Mobile Device Management - Initial Setup
On the management side, you can enroll end users, view real-time information about the organization’s devices, and create, maintain, and deploy policies that suit your business requirements. The service consists of two components:
- A portal where you configure and maintain the service and user device configuration profiles.
- A device enrollment component, where end users enroll their devices in the service and install the configuration profile for configuring the organization mail account and Wi-Fi connection, for instance.
The Mobile Device Management (MDM) client is a software component of the Horizon Luna cloud offering. The purpose of the MDM client is to transfer data regarding the state of mobile devices (MDs) to the MDM service in the cloud. The client then allows the MD state to be displayed in a browser view or the portal for the tenant. The branded client on the MD is basically an MDM client wrapped in an MDM agent, encapsulating the client for communication with the MDM service.
1. Introduction to Mobile Device Management
Mobile device management (MDM) is a software tool used to manage and enforce security policies on smartphones, tablets, and other endpoints. To perform these functions, MDM tools interact with an MDM server and communicate with the MDM profiles installed on the devices being managed. When a device has MDM profiles installed, MDM administrators can push applications, updates, and configurations to devices, and remove them again, using the company's proprietary remote exchange server.
MDM solutions are effectively communication controllers between a managed wireless device and the company network. They perform the push and pull operations between a managed device and the company data. They can remotely wipe data from lost devices and restrict the use of Wi-Fi and Bluetooth. These security features are only available after the MDM policies and profiles are installed on the devices from their respective MDM servers. No enforcement is available on wireless devices without MDM.
Some newer features will manage how cellular data or Wi-Fi bandwidth will interact with the company apps. Managed devices can be restricted to company functions and data only. Enterprise messaging tools are limited to the organization's API Gateway usage; without activations, the organization's devices will not have functionalities. Devices connecting to BES, Exchange, and Lync will be managed according to the profile's agent configurations. One new feature is the enterprise activation via either cellular data or Wi-Fi.
2. Key Components of Mobile Device Management
To start iPhone, iPad, and Mac management with MDM, you need an Apple Push Notification service certificate for each organization’s MDM server. You also need an MDM SSL certificate for each MDM server. For some features (such as device lock, supervised restrictions, and network configurations), you also need to enroll in the Device Enrollment Program, School Manager, or Business Manager and supervise your devices. A key goal of mobile device management is to provide robust Apple device management that organizations of all sizes can use to deploy and maintain device settings.
MDM is a solution that allows large and small businesses and educational institutions to control mobile devices. Using the MDM protocol, an MDM server can manage iOS and macOS devices. MDM can enroll devices in its device inventory, install configuration profiles, or install and remove apps. MDM solutions can also restrict device functionality and place status updates on devices. MDM uses the Apple Push Notification service to communicate with managed devices. If you want to manage a new Apple device, follow these steps to configure the MDM service you manage: create a push certificate, generate a client certificate, connect to APNs to receive updates, use the HTTP API, or send a Device Enrollment Command to your MDM server to initiate the MDM check-in process.
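Before an enrollment profile is handed to end users, it is worth checking that its MDM payload points at HTTPS endpoints, carries a push topic that can match an APNs MDM certificate, and references an identity certificate that the profile actually delivers. The following Python audit is an added example, not code from the service described on this page; it assumes an unsigned profile (a signed one must be unwrapped first), and the hostnames, UUIDs and topic values in the sample are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

def audit_mdm_payload(profile_bytes):
    """Return findings for the com.apple.mdm payload of an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    mdm = next((p for p in payloads if p.get("PayloadType") == "com.apple.mdm"), None)
    if mdm is None:
        return ["no com.apple.mdm payload in profile"]
    findings = []
    # ServerURL is required; CheckInURL is optional and falls back to ServerURL.
    if "ServerURL" not in mdm:
        findings.append("ServerURL missing")
    for key in ("ServerURL", "CheckInURL"):
        if key in mdm and urlparse(mdm[key]).scheme != "https":
            findings.append(f"{key} is not HTTPS")
    # The push topic must match the APNs certificate and start with com.apple.mgmt.
    if not str(mdm.get("Topic", "")).startswith("com.apple.mgmt."):
        findings.append("Topic does not start with com.apple.mgmt.")
    # The identity certificate must be delivered by another payload in the profile.
    ident = mdm.get("IdentityCertificateUUID")
    if ident is None or ident not in {p.get("PayloadUUID") for p in payloads}:
        findings.append("IdentityCertificateUUID does not match any payload")
    # Informational: without SignMessage the device does not sign its messages.
    if not mdm.get("SignMessage", False):
        findings.append("SignMessage is off: device messages are not signed")
    return findings

def build_sample(checkin_url, topic, sign):
    """Constructed sample profile; hostnames, UUIDs and topic are placeholders."""
    cert_uuid = "00000000-0000-0000-0000-000000000001"
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.scep", "PayloadUUID": cert_uuid},
            {"PayloadType": "com.apple.mdm",
             "PayloadUUID": "00000000-0000-0000-0000-000000000002",
             "ServerURL": "https://mdm-1.example.com/server",
             "CheckInURL": checkin_url, "Topic": topic,
             "IdentityCertificateUUID": cert_uuid, "SignMessage": sign},
        ],
    })

if __name__ == "__main__":
    weak = build_sample("http://mdm-1.example.com/checkin", "com.example.push", False)
    good = build_sample("https://mdm-1.example.com/checkin",
                        "com.apple.mgmt.External.constructed-placeholder", True)
    print(audit_mdm_payload(weak))   # three findings
    print(audit_mdm_payload(good))   # no findings
```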
3. Planning and preparing for MDM Implementation
When planning to deploy MDM for mobile devices, there are certain best practices to consider that will ensure the greatest level of success for each phase of the deployment process. Expecting the unexpected can ease the process of planning and aid in avoiding common pitfalls. This chapter outlines what planning and getting prepared for an MDM implementation entails.
Any successful deployment has its roots in the planning and preparation stages. The phases prior to the deployment of MDM are essential in that they lay the groundwork for every additional step of the process. It is during these initial stages that much of the heavy lifting will take place with seemingly no progress. Ensuring that the pre-deployment process is handled accurately can lead to a reduction in deployment and integration issues and assist in achieving the desired results with MDM. Understanding these critical initial steps can contribute greatly to a successful deployment and recurring operations. Some considerations will include components of the MDM deployment, the different phases of the deployment process, and the common logistical needs of deployment, or the requirements for successful and issue-free deployment.
4. Configuring and Deploying MDM Solutions
Configuring a server can be accomplished in one of two ways. The first is to install a dedicated server. This is recommended because it ensures that other unrelated applications do not interfere with MDM. However, after a period of evaluation coupled with the varied resources of the organization, such as a small corporate environment, the system can be housed on an existing corporate server. One exception to not using a dedicated server involves mobile device management applications that are native to the corporate server.
Initial Setup: Connect to the Internet and enable any necessary network settings or applications. After creating an Apple ID, connect to the Apple Store and install OS X Server, which will become the iPhone Configuration Utility. Run Server.app, at which point the user should select the 'Welcome' window and click the 'Next' button, which will take the user to the 'General' window, where the 'Setting Up' tab should be selected. Since we will be configuring the iPhone Configuration Utility on a system running under Mountain Lion or Mavericks, it will need to be installed on a system running at least OS X 10.8.3. At the 'Settings and Network Interface' window, select the 'General' tab first. Under 'Computer Name', enter 'mdm-1', which will produce the following:
Under 'Primary Network Interface', we will be using the LAN interface to communicate with any Apple devices. Click back onto the 'Computer Name' tab and under 'Setting Up', enter the fully qualified domain name. We strongly recommend keeping a DHCP reservation for any IP address that is used. Click on 'Network' and access the LAN. Enable just one service, such as 'Server', and point the listener address to the server's LAN IP. The workgroup should be set to 'Example'. You will receive a green check mark verifying that the 'Setup Assistant' is now complete.
A second way to configure a dedicated server is through cloud services, using the 'Configuration Assistant'. The user is presented with the 'Create Access Key' dialog. Here, the user must supply an Access Key ID and a Secret Access Key, which can be used in conjunction with the RSA key pair to send Secure Shell (SSH) requests. The steps in the assistant dialog are as follows:
- Enter Access Key ID. Enter the alphanumeric value of up to 20 characters and compile.
- Enter Secret Access Key. Enter the alphanumeric value of up to 40 characters and compile.
- Select OK. Select 'OK' to start the assistant, or click 'Apply' if the user wishes to apply changes without closing the prompted dialog. Upon clicking 'Next', at this point the user will be in the 'Create - Server' dialog, where the account information just supplied has been prepopulated.
