This documentation is for older versions of WSO2 products and may not be relevant now. Please see your respective product documentation for clustering details and configurations.
||
Skip to end of metadata
Go to start of metadata

The following diagram illustrates a typical deployment pattern for WSO2 Enterprise Mobility Manager.

As indicated in the above diagram, when clustering EMM, there is worker manager separation. However, this differs from standard WSO2 Carbon worker manager separation . In a standard WSO2 product cluster, worker and manager separation is derived from deployment synchronization. However, in EMM there is no deployment synchronization.

EMM includes an admin console that can be used by any user with administrative privileges. These users can perform some actions on enrolled devices and the devices can retrieve those actions by requesting the pending operations. This is done by either walking the device through a push notification or configuring the device to poll at a pre-compiled frequency.

Normally administrative tasks should be run from manager node.

There are two major deployment patterns for the manager node. One could be running the manager node in the private network due to security constraints and other is allowing end users to access the management node so that they can control and view their devices.

A manager node is used to run background tasks that are necessary to the update the device information such as the location and applications installed.

Virtual machines used in a high availability cluster

The following is a list of virtual machines (VMs) that are used in a high availability cluster and their details.

  • Manager - 1 VM
  • Worker - 2 VMs
  • Key manager - 2 VMs
  • DBs - 1 MySQL instance

All the VMs have 4 cores and 4GB memory.

Open ports

80 and 443 are from the NGINX server.

The following ports need to be opened for Android and iOS devices so that it can connect GCM (Google Cloud Message) and APNS (Apple Push Notification Service) and enroll to WSO2 EMM.

Android

The ports to open are 5228, 5229 and 5230. GCM typically uses only 5228, but it sometimes uses 5229 and 5230.

GCM does not provide specific IPs, so it is recommended to allow the firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.  

iOS

  • 5223 - TCP port used by devices to communicate to APNS servers

  • 2195 - TCP port used to send notifications to APNS

  • 2196 - TCP port used by the APNS feedback service

  • 443 - TCP port used as a fallback on Wi-Fi, only when devices are unable to communicate to APNS on port 5223

The APNS servers use load balancing. The devices will not always connect to the same public IP address for notifications. The entire 17.0.0.0/8 address block is assigned to Apple, so it is best to allow this range in the firewall settings.

Setting up the database

The following databases are needed when clustering EMM.

Database NameDescriptionDatabase Script Location
CDM core database (DM_DS)This database stores generic data about devices (such as unique identifier, device type, ownership type), device enrollment information, device operations, policy management related data, etc. <PRODUCT_HOME>/dbscripts/cdm/
APIM Database (WSO2AM_DB)This database stores data related to JAX-RS APIs and OAuth token data. <PRODUCT_HOME>/dbscripts/apimgt/
Registry database (REG_DB)This database acts as the registry database and stores governance and config registry data. The registry database must be mounted to all nodes in the cluster. <PRODUCT_HOME>/dbscripts/
User and permission manager (UM_DB)This database stores the user permission related details. <PRODUCT_HOME>/dbscripts/

The following databases are related to plugins. These enable you to keep the data that is essential for these devices to work (such as APNS related keys) and this data is not available in the CDM core database.

Database NameDescriptionDatabase Script Location
iOS DB (MobileIOSDM_DS)Stores the iOS related the data. <PRODUCT_HOME>/dbscripts/cdm/plugins/ios
Android DB (MobileAndroidDM_DS)Stores the Android related data. <PRODUCT_HOME>/dbscripts/cdm/plugins/android/
Windows DB (MobileWindowsDM_DS)Stores the Microsoft Windows related data. <PRODUCT_HOME>/dbscripts/cdm/plugins/windows/

To change the datasource configurations, please change the following files.

Files to changeDatasource
<PRODUCT_HOME>/repository/conf/datasources/master-datasources.xml

This file must include the datasource configuration for the following databases.

  • APIM database

  • Registry database

  • User permission manager database
<PRODUCT_HOME>/repository/conf/datasources/emm-datasources.xml

This file must include the datasource configuration for the following databases.

  • CDM core database

  • IOS plugin database

  • Android database

  • Windows database


Mounting the registry

See Remote Instance and Mount Configuration Details for more information on registry mounting and why it is useful. These must be done in all nodes. Do the following steps to configure this.

  1. O pen the <PRODUCT_HOME>/repository/conf/ datasources/master-datasources.xml file and add the following datasource configurations.

