Mobility Manager 9.0 Installation Guide
LANDESK MOBILITY MANAGER

Copyright 2002-2012, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others. LANDesk does not warrant that this document is error free and retains the right to make changes to this document or related product specifications and descriptions at any time without notice. LANDesk does not assume any obligation to update the information contained herein. This document is provided AS IS and without any guaranty, warranty, or license, express or implied, including but not limited to: fitness for a particular purpose, merchantability, non infringement of intellectual property, or other rights of any third party. Any LANDesk products referenced in this document are not intended for use in medical, life saving, or life sustaining applications. Third parties may have intellectual property rights relevant to this document and the technologies discussed herein.

Last updated: 11/6/2012
INSTALLATION GUIDE

Contents

Introduction to the LANDesk Mobility Manager 9.0 installation
  Scope
  Assumptions
LANDesk Mobility Manager overview and prerequisites
  Mobility Manager components and architecture
  Installation prerequisites
  Configure DNS text records for agent enrollment
Setting up and configuring the MDM server
  Set up and configure the MDM server
  MDM server prerequisites
  Install the server agent
  Install the IIS role
  Install the .NET Framework 3.5.1 feature
  Install the MSMQ feature
  Set Up HTTPS
  Submit the certificate request for CA approval
  Complete the certificate request and bind to SSL
Obtaining certificates and keys for supported mobile devices
  Obtain an APNS certificate to support Apple iOS mobile devices
  Obtain a GCM key to support Android mobile devices
  Refer to the official Google instructions
Installing Mobility Manager on the servers
  Install Mobility Manager on the MDM server
  Install Mobility Manager on the core server
  Mobility Manager installation prerequisites
  Install Mobility Manager
  Reactivate your core server
  Understand and ensure installation of all required certificates
  MDM server certificates
  Core server certificates
Accessing and using Mobility Manager
  Access the Mobility tool in the console
  Configure enrollment profiles
  Enable users to see content in the LANDesk Portal
Appendix: About self-signed certificates NOT supported by LANDesk
  Self-signed certificates NOT supported by LANDesk
  Step 1: Create a certificate request
  Step 2: Submit a certificate request
  Step 3: Complete the certificate request
  Step 4: Add the signed authority for self-signed certificates
  Additional MDM server certificate required
Introduction to the LANDesk Mobility Manager 9.0 installation

The LANDesk Mobility Manager 9.5 setup process consists of several installation and configuration steps. It requires planning and preparation as well as technical proficiency and some familiarity with LANDesk Management Suite concepts and tools. This Installation Guide provides detailed instructions on how to perform each of these steps (or links to separate documents that describe third-party configuration procedures, such as creating and integrating certificates for various OS platforms, hosted on the LANDesk User Community).

With the LANDesk Mobility Manager tool you can discover, enroll, and manage end user mobile devices from your LDMS console. After installation and configuration is complete, go to the LANDesk Mobility Manager Users Guide for information on how to use the tool's features.

Scope

The scope of this guide is to walk LANDesk Administrators through the setup of LANDesk Mobility Manager on the MDM server and LANDesk core server. After the setup of the servers the administrator will be able to begin enrolling and managing iOS and Android devices via the LANDesk Management Suite console.

Assumptions

This document assumes the LANDesk Administrator has a working knowledge of LANDesk Management Suite as well as an understanding of certificates and Certificate Authority technology. It's also assumed that the MDM server is placed in the corporate DMZ, and that appropriate networking is in place in order for the LANDesk core server to communicate with the MDM server on the ports listed later in this document.
LANDesk Mobility Manager overview and prerequisites

See the following topics for more information on LANDesk Mobility Manager features, components, architecture, and prerequisites for installation and configuration.

- Mobility Manager components and architecture
- Installation prerequisites
- Configure DNS text records for agent enrollment

Mobility Manager components and architecture

The diagram below shows the components that need to be installed and configured in order to use LANDesk Mobility Manager.

Figure: Mobility Manager components and communication flow
A: Apple iOS devices
B: APNS (Apple Push Notification Service)
C: Corporate DMZ
D: MDM server
E: LDMS 9.0 core server with LANDesk Mobility Manager 9.0
F: GCM (Google Cloud Messaging for Android)
G: Android devices
Installation prerequisites

This section describes the hardware and software requirements for the servers, certificates, and firewall settings. You must comply with the following prerequisites in order to install, configure, and use LANDesk Mobility Manager.

MDM server prerequisites

IMPORTANT: Windows Server 2008 R2 x64 as the server machine

- Dual processor
- 4 GB RAM
- 10 GB hard drive
- IIS role:
  - Basic Authentication
  - ASP.NET Role Service (in Server Manager > Roles > Web Server (IIS) > Role Services)
  - IIS Management Tools
- MSMQ (Microsoft Message Queuing) feature
- .NET 3.5 feature
- LANDesk agent, which can be installed from: \\<core server name or IP address>\ldlogon\wscfg32.exe (NOTE: Deselect all options)
- Google Chrome or Apple Safari Web browser (NOTE: Needed for APNS certificate creation)

Core server prerequisites

IMPORTANT: Windows Server 2008 R2 x64 as the server machine

- Additional 1 MB on the database for every 100 managed mobile devices
- Server joined to the AD domain
- Windows PowerShell 2.0 enabled on the server (NOTE: Should already be enabled by default on Windows Server 2008)
- LDMS 9.0 core server with the SP3 release installed or LDMS 9.5 core server installed
- MSMQ (Microsoft Message Queuing) feature
- Silverlight
General certificate prerequisites before installing Mobility Manager

- Apple APNS certificate: For instructions on obtaining an APNS certificate for Apple iOS mobile device support, go to: https://apnsportal.landesk.com
- Google Cloud Messaging (GCM) account: For instructions on obtaining a GCM (Google Cloud Messaging) account ID and API key for Android mobile device support, go to: http://developer.android.com/guide/google/gcm/gs.html
- Third-party signed certificate (VeriSign or some other Trusted Root vendor)

Firewall settings

- MDM server to Internet:
  - APNS: 2195, 2196, 5223 (all TCP)
  - GCM: 5228, 443
- MDM server to LDMS core server: 80, 443
- LDMS core server to MDM server: 80, 443
- Internet to MDM server: 443 (enrollment)

Additional console prerequisites

- Windows PowerShell 2.0 enabled on the server
- .NET 3.5
- Silverlight

Configure DNS text records for agent enrollment

This procedure describes how to set up the Text Tag (TXT) record in DNS that maps the agent enrollment URL. This record allows users to enroll Android or iOS mobile devices using their individual email addresses.
To configure DNS text records

1. Log in to the DNS server.
2. Click Start > Administrative Tools > DNS to run the DNS Manager utility.
3. From the DNS tree, navigate to the domain folder.
4. Right-click the folder and click Other New Records.
5. On the Resource Record Type dialog, select Text (TXT) from the list.
6. Click Create Record to open the New Resource Record dialog.
7. Leave the Record name field blank.
8. Create a DNS text record for Android by adding the following in the Text field:
   android-mdm-enroll=https://<mdmserver>/mobileenrollment/ld-androidenroll.aspx
   Example: https://mdm.domain.com/mobileenrollment/ld-androidenroll.aspx
9. Click OK to create the record.
10. Repeat steps 6-9 to create a DNS text record for iOS, but instead adding the following in the Text field:
    OSIAGENTREGURL=https://<MDMserver>/MobileEnrollment/ld-iosEnroll.aspx
11. Repeat steps 6-9 to create a DNS text record for LD Portal, but instead adding the following in the Text field:
    LDLAUNCHPAD=https://<MDMserver>/launchpad.cloud
Setting up and configuring the MDM server

See the following topics for more information on setting up the MDM server for LANDesk Mobility Manager.

- Set up and configure the MDM server
- MDM server prerequisites
- Install the server agent
- Install the IIS role
- Install the .NET Framework 3.5.1 feature
- Install the MSMQ feature
- Set Up HTTPS
- Submit the certificate request for CA approval
- Complete the certificate request and bind to SSL

Set up and configure the MDM server

This section provides detailed instructions you can use to set up and configure the MDM (Mobile Device Management) server, including the following:

- "MDM server prerequisites"
- "Install the server agent"
- "Install the IIS role"
- "Install the .NET Framework 3.5.1 feature"
- "Install the MSMQ feature"
- "Set Up HTTPS"

MDM server prerequisites

The following prerequisites must be met before you can install and configure LANDesk Mobility Manager on the MDM server. The following sections walk you through this entire process.

IMPORTANT: Windows Server 2008 R2 x64 as the server machine

- Dual processor
- 4 GB RAM
- 10 GB hard drive
- IIS role
- .NET 3.5 feature
- Google Chrome or Apple Safari Web browser (NOTE: Needed for APNS certificate creation)
- MSMQ (Microsoft Message Queuing) feature. The MSMQ (Microsoft Message Queuing) feature must be installed. (NOTE: For step-by-step instructions, see "Install the MSMQ feature".)
- The LANDesk server agent must be installed on the MDM server.
- Also, Mobility Manager requires setup of HTTPS/443 on the MDM server with the proper certificate.

Install the server agent

Follow these steps to install the server agent on the MDM server.

To install the server agent

1. From the MDM server, go to: http://<core server name or IP address>/ldlogon/
2. Run the wscfg32.exe file.
3. Clear any options you don't want to install on the server.
4. Click Install.
5. Follow the prompts until the installation has completed.

Install the IIS role

Follow these steps to install the IIS role required for the LANDesk Mobility Manager components.

IMPORTANT: Windows Server Requirement. You MUST install these features and Mobility Manager on a Windows Server 2008 R2 x64 machine.

To install the IIS role

1. At the Windows Server 2008 desktop, click Start > Administrative Tools > Server Manager (or right-click Computer, and then click Manager).
2. In Server Manager, click Roles.
3. On the Before You Begin page, click Next.
4. Check Web Server (IIS).
5. Click Next.
6. Click Next.
7. Check ASP.NET.
8. On the Add role services required dialog, click Add Required Role Services.
9. On the Select Role Services page, select Basic Authentication and IIS Management Console. (NOTE: You can choose additional options as desired.)
10. Click Next.
11. Click Install.
12. Once the Installation succeeded message appears, click Close.

NOTE: MSDN Library resource. These instructions, and more detailed information about IIS, are found in the MSDN Library at: http://learn.iis.net/page.aspx/29/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2/

Install the .NET Framework 3.5.1 feature

Follow these steps to install the .NET Framework 3.5.1 feature required for the LANDesk Mobility Manager components.

To install .NET Framework 3.5

1. At the Windows Server 2008 desktop, click Start > Administrative Tools > Server Manager (or right-click Computer, and then click Manager).
2. In Server Manager, click Features.
3. In the right-hand pane of the Features Summary page, click Add Features.
4. On the Select Features page, select .NET Framework 3.5.1.
5. On the Add features required dialog, click Add Required Features.
6. Click Next.
7. Click Install.
8. Once the Installation succeeded message appears, click Close.

Install the MSMQ feature

Follow these steps to install the MSMQ (Microsoft Message Queuing) feature required for the LANDesk Mobility Manager components.

To install Message Queuing 4.0

1. At the Windows Server 2008 desktop, click Start > Administrative Tools > Server Manager (or right-click Computer and then click Manager).
2. In Server Manager, click Features.
3. In the right-hand pane of the Features Summary page, click Add Features.
4. On the Select Features page, expand Message Queuing, and then expand Message Queuing Services.
5. Check Directory Services Integration, and then click Add Required Features. (NOTE: This is for computers joined to a domain.)
6. Check HTTP Support, and then click Add Required Role Services.
7. Click Next three times, and then click Install.
8. Once the Installation succeeded message appears, click Close.
NOTE: MSDN Library resource. These instructions, and more detailed information about MSMQ, are found in the MSDN Library (MS Tech Center) at: http://msdn.microsoft.com/en-us/library/aa967729.aspx

Set Up HTTPS

To have secure communication between the MDM server and mobile devices for enrollment, an SSL certificate is required. A third-party signed certificate (VeriSign or some other Trusted Root vendor) is required. This section will guide you through importing or creating an SSL certificate request for use on the MDM server.

CAUTION: Self-signed SSL certificates are not currently supported by LANDesk. While a self-signed SSL certificate will work, it is not supported by LANDesk at this time.

NOTE: Wildcards are supported in certificate requests. Wildcards are supported when entering the Common name during the certificate request creation procedure so that only the Complete Certificate Request procedure needs to be done on each web server.

To import an existing certificate

NOTE: If you are using a third-party signed certificate (VeriSign or some other Trusted Root vendor) that has a wildcard value in it, for example *.domain.com, simply import it into IIS. Then go directly to "Install Mobility Manager on the MDM server".

1. At the MDM server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the Connections pane, select the MDM server from the tree, and then double-click Server Certificates.
3. Under the Actions menu, click Import.
4. Import the .pfx file provided by the third-party vendor.

To create a certificate

If you need to create a secondary or child certificate for the third-party CA, the following steps will guide you through this process. However, if you imported the certificate, this procedure does not need to be completed. Instead, go directly to "Install Mobility Manager on the MDM server".

1. At the MDM server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the Connections pane, select the MDM server from the tree, and then double-click Server Certificates.
3. Under the Actions menu, click Create Certificate Request.
4. Enter values on the Distinguished Name Properties page. The Common Name field is required, which is the IP or DNS name that the device will use to connect to the server.

   IMPORTANT: Make sure the CN of the certificate matches the URL used by the enrollment below. In other words, if you used an IP address for the certificate, then use the same IP address when enrolling. If you used a server name for the certificate, then use the server name when enrolling.

   NOTE: Wildcards are supported, for example 192.168.*.*
5. When finished click Next.
6. At the Cryptographic Service Provider Properties page, accept the default values, and then click Next.

   IMPORTANT: Your third-party SSL provider might require an encryption key with a 2048 bit length. Make sure you select a bit-length value that meets the requirements of your provider.

7. Specify a file name and path for the text file that will contain the certificate request.
8. Click Finish to save the request file.

Sample request text file

The following graphic shows a sample request text file named request.txt opened in Notepad:
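Added example (not part of the LANDesk guide or product): a Python check that the three enrollment TXT records from "Configure DNS text records for agent enrollment" use https on port 443 and name a host covered by the certificate Common Name entered in step 4 above. The function names, the sample records and the rule that a wildcard covers exactly one left-most DNS label are assumptions of this example.

```python
from urllib.parse import urlsplit

# TXT keys and URL paths exactly as this guide's DNS procedure gives them.
EXPECTED_PATHS = {
    "android-mdm-enroll": "/mobileenrollment/ld-androidenroll.aspx",
    "OSIAGENTREGURL": "/MobileEnrollment/ld-iosEnroll.aspx",
    "LDLAUNCHPAD": "/launchpad.cloud",
}


def cn_covers_host(cert_cn, host):
    """Return True if the certificate Common Name covers the host name.

    Assumption: only an exact match or one left-most wildcard label
    (*.domain.com) is handled; the wildcard covers exactly one label.
    """
    cn = cert_cn.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*."):
        suffix = cn[1:]                      # ".domain.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return False


def parse_enrollment_records(txt_values):
    """Pick the enrollment key=value pairs out of a zone's TXT strings."""
    records, duplicates = {}, []
    for raw in txt_values:
        key, sep, value = raw.strip().strip('"').partition("=")
        if not sep or key not in EXPECTED_PATHS:
            continue                         # unrelated TXT data, e.g. SPF
        if key in records:
            duplicates.append(key)
        records[key] = value.strip()
    return records, duplicates


def check_enrollment(txt_values, cert_cn):
    """Return a list of (key, problem) findings; empty means consistent."""
    records, duplicates = parse_enrollment_records(txt_values)
    findings = [(k, "more than one TXT record for this key") for k in duplicates]
    for key, expected_path in EXPECTED_PATHS.items():
        if key not in records:
            findings.append((key, "record missing"))
            continue
        url = urlsplit(records[key])
        try:
            port = url.port or 443           # no explicit port means 443 for https
        except ValueError:                   # non-numeric or out-of-range port
            port = None
        host = url.hostname or ""
        if url.scheme != "https":
            findings.append((key, "URL is not https"))
        if port != 443:
            findings.append((key, "port is not 443 (only inbound port in the firewall list)"))
        if not cn_covers_host(cert_cn, host):
            findings.append((key, "host %r not covered by certificate CN %r" % (host, cert_cn)))
        # Compared case-insensitively: the guide itself writes the paths in mixed case.
        if url.path.lower() != expected_path.lower():
            findings.append((key, "unexpected path %r" % url.path))
    return findings


# Constructed sample data (not from a real zone): TXT strings for domain.com,
# including an unrelated SPF record, an http URL and a host outside the CN.
SAMPLE_TXT = [
    '"v=spf1 -all"',
    '"android-mdm-enroll=https://mdm.domain.com/mobileenrollment/ld-androidenroll.aspx"',
    '"OSIAGENTREGURL=http://mdm.domain.com/MobileEnrollment/ld-iosEnroll.aspx"',
    '"LDLAUNCHPAD=https://10.0.0.5/launchpad.cloud"',
]

if __name__ == "__main__":
    for key, problem in check_enrollment(SAMPLE_TXT, "mdm.domain.com"):
        print(key, "->", problem)
```

Feed it the TXT strings returned for the enrollment domain and the CN from the certificate bound to port 443 on the MDM server; any finding points at a record that devices would reject or fail to reach.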
Submit the certificate request for CA approval

This procedure submits the certificate request to the CA server using the web interface that is available for requesting certificates.

NOTE: Change the URL to your CA server. The following screen shots show the CA as being on localhost. You need to change the URL to the name of the CA server that you are using.

To submit a certificate request

1. Open a browser and enter the following URL: http://certservername/certsrv.
2. At the Welcome page, click Request a certificate.
3. Click advanced certificate request.
4. Click Submit a certificate request by using...
5. Paste the entire content of the text file into the Base-64-encoded certificate request text field. This is the certificate request text file created in "Submit the certificate request for CA approval".
6. From the Certificate Template drop-down list, click Web server. (NOTE: This dialog may not be visible/applicable depending on your environment.)
7. Click Submit. Follow the instructions on the Certificate Pending page.
8. Once your certificate has been issued, from the Certificate issued page, click Download certificate and save the certificate.

Complete the certificate request and bind to SSL

This section describes the procedure to secure a specific website by editing or adding an SSL binding. A binding consists of a website listening on a specific port AND a certificate to bind to the port.

To secure a website with a certificate and bind to SSL

1. At the MDM server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. Select the website server from the tree in the Connections pane.
3. Double-click Server Certificates.
4. From the Actions menu at the right-hand side, click Complete Certificate Request.
5. Click the Browse button and locate the certificate file (.cer) that was issued by the CA request.
6. Enter a Friendly name, which can be any desired name.
7. When finished, click OK. Once the certificate request is completed, it is listed in IIS.
8. Next, to bind to SSL, right-click the website server, and then select Edit Bindings.
9. The available site bindings that are listed will vary depending on what was previously configured. Select either Add to add a new binding or Edit to modify an existing binding.
10. From the Type list, select https and enter the appropriate values for the site.
11. In the Port field, enter: 443.
12. From the SSL certificate list, select your certificate.
13. When finished, click OK.
Obtaining certificates and keys for supported mobile devices

See the following topics for more information about obtaining certificates and keys for the mobile devices that you want to manage with LANDesk Mobility Manager.

- APNS (Apple Push Notification Service) certificates are needed for Apple iOS mobile devices
- GCM (Google Cloud Messaging) API keys are needed for Android mobile devices

Topics:

- Obtain an APNS certificate to support Apple iOS mobile devices
- Obtain a GCM key to support Android mobile devices

Obtain an APNS certificate to support Apple iOS mobile devices

An APNS (Apple Push Notification Service) certificate is needed in order to manage your Apple iOS mobile devices. The APNS certificate enables communication between the LANDesk core server and the iOS mobile device by utilizing the Apple Push Notification Service and the LANDesk agent on the device.

Follow the procedures below to configure the MDM server to use the APNS certificate.

- "Step 1: Generate a certificate request"
- "Step 2: Upload the certificate request with the Apple Push Certificate Portal"
- "Step 3: Complete the certificate request"
- "Step 4: Export the certificate"
- "Step 5: Import the APNS certificate into the Personal Certificate Store"
- "Step 6: Copy the APNS thumbprint and push the subject"

NOTE: Using the MDM server is recommended. These procedures can be performed from any machine running IIS. However, using the MDM server is recommended but not required. Also, keep in mind that Step 1 and Step 3 must be done from the same machine.

Step 1: Generate a certificate request

To generate a certificate request

1. At the server, open a web browser.
2. Go to: https://apnsportal.landesk.com
3. Sign in using your LANDesk licensing credentials.
4. Click Sign In.
5. Click Start.
6. Enter your common name. (NOTE: This name needs to be unique on the Apple server so do not use your first name etc. It's recommended to use your domain name. For example: LANDesk.com)
7. Click Download.
8. Click Start > Run.
   a. In the Run dialog box, enter: certreq -new
   b. Select the .inf file downloaded in the previous step.
   c. Save the certificate signing request.
9. Click Select Request.
10. Browse to the .req file saved in the previous step.
11. Click Open.
12. You will be prompted to save the signed request.

Step 2: Upload the certificate request with the Apple Push Certificate Portal

NOTE: Use a non-IE browser. Testing showed that these steps work best in a non-IE browser. Google Chrome is recommended, or some other browser. IE sometimes will not display the pages correctly.

To upload the certificate request

1. Go to the Apple Push Certificate Portal to upload your request at: https://identity.apple.com/pushcert/
2. Sign in to the Apple Push Certificates Portal with your Apple ID.
3. Click Create a Certificate.
4. Read and agree to the terms of use.
5. Click Choose file.
6. Browse to the file saved above.
7. Click Open.
8. Click Upload.
9. Click Download.

Step 3: Complete the certificate request

NOTE: This step must be completed on the same computer where you created your certificate request in "Step 1: Generate a certificate request" above.

To complete the certificate request

1. At the server, click Start > Control Panel > Administrative Tools.
2. Click Internet Information Services (IIS) Manager.
3. Select the server, and then double-click Server Certificates.
4. In the Actions pane, click Complete Certificate Request.
5. Click the ellipsis button and browse to the Apple Push Notification Service SSL Certificate downloaded in the previous procedure.
6. Enter a friendly name. The friendly name can be any name, so enter something that you will remember.
7. Click OK.
Step 4: Export the certificate

To export the certificate

1. With the new certificate highlighted, in the Actions page, click Export.
2. Enter a file path to save your exported certificate file, and a password which will encrypt the certificate's private key.
3. Click OK.

Step 5: Import the APNS certificate into the Personal Certificate Store

To import the APNS certificate

1. Click Start > Run.
2. At the prompt, enter: mmc and then click OK to open the Microsoft Management Console.
3. Click File, and then click Add/Remove Snap-in.
4. From this list of available snap-ins, click Certificates, and then click Add.
5. Click Computer account.
6. Click Next, and then click Finish.
7. Click OK.
8. Right-click the Personal tree node, and then click All Tasks > Import.
9. Follow the Wizard prompts, pointing to the .pfx file created in Step 2 above, and providing the password.

Step 6: Copy the APNS thumbprint and push the subject

NOTE: The APNS thumbprint and Push Subject are used during installation.

To copy the APNS thumbprint and Push Subject

1. With the Certificates snap-in installed in a Microsoft Management Console, double-click the newly imported APNS certificate.
2. Note the MDM certificate thumbprint. This will be used during installation of the MDM server.
3. Select the Subject line and copy the highlighted section below. This will be used during initial configuration.

Obtain a GCM key to support Android mobile devices

This section provides information on obtaining a GCM (Google Cloud Messaging) API key in order to manage your Android mobile devices. The GCM API key enables communication between the LANDesk core server and the Android mobile device by utilizing the GCM key and the LANDesk agent on the device.

Refer to the official Google instructions

LANDesk recommends that you refer to the current documentation provided by Google on obtaining a GCM key.

Click the link below for the most up-to-date official Google procedures that describe how to create a GCM project and obtain a GCM API key: http://developer.android.com/guide/google/gcm/gs.html
Installing Mobility Manager on the servers

See the following topics for more information on installing LANDesk Mobility Manager on the MDM server you've set up, and your LANDesk core server, and activating the product license to be able to access the Mobility Manager tool in the LANDesk console.

- Install Mobility Manager on the MDM server
- Install Mobility Manager on the core server
- Mobility Manager installation prerequisites
- Install Mobility Manager
- Reactivate your core server
- Understand and ensure installation of all required certificates
- MDM server certificates
- Core server certificates

Install Mobility Manager on the MDM server

This section describes how to install Mobility Manager on the MDM server.

To install Mobility Manager on the MDM server

1. Import the LDMS core SSL certificate (created during the LDMS installation) into the Trusted Root CA.
2. Download the Mobility Manager Installation media.
3. Run the Mobility.exe file.
4. Go to where you unzipped the Mobility files.
5. Change to mobility-cloud.
6. Run the Mobility-cloud.exe self-contained ZIP file.
7. Change to the MobilityCloud directory that was in the ZIP file.
8. Run Cloud\Setup.exe, and follow the prompts to enter the following:
   - MDM server name or IP address. (NOTE: This name must match the SSL certificate name used in the HTTPS binding.)
   - MDM certificate password. (NOTE: This password is user-defined, and you will need to use it later.)
   - APNS thumbprint. (For information, see "Step 6: Copy the APNS thumbprint and push the subject" in the "Obtain an APNS certificate to support Apple iOS mobile devices" topic.)
   - GCM (Google Cloud Messaging) Project ID and API Key (Android). (NOTE: The GCM Project ID should be acquired from the URL.)
9. Export the Personal certificate named MDMSecure_xxxxxxxxxxx.cer from the MMC > certificates plug-in into the Trusted Root CA/certificates. You must export the certificate twice:
   a. For the first export: Include the private key, and use defaults for the rest of the settings. This export is used for the first-time configuration of the payloads below.
   b. For the second export: Don't include the private key, and use defaults for the rest of the settings. This export is used in step 1 of installing Mobility Manager on the LDMS core server.
10. Install any necessary Mobility Manager patches that have been posted since the release of version 9.0. (NOTE: For the latest information about LDMO patches, go to the LANDesk Support User Community at: http://community.landesk.com/support/docs/doc-24586)

The Mobility Manager software is now installed on the MDM server. You can now proceed to ensure your LDMS core server is set up and configured in preparation for installing Mobility Manager on the core server.

Install Mobility Manager on the core server

If the core server is not already installed, refer to the installation section of the following document on the LANDesk User Community: Community Document 7423

If the core server is already set up and running, you must perform the following prerequisites prior to installing LANDesk Mobility Manager.

Mobility Manager installation prerequisites

- MSMQ (Microsoft Message Queuing) feature. (For installation steps, see "Install the MSMQ feature".)
- Silverlight plug-in. (For installation steps, go to: http://www.microsoft.com/getsilverlight/get-Started/Install/Default.aspx)

Install Mobility Manager

Once you've completed the prerequisites (core server, MDM server, certificates and tokens for mobile devices), you can install the LANDesk Mobility Manager software on your LANDesk core server and start using the tool to manage mobile devices.

To install LANDesk Mobility Manager

1. Import the MDMSecure_xxxxxxxxx.cer file without the private key into the Trusted Root CA/certificates. (For more information, see step 9b in "Install Mobility Manager on the MDM server".)
2. On the core server, go to the LANDesk User Community, and download the LANDesk Mobility Manager software package.
   a. Run Setup.exe.
   b. Go to where you unzipped the Mobility files.
   c. Change to mobility.
   d. Run the Mobility.exe self-contained ZIP.
3. Change to the Mobility directory from the ZIP file.
4. Run Setup.exe.
5. Click Run.
6. Click Next.
7. On the End User License Agreement page, click I Accept.
8. Click Next.
9. Click Install. The Setup wizard shows the installation progress and status.
10. At the Completed page, click Finish. The setup program installs additional Mobility Management components.
11. When the Completed / Installation Successful message displays, click Close.
12. Install any necessary Mobility Manager patches that have been posted since the initial release of your Mobility Manager version. (NOTE: For the latest information about LDMO patches, go to the LANDesk Support User Community at: http://community.landesk.com/support/docs/doc-25100)

Reactivate your core server

IMPORTANT: Reactivate the core server. You must reactivate your LANDesk core server in order to initialize the license for your Mobility Manager product, and to see and use the Mobility tool in the console.

Understand and ensure installation of all required certificates

There are a number of certificates which are used by both the core server and MDM server. Reference the tables below to make sure they are all installed.

MDM server certificates

Certificate: Core
Store: Trusted Root CAs
Purpose: Validation of core when secure client calls are made. This certificate is not imported to the store by wscfg32.exe and must be manually imported. This certificate was created during the LDMS installation.
Installation: Step 3 (of "Install Mobility Manager on the MDM server")

Certificate: APNS
Store: Personal
Purpose: Used in communicating with APNS service.
Installation: Step 2

Certificate: HTTPS Cert
Store: Personal (and Trusted Root CAs)
Purpose: Bound to the HTTPS server. This certificate must have been requested by IIS on the MDM server, which request must have been fulfilled by the CA.
Installation: Step 1
NOTE: We have seen (for no explicable reason) that enrollment may fail if the public key HTTPS certificate is not in the Trusted Root CAs store. The private key certificate should be inserted into the Personal store when it is added to the server certificates in IIS (see Odyssey's documentation on creating the SSL certificate.) If enrollment is failing, you may wish to try adding the public key cert as well.

Certificate: MDMSecure_xxxxxx
Store: Personal
Purpose: Used by the MDM server to authenticate itself to the core.
Installation: Automatically installed

Core server certificates

Certificate: Core
Store: Personal (and Trusted Root CAs)
Purpose: Server validation to managed nodes, including the MDM server. Calls to the core from MDMSecureClient will use this certificate to validate the core.
Installation: Automatically installed with core server

Certificate: MDMSecure_xxxxxx
Store: Trusted Root CAs
Purpose: Used to validate the MDM server for calls made to the Mobile.MDMSecure web service on the core.
Installation: Step 1 (of "Install Mobility Manager on the core server")
Accessing and using Mobility Manager

See the following topics for more information about accessing the Mobility Manager tool in the console, enrolling users, and other basic tasks.

   Access the Mobility tool in the console
   Configure enrollment profiles
   Enable users to see content in the LANDesk Portal

Access the Mobility tool in the console

Now you can log in to the LANDesk Management Suite console and access the Mobility tool. The Mobility tool appears in the Tools menu and in the Toolbox.

NOTE: Using the LANDesk Mobility Manager tool
For information about specific features and how to enroll and manage mobile devices with the LANDesk Mobility Manager tool, see Welcome to LANDesk Mobility Manager.

Configure enrollment profiles

This section describes how to configure enrollment profiles for your mobile device users.
IMPORTANT: Enrolling mobile devices and accessing the LANDesk Portal app
Once you've configured enrollment profiles, you can enroll mobile devices so that your end users can access and use the LANDesk Portal app. This procedure is described in detail in the Mobility Manager User's Guide. For more information, see Enroll mobile devices in the User's Guide.

To configure enrollment profiles

1. Launch the LANDesk Management Suite console.
2. Click Open the Mobility tool > Mobile Policy Management.
3. Click the Configure toolbar button to open the Mobility options dialog.
4. Click iOS enrollment profile to open the iOS enrollment profile page.
5. Enter a user-defined Profile name.
6. Enter a user-defined Description.
7. Enter a user-defined Organization.
8. In the Push certificate subject field, change the APNS certificate subject name to match the certificate used.
   NOTE: If this is a development certificate, make sure to select the Use development APNS server checkbox, and change the APNS server to the "sandbox" in the config file.
9. Click Apply.
   NOTE: If you're using a trusted third-party CA, you do not need to create the Root Certificate credentials. Nor will anything appear in the Payloads list.
10. Click the Payloads button to open the General payload settings dialog.
11. Click Credentials > MDMSecure.
12. Click the Add New icon at the top left corner of the Credentials panel, and then click Cert file.
13. Browse to the MDMSecure certificate exported with the private key that you saved above.
14. Enter the password.
15. Click Save changes.
16. Click Close to return to the Mobility options dialog.
17. From the Cryptography credentials for authentication drop-down list, select MDMSecure.
18. Click OK.

NOTE: About the MDM Secure certificate
The certificate we are calling "MDM Secure" does not need to be the encryption certificate described in the iOS enrollment profile settings. Any PKCS#12 will work fine as an encryption certificate. However, since there are already multiple certificates that LDMS deals with, the certificate used to authenticate between the MDM server and the core server will work fine as the encryption certificate. The fact that the same certificate is used for two purposes simply reduces the complexity of your installation.

Enable users to see content in the LANDesk Portal

In order for your mobile device end users to see content in the LANDesk Portal, an administrator must add the user's Active Directory account or a group containing them to a mobile catalog. (This procedure is described in detail in the Mobility Manager User's Guide. For information, see Add mobile device users to a catalog in the User's Guide.)

In addition, LANDesk Portal users need to be granted default rights (Read & Execute, List Folder Contents, and Read) to the Launchpad folder on the core server. In a default installation, the Launchpad folder is located at:

C:\Program Files (x86)\landesk\managementsuite\landesk\launchpad
Appendix: About self-signed certificates NOT supported by LANDesk

See the following topics for information about using self-signed certificates.

IMPORTANT: You can use self-signed certificates, but they are NOT officially recommended nor supported by LANDesk Support.

   Self-signed certificates NOT supported by LANDesk
   Step 1: Create a certificate request
   Step 2: Submit a certificate request
   Step 3: Complete the certificate request
   Step 4: Add the signed authority for self-signed certificates
   Additional MDM server certificate required

Self-signed certificates NOT supported by LANDesk

Self-signed certificates CAN be used with LANDesk Mobility Manager, but they are NOT recommended nor supported by LANDesk Support or the User Community. LANDesk is not responsible for any problems incurred when using self-signed certificates instead of the recommended processes and configuration of Mobility Manager.

CAUTION: This appendix is provided as an instructional source ONLY, and is not intended to be used in a production environment.

Follow the procedures below to configure a self-signed certificate.

   "Step 1: Create a certificate request" on page 60
   "Step 2: Submit a certificate request" on page 64
   "Step 3: Complete the certificate request" on page 67
   "Step 4: Add the signed authority for self-signed certificates" on page 70
   "Additional MDM server certificate required" on page 71

NOTE: Wildcards are supported in certificate requests
Wildcards are supported when entering the Common name during the certificate request creation procedure so that only the Complete Certificate Request procedure needs to be done on each web server.
Step 1: Create a certificate request

1. At the MDM server, click Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
2. Select the MDM server in the Connections list, then double-click Server Certificates.
3. From the Actions menu, click Create Certificate Request, and enter the following information:

   Common Name: Required. The IP address or DNS name that the device will use to connect to the server.

   IMPORTANT: Make sure the CN of the certificate matches the URL used by the enrollment below. In other words, if you used an IP address for the certificate, then use the same IP address when enrolling. If you used a server name for the certificate, then use the server name when enrolling.

   NOTE: Wildcards are allowed for the certificate CN, for example 192.168.*.*

   Organization: Name of your organization.
   Organizational unit: Name of the group/department within your organization.
   City/locality: City or locality in which your organization resides.
   State/province: State or province in which your organization resides.
   Country/region: Country or region in which your organization resides.

4. When finished, click Next.
5. At the Cryptographic Service Provider Properties page, accept the default values, and then click Next.
6. Specify a file name and path for the text file that will contain the certificate request.
7. Click Finish to save the request file.

Sample request text file

[Figure: a sample request text file named request.txt opened in Notepad]
Step 2: Submit a certificate request

1. Open a browser and enter the following URL: http://certservername/certsrv.
2. At the Welcome page, click Request a certificate.
3. Click advanced certificate request.
4. Click Submit a certificate request by using...
5. Paste the entire content of the text file into the Base-64-encoded certificate request text field. This is the certificate request text file created in "Self-signed certificates NOT supported by LANDesk" on page 59.
6. From the Certificate Template drop-down list, click Web server. (NOTE: This dialog may not be visible/applicable depending on your environment.)
7. Click Submit. Follow the instructions on the Certificate Pending page.
8. Once your certificate has been issued, from the Certificate issued page, click Download certificate and save the certificate.

Step 3: Complete the certificate request

1. At the MDM server, click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. Select the server from the tree in the Connections pane.
3. Double-click Server Certificates.
4. From the Actions menu at the right-hand side, click Complete Certificate Request.
5. Click the Browse button and locate the certificate file (.cer) that was issued by the CA request.
6. Enter a Friendly name, which can be any desired name.
7. When finished, click OK.

Once the certificate request is completed, it is listed in IIS.
Sample certificate listed in IIS

[Figure: a sample certificate displayed in the Server Certificates pane in IIS]

Step 4: Add the signed authority for self-signed certificates

Finally, if you are using a self-signed certificate, you MUST add the authority chain.

1. In the LDMS console, open the Mobility Policy Management tool.
2. Click the Configure toolbar button to open the Mobility options dialog.
3. Click iOS enrollment profile to open the iOS enrollment profile page.
4. Click the Payloads button to open the General payload settings dialog.
5. From the iOS Configuration types list, click Credentials.
6. Click the Add New icon at the top left corner of the Credentials panel.
7. Browse to the Root Certificate to use as the signing authority.
8. Click Save.
9. Click Close to return to the Mobility options dialog.
10. In the certificates list, check the cert from the step above.
11. Click Save.

Additional MDM server certificate required

Note that in addition to the certificates listed in the "Understand and ensure installation of all required certificates" on page 53 section, if you're using a self-signed certificate the following also needs to be included with the MDM server certificates.

| Certificate | Store | Purpose | Installation |
|---|---|---|---|
| Root CA Cert | Trusted Root CAs | Root certificate of the CA which issued the request for the HTTPS certificate bound on the MDM server. It is also used in the iOS Enrollment Profile to establish a certificate chain on the iOS device. If this certificate is not part of the enrollment profile settings, iOS will not allow the device to check in to the HTTPS server. | Only if NOT using a third-party certificate. This certificate is not required if the root CA is already a trusted third party (for example, Verisign). |
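The two conditions this appendix depends on, the CN rule from Step 1 and the Root CA Cert row above, can be checked on the MDM server with the PowerShell below. It is an added example, not part of the LANDesk guide; the function name, its parameters and the Local Computer store location are assumptions, and the sample call uses placeholders.

```powershell
# Added example: check the HTTPS certificate's CN and its chain on the MDM server.
function Test-MdmHttpsCert {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,  # from IIS > Server Certificates
        [Parameter(Mandatory = $true)][string]$EnrollHost   # name or IP devices enroll against
    )
    # Thumbprints pasted from the certificate dialog often carry spaces or hidden characters.
    $Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Step 1: the CN must be the same name or IP address that is used when enrolling.
    $cn = $null
    if ($cert.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

    # Build the chain without revocation lookups so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        CommonName          = $cn
        CnMatchesEnrollHost = ($cn -eq $EnrollHost)
        WildcardCn          = ($cn -match '\*')       # compare wildcard names by hand
        ChainBuilds         = $chainOk
        ChainStatus         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChainSubject   = $top.Subject
        TopIsSelfSigned     = ($top.Subject -eq $top.Issuer)
        TopInTrustedRootCAs = (Test-Path -Path "Cert:\LocalMachine\Root\$($top.Thumbprint)")
        TopThumbprint       = $top.Thumbprint         # match this to the enrollment profile root
    }
}

# Constructed sample call; both values are placeholders.
# Test-MdmHttpsCert -Thumbprint '<https-cert-thumbprint>' -EnrollHost '<mdm-server-name-or-ip>'
```

ChainBuilds = False together with TopInTrustedRootCAs = False indicates that the Root CA Cert from the table is not installed on the MDM server. TopThumbprint should equal the thumbprint of the root certificate added under Credentials in Step 4.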