This article covers the following topics:
What are the settings required for the inSync iOS app on the device?
How does inSync use the MDM Push certificate and MDM profiles?
Why does the inSync iOS mobile app need an MDM profile?
How does an organization using inSync for mobiles obtain an Apple MDM push certificate?
What to do if the MDM profile is not getting installed successfully on the device?
Why does the inSync iOS mobile app need access to the location service of the device?
To use the inSync backup and device protection features on an iOS device, two settings are needed. inSync notifies the user and asks them to:
- Install the enterprise’s Mobile Device Management Profile (MDM) on the device.
- Enable the device’s location service for inSync. (This is required only for DLP.)
The Apple MDM Push certificate is needed by the inSync server to send notifications to the managed iOS mobile device for triggering backup and remotely wiping data. inSync uses the Apple Push Notification (APN) service to communicate with the mobile device.
Each iOS device managed by inSync is prompted to install the inSync MDM profile when the Device Protection feature is activated.
Apple Push Notification servers talk only to known entities that identify themselves with the APN certificate and its private key. When the APN server receives a request from the inSync server to decommission a device, it first verifies the APN certificate and private key before passing the decommission command on to the device.
Devices keep polling the APN server for commands.
When the APN server passes the inSync decommission request on to the device, the device checks whether the installed MDM profile carries the same identity that Apple verified when talking to the inSync server (the Apple Push Certificate). If they match, the device accepts the command; otherwise it discards it.
The profile has the SSL certificate details in it as well.
The device then contacts the server specified in the profile (the inSync server). When the inSync server sends a wipe request, the device carries it out after verifying its authenticity.
An MDM (Mobile Device Management) profile installed on an iOS device enables that device to be remotely managed by an IT administrator. The administrator can remotely enforce enterprise-wide security policies using an MDM profile.
The inSync Device Protection feature requires the MDM profile of the organization to be installed on the device. This enables the administrator to remotely wipe off sensitive data in case the iOS device is lost or stolen. It also enables the inSync server to trigger backups on the device periodically.
If the IT administrator of an enterprise wants to use the inSync "Decommission" feature on the enterprise’s iOS devices, the following requirements have to be met.
The organization needs to have an Apple MDM Push certificate installed on their inSync server. This certificate enables the inSync server to communicate with the mobile devices using the Apple Push Notification (APN) service. The devices need to have the inSync MDM profile installed on them in order to respond to the requests sent by the inSync server.
To obtain an Apple MDM Push Certificate:
1. The customer’s IT administrator creates a CSR (Certificate Signing Request) using the organization's private key. (The key that was used to get an SSL certificate for the customer’s domain.)
2. The administrator sends this CSR to Druva Support to get it signed with Druva's private key.
3. Druva Support will send the signed CSR back to the customer.
4. The IT administrator uploads the signed CSR to Apple's Pushcert portal.
5. Apple's Pushcert portal provides the "Apple MDM Push Certificate".
6. The IT Admin uploads it to their inSync web panel, along with the private key (private key and certificate in a single file).
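Steps 1 and 6 of this procedure are the ones done locally, with openssl. The following is an added example (not Druva's tooling or documentation): it creates the CSR from the organization's existing private key, confirms before anything is sent off that the CSR really belongs to that key, and builds the single certificate-plus-key PEM file the web panel expects. File names and the subject line are placeholders, and the key generated in the demo section is a constructed stand-in for the key already behind the domain certificate.

```shell
#!/bin/sh
# Added example for steps 1 and 6 above; not Druva's code. Assumes openssl is
# installed. File names and subject values are placeholders.
set -u

# Step 1: create a CSR signed with the organization's existing private key.
#   make_mdm_csr KEY.pem OUT.csr "/C=US/O=Example Corp/CN=mdm.example.com"
make_mdm_csr() {
  key=$1; csr=$2; subj=$3
  openssl req -new -key "$key" -out "$csr" -subj "$subj" 2>/dev/null
}

# Sanity check before sending the CSR to Druva Support: the CSR signature must
# verify and its public key must be the one derived from KEY (the same key is
# uploaded with the certificate in step 6, so a mismatch here breaks step 6).
csr_matches_key() {
  csr=$1; key=$2
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]
}

# Step 6: the web panel wants certificate and private key in one PEM file.
# The file now holds a private key, so restrict its permissions.
bundle_cert_and_key() {
  cert=$1; key=$2; out=$3
  cat "$cert" "$key" > "$out" && chmod 600 "$out"
}

# Number of PEM blocks in a bundle; a correct cert+key bundle has at least 2.
bundle_block_count() {
  grep -c -- '-----BEGIN' "$1"
}

# Demo with a constructed key (a real deployment uses the key that already
# backs the domain's SSL certificate instead of generating a new one).
demo=$(mktemp -d)
openssl genrsa -out "$demo/org.key" 2048 2>/dev/null
make_mdm_csr "$demo/org.key" "$demo/mdm.csr" "/O=Example Corp/CN=mdm.example.com"
if csr_matches_key "$demo/mdm.csr" "$demo/org.key"; then
  echo "CSR ready to send: $demo/mdm.csr"
fi
# Stand-in for the certificate that comes back from Apple's portal in step 5.
openssl req -new -x509 -key "$demo/org.key" -days 1 \
  -subj "/O=Example Corp/CN=mdm.example.com" -out "$demo/push.crt" 2>/dev/null
bundle_cert_and_key "$demo/push.crt" "$demo/org.key" "$demo/push-bundle.pem"
echo "bundle $demo/push-bundle.pem holds $(bundle_block_count "$demo/push-bundle.pem") PEM blocks"
```

The `csr_matches_key` check is the part worth keeping around: the most common failure in this procedure is a CSR generated from one key and a bundle in step 6 built from another, and comparing the public keys catches that before the round trip through Druva Support and Apple.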
The IT Admin also needs to install an SSL certificate that is used for communication between the server and the mobile devices.
This can be the same certificate uploaded for the web panel; otherwise inSync automatically generates a self-signed certificate. Alternatively, the customer may upload a certificate valid for their own domain, such as a wildcard certificate for "*.druva.com", issued by a third party such as Verisign, Register.com or GoDaddy.
If the MDM profile is not getting installed on the device, the administrator needs to check for the following reasons:
- The Domain in the SSL certificate uploaded does not match the host name specified for MDM.
- The SSL certificate for MDM is self-signed and its "Issued to" does not match the MDM hostname.
- The MDM hostname does not resolve to the server's IP address.
- The user may have registered the same device in two different user accounts and the inSync MDM profile is already installed on one.
- The MDM Host Name field in the web-panel settings page is not the Fully Qualified Domain Name.
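The first, second and last reasons in this list can be checked locally before the profile is pushed: does the MDM host name look like an FQDN, and do the certificate's subject CN or DNS subject alternative names actually cover it (a wildcard name such as "*.druva.com" only covers one label, so it does not cover "a.b.druva.com" or the bare "druva.com"). The following is an added example, not Druva's own tooling: a POSIX shell preflight that runs these checks against a PEM certificate with openssl, plus an optional check that the host name resolves to the expected address (that one needs DNS, so the demo does not use it). The certificate in the demo is constructed on the spot; point the functions at the certificate that was actually uploaded.

```shell
#!/bin/sh
# Added example, not Druva's code. Assumes openssl (1.1.1 or later for the
# -addext used in the demo) and a PEM certificate. Host names and the demo
# certificate are constructed values.

# is_fqdn NAME -> 0 when NAME has at least two labels and an alphabetic TLD.
is_fqdn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# name_matches PATTERN HOST -> 0 when the certificate name PATTERN covers HOST:
# an exact case-insensitive match, or a wildcard in the leftmost label only.
name_matches() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pat" in
    \*.*)
      suffix=${pat#\*}      # "*.example.com" -> ".example.com"
      first=${host%%.*}     # leftmost label of the host
      [ -n "$first" ] && [ "$host" = "$first$suffix" ]
      ;;
    *) [ "$pat" = "$host" ] ;;
  esac
}

# cert_dns_names CERT.pem -> subject CN followed by every DNS SAN, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_covers_host CERT.pem HOST -> 0 when any name in the certificate covers HOST.
cert_covers_host() {
  names=$(cert_dns_names "$1")
  set -f                      # names may contain '*'; do not glob them
  for n in $names; do
    if name_matches "$n" "$2"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# host_resolves_to HOST IP -> 0 when HOST resolves to IP (needs working DNS).
host_resolves_to() {
  getent ahosts "$1" 2>/dev/null | awk '{print $1}' | grep -qxF "$2"
}

# mdm_preflight CERT.pem HOST [SERVER_IP] -> prints each problem found;
# returns 0 only when there are none.
mdm_preflight() {
  problems=0
  if ! is_fqdn "$2"; then
    echo "MDM host name '$2' is not a fully qualified domain name"; problems=$((problems + 1))
  fi
  if ! cert_covers_host "$1" "$2"; then
    echo "certificate names ($(cert_dns_names "$1" | tr '\n' ' ')) do not cover '$2'"; problems=$((problems + 1))
  fi
  if [ $# -ge 3 ] && ! host_resolves_to "$2" "$3"; then
    echo "'$2' does not resolve to $3"; problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Demo on a constructed self-signed certificate shaped like a wildcard
# domain certificate. Expected: the first two hosts pass, the last two fail.
demo=$(mktemp -d)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$demo/mdm.key" -out "$demo/mdm.crt" \
  -subj "/O=Example Corp/CN=mdm.example.com" \
  -addext "subjectAltName=DNS:mdm.example.com,DNS:*.example.com" 2>/dev/null
for h in mdm.example.com backup.example.com insync-server mdm.other.org; do
  if mdm_preflight "$demo/mdm.crt" "$h"; then echo "$h: ok"; fi
done
```

Run `mdm_preflight /path/to/uploaded.pem mdm.example.com 203.0.113.10` with the real certificate, the value typed into the MDM Host Name field and the server's public address; each line it prints maps to one of the reasons listed above. The remaining reason, a device already registered under another user account, is a server-side state and has to be checked in the web panel.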
The inSync application needs access to the location services of the iOS device for device protection features. A device can be traced to its current location using inSync, which requires the location service.