    <datasource>
             <name>WSO2REG_DB</name>
             <description>The datasource used for Registry database</description>
             <jndiConfig>
                   <name>jdbc/WSO2REG_DB</name>
             </jndiConfig>
             <definition type="RDBMS">
                   <configuration>
                        <url>jdbc:mysql://localhost:3306/C_REG</url>
                        <username>root</username>
                        <password></password>
                        <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                        <maxActive>50</maxActive>
                        <maxWait>60000</maxWait>
                        <testOnBorrow>true</testOnBorrow>
                        <validationQuery>SELECT 1</validationQuery>
                        <validationInterval>30000</validationInterval>
                   </configuration>
              </definition>
    </datasource>
  2. Add the following configurations to the <PRODUCT_HOME>/repository/conf/registry.xml file.

    <dbConfig name="mounted_registry">
            <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
    
    <remoteInstance url="https://localhost:9443/registry">
            <id>instanceid</id>
            <dbConfig>mounted_registry</dbConfig>
            <readOnly>false</readOnly>
            <enableCache>true</enableCache>
            <registryRoot>/</registryRoot>
            <cacheId>root@jdbc:mysql://localhost:3306/C_REG</cacheId>
    </remoteInstance>
    
    <mount path="/_system/config" overwrite="true">
            <instanceId>instanceid</instanceId>
            <targetPath>/_system/config</targetPath>
    </mount>
    
    <mount path="/_system/governance" overwrite="true">
            <instanceId>instanceid</instanceId>
            <targetPath>/_system/governance</targetPath>
    </mount>

Configuring the load balancer

This section provides instructions on how to configure Nginx as the load balancer. You can use any load balancer for your setup and Nginx is used here as an example. This covers the configuration in the main Nginx configuration file.

The location of this file varies depending on how you installed the software on your machine. For many distributions, the file is located at /etc/nginx/nginx.conf. If it does not exist there, it may also be at /usr/local/nginx/conf/nginx.conf or /usr/local/etc/nginx/nginx.conf. You can create separate files inside the conf.d for each configuration. Three different configuration files are used for the Manager, Key Manager and Worker node in the example provided in this page.

  1. In the Key Manager, create a VHost file inside the /etc/nginx/conf.d  directory and add the following configurations into it.

    upstream keymgt.emm-c.wso2.com {
            ip_hash;
            server 192.168.57.149:9763;
            server 192.168.57.144:9763;
    }
    
    server {
            listen 80;
            server_name keymgt.emm-c.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://keymgt.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    upstream ssl.keymgt.emm-c.wso2.com {
        ip_hash;
        server 192.168.57.149:9443;
        server 192.168.57.144:9443;
    
    }
    
    server {
    listen 443;
        server_name keymgt.emm-c.wso2.com;
        ssl on;
        ssl_certificate /opt/keys/server.crt;
        ssl_certificate_key /opt/keys/server.key;
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.keymgt.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
  2. In the Manager node, create a VHost file inside the  /etc/nginx/conf.d  directory and add the following configurations into it.

    upstream mgt.emm-c.wso2.com {
            ip_hash;
            server 192.168.57.146:9763;
    }
    
    server {
            listen 80;
            server_name mgt.emm-c.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://mgt.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    
    
    upstream ssl.mgt.emm-c.wso2.com {
        ip_hash;
        server 192.168.57.146:9443;
    
    }
    
    server {
    listen 443;
        server_name mgt.emm-c.wso2.com;
        ssl on;
        ssl_certificate /opt/keys/server.crt;
        ssl_certificate_key /opt/keys/server.key;
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.mgt.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
  3. In the Worker node, create a VHost file  inside the  /etc/nginx/conf.d  directory and add the following configurations into it.

    upstream wkr.emm-c.wso2.com {
            ip_hash;
            server 192.168.57.145:9763;
            server 192.168.57.142:9763;
    }
    
    server {
            listen 80;
            server_name wkr.emm-c.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://wkr.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    
    
    upstream ssl.wkr.emm-c.wso2.com {
        ip_hash;
        server 192.168.57.145:9443;
        server 192.168.57.142:9443;
    
    }
    
    server {
    listen 443;
        server_name wkr.emm-c.wso2.com;
        ssl on;
        ssl_certificate /opt/keys/server.crt;
        ssl_certificate_key /opt/keys/server.key;
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.wkr.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }

Generating SSL certificates to NGINX

Create SSL certificates for both the manager and worker nodes using the instructions that follow.

  1. Create the Server Key.
    $sudo openssl genrsa -des3 -out server.key 1024

  2. Certificate Signing Request.
    $sudo openssl req -new -key server.key -out server.csr

  3. Remove the password.
    $sudo cp server.key server.key.org
    $sudo openssl rsa -in server.key.org -out server.key

  4. Sign your SSL Certificate.
    $sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

While creating keys, enter the host name (*.emm-c.wso2.com) as the common name.

