From eScan Wiki
Pre-Requisites for Managing iOS Devices
The eScan EMM requires a SSL certificate to manage your iOS devices from the EMM console. This document gives you information on all the pre-requisites for managing iOS devices and how you can import the SSL certificate. It also briefs on what the certificate is about and where you can purchase the same.
- Make sure you have a dedicated IP. You can have static IP or use NATing *
- Decide on a domain name.
You need to decide a domain name for your EMM console to which the connecting devices are directed to your server, for eg: emm.mycompany.com
- Add A-record. Creating an A-record will re-direct anyone who visits emm.mycompany.com to the dedicated IP. For more information on creating your A-record please contact your DNS provider/Name Server Provider.
- Make sure that the below ports are made available for proper functionality. Ports: 10443,2021,2221,2222,2225,2226,443,3333. </br> In case, you are using NAT or NO-IP, port redirection to the local Corporate 360 server will be required.
- Acquiring the SSL certificate from an Apple approved Certificate Authority (CA) **. For more help on "How to generate a SSL certificate using Certificate Authority (CA)" click here.
- Import certificate and start managing your iOS devices
* If you are using NATing please refer this link for more information
** List of Apple Approved CA https://support.apple.com/en-us/HT204132
- This is not the iOS certificate or some certificate that will be provided by Apple.
- This is a normal SSL certificate that organization's use on their server for SSL communication (https). Eg: When you connect to a website www.escanav.com you are on a secured connection, as this server 'escanav.com' has a SSL certificate installed.
- If you are having the server as 'emm.mycompany.com', you need to get a SSL certificate for the domain emm.mycompany.com. You will have to buy this from a CA or generate it for free.
- The certificate thus bought from the CA has to be renewed every year or if it is for free it has to be renewed every 3 months.
- This certificate needs to be imported in the console, for the server and the Apple servers to communicate securely.
How to import a C.A certificate on the eScan Corporate 360 EMM console?
A. To add the certificate when you log into the eScan Corporate 360 console for the first time:
- Click on eScan Mobility Management (EMM). It opens the EMM console use only for Android and iOS devices.
- Under To manage iOS devices you need to add a Trusted CA Certificate, click on Start with iOS. It opens a new window where you can import your certificate files.
- Browse the file from your local drive.
- Save the files.
You will see a confirmation message “Certificate added successfully ”.
B. To add the CA certificate if
- You had selected to proceed with "Start with Android (without iOS)" earlier
- You have deleted the previous certificate please follow the steps below:
- On the left menu click Settings.
- Select Certificate Management tab.
- Click the Add button. The Add Certificate window is displayed.
- Browse the file from your local drive.
- Save the files. You will see a confirmation message “Certificate added successfully”.
What is a CA certificate?
To manage iOS devices on the EMM console you are required to add a trusted CA certificate. A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity’s identity on the Internet. The digital certificate is an essential part of secure communication and plays an important part in the public key infrastructure (PKI). Certificates typically include the owner's public key, the expiration date of the certificate, the owner's name and other information about the public key owner.
Why is a CA Certificate required?
The certificate is from a trusted third party who is responsible for physically verifying the legitimacy of the identity of an individual or organization before issuing a digital certificate. It guarantees that the individual granted the unique certificate is, in fact, who he or she claims to be. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key.
How to purchase a CA certificate?
Please contact an authentic SSL certificate issuing authority (like Lets Encrypt (free provider), Rapid SSL , Comodo etc.) to purchase a CA certificate. Make sure the certificate they issue is mentioned among the list in the link below.
List of Apple Approved CA https://support.apple.com/en-us/HT204132
How to create your A-record for the dedicate IP?
Creating an A- record will re-direct anyone who visits your EMM to the dedicated IP. For more information on creating your A-record please contact your ISP.
The eScan EMM for iOS devies can be used in different scenarios as below.
Scenario 1: eScan server is installed on a system and a Static IP (Public IP) is assigned to the system.
Scenario 2: eScan server is installed on a system locally and NAT with port redirection is done to the server system.
1. SSL Sniffing devices provide their own Certificate, which would be rejected by EMM and iOS during the validation process. Disable SSL Sniffing for Network Interfaces of EMM.
2. Self-Signed Certificates are not accepted.