
Configuring mobile device management

Before you invite users to enroll their mobile devices, you need to configure mobile device management. BMC Client Management uses a proprietary security protocol, built on known cryptographic algorithms, to secure the payload in transit from the on-premise client to a BMC server in the public cloud. HTTPS is in place, but it uses a self-signed certificate rather than a CA-signed certificate to verify the identity of the BMC cloud server. This is a security risk: BCM communicates with a BMC cloud server without being sure of its identity. A secure HTTPS connection is expected to use a CA-signed certificate that the client verifies. Additionally, proprietary security protocols require deeper inspection and vetting before they can be considered secure.

Note

Mobile device management does not work with IPv6. You must use IPv4 to be able to use this feature.

The following BMC Client Management video (5:28 min) provides a step-by-step process to configure mobile device management:


https://youtu.be/Ymm12v4oiJY
 

Perform the following tasks to complete the end-to-end process of configuring mobile device management in BMC Client Management:

Task | Description | Reference
1 | Review the prerequisites. | Before you begin
2 | Set up the mobile device manager. | To define and configure the mobile device manager
3 | Set up an Apple push certificate. | To prepare and install an Apple Push Certificate
4 | Set up authorized domains. | To add an authorized email domain
5 | (Optional) Set up the terms and conditions. | To create terms and conditions
6 | Authorize users and the user groups. | To add users (or user groups) to authorized users (or authorized user groups) list
7 | (Optional) Customize the logo for the enrollment page. | To customize a logo for the enrollment page
8 | Send an enrollment invitation. | To invite users or user groups to enroll

For more information about mobile device management capabilities, see Mobile device management.

Before you begin

Ensure that the following prerequisites are met before configuring mobile device management:

  • At least one computer (physical or virtual) with internet access to serve as the mobile device manager. This computer is used to manage enrollment, notifications, and other communication with the managed mobile devices.
  • An Apple account to prepare an Apple Push Certificate. For more information about the Apple account, see Before You Enroll.
  • At least one directory server is configured for authentication. This directory server must be able to authenticate the users who are enrolling their mobile devices for mobile device management. For more information about the directory server, see Directory servers.
  • Default email system is set up for sending and receiving emails. For more information about default email settings, see Managing email settings.
  • Email addresses defined in the directory server for the users who will enroll their mobile devices. The users will receive the invitation on this email address and they will have to enroll their mobile devices using the same email address.

To define and configure the mobile device manager

After verifying the prerequisites, the first step in configuring mobile device management is to define and configure a mobile device manager.

  1. In the left pane, click Mobile Device Management.
  2. Right-click Mobile Device Managers, and select Add Device.
  3. In the Add a new Mobile Device Manager dialog box, search or browse to select the computer, and click OK.
    The computer is defined as the mobile device manager.
  4. In the left pane, select the newly defined mobile device manager.
  5. In the right pane, right-click any row and select Properties.
  6. In the Properties dialog box, specify the parameters as required.
    1. The Enrollment URL is a read-only, auto-populated field.

      Once enrolled, the mobile device will connect to the mobile device manager using this secure URL.

      • If you specify a Server Name in sub-step 2, the URL is populated with the specified server name. For example, if you specify the server name as mobiledevicemanager.bmc.com, the URL is: https://mobiledevicemanager.bmc.com:1661/mdm.
      • If you leave the Server Name field empty, the URL is populated with the IP address after the following mobile device management configurations are completed:
        • The Apple Push Certificate is installed.
        • At least one email domain is added to the Authorized Email Domains list.
        • At least one user or user group with a valid email address is added in the Authorized Users or Authorized User Groups lists, respectively.

        Note

        If you use the IP address in the URL, the server must be assigned a static IP address. If the URL changes (due to a change in the IP address or the port number), the enrolled mobile devices will not be able to connect with the mobile device manager.

    2. (Optional) Specify a Server Name for the mobile device manager.

      Note

      It is strongly recommended that you specify a server name. If you have specified the server name, the enrollment URL is built with the specified server name. So, even if the IP address of the server changes, the URL does not change and the enrolled mobile devices have continuous access to the mobile device manager.

    3. (Optional) Specify a different Server Port.
      The default port is 1661.

      Note

      Once assigned, the port number must not be changed. If the port number is modified, the enrollment URL will change and the enrolled mobile devices will not be able to connect to the mobile device manager.

    4. (Optional) Specify the Server Certificate and Signing Certificates names.
      • If these certificates are already installed, the certificate names are automatically populated.
      • If these certificates are already available but not installed, you can put the certificates in the appropriate folder on the master server and specify the certificate file names in these fields. You can also select the option to install the certificates.
      • If you do not have certificates, you can purchase and install the new certificates. If the server certificate is not configured, a temporary certificate is issued each time the agent service starts up. The temporary certificate is issued by the currently configured BCM Certificate Authority (CA).

        Notes

        • When purchasing new certificates, ensure that the Server Name matches the Certificate Subject Name or the Subject Alternative Name attributes in the certificate. These certificate attributes are used when the mobile device connects with the mobile device manager.
        • If you need to update the agent CA certificate, first you must install the new CA certificate in the mobile device using the Certificate payload. Then, the mobile device will trust the new CA certificate and continue connecting with the mobile device manager.


        For more information about preparing and installing the certificates, see Adding an SSL certificate.

    5. (Optional) Specify the number of notification threads to be opened in Notification Thread Count.
      The default value is 2. To disable notification, specify the value as 0. If two or more mobile device managers are configured with a value greater than 0, only one mobile device manager is used for notification.

  7. Click OK.
    The mobile device manager is defined and configured.
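
A pre-deployment check for the certificate notes above, as an added example (not BMC code): given a certificate in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), it reports whether the host in the enrollment URL is covered by a Subject Alternative Name or the Subject CN, and how many days remain before expiry. The sample certificate, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import ipaddress
import ssl
import time
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "mobiledevicemanager.bmc.com"),),),
    "subjectAltName": (("DNS", "mobiledevicemanager.bmc.com"),),
    "notAfter": "Mar  1 00:00:00 2025 GMT",
}

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Exact match, or one wildcard as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_enrollment_cert(enrollment_url, cert, now=None, warn_days=30):
    """Report which certificate attribute covers the URL host, and days to expiry."""
    host = urlsplit(enrollment_url).hostname
    sans = cert.get("subjectAltName", ())
    dns = [v for k, v in sans if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    matched = None
    if _as_ip(host) is not None:
        # An IP-based enrollment URL is only covered by an IP Address SAN entry.
        if any(k == "IP Address" and _as_ip(v) == _as_ip(host) for k, v in sans):
            matched = "SAN"
    elif any(_dns_match(d, host) for d in dns):
        matched = "SAN"
    elif not dns and any(_dns_match(c, host) for c in cns):
        matched = "CN"  # Subject CN is consulted only when no DNS SAN exists
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {"host": host, "matched": matched,
            "days_left": days_left, "expiring": days_left < warn_days}

if __name__ == "__main__":
    fixed_now = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")
    for url in ("https://mobiledevicemanager.bmc.com:1661/mdm",
                "https://192.0.2.10:1661/mdm"):  # constructed IP address
        print(check_enrollment_cert(url, SAMPLE_CERT, now=fixed_now))
```

To check a live manager, the same dict can be obtained from getpeercert() on a socket wrapped with ssl.create_default_context(), which itself refuses a certificate that does not chain to a trusted CA.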

To prepare and install an Apple Push Certificate

After at least one mobile device manager is defined and configured, you need to prepare and install an Apple Push Certificate. If you already have an Apple Push Certificate available, you can select the option to install the certificate.

  1. In the left pane, select Mobile Device Management > Configuration.
  2. Right-click Apple Push Certificate, and select Prepare Certificate.
    The Apple Push Certificate Creation Wizard dialog box is displayed.

    Note

    If you have already created and downloaded the Apple Push Certificate file, you can select the Install Certificate option and refer to step 8.

  3. Read the information, and click Next.
  4. On the Create CSR Certificate page, type the required information, and click Generate CSR Certificate.
  5. Type a name for the certificate request (.csr) file and save it on the local drive.
    You will need to upload this certificate in the next page to generate and download the Apple Push Certificate file.
  6. Click Next.
    The Apple Manual Procedure page is displayed. Follow the instructions on this page to create and download the Apple Push Certificate (.pem) file.
  7. After you have downloaded the Apple Push Certificate file, select the I have completed the steps and saved the PEM file from the Apple Portal check box, and click Next.
  8. On the Import Apple Push Certificate page, browse to select the Apple Push Certificate file.
    The page displays the encrypted text between the BEGIN CERTIFICATE and END CERTIFICATE marker lines.

  9. Click Finish.
    The certificate is now installed and the right pane displays the certificate name and its expiration date.

To add an authorized email domain

To enroll for mobile device management, the users need an email address registered in the directory server. The email domain of this registered email address must be listed in the Authorized Email Domain list. For example, if the email domain of a user's registered email address in the directory server is bmc.com, then bmc.com must be listed in the Authorized Email Domains list.

The user needs to select the appropriate email domain from the list during enrollment. For example, if bmc.com, gmail.com, and yahoo.com are listed as authorized email domains and a user with an email address in the bmc.com domain is enrolling, the user needs to select bmc.com from the drop-down list.

Note

You can add multiple email domains as authorized email domains.

  1. In the left pane, select Mobile Device Management > Configuration > Enrollment.
  2. In the right pane, right-click in the Authorized Email Domains tab, and select Add Email Domain.
  3. In the Add an Authorized Email Domain window, specify the domain name that you want to authorize, and click OK.
    The email domain is added as an authorized email domain.

To create terms and conditions

Terms and conditions are displayed when the users enroll their mobile devices. The terms and conditions for a user or user group are selected when they are added to an authorized user or an authorized user groups list for the mobile device management. You can create multiple instances of the terms and conditions depending on your requirements. For example, you can create separate instances of the terms and conditions for the users in different countries.

  1. In the left pane, select Mobile Device Management > Configuration > Enrollment.
  2. Right-click Terms and Conditions, and select Create new Terms and Conditions.
  3. In the Properties window, specify the terms and conditions details, and click OK.
    The new instance of terms and conditions is created.
  4. In the left pane, select the newly created instance of the terms and conditions. 
  5. Go to the Content tab and type or paste the text for the terms and conditions.
    The text box supports plain text and HTML.
  6. Click Save.
    The content of the terms and conditions is saved.

Note

You can view the users and user groups to whom this instance of the terms and conditions is assigned, in the Authorized Users and Authorized User Groups tabs respectively.

To add users (or user groups) to authorized users (or authorized user groups) list

Before you can invite the users to enroll for mobile device management, you need to authorize them. From the directory server, you can either add individual users or add user groups to the list of authorized users or user groups respectively.

Important

For the users to enroll their mobile devices for mobile device management, they must have an email address in their account information in the directory server.

  1. In the left pane, select Mobile Device Management > Configuration > Enrollment.
  2. In the right pane, right-click in the Authorized Users (or Authorized User Groups) tab, and select Add User (or Add User Group).
  3. In the Select a User (or Select a User Group) dialog box, search or browse to select the users (or user groups) you want to authorize for enrollment.
  4. From the Select Terms and Conditions list, select the terms and conditions you want to set for the selected users (or user groups).
    This instance of terms and conditions is displayed when the users enroll their mobile devices.
  5. Click OK.
    The selected users (or members of the user group) are authorized to enroll their mobile devices.

To customize a logo for the enrollment page

From the Customization tab, you can customize the logo that will be displayed during mobile device enrollment.

  1. In the left pane, select Mobile Device Management > Configuration > Enrollment.
  2. In the right pane, click the Customization tab.
  3. Click Browse and select the image that you want to set as logo.
    In the Import Picture dialog box, the red selection box displays the area of the image to be used as logo.
  4. Move the red selection box to select a part of the image.
    You can also resize the red selection box by dragging the lower-right corner. The right pane displays the preview of the selected part of the image as a logo. If you resize the red selection box, the aspect ratio is maintained and the cropped image is resized to appropriate dimensions.
  5. After you select the image or part of the image, click OK.
    The Logo Customization page displays the preview of the enrollment page with the new logo.
  6. Click Apply to confirm your selection.

To invite users or user groups to enroll

After completing the preceding configurations, you can start inviting users to enroll for mobile device management. To enroll, the user must have an active account in the directory server with a valid email address. Also, the email domain of the registered email address must be added to the authorized email domains list.

  1. In the left pane, select Mobile Device Management > Configuration > Enrollment.
  2. In the right pane, click the Authorized Users (or the Authorized User Groups) tab.
  3. Right-click the user (or the user group) you want to invite to enroll, and select Send Enrollment Email.
    The Mail Settings dialog box is displayed.
  4. Select a Mobile Device Manager from the list.
    The mobile devices enrolled using this invitation are enrolled on this mobile device manager. Also, all future communications with the enrolled mobile device are managed by this mobile device manager.
  5. Select the Language for the email.
    The user receives the enrollment invitation email in the selected language.
  6. Click OK.
    An enrollment invitation email with a link to complete the mobile device enrollment is sent to the users.

Where to go from here

Enrolling mobile devices

Viewing information about managed mobile devices

Managing configuration profiles for managed mobile devices

Managing mobile applications

Performing remote operations on managed mobile devices


Comments

  1. Frank Chew

    This still only supports iOS? Why is there a note about IPv6 not working and nothing about it only working with iOS and not Android?

    Mar 29, 2019 02:04