Add the public key of the NGINX server to the client_truststore.jks (you can download the public key from the browser). Use the following command to add the public key to client_truststore.jks

keytool -import -alias emm-c.wso2.com -file emm.wso2.com.crt -keystore <PRODUCT_HOME>/repository/resources/security/client-truststore.jks

Note: If you need to configure iOS in your cluster, do not configure the SSL certificate in above way. You can use the SSL certificate generated in the 6th step of iOS Configuration document.

Configuring the manager node

EMM has three key consoles.

  • EMM console - For device management related tasks such as adding policies, operations, users, roles and devices.

  • Publisher - Used for adding and publishing the enterprise mobile applications.

  • Store - Device user can go and subscribe to the apps and it gets installed to the device.

The above three consoles could be running inside the company network due to security concerns or could be exposed through a load balancer.

Note: There can be one EMM manager node if you use policy monitoring and policy change management. If you do not plan to use those, you can have a cluster of manager nodes.

Do the following to configure the manager node.

  1. In the <PRODUCT_HOME>/ repository/conf/security/authenticators.xml file, do the following configurations.  The hostURL, adminUsername, and adminPassword must be configured with the respective values in order to validate the OAuth token.

    <Authenticator name="OAuthAuthenticator" disabled="false">
    ...
            <Config>
                <Parameter name="isRemote">true</Parameter>
                <Parameter name="hostURL">https://keymgt.emm-c.wso2.com</Parameter>
                <Parameter name="adminUsername">admin</Parameter>
                <Parameter name="adminPassword">admin</Parameter>
            </Config>
    </Authenticator>
  2. Change the ServerUrl of the IdentityConfiguration in the <PRODUCT_HOME>/repository/conf/security/cdm-config.xml file. Enable policy monitoring and device monitoring as shown in the following configuration sample. You can change the frequency of the tasks running by changing the MonitoringFrequency and Frequency in the PolicyConfiguration and TaskConfiguration.

    <IdentityConfiguration>
            <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl>
            <AdminUsername>admin</AdminUsername>
            <AdminPassword>admin</AdminPassword>
    </IdentityConfiguration>
    
    
    <PolicyConfiguration>
    ...
            <MonitoringEnable>true</MonitoringEnable>
            <MonitoringFrequency>60000</MonitoringFrequency>
    ...
    </PolicyConfiguration>
    
    <TaskConfiguration>
            <Enable>true</Enable>
            <Frequency>600000</Frequency>
           ……...
    </TaskConfiguration>
  3. Change the HostName and MgtHostName in the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    <HostName>wkr.emm-c.wso2.com</HostName>
    <MgtHostName>mgt.emm-c.wso2.com</MgtHostName>
  4. Change the following in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm/app/conf directory. This must only be configured in the manager node as this is specific to the admin UI.

    ………………………….
        "httpsURL" : "https://mgt.emm-c.wso2.com",
        "httpURL" : "http://mgt.emm-c.wso2.com",
    ………………………….
        "oauthProvider": {
            "appRegistration": {
                "appType": "webapp",
                "clientName": "emm",
                "owner": "admin@carbon.super",
                "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register",
                "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants",
                "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer",
                "tokenScope": "admin",
                "callbackUrl": "https://mgt.emm-c.wso2.com/api/device-mgt/v1.0"
            },
            "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token"
        },
    ………………..
        "generalConfig" : {
            "host" : "https://wkr.emm-c.wso2.com",
    ………………...
        },
  5. Change the following in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf directory. This is used for the device agent download.

       "httpsURL" : "https://wkr.emm-c.wso2.com",
        "httpURL" : "http://wkr.emm-c.wso2.com",
        "enrollmentDir": "/emm-web-agent/enrollment",
        "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/",
        "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/",
        "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/",
        "adminService":"https://wkr.emm-c.wso2.com",
        "idPServer":"https://keymgt.emm-c.wso2.com",
        "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin",
        "oauthProvider": {
            "appRegistration": {
                "appType": "webapp",
                "clientName": "emm-web-agent",
                "owner": "admin@carbon.super",
                "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register",
                "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants",
                "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer",
                "tokenScope": "admin",
                "callbackUrl": "https://wkr.emm-c.wso2.com/api/device-mgt/v1.0"
            },
            "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token"
        },
    …………..
        "generalConfig" : {
            "host" : "http://wkr.emm-c.wso2.com",
    …………………………..
        },

Configuring the worker node

Do the following to configure the worker node.

