DMZ server? If yes, do not simply disable it; add inbound rules for the MDM, OMA DM and SCEP ports only.


Now the server-side preparations are complete, and the system is ready for enrollment.
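As an added example (not CapaInstaller's own tooling), the following PowerShell script automates the step 3 check from a machine on the internet. Instead of trusting the browser's padlock, it performs a TLS handshake against the MDM and OMA DM ports, records the certificate validation result the client computed (name mismatch, untrusted chain, or none) together with the days left before expiry, and checks that the SCEP port accepts connections. The alias mdm.company.com and the default ports 443, 8443 and 5024 are assumptions.

```powershell
# Added example, not CapaInstaller's own tooling. Run from a machine on the internet
# (not on the company LAN). The alias and ports are assumptions; use your own values.

$MdmHostName = 'mdm.company.com'
$TlsPorts    = @(443, 8443)       # MDM enrollment and OMA DM (Windows Phone) defaults
$ScepPort    = 5024               # SCEP, plain http

function Get-RemoteTlsStatus {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 10000)
    # Performs a real TLS handshake, lets .NET validate the certificate the way a client
    # would, and reports the policy errors instead of merely accepting or failing.
    $global:CapaTlsPolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $global:CapaTlsPolicyErrors = $sslPolicyErrors
        return $true     # continue the handshake so the certificate can be reported
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # protocol defaults of the installed .NET version
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $errors = "$global:CapaTlsPolicyErrors"  # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
        New-Object PSObject -Property @{
            Port = $Port; Reachable = $true
            Subject = $cert.Subject; Issuer = $cert.Issuer
            PolicyErrors = $errors
            DaysToExpiry = $days
            Ok = ($errors -eq 'None' -and $days -gt 0)
        }
        $ssl.Close()
    } catch {
        New-Object PSObject -Property @{
            Port = $Port; Reachable = $false; Subject = $null; Issuer = $null
            PolicyErrors = $_.Exception.Message; DaysToExpiry = $null; Ok = $false
        }
    } finally {
        $client.Close()
    }
}

function Test-ScepPortOpen {
    param([string]$HostName, [int]$Port)
    # SCEP is plain http on its own port; a TCP accept is enough to prove the internet-facing rule.
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port); return $true } catch { return $false } finally { $client.Close() }
}

$report = foreach ($p in $TlsPorts) { Get-RemoteTlsStatus -HostName $MdmHostName -Port $p }
$report | Format-Table Port, Reachable, Ok, PolicyErrors, DaysToExpiry, Subject -AutoSize

if (Test-ScepPortOpen -HostName $MdmHostName -Port $ScepPort) {
    Write-Host "OK: SCEP port $ScepPort on $MdmHostName accepts connections from the internet"
} else {
    Write-Warning "SCEP port $ScepPort on $MdmHostName is not reachable from the internet"
}
```

Ok = True on both TLS ports is the condition best practice notes 3 and 5 below ask for; RemoteCertificateNameMismatch means the certificate was issued to the server name rather than the alias, and RemoteCertificateChainErrors means the issuing CA is not trusted by this client (check the Apple root list from the Preparation section).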

Before enrolling the first device, check device compatibility and readiness.


Client-Side Checks

Step 1 - Prepare the device

  • Make sure your device is at least 80% charged and/or plugged in.
  • Back up your device before enrolling.

Apple-Specific Enrollment

  1. The iOS version must be iOS 5 or newer.
  2. Some features will only work if the device is configured with an Apple account.

Android-Specific Enrollment

  1. The Android version must be 2.3 or newer.
  2. Some features will only work if the device is configured with a Google account.
  3. It is recommended that you use the Chrome browser for enrollment.

Windows-Phone-Specific Enrollment

  1. The Windows Phone version must be 8.1 or newer.
  2. Some features will only work if the device is configured with a Microsoft account.




Step 2 - Enroll a test device

Try to enroll a device for every platform you plan to support. If devices do not appear in the console after enrollment, check the "Quarantined Units" view for devices waiting for approval to enroll.

Device enrollment


If enrollment fails, check the services' log files.


Your system is now ready, and you have your first device enrolled and ready for management and deployment.

Best Practice Notes


  1. Complete your Apple account registration for generating the Apple Push certificate well in advance of implementation, because it may take some time before the registration procedure is complete.

  2. Because the MDM service is located on a specific server that might be changed or moved, create a DNS alias so that all devices are enrolled at a simple URL like https://mdm.example.com/, which can then be pointed at whichever host currently runs the MDM service.

  3. Renew the Apple Push certificate in good time before it expires; otherwise all Apple devices must be re-enrolled.

  4. The enrollment page (MDM service configuration) should preferably use port 443, because browsers assume port 443 when they access a URL that begins with https. If the service uses another port, either add the port to the enrollment URL (for example https://mdm.example.com:8443/cimdm ) or place a reverse HTTP proxy in front of the service that listens on port 443 and routes to the configured port. A DNS alias alone cannot change the port.

  5. The login URL, for example https://mdm.example.com/, must be protected with a valid TLS/SSL certificate: issued for that host name, not expired, and chaining to a root the devices trust.

  6. Just like when you deploy software to PCs, we recommend that you test new MDM profiles and MDM devices in a "development" Configuration Management Point before you promote the profiles or devices to the "production" Configuration Management Point. By default you will probably want all enrolled devices to be in the "production" Configuration Management Point. To make a device enroll in the "development" Configuration Management Point, either create a new user that uses the "development" Configuration Management Point or move an existing user to it before enrollment.
