To manage mobile devices using Mobile Device Manager Plus MSP, the MDM server must be reachable from the devices at all times. The server is reachable while the devices are on the same network, but devices outside that network cannot reach it by its internal address. Because managed devices are mobile and spend most of their time outside the network, they must be able to contact the MDM server for management to continue. This is achieved by mapping the server's internal IP address to a public IP address or FQDN (Fully Qualified Domain Name), after which devices on the LAN or on an external network can access the MDM server. This process is called Network Address Translation (NAT) and is mandatory for managing devices outside your organization's network.
To secure data in transit, self-signed or third-party certificates can be used. Because the certificate enables encrypted (TLS) communication between the server and the devices, corporate data sent over the internet is protected.
Using an FQDN is recommended: any change to the internal IP address is automatically mapped to the FQDN, and no intervention is required unless you modify the NAT settings. Third-party certificates also identify the server by its FQDN.
For the MDM server to be reachable via the public IP address, configure the NAT settings so that all requests sent to the public IP address are redirected to the MDM server.
For devices within the LAN
If you use the same DNS name for both the public and the private IP address, all requests from within the LAN are resolved by the internal DNS to the private IP address and are not routed through the public IP address.
For devices on the Internet
Devices on an external network such as the internet use the DNS name to reach the public IP address, from where their requests are forwarded to the private IP address.
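To confirm from a given network position that the FQDN mapping above behaves as described, the following added script (example code, not part of ManageEngine's documentation or product) resolves the MDM FQDN, classifies whether the answer is the private LAN address or the public NAT address, completes a TLS handshake, and checks that the server certificate actually names the FQDN. It assumes the MDM port is 9383, as mentioned later on this page, and uses mdm.example.com as a constructed placeholder.

```python
import ipaddress
import socket
import ssl

MDM_PORT = 9383  # internal MDM port named on this page


def classify_resolution(resolved_ips):
    """'internal' when every address is private (the split-DNS view inside the
    LAN), 'external' when every address is public (the NAT entry seen from the
    Internet), 'mixed' when the DNS view is inconsistent and needs attention."""
    kinds = {"internal" if ipaddress.ip_address(ip).is_private else "external"
             for ip in resolved_ips}
    return kinds.pop() if len(kinds) == 1 else "mixed"


def cert_matches_fqdn(san_names, fqdn):
    """True when a subjectAltName DNS entry covers the FQDN. A wildcard matches
    exactly one leftmost label and never the bare domain, as TLS clients expect."""
    fqdn = fqdn.lower().rstrip(".")
    labels = fqdn.split(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name == fqdn:
            return True
        if name.startswith("*.") and len(labels) > 2 and ".".join(labels[1:]) == name[2:]:
            return True
    return False


def check_mdm_endpoint(fqdn, port=MDM_PORT, cafile=None, timeout=5.0):
    """Live check: resolve the FQDN, complete a TLS handshake (pass cafile for a
    self-signed server certificate) and report whether the cert names the FQDN."""
    infos = socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)
    ips = sorted({info[4][0] for info in infos})
    result = {"fqdn": fqdn, "ips": ips, "view": classify_resolution(ips)}
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; SANs compared below
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
        result["cert_names_fqdn"] = cert_matches_fqdn(sans, fqdn)
    except OSError as exc:  # ssl.SSLError and socket errors both derive from OSError
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print(check_mdm_endpoint("mdm.example.com"))  # constructed placeholder FQDN
```

Run it once from inside the LAN and once from an external network: the "view" field should read "internal" and "external" respectively, and "cert_names_fqdn" should be True in both cases.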
This section explains how to manage mobile devices without exposing the MDM server directly to the internet. This is achieved with a Secure Gateway, which shields the MDM server from attacks that target internet-exposed services. ManageEngine Secure Gateway is the component exposed to the internet, not the MDM server. The Secure Gateway acts as an intermediary between the managed mobile devices and the MDM server. If the MDM server has been set up in a De-Militarized Zone (DMZ), the Secure Gateway need not be configured, as placing the MDM server in a DMZ is the most secure option.
The MDM server communicates with APNs/FCM/WNS to wake up the mobile device. All communication from the mobile device is routed through the Secure Gateway: when the device contacts the MDM server, the Secure Gateway receives the requests and redirects them to the MDM server.
Follow the steps below to configure NAT:
MDM is now set up to manage mobile devices. To manage iOS devices, you must create an APNs certificate and upload it to the MDM server. Refer to the port details for iOS, Android and Windows devices.
We have made your job simpler! Learn how to set up Secure Gateway in 3 minutes through this demo video.
The FQDN/IP initially specified is registered on the enrolled devices and used for communication between the MDM server and the devices. Depending on the organization's preferences, the FQDN/IP might have to be changed, especially in the following scenarios. When the NAT settings are modified, already-enrolled devices continue to reach the MDM server using the previous FQDN/IP. This is resolved by making a few changes to your environment so that the new address is mapped to the existing FQDN/IP. Without these changes, those devices cannot be managed by MDM. Devices enrolled after the NAT settings were modified are not affected and can be managed as usual.
To make the required changes, follow the steps given below. For all platforms other than Android:
For Android devices, the new FQDN/IP can be registered on the enrolled devices by contacting MDM Support at mdm-support@manageengine.com. If you want to modify the port, ensure that it is redirected to port 9383 in your internal environment for continued management of all platforms except Android, for which you again need to contact MDM Support at mdm-support@manageengine.com.

Setting up Secure Gateway involves the following:
Setting Up Secure Gateway
MDM automatically syncs the required certificates for the Secure Gateway. In case the sync fails, admins can manually install the required certificates. Follow the steps given below to manually install the certificates.
Once you have copied the certificates, click Install to complete the installation.
Secure Gateway starts automatically. You can verify this by running services.msc on the same machine and checking that the ManageEngine Secure Gateway service has started. You have now configured the Secure Gateway.
Uninstalling Secure Gateway involves the following steps: