2014/02/20

How WSO2 solved its mobile security challenges using WSO2 Enterprise Mobility Manager

  • Niranjan Karunanandham
  • Senior Software Engineer - WSO2
Archived Content
This article is provided for historical perspective only, and may not reflect current conditions. Please refer to relevant product page for more up-to-date product information and resources.

Introduction

Today employees prefer to use their own devices at the office instead of company-provided devices. Allowing employees to bring their own devices into the enterprise has its advantages but, at the same time, increases security risks. For example, if an employee’s device that holds sensitive enterprise data is lost or stolen, the enterprise data can be compromised. Giving Wi-Fi access to employees who bring their own mobile devices was challenging at WSO2. These issues can be solved with WSO2 Enterprise Mobility Manager (EMM).

A separate Wi-Fi network was set up for mobile devices and integrated with WSO2 EMM. WSO2 EMM was deployed at WSO2 so that employees can enroll their devices using their LDAP credentials and access the internet on their mobile devices; currently, iOS and Android devices are supported. WSO2 EMM also enabled WSO2 to have its own Enterprise Mobile Store, where mobile apps such as WSO2 Mobile Directory can be hosted and pushed to employees’ devices that have been enrolled in WSO2 EMM. The Mobile Directory application was very important to employees because the number of employees at WSO2 is increasing and people find it difficult to contact one another. Previously, they would resort to emailing and calling to get basic profile information about colleagues.

Since the system is used to give internet privileges to employees’ devices, only basic operations are performed from the MDM server side (such as device lock and passcode policy). The system allows the user to enroll in WSO2 EMM both from within the network (company Wi-Fi) and from outside (using cellular data). When the user enrolls his/her device via the private network (WSO2-Staging), the device is given a session that can be used to access the internet. Once the session expires (i.e. when the user comes in the next day), a pop-up prompts the user to enter LDAP credentials, provided the device is still enrolled in the system.

Architecture - overview

  1. When the device connects to the private network (WSO2-Staging), the router checks whether the device already has a session. If so, the device already has internet access on this network; otherwise it is redirected to the EMM server.
  2. The EMM server checks whether the device is enrolled.
    1. If the device is already registered in the system, the user is directed to the Wi-Fi Login page, where he/she enters LDAP credentials to get a new session.
    2. If not, the user is directed to the appropriate EMM page. For Android this is the MDM Agent download page; for iOS it is the EMM registration page.
  3. Upon successful enrollment of the device in the EMM server, the server automatically creates a new session for the device.
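The following is an added example that models the captive-portal decision flow of the three steps above (router session check, EMM enrollment check, session creation on enrollment) together with the behaviour noted later under Limitations, where un-enrolling a device does not end its current session. It is not WSO2 EMM code; the class and method names, the use of a device identifier string, and the 12-hour session lifetime are assumptions made for illustration.

```python
"""Captive-portal decision logic for the EMM-backed Wi-Fi flow.

Added illustration, not WSO2 EMM code. Device ids, the Portal class,
its method names and the SESSION_TTL value are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Set


class Platform(Enum):
    ANDROID = "android"
    IOS = "ios"


class Action(Enum):
    ALLOW = "allow"                                  # valid session: traffic passes
    WIFI_LOGIN = "wifi_login"                        # enrolled, no session: LDAP login page
    ANDROID_AGENT_DOWNLOAD = "android_agent_download"  # not enrolled, Android
    IOS_REGISTRATION = "ios_registration"            # not enrolled, iOS


SESSION_TTL = timedelta(hours=12)  # assumption: roughly one working day


@dataclass
class Portal:
    enrolled: Set[str] = field(default_factory=set)          # device ids enrolled in EMM
    sessions: Dict[str, datetime] = field(default_factory=dict)  # device id -> expiry time

    def has_session(self, device_id: str, now: datetime) -> bool:
        """Step 1: the router's check. Expired sessions are dropped lazily."""
        expiry = self.sessions.get(device_id)
        if expiry is None:
            return False
        if now >= expiry:
            del self.sessions[device_id]
            return False
        return True

    def decide(self, device_id: str, platform: Platform, now: datetime) -> Action:
        """Where the device is sent when it joins the private network."""
        if self.has_session(device_id, now):
            return Action.ALLOW
        # Step 2: the EMM server's enrollment check.
        if device_id in self.enrolled:
            return Action.WIFI_LOGIN
        if platform is Platform.ANDROID:
            return Action.ANDROID_AGENT_DOWNLOAD
        return Action.IOS_REGISTRATION

    def enroll(self, device_id: str, now: datetime) -> None:
        """Step 3: successful enrollment also creates a session automatically."""
        self.enrolled.add(device_id)
        self.sessions[device_id] = now + SESSION_TTL

    def login(self, device_id: str, ldap_ok: bool, now: datetime) -> bool:
        """Wi-Fi Login page: an enrolled device presents LDAP credentials."""
        if device_id not in self.enrolled or not ldap_ok:
            return False
        self.sessions[device_id] = now + SESSION_TTL
        return True

    def unenroll(self, device_id: str) -> None:
        """Matches the limitation described in the article: un-enrolling leaves
        the current session in place until it expires."""
        self.enrolled.discard(device_id)


def walkthrough() -> List[Action]:
    """Replay one Android device through a working day (constructed timeline)."""
    p = Portal()
    t0 = datetime(2014, 2, 20, 9, 0)
    steps = []
    steps.append(p.decide("dev-1", Platform.ANDROID, t0))          # not enrolled
    p.enroll("dev-1", t0)
    steps.append(p.decide("dev-1", Platform.ANDROID, t0))          # session from enrollment
    next_day = t0 + timedelta(days=1)
    steps.append(p.decide("dev-1", Platform.ANDROID, next_day))    # expired -> login page
    assert p.login("dev-1", True, next_day)
    steps.append(p.decide("dev-1", Platform.ANDROID, next_day))    # new session
    p.unenroll("dev-1")
    steps.append(p.decide("dev-1", Platform.ANDROID, next_day))    # still allowed
    steps.append(p.decide("dev-1", Platform.ANDROID, next_day + timedelta(days=1)))
    return steps


if __name__ == "__main__":
    for action in walkthrough():
        print(action.value)
```

The last two entries of the walkthrough are the point of the Limitations note: after un-enrollment the device keeps its access until the session lapses, and only then is it treated as an unknown device again. A stricter portal would clear the session inside `unenroll()` so that revoking enrollment takes effect immediately.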

The diagram below shows how the EMM server contacts the device. First, the EMM server sends a message to the GCM or APNs server, depending on whether the device it wants to contact is Android or iOS. The GCM/APNs server in turn contacts the device, and the device initiates a connection with the EMM server.

Issues encountered

The purpose of enrolling employees’ devices in WSO2 EMM is to give those devices internet access. During deployment, we noted that specific ports need to be open so that Android and iOS devices can reach GCM (Google Cloud Messaging) and APNs (Apple Push Notification service) and enroll in our system.

  • Android:
    • The ports to open are 5228, 5229 and 5230. GCM typically uses only 5228, but it sometimes uses 5229 and 5230. GCM does not publish specific IP addresses; its IPs change frequently.
  • iOS:
    • TCP port 5223 (used by devices to communicate with the APNs servers)
    • TCP port 2195 (used to send notifications to APNs)
    • TCP port 2196 (used by the APNs feedback service)
    • TCP port 443 (used as a fallback on Wi-Fi only, when devices are unable to communicate with APNs on port 5223)

Enrollment

Android enrollment is straightforward. When the user needs to connect to the private network (WSO2-Staging), he/she can either tap “Sign-in to network”, which appears in the notification bar, or open the browser and enter a URL; either way the browser is redirected to the “WSO2 EMM Registration” page. The user then downloads and installs the agent. Afterwards, the user opens the MDM Agent and follows the steps to enroll the device.

There is a work-around when connecting iOS devices to the private network (WSO2-Staging). When the device connects to the network, the WSO2 EMM iOS enrollment page pops up. The user needs to tap Cancel and then try to connect to the private network (WSO2-Staging) again. This process needs to be repeated until a small pop-up is displayed on tapping “Cancel”, as shown below.

Tap “Use Without Internet” and then open Safari. Tap a bookmark or enter a URL, and the browser is redirected to the WSO2 EMM iOS enrollment page. The user first needs to tap “Download Root Certificate” and install it. Then the user taps “EMM Login Page” and follows the steps to enroll the device. Once the device is enrolled, the user can manage his/her device from the MDM console.

Limitations

If the user has an iOS 6 device, he/she needs to enroll in WSO2 EMM using another network or via GPRS. The reason is that iOS 6 has no feature that allows the device to use a network without internet access. The moment the user taps the “Cancel” button in the pop-up that appears on selecting WSO2-Staging in the Wi-Fi settings, the device disconnects from Wi-Fi.

After enrollment, if the user un-enrolls his/her device, the device will still have internet access until the session expires, i.e. until the user tries to connect to another network or comes in the next day and connects to the network again.

Click here to download WSO2 EMM and for further details on its features.

About Author

  • Niranjan Karunanandham
  • Senior Software Engineer
  • WSO2