  1. In the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file, do the following configurations. The hostURL, adminUsername, and adminPassword must be configured with the respective values in order to validate the OAuth token.

    <Authenticator name="OAuthAuthenticator" disabled="false">
            <Priority>10</Priority>
            <Config>
                <Parameter name="isRemote">true</Parameter>
                <Parameter name="hostURL">https://keymgt.emm-c.wso2.com</Parameter>
                <Parameter name="adminUsername">admin</Parameter>
                <Parameter name="adminPassword">admin</Parameter>
            </Config>
    </Authenticator>
  2. Change the ServerUrl of IdentityConfiguration in the <PRODUCT_HOME>/repository/conf/security/cdm-config.xml file. This is used by the worker node to validate the user details after the Key Manager validates the OAuth token. You must disable policy monitoring and device monitoring as indicated in the following code snippet.

    <IdentityConfiguration>
            <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl>
            <AdminUsername>admin</AdminUsername>
            <AdminPassword>admin</AdminPassword>
    </IdentityConfiguration>
    
    <PolicyConfiguration>
    ...
            <MonitoringEnable>false</MonitoringEnable>
            <MonitoringFrequency>60000</MonitoringFrequency>
    ...
    </PolicyConfiguration>
    
    
    <TaskConfiguration>
            <Enable>false</Enable>
            <Frequency>600000</Frequency>
    ...
    </TaskConfiguration>
  3. Change the HostName and MgtHostName in the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    <HostName>wkr.emm-c.wso2.com</HostName>
    <MgtHostName>wkr.emm-c.wso2.com</MgtHostName>
  4. Change following in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf directory. These parameters are used to point to the NGINX URLs of worker nodes and the Key Manager. If this is not configured, the local IP address of the server is used.

       "httpsURL" : "https://wkr.emm-c.wso2.com",
        "httpURL" : "http://wkr.emm-c.wso2.com",
        "enrollmentDir": "/emm-web-agent/enrollment",
        "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/",
        "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/",
        "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/",
        "adminService":"https://wkr.emm-c.wso2.com",
        "idPServer":"https://keymgt.emm-c.wso2.com",
        "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin",
        "oauthProvider": {
            "appRegistration": {
                "appType": "webapp",
                "clientName": "emm-web-agent",
                "owner": "admin@carbon.super",
                "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register",
                "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants",
                "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer",
                "tokenScope": "admin",
                "callbackUrl": "https://wkr.emm-c.wso2.com/api/device-mgt/v1.0"
            },
            "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token"
        },
    ...
        "generalConfig" : {
            "host" : "http://wkr.emm-c.wso2.com",
    ...
        },

Note

Make sure to start the worker node using the sh <PRODUCT_HOME>/bin/wso2server.sh -DworkerNode=true command. Do not use -DworkerNode=true to start the worker node.

Configuring the Key Manager node

Do the following configurations in the Key Manager node.

  1. Make sure that DB configurations are done and registry mounting is correctly set up.

  2. Configure the HostName. To do this, edit the <PRODUCT_HOME>/repository/conf/carbon.xml file as follows.
    <HostName>keymgt.emm.wso2.com</HostName>

Configuring the iOS server

The following are the steps involved when configuring iOS. Also see iOS Server Configurations in the WSO2 EMM documentation for more information.

  • Installing WSO2 EMM iOS features via the P2 repository

  • Configuring the general iOS server settings

  • Generating the MDM APNS certificate

You must be enrolled in the Apple Developer Program as an individual or organization before starting the iOS server configurations.

Follow the instructions given below to configure the iOS server-side configurations:

Installing WSO2 EMM iOS features via the P2 repository

For more information on installing the P2 repository, see Installing WSO2 EMM iOS features via the P2 Repository .

Configuring the general iOS server settings

  1. Update the following parameters in the ios-config.xml file, which is in the <EMM_HOME>/repository/conf directory.  Enter the server IP or the server domain name for the following parameters.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <iOSEMMConfigurations>
        <!-- iOS MDM endpoint urls -->
        <iOSEnrollURL>https://wkr.emm-c.wso2.com/ios-enrollment/scep</iOSEnrollURL>
        <iOSProfileURL>https://wkr.emm-c.wso2.com/ios-enrollment/profile</iOSProfileURL>
        <iOSCheckinURL>https://wkr.emm-c.wso2.com/ios-enrollment/checkin</iOSCheckinURL>
        <iOSServerURL>https://wkr.emm-c.wso2.com/ios-enrollment/server</iOSServerURL>
    </iOSEMMConfigurations>
  2. Change the following properties in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf directory as follows.

    .....
        "enrollmentDir": "/emm-web-agent/enrollment",
        "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/",
        "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/",
        "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/",
        "adminService":"https://wkr.emm-c.wso2.com",
        "idPServer":"https://keymgt.emm-c.wso2.com",
        "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin",
       …………….
        "usernameLength":30,
        "device" : {
            "ios" : {
                "location" : "https://wkr.emm-c.wso2.com/emm-web-agent/public/mdm.page.enrollments.ios.download-agent/asset/ios-agent.ipa",
                "bundleID" : "org.wso2.carbon.emm.iOSMDMAgent",
                "version" : "1.0",
                "appName" : "EMM iOS Agent"
            }
        },



  3. You must generate the Certificate Authority (CA), Registration Authority (RA) and SSL certificate. For more information on general iOS server configurations, see General iOS Server Configurations .

    Note: Once SSL certificates are generated and after following the rest of the steps, add the ia.crt and ia.key as the SSL certificates in NGINX.

Generating the MDM APNS certificate

For more information on generating the MDM APNS certificate, see Generating a MDM APNS Certificate .

Configuring the App Manager

For this release we are using WSO2 App Manager in the manager node. Applications will be uploaded to the manager node and URLs will be provided from the manager node. The devices will get them through the manager URLs.

To configure clustering with WSO2 App Manager, the Android agent has to be changed. Set the APP_MANAGER_HOST as http://mgt.emm-c.wso2.com in org.wso2.emm.agent.utils.Constants.

  1. Configure single sign-on (SSO) for the Store and Publisher in the App Manager store and publisher. Change the following config elements in the <APPM_HOME>/repository/conf/app-manager.xml file.

    1. Change the ServerURL, Username and Password elements in the <AuthManager> section to point to the Identity Server URL and credentials.

      <ServerURL>https://keymgt.emm-c.wso2.com/services/</ServerURL>
    2. Change the providerURL element in the <SSOConfiguration> section as shown below:

      <IdentityProviderUrl>https://keymgt.emm-c.wso2.com/samlsso</IdentityProviderUrl><providerURL>https://keymgt.emm-c.wso2.com</providerURL>
    3. Change the ServerURL element in the <EntitlementServiceConfiguration> section as shown below:

      <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl>
  2. Change AppDownloadURLHost in <APPM_HOME>/repository/conf/app-manager.xml file.

    <Config name="AppDownloadURLHost">http://mgt.emm-c.wso2.com</Config>
  3. Change the identityProviderURL config in the <AppM_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json file as shown below:

    "ssoConfiguration": {
          "enabled": true,
          "issuer": "APPM_Store",
          "identityProviderURL": "https://keymgt.emm-c.wso2.com/samlsso",
          "keyStorePassword": "wso2carbon",
          "identityAlias": "wso2carbon",
          "responseSigningEnabled": "true",
          "storeAcs" : "https://mgt.emm-c.wso2.com/store/acs",
          "keyStoreName": "/repository/resources/security/wso2carbon.jks"
      },
  4. Change the identityProviderURL element in the <AppM_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json file as shown below:

    "ssoConfiguration": {
          "enabled": true,
          "issuer": "APPM_Publisher",
          "identityProviderURL": "https://keymgt.emm-c.wso2.com/samlsso",
          "keyStorePassword": "wso2carbon",
          "identityAlias": "wso2carbon",
          "responseSigningEnabled": "true",
          "publisherAcs": "https://mgt.emm-c.wso2.com/publisher/sso",
          "keyStoreName": "/repository/resources/security/wso2carbon.jks"
      },
  5. Start both the WSO2 App Manager and WSO2 Identity Server.

  6. Log into the WSO2 Identity Server management console.

  7. Click Add under Service Providers . This is found in the Main menu.

  8. Give a name for the service provider and click Register .

  9. You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section and click Configure .

  10. Provide the configurations to register the App Store as the SSO service provider. These sample values may change depending on your configuration.

    1. Issuer: APPM_Store

    2. Assertion Consumer URL: https://mgt.emm-c.wso2.com/store/acs. This is the URL for the ACS page for your running store app.

    3. Select the following options:

      1. Enable Response Signing

      2. Enable Single Logout

  11. Click Register once done.

  12. Similarly, provide configurations to register the App Publisher and social apps as SSO service providers. These sample values may change depending in your configuration.

    1. Issuer: APPM_Publisher

    2. Assertion Consumer URL: https://mgt.emm-c.wso2.com/publisher/acs. This is the URL for the ACS page for your running publisher app.

    3. Select the following options:

      1. Enable Response Signing

      2. Enable Single Logout

  13. Click Register once done.


  • No labels