
SAP Afaria Installation Guide

Afaria 7 SP4
DOCUMENT ID: DC-IG-7-00-04
LAST REVISED: December 2013
Copyright © 2013 by SAP AG or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only,
without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the
materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx#trademark for additional trademark information and notices.
Contents
Installation User Assumptions ... 1
Technical Support ... 3
Locating Product Documentation ... 5
Afaria Architecture ... 7
  Afaria Server ... 8
  Additional Afaria Components ... 9
Installation Options ... 11
  Installing a Standard Environment ... 11
  Afaria Reinstallation ... 11
  Afaria Upgrade ... 12
  Afaria Appliance Deployment ... 12
System Requirements and Release Notes ... 13
Upgrading Afaria ... 15
  Eligible Upgrade Path and Environment ... 15
  Entering or Updating Your License Key ... 15
  Discontinued Platform Support ... 15
  Afaria Single Server Upgrade ... 16
  Afaria Server Farm Upgrade ... 17
  Automatic Actions ... 17
    Device IDs ... 17
    Assigned User Groups ... 18
    Substitution Variables ... 18
    Discontinued Channel Types ... 18
    Session Manager Channels ... 19
    iOS Device Configuration Policies ... 19
    Portal Application Packages ... 20
    Discontinued Access Policies ... 20
    Authentication ... 20
Preparing to Install Afaria ... 23
  Creating a Domain User Account for Operating Afaria ... 23
SAP Afaria Installation Guide iii
    Updating Passwords and Domain User Accounts ... 23
    Syntax Examples for Updating Afaria Server Password ... 24
  Database Preparation ... 24
    Estimating Your Database Size Requirements ... 24
    Creating an SQL Anywhere Database and User ... 25
    Configuring the SQL Anywhere Database for Operations ... 25
    Creating a SQL Server Database and User ... 26
    Configuring the SQL Server Database for Operations ... 27
  Apple Certificates for Managing Devices ... 27
    Obtaining Root and Intermediate Certificates ... 28
    Obtaining an APNS Certificate ... 28
  Obtaining a Google API Key ... 32
  Obtaining End-User Acceptance Message Details ... 33
Installing Afaria Server ... 35
  Entering or Updating Your License Key ... 35
  Verifying Software and Internet Connectivity Requirements ... 35
  Starting the Setup Program ... 36
  Defining Server Type and Directory ... 36
  Selecting Microsoft SQL Server Database ... 37
  Selecting SQL Anywhere Database ... 37
  Selecting Authentication Type ... 38
    Configuring LDAP Information ... 38
    Configuring Active Directory Information ... 40
  Enabling SSL for Device Communication ... 41
  Completing the Installation ... 41
  Installing Afaria Server Farm ... 42
Installing Afaria API Service and Administrator ... 43
  Verifying Afaria Administrator IIS Settings ... 44
  Changing the IIS Connection Timeout Value ... 45
Starting Operations and Server Configuration ... 47
  Logging in to Afaria Administrator ... 47
  Starting, Stopping, Restarting the Afaria Server ... 47
  Verifying Afaria Server Settings for Device Communication ... 48
  Verifying Afaria Server Settings After Installation ... 48
  Server Configuration for Installation and Management ... 48
    Afaria Managed Authentication ... 50
  User Role Management ... 50
    Permissions ... 50
    Viewing the Server Roles ... 53
    Adding or Editing a User Role ... 53
    Logging in as Added User ... 54
Afaria Server Messaging ... 55
  Addresses and Routing for SMS and SMTP Messages ... 55
  SMS and SMTP Message Address Syntax ... 55
  SMS Gateway ... 57
    Installing SMS Gateway ... 57
    Configuring Afaria Server for SMS Gateway ... 58
    Setting Up an SMS Modem ... 59
    Setting Up an SMPP Service ... 59
    Configuring SSL Connections for SMS Gateway ... 60
  Setting Up SMTP ... 60
Installation and Configuration for Enrollment Components ... 61
  Installing Enrollment Server - Basic ... 61
  Configuring Afaria Server for Basic Enrollment Server ... 63
  Configuring Afaria Server for Enrollment Codes ... 63
  Configuring Certificate Authority ... 64
    Configuring an Enterprise Root Certificate Authority ... 64
    Tuning the Certificate Authority for Afaria ... 66
  Configuring Certificate Authority Profiles ... 67
    Associating Certificate Authorities for Enrollment and Package Servers ... 68
  Importing Apple Root and Intermediate Certificates for MDM Management ... 69
  Configuring Afaria Server for iOS Notifications ... 69
  Configuring SSL Connections for Enrollment Server ... 71
  Adding iOS MDM Payload Signing for iOS ... 71
    Importing Apple Root and Intermediate Certificates for MDM Payload Signing ... 72
    iOS MDM Payload Signing Certificate Requirements ... 72
    Reinstalling the Enrollment Server for iOS MDM Payload Signing ... 73
    Configuring Afaria Server for iOS MDM Payload Signing ... 73
  Configuring the Relay Server for Certificate Authority and Enrollment Server Connections ... 74
Package Server ... 75
  Installing Package Server ... 75
  Configuring Afaria Server for Package Server ... 76
  Configuring SSL Connections for Package Server ... 76
Access Control for E-mail ... 79
  Setting Up Access Control for Email using Exchange PowerShell Commandlets ... 80
  Access Control for Local Email using Filter ... 81
    Access Control Components ... 82
    ISAPI Filter Components ... 82
    Installing Access Control Components on a Single Machine ... 83
    Installing Access Control Components on Multiple Machines ... 88
    Configuring Afaria for Access Control ... 96
Support for Network Access Control ... 105
  Installing and Starting Afaria NAC Service ... 106
  Adding an Account Name on Afaria NAC Server ... 107
Self-Service Portal ... 109
  Preparing to Install Self-Service Portal ... 109
  Installing the Self-Service Portal ... 109
  Afaria Self-Service Portal Address ... 111
  Configuring Enrollment Codes for Self-Service Portal ... 112
  Configuring Afaria Server for Self-Service Portal Acceptance Message ... 113
  Configuring Afaria Server for Self-Service Portal Request Timeout ... 114
  Editing Enrollment Codes for Self-Service Portal ... 114
  Removing Association of Enrollment Codes from Self-Service Portal ... 114
  Configuring Self-Service Portal iOS Consolidated Authentication ... 115
    Using iOS Consolidated Authentication with User Group Assignments ... 115
Relay Server ... 119
  Relay Server Executable Components ... 120
  Setting Up the Relay Server for Basic Operations ... 120
    Setting Up the Relay Server for Basic Operations with IIS 7.5 ... 120
    Setting Up the Relay Server for Basic Operations with IIS 6.0 ... 128
  Restarting the Relay Server Host ... 134
  Relay Server Support for Server Components ... 134
    Relay Server Configuration File Examples ... 136
    Configuring Relay Server for Afaria Server ... 137
    Configuring Relay Server for Enrollment Server ... 140
    Configuring Relay Server for Certificate Authority ... 141
    Configuring Relay Server for Access Control ... 142
    Configuring Relay Server for Package Server ... 143
  Launching the Relay Server Outbound Enabler ... 144
    Installing the Relay Server Outbound Enabler as a Windows Service ... 145
  Relay Server with SSL ... 145
  Relay-Server-Related Logging ... 146
Uninstalling Afaria Components ... 149
  Uninstalling Afaria Server ... 149
Installation User Assumptions
SAP Afaria installation requires knowledge of Windows servers, Microsoft IIS, database
servers, your user directory manager, and the device types you plan to support.
Technical Support
SAP provides industry-leading support and a variety of downloads to help you get the most out
of your products and solutions.
If you are a current Sybase customer, please use the following sites:
- For information about Sybase Customer Service and Support, visit www.sybase.com/support.
- If you have a technical support contract, you can locate your local technical support center at www.sybase.com/contactus/support.
- For SAP Afaria customers with a maintenance agreement, visit METS at http://frontline.sybase.com/support.
If you are a current or new SAP customer and need to log a technical support case, get updates on a current case, download the latest Afaria enhancements, or get access to the Afaria knowledgebase, please visit the SAP Service Marketplace at http://service.sap.com.
Locating Product Documentation
Locate documentation for help with installing and using the product. Documentation is on the
product installation image.
1. Start the setup program (setup.exe).
2. Click Documentation.
3. Click the item of interest.
Readme - includes information about finding system requirements and release notes
on the technical support site, and information about what is located on the product
installation image.
Installation guide - the English version of the Afaria Installation Guide.
Documentation folder - opens the \Documentation folder on the installation
image. All product documentation is available in English. Some documents may be
available in additional languages.
Afaria Architecture
Afaria uses a distributed architecture that provides complete functionality and enterprise-
grade security while managing mobile devices and computers.
The architecture uses the enterprise network behind your firewall for components that require
the highest security, uses the DMZ for proxy components, and uses public entities in the
Internet for publicly available services, such as commercial application markets.
Figure 1: Afaria Architecture Internet, DMZ, and Enterprise Network
Internet - devices and public entities.
Devices - user devices, such as smartphones and computers, that Afaria manages.
Devices either have an Afaria application installed or have a native capability that
Afaria uses to interact with the hosting device. Devices connect to Afaria servers or
their proxies using HTTP and SSL.
Public entities and services - entities that support device management and features,
such as the Apple Push Notification Service (APNS) for managing iOS devices, or a
commercial application market for Afaria application policies.
DMZ - relay or proxy servers, such as a Microsoft Forefront Threat Management Gateway
server or an SAP Sybase SQL Anywhere Relay Server, that enforce firewall rules and receive
device communication before relaying it to an Afaria server in the enterprise network. For
Access Control for Email, an optional feature, the e-mail proxy server hosts the access
control filter to allow or block incoming requests based on access control policy
information from Afaria. Using relay servers in the DMZ to relay communication is
optional, but recommended to increase enterprise network security.
Enterprise network - the component servers and the email network require connectivity to
the Afaria server, and sometimes the database. When relay servers are configured for the
components, Afaria servers receive incoming communication from the relay servers,
rather than directly from the Internet.
You can consolidate some or all of the server components onto fewer servers, or onto a
single server.
If devices are resident within the enterprise network, you can configure them to make
direct connections to Afaria servers.
Afaria Server
The Afaria Server program is central to Afaria operations. The Afaria Server has no user
interface; settings and features are available through the Afaria Administration console, a Web
application.
It can operate as a single, standalone server, or as multiple servers in a server farm. The server
communicates with the Afaria database and additional components or devices as necessary.
Standalone Afaria server - a single Afaria server operating as the only server in an
installation. The server has a one-to-one relationship with the database.
Afaria Server farm - multiple Afaria Servers operating together in an installation. The
servers have a many-to-one relationship with the database. A server farm includes one
master Afaria Server and one or more farm servers.
See also
Creating a Domain User Account for Operating Afaria on page 23
Database Preparation on page 24
Additional Afaria Components on page 9
Additional Afaria Components
The Afaria Administration console, database, and additional server components support the
Afaria server for operations.
Supporting components:
Afaria Administration console - the Afaria server interface, a Web UI that you can
access with any supported Web browser. Afaria uses role-based access policies to control
user rights. Rights are associated with functions in the user interface and with individual
tenants. Use the console to define server configuration and administrator roles; manage
devices, groups, and policies; and monitor system activity.
Afaria administrator (the individual) - the person who installs and operates the product.
Afaria database - SAP SQL Anywhere or Microsoft SQL database that stores procedures;
configuration properties; device, group, and policy data; and all message and activity
logging. For Afaria server components, access to the database is either direct to the
database or indirect through the Afaria server.
Certificate authority - certificate authority definitions are assigned to the enrollment and
package servers to support enrollment of iOS devices or to facilitate certificate
provisioning for application onboarding. You can also select CA profiles in embedded
SCEP requests in the Android and iOS configuration policies.
Enrollment Server - required for handheld device enrollment and iOS operations. The
enrollment server retrieves enrollment policies and starts the enrollment process for
devices requesting enrollment. For iOS, the enrollment server also delivers management
payloads.
Self-Service Portal - lets end users enroll their device in Afaria management, and lets
users view their device information and issue commands, such as resetting a password. The
portal is optional for enrollment and allows users to install application policies with
support from the package server.
Relay server - proxy for HTTP and HTTPS connections from the Internet to a component
server, such as the Afaria server or the enrollment server. The relay server is optional, but
recommended for increased enterprise network security.
Package Server - for application policies, serves Afaria application packages to devices.
For application onboarding, serves certificates and device provisioning data to calling
third-party applications. The portal package server does not serve commercial
applications to devices.
E-mail server - for Access Control for local e-mail, an optional feature, the server hosts the
access control PowerShell service, which polls the Afaria server for current access control
policies and delivers that information to the e-mail proxy in the DMZ. For Access Control
for hosted e-mail, e-mail hosting is on the Internet and does not include an e-mail server in
the enterprise.
See also
Installing Enrollment Server - Basic on page 61
Configuring Afaria Server for Package Server on page 76
Configuring Relay Server for Access Control on page 97
Configuring the Relay Server for Certificate Authority and Enrollment Server
Connections on page 74
Installation Options
Install Afaria on a server that does not have the software installed, or reinstall to a different
installation path.
Installing a Standard Environment
Complete a standard installation to install Afaria with a separately installed database, Afaria
server, and Afaria Administration console. A standard environment is appropriate for
installations with one or multiple Afaria servers.
Prerequisites
Before the installation, create a Windows user account for operations and establish your
database environment. Ensure that VC Runtime and .NET framework programs are installed.
Task
1. On your planned Afaria server, double-click on setup.exe. Select a language (English
or Japanese).
If your installation is planned to have only one Afaria server, the server is a standalone
server. If your installation is planned for a farm, the first server installed is the master or
main server.
2. After you have selected a language, enter your license key to complete the server
installation.
3. On your planned administrator server, complete the Afaria API Service and Afaria
Administration console installation.
4. Complete procedures for getting started with operations.
5. (Server farm) For each additional server, prepare for the install by creating a Windows user
account for operations, enter your license key, and complete the Afaria server
installation.
The additional servers in a farm are called farm servers.
6. Install and configure additional components such as the enrollment server and package server.
For a one-box setup, install the enrollment server and package server on the same machine
where the Afaria Administration console is installed. For a multi-box setup, install the
enrollment server and package server on different machines.
Afaria Reinstallation
Reinstallation is re-running an installation on an Afaria server or administrator server that
already has the same version of the product installed. Reinstalling is appropriate for repairing
problems associated with corrupted or deleted files, and for making certain types of changes to
your current installation. If only the enrollment server needs repair, you can reinstall only the
enrollment server; the same applies to the other components.
Reinstall Afaria when changing the database version or type, changing the authentication
type, adding newly licensed features or capacity, changing the directory location (default path
is \Program Files (x86)), or repairing the product. When changing the database, the new
database is empty and the former database is left in place.
Afaria Upgrade
Upgrade is running an installation on an Afaria server or administrator server that has a
version of the product installed that is on the supported upgrade path. An upgrade is defined as
upgrading the complete environment; the devices must upgrade along with the server and
administrator components. Do not plan to upgrade only the server without upgrading the
enrollment server and package server. You must upgrade all components that are
already installed.
Afaria Appliance Deployment
Deploy the Afaria Appliance on a VMware host with minimal interaction, as most of the
settings are preconfigured.
During the setup, you configure only a few computer-specific and security settings. Once
deployed, this installation supports device enrollment and management.
For deployment and configuration details for the Afaria Appliance, see document Afaria
Appliance Deployment Guide.
System Requirements and Release Notes
Before you install your Afaria components, ensure that your environment complies with the
system requirements. Complying with system requirements and reviewing the information in
the release notes helps you to take full advantage of features and operate your system
appropriately.
Complete system requirements are delivered with your order fulfillment. They are also
available in the product release notes available on the technical support site. The release notes
include information about known product issues.
Note: Using terminal services or comparable means is not a viable method for installation.
Upgrading Afaria
Before beginning an upgrade, validate all prerequisite and system requirements, create a
system backup, and close all browsers currently running the Afaria Administration console. A
system backup includes the database, application software, and application data. If a relay
server is used, shut down the relay server outbound enabler (rsoe) before beginning an upgrade.
Eligible Upgrade Path and Environment
Upgrade to 7 SP4 is supported from Afaria 7 SP2 and Afaria 7 SP3.
Entering or Updating Your License Key
Enter or update your license key any time you receive a new key. This defines the Setup menu
options available during install.
Perform the update on each Afaria server.
1. Start the setup program (setup.exe).
2. Select a language (English or Japanese).
3. On the Setup menu, click License Key.
4. Type your license key in the key box and click Licensing Details to review your licensing
information.
The maximum number of concurrent sessions supported per server depends on your
licensing. The ability to run the maximum number of licensed concurrent sessions
depends on the available memory, the speed, and the number of processors on your server.
5. Click Apply to save the license key and return to the Setup menu with your licensed
options available.
6. On the Setup menu, click Install > Install Server and complete the server installation.
The reinstallation updates the server to support the license change.
7. Click Next.
Discontinued Platform Support
Prepare for discontinued support of several device and channel types in Afaria 7.
Recommendations for items that have been discontinued in Afaria 7:
Device type Symbian - delete devices and data prior to upgrading.
Device type Java - delete devices and data prior to upgrading.
Data Security Manager for Windows
1. Unencrypt devices and uninstall Data Security Manager client.
2. Delete channels.
Data Security Manager for Handhelds
1. Unencrypt devices and uninstall Data Security Manager client.
2. Delete channels.
Antivirus/Firewall policies
1. Disable policies in group profiles to remove the Antivirus/Firewall client from devices.
2. Delete policies.
OMA DM policies
1. Run session to remove policies from devices.
2. Disable policies in group profiles.
3. Delete policies.
Application Control policies
1. Disable policies in group profiles to remove the Application Control client from
devices.
2. Delete policies.
License Manager - delete License Manager data and settings.
API object model - plan for discontinued use. A new API service model replaces the API
object model.
Afaria Single Server Upgrade
Upgrade an installation that includes a single Afaria server.
1. Stop Afaria services. Also stop other services like iPhone services, backend portal
services, and API services.
2. Upgrade the server.
Do not start the Afaria server service at this time.
3. Upgrade the Afaria Administration console application.
4. Start Afaria server service.
5. Upgrade additional servers, such as the enrollment server (formerly "provisioning
server").
6. Connect devices for upgrade.
Afaria Server Farm Upgrade
Upgrade an installation that includes multiple Afaria servers.
1. Stop all Afaria services on a master (main) and on all farm servers.
Do not start the main server and all farm servers until all components are upgraded.
2. Upgrade the main Afaria server.
Do not start the Afaria server service at this time.
3. Upgrade the farm servers.
Do not start the Afaria server service at this time.
4. Install the Afaria API and upgrade Afaria Administration console application.
5. Upgrade additional servers, such as the enrollment server (formerly "provisioning
server"), package server, Self-Service Portal.
6. Start Afaria server service on main server, then start the server service on the farm
server(s).
7. Start the remaining services on all server(s).
8. Verify Afaria Client Service is running on all farm servers and replication is successful.
9. Connect devices for upgrade.
Automatic Actions
Upgrading to Afaria 7 includes actions to support the new management model.
The Afaria management model has changed from one that used group profiles as a container
for assignments, monitor/action pairs, allowed channels, policies, and packages. The new
model is improved for usability to use only policies and groups to manage devices.
Device IDs
In Afaria 7, the device ID is a required field for new devices. It is a column in the device grid.
The upgrade to Afaria 7 processes device IDs and client names:
If the device ID is blank in Afaria 6.6 FP1 2011_06, then the upgrade copies client names
into the device ID fields.
If the device ID is non-blank in Afaria 6.6 FP1 2011_06, then the upgrade leaves the device
ID untouched.
Afaria customers who rely on the client name instead of the device ID for searches, custom
views, and other operations should consider the impact on their continued operations.
Assigned User Groups
In Afaria 7, user groups are available and NT/LDAP groups are no longer used.
The upgrade to Afaria 7 processes NT/LDAP groups. For each group profile with one or more
NT/LDAP groups assigned in Afaria 6.6 FP1 2011_06, the upgrade:
Creates a new user group that contains all of the NT or LDAP groups assigned to that
profile.
Names the group to reflect the NT/LDAP group names, such as "Upgrade_grp1_grp2."
In the group note field, includes the name and path of each NT/LDAP group.
If subsequent group profile processing has an identical set of NT/LDAP groups assigned, the
upgrade does not create a duplicate user group.
Substitution Variables
Afaria allows you to use system and directory substitution variables or create your own
user-defined variables. Variables are supported for many, but not all, fields.
For upgrading from the old, non-prefix syntax, there is a hierarchy for evaluating the variables.
They are:
1. System
2. User-defined
3. Directory
Note: On upgrade, if any invalid directory variable names are detected, a warning message is
displayed. The message lists (by tenant) any variables with invalid names, and offers to
continue or abort the install.
Discontinued Channel Types
In Afaria 7, all channels other than Session Manager channels are discontinued. Inventory
Manager and Configuration Manager channels are discontinued as channels but the features
remain present in Afaria 7 configuration policies.
The upgrade to Afaria 7 processes Inventory and Configuration Manager channels:
Creates an Afaria configuration policy for each channel, using a naming convention that
reflects its origin:
  If it was assigned to a group profile: <ChannelName>-<ProfileName>-<ChannelID>
  If it was not assigned to a group profile: <ChannelName>
Description is preserved.
Priority value is preserved.
For Windows Mobile, BlackBerry, and Windows devices with schedules, new "best fit"
schedules are created.
Authentication and published states are preserved.
The upgrade to Afaria 7 processes the remaining discontinued channels:
Backup Manager: deletes any existing Backup Manager channels; leaves backed-up data in
the ABD folder.
Document Manager: deletes any existing Document Manager channels; leaves data in source
locations; leaves files in the differencing and compression caches, which eventually age out.
Software Manager for Windows, Windows Mobile, Symbian, and Palm: deletes any existing
Software Manager channels; removes package tracking information.
Patch Manager: deletes any existing Patch Manager channels; deletes the patches pulled
down from the Microsoft site to the path configured on the Afaria server.
Session Manager Channels
In Afaria 7, all Session Manager channels continue, but are delivered in session policies.
The upgrade to Afaria 7 processes Session Manager channels:
Create a session policy for each channel, using a naming convention that reflects its origin:
  If it was assigned to a group profile: <ChannelName>-<ProfileName>-<ChannelID>
  If it was not assigned to a group profile: <ChannelName>
Description is preserved.
Priority value is preserved.
For Windows Mobile, BlackBerry, and Windows devices with schedules, new "best fit"
schedules are created.
Channel encryption is discontinued in Afaria 7. Use secure sessions instead.
Authentication, published, and default channel states are preserved.
iOS Device Configuration Policies
In Afaria 7, all iOS Device Configuration policies continue, but become configuration
policies.
The upgrade to Afaria 7 processes iOS device configuration policies:
Create a configuration policy for each iOS device configuration policy, using a naming
convention that reflects its origin:
  If it was assigned to a group profile: <PolicyName>-<ProfileName>
  If it was not assigned to a group profile: <PolicyName>
Description is preserved.
Priority value is preserved.
Group assignment is preserved.
A policy with an assignment is published.
A policy without an assignment is unpublished.
Enabled or disabled state in group profile is preserved as enabled or disabled in the
payload.
Portal Application Packages
In Afaria 7, all portal application packages continue, but become application policies.
The upgrade to Afaria 7 processes portal application packages:
Create an application policy for each package, using a naming convention that reflects its
origin:
  If it was assigned to a group profile: <AppName>-<ProfileName>
  If it was not assigned to a group profile: <AppName>
Description is preserved.
Priority value is preserved.
Group assignment is preserved.
A package with an assignment is published.
A package without an assignment is unpublished.
Required or optional state is preserved.
Enabled or disabled state in group profile is preserved as published or unpublished in
policy, respectively.
Discontinued Access Policies
In Afaria 7, access policies are discontinued and replaced by roles. An upgraded system does
not upgrade access policies to roles.
Authentication
When upgrading to SAP Afaria SP4, Afaria automatically enables authentication in the server
configuration for each tenant.
This authentication requires that users provide credentials when devices connect to SAP
Afaria. This might cause devices to prompt users for credentials in situations when devices did
not prompt for credentials prior to SAP Afaria SP4. You can configure the authentication
settings on the Server > Configuration > Security page in the administrative console.
Enrollment and package servers that required authentication prior to SAP Afaria SP4, still
require authentication after the upgrade.
The upgrade should not affect authentication for the clients that connect to the SAP Afaria
server because authentication is configured at the policy level in addition to on the server. For
example, if an administrator does not want Android xComms sessions authenticated and the
administrator did not previously have any channels configured for authentication, then
enabling the authentication setting will not change this.
If an administrator configured a channel to require authentication and enabled authentication
at the server, but later disabled the authentication on the server prior to upgrading to SAP
Afaria SP4, Afaria will automatically enable authentication at the server configuration. As a
result, Afaria starts authenticating after the upgrade.
Preparing to Install Afaria
Before starting Afaria installation and configuration, prepare for the installation process by
reviewing the system requirements found in the latest version of the release notes, preparing
the database, and obtaining Apple Certificates.
Creating a Domain User Account for Operating Afaria
Create a domain Windows account to install the Afaria server, farm server, and related servers.
If applicable, the account is also used to run the Windows service.
The main Afaria server, farm servers, and other related servers and components must use the
same domain user account name and password.
Note: If you plan on installing SSP with LDAP, ensure the domain user you create has
permission to access the Active Directory server.
1. On the planned server, create a Windows domain user account with this attribute:
Log on as a service: required if the server runs as a Windows service, so that Afaria
starts automatically after a reboot.
2. On the planned server, add the domain user to the local Administrators group.
3. Record the account credentials you will use when prompted as you install the Afaria
server, Afaria Administration console, and additional components.
4. (Active Directory environment) On the domain controller, update the user account
properties (AccountName > Properties > Account > Log On To) to ensure the Log On
To list of log on workstations is either unrestricted or includes the planned Afaria
Administrator server and all planned Afaria Administrator browser computers.
Updating Passwords and Domain User Accounts
As needed and without reinstalling the Afaria server, change the domain user account and
password associated with the Afaria server service, or the user password associated with the
database.
The main Afaria server and all farm servers must use the same user account name and
password.
1. Close all Afaria programs.
2. Using a command line, run the setup program (setup.exe) with parameters to change
the service account or password.
The setup program accepts parameters in any order. Available parameters:
-Maintenance: required for all commands.
-ServiceAccount=name: required if changing the user account and password associated
with the Afaria server service.
-ServicePassword=password: required if changing the user account and password
associated with the Afaria server service.
-DatabasePassword=password: required if changing the database user account password.
3. Allow the program to run to completion.
The setup program runs silently, and may take several minutes to complete. You may not
know when it has finished unless you watch the task list or run the setup from a batch file.
To check for errors, see C:\silent.log.
Syntax Examples for Updating Afaria Server Password
When updating the user account and password on an Afaria server, the Afaria setup program
accepts parameters in any order.
Examples:
setup -Maintenance -DatabasePassword=password
setup -Maintenance -ServiceAccount=name -ServicePassword=password
setup -Maintenance -DatabasePassword=password -ServicePassword=password2
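Because the run is silent and the only evidence is C:\silent.log, it helps to script the change and inspect the log afterward. The following PowerShell script is an added example (not part of Afaria or this guide). It assumes setup.exe is in the current directory and that lines containing "error" or "fail" in silent.log indicate a failure; neither the log format nor the setup exit codes are documented here, so both are assumptions.

```powershell
# Added example, not Afaria code: run setup.exe -Maintenance to change the service
# account, wait for the silent run to finish, then inspect C:\silent.log.
# Assumptions: setup.exe is in the current directory; silent.log lines containing
# "error" or "fail" indicate a failure (the log format and the setup exit codes are
# not documented in this guide).
param(
    [string]$SetupPath = '.\setup.exe',
    [string]$LogPath   = 'C:\silent.log'
)

# Prompt for the credential so the password is never stored in this script or in history.
$cred  = Get-Credential -Message 'Afaria service account (DOMAIN\user)'
$plain = $cred.GetNetworkCredential().Password
# Arguments are passed unquoted, so whitespace or quotes would split or break the value.
if ($plain -match '[\s"]') { throw 'Choose a service password without whitespace or quotes' }

# Set the previous log aside so a stale file is not mistaken for this run's result.
if (Test-Path $LogPath) {
    Rename-Item -Path $LogPath -NewName ('silent.{0:yyyyMMddHHmmss}.log' -f (Get-Date))
}

$arguments = @('-Maintenance', "-ServiceAccount=$($cred.UserName)", "-ServicePassword=$plain")
# Caveat: while setup.exe runs, the password is visible in its command line to anyone who
# can list processes on this host (for example via Get-CimInstance Win32_Process).
$proc  = Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait -PassThru -NoNewWindow
$plain = $null

if (-not (Test-Path $LogPath)) {
    throw "setup.exe exited with code $($proc.ExitCode) but did not write $LogPath"
}
$findings = Select-String -Path $LogPath -Pattern 'error|fail'
if ($findings) {
    Write-Warning "setup.exe exit code $($proc.ExitCode); $LogPath reports:"
    $findings | ForEach-Object { Write-Warning $_.Line }
    exit 1
}
Write-Host "setup.exe exit code $($proc.ExitCode); no errors found in $LogPath"
```

Close all Afaria programs before running it, and run it on the main server and on every farm server, since they must share the same account and password. To change only the database password, replace the argument list with '-Maintenance' and "-DatabasePassword=..." (remember that the database password must not contain a semicolon).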
Database Preparation
The Afaria server uses a database to log system activity and data. All servers in a farm access
the same database. Unless you install the Afaria Appliance, you must install and configure
your database before installing the Afaria server; the Afaria Appliance includes database
installation and configuration.
The product supports using SAP Sybase SQL Anywhere or Microsoft SQL Server for the
database; however, configure only one type of database.
Refer to the system requirements for complete database support information.
Estimating Your Database Size Requirements
To understand your weekly disk space requirements for operations with all logging enabled,
estimate your database size. Plan disk availability based on requirements.
1. Estimate values:
Number of sessions per day
Average session size
2. Apply the estimates to the daily formula for estimated growth per day:
(# of sessions per day) * (average session size) = estimated growth per day
3. Apply the daily estimate to the weekly formula for estimated growth per week:
(estimated growth per day) * 7 = estimated growth per week
For example, to determine the weekly disk space growth for 1000 daily sessions with an
average session size of 60KB:
(1000 sessions per day) * (60KB average session size) * 7 days = 420MB
So in this example, the database is estimated to grow by 420MB per week.
Consider these items for calculating estimates:
Add 1MB of data per week to the estimate for each device that reports inventory.
Session channels with 100 events add an average of 40KB in database growth per session
in additional log data.
Creating an SQL Anywhere Database and User
If you plan to use an SQL Anywhere database with Afaria, create the database for operations,
and an associated user to provide a user context to access the database.
The database name should remain the same throughout the Afaria server installation and
configuration process.
1. Create a database. Use default configuration settings with the exception of these
attributes:
Install jConnect metadata support: disabled.
Page size: 8192 bytes (8 KB) minimum.
2. Create a database user for the Afaria service to use for database access. Assign the database
administrator (DBA) authority to the user.
3. Connect to the new database using these network database server properties:
Identification: the database user name and password that you created for database access.
Database: the database server name and the start line dbsrv11.exe, as well as the
database name and file.
Do not start the database using the start line dbeng11.exe, which is for non-network
database servers and does not support enough database connections for the Afaria
service.
SAP strongly recommends that you have only one instance of dbsrv11.exe per
database.
Configuring the SQL Anywhere Database for Operations
For SQL Anywhere operations, prepare your database environment for sustainability and
availability.
To create a Windows service that automatically starts the database whenever the Afaria server
is restarted:
1. In Sybase Central, select the Services tab and run the New Services wizard.
2. Name the service.
3. Select the Network Database Server service type.
4. Accept the default executable, dbsrv11.exe.
5. Specify the parameters to run only the TCP/IP network driver (-x) for the database name
and path (-n).
For example, -x tcpip -n afariadb c:\afaria\afaria.db
6. Select default Local system account and Allow service to interact with desktop for
running the service.
7. Select start-up type Automatic.
8. Select to restart the service now.
Upon completion of the wizard, create a system event to back up and truncate the log. SAP
recommends a log size of 50MB for an initial setting.
Creating a SQL Server Database and User
For Microsoft SQL Server database operations with Afaria, create the database and an
associated user to provide a user context to access the database.
The database name should remain the same throughout the Afaria server installation and
configuration process.
1. Create a database with these attributes:
Datafiles: Automatically Grow File, Unrestricted Filegrowth.
Transaction Log: Minimum size 25 MB, Automatically Grow File, Unrestricted
Filegrowth.
2. Create a role called db_executor with the execute right.
3. For the user you plan to use for Afaria operations with the database, ensure the user has
these attributes for your database:
Default schema: dbo
Role: db_ddladmin
Role: db_datawriter
Role: db_datareader
Role: db_executor
Password: does not contain the semicolon (;) character, which is a connection-string
delimiter
Example SQL script for creating a SQL user for database operations
This example script creates a new role with the execute right for a database named Afaria and
assigns the user JBrowne all the required attributes the user needs for Afaria operations.

    --For a database named Afaria and a login named JBrowne, create a user named
    --JBrowne and grant the user the appropriate rights.
    USE Afaria
    GO
    --Create a new role for executing stored procedures
    CREATE ROLE db_executor
    --Grant stored procedure execute rights to the role
    GRANT EXECUTE TO db_executor
    GO
    --Assign user to dbo and required roles
    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'JBrowne')
    BEGIN
        CREATE USER [JBrowne] FOR LOGIN [JBrowne] WITH DEFAULT_SCHEMA = dbo
        EXEC sp_addrolemember db_ddladmin, JBrowne
        EXEC sp_addrolemember db_datawriter, JBrowne
        EXEC sp_addrolemember db_datareader, JBrowne
        EXEC sp_addrolemember db_executor, JBrowne
    END;
When you install the Afaria server, use the credentials from a user like this one if you choose
SQL authentication for the Afaria database. If using Windows integrated authentication
instead of SQL authentication, the Windows user requires the same rights and roles.
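The roles above are the complete set the Afaria user needs; membership in db_owner or a server-level role would grant far more than the service requires. The following PowerShell script is an added example (not part of Afaria or this guide) that checks a database user against that list. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that you connect with Windows authentication, and that the database and user are named Afaria and JBrowne as in the script above.

```powershell
# Added example, not Afaria code: verify the Afaria database user holds exactly the
# documented roles and default schema, and that db_executor carries only EXECUTE.
# Assumes the SqlServer module (Invoke-Sqlcmd) and Windows authentication to the instance.
param(
    [string]$Instance = 'localhost',
    [string]$Database = 'Afaria',
    [string]$User     = 'JBrowne'
)
if ($User -match "'") { throw 'User name must not contain a single quote' }  # it is spliced into T-SQL below

$expectedRoles = @('db_ddladmin', 'db_datawriter', 'db_datareader', 'db_executor')

$roleQuery = @"
SELECT r.name AS RoleName
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$User';
"@
$schemaQuery = "SELECT default_schema_name FROM sys.database_principals WHERE name = N'$User';"
$executorQuery = @"
SELECT p.class_desc, p.permission_name, p.state_desc
FROM sys.database_permissions p
JOIN sys.database_principals r ON r.principal_id = p.grantee_principal_id
WHERE r.name = N'db_executor';
"@

$roles  = @(Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $roleQuery | ForEach-Object RoleName)
$schema = (Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $schemaQuery).default_schema_name
$grants = @(Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $executorQuery)

$problems = @()
$missing = @($expectedRoles | Where-Object { $_ -notin $roles })
$extra   = @($roles | Where-Object { $_ -notin $expectedRoles })
if ($missing.Count) { $problems += "missing roles: $($missing -join ', ')" }
if ($extra.Count)   { $problems += "roles beyond what Afaria needs (db_owner would be a red flag): $($extra -join ', ')" }
if ($schema -ne 'dbo') { $problems += "default schema is '$schema', expected dbo" }

# db_executor should hold a single database-scoped EXECUTE grant and nothing else.
$executorOk = ($grants.Count -eq 1) -and ($grants[0].class_desc -eq 'DATABASE') -and
              ($grants[0].permission_name -eq 'EXECUTE') -and ($grants[0].state_desc -eq 'GRANT')
if (-not $executorOk) { $problems += 'db_executor permissions are not exactly one EXECUTE grant at database scope' }

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "User $User in $Database matches the documented Afaria rights."
```

Run it after the creation script, and again after any later permission change, so that a well-meant "fix" such as adding the user to db_owner does not go unnoticed. If you use Windows integrated authentication for Afaria, point $User at the Windows principal's database user name instead.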
Configuring the SQL Server Database for Operations
For Microsoft SQL Server operations, prepare your database environment for sustainability
and availability.
Verify that logs are truncated on checkpoint:
1. Right-click the database and select Properties.
2. In the Properties window, click the Options tab.
3. In the Recovery section, click the Model list box and select Simple.
Apple Certificates for Managing Devices
Using Afaria to manage iOS devices requires an Apple Push Notification Service (APNS)
certificate, an Apple, Inc. Root certificate, and an Apple Application Integration certificate.
These certificates allow Afaria to communicate securely with iOS devices and uniquely
identify your enterprise Afaria installation as a trusted vendor for mobile device management
(MDM).
An enterprise uses a Macintosh or Windows computer, the Apple Push Certificates Portal, and
the SAP Apple CSR signing site to obtain the push, root, and application integration
certificates, then installs the certificates for Afaria operations.
See also
Configuring Afaria Server for iOS Notifications on page 69
Obtaining Root and Intermediate Certificates
Once per Afaria environment, obtain root and application integration certificates to install in
your environment, so that any APNS certificates you or your tenant customers install have a
valid chain to the root. You will install the certificates when you are installing and configuring
for iOS operations.
1. Go to the Apple Root Certification Authority site at http://www.apple.com/
certificateauthority.
2. Download Apple Inc. Root Certificate.
3. Download Application Integration.
See also
Completing and Exporting the APNS Certificate on page 31
Obtaining an APNS Certificate
For a system tenant or non-system tenant, obtain an APNS Certificate to validate your iOS
MDM request to the APNS service. You will install the certificate when you configure the
Afaria server for iOS notifications.
Obtain a certificate based on the Afaria tenant implementation:
If you are an enterprise using only system tenant, obtain one Apple push certificate for the
system tenant.
If you are an enterprise using multiple tenants to separate operations, obtain one Apple
push certificate for the system tenant.
If you are a hosting enterprise using multiple tenants to separate multiple customers,
ensure each customer obtains their own Apple push certificate for their tenant. Do not
obtain a push certificate for the system tenant, as it will become the backup certificate for
tenants that do not obtain a certificate.
Requirements for Obtaining an APNS Certificate
To obtain an Apple Push Notification Service (APNS) certificate, you must have a Web
browser and an Apple ID.
Computer with administrator rights: Macintosh OS X workstation or Windows server.
Web browser: Safari or Mozilla Firefox.
Apple ID: as issued to your enterprise (recommended) or to you as an individual by Apple,
to associate with the certificates. An Apple iOS Developer Program membership is not
required to obtain an Apple ID.
General Apple Certificate Tasks for iOS MDM
From your Mac or Windows server and the SAP Apple CSR signing site, create your
certificate signing request (CSR) to deliver to Apple and get a push certificate and download
the root and application integration certificates.
1. Creating a Certificate Signing Request
On either a Macintosh or Windows server, start the certificate signing request that will
become your enterprise's APNS certificate (push certificate). Use the same server to finish
the request later.
2. Getting Your CSR Signed by SAP
As a required part of the Apple certificate process, submit your enterprise CSR to the SAP
Apple CSR signing site.
3. Getting an APNS Certificate from the Apple Portal
Get an Apple-signed APNS certificate to install in Afaria for authorizing your Afaria-
based Apple Push Notification Service requests.
4. Completing and Exporting the APNS Certificate
On the Macintosh or Windows server that originated the certificate signing request,
complete the request and export the APNS certificate for Afaria operations.
5. Obtaining Root and Intermediate Certificates
Once per Afaria environment, obtain root and application integration certificates to install
in your environment, so that any APNS certificates you or your tenant customers install
have a valid chain to the root. You will install the certificates when you are installing and
configuring for iOS operations.
Creating a Certificate Signing Request
On either a Macintosh or Windows server, start the certificate signing request that will become
your enterprise's APNS certificate (push certificate). Use the same server to finish the request
later.
See also
Getting Your CSR Signed by SAP on page 30
Creating a Certificate Signing Request on Macintosh
On any Macintosh server in your enterprise, use the Keychain Access utility to create your
CSR.
1. On your server, open Applications > Utilities > Keychain Access.
2. In the left pane, select Keychain > Login, and Category > Certificates.
3. From the menu, select Keychain Access > Certificate Assistant > Request a Certificate
from a Certificate Authority.
4. On the Certificate Information page, enter the e-mail address and common name, select
Save to disk and Let me specify key pair information, then click Continue.
5. Save the file (.CSR) and record the location.
The CSR request is created and ready for signing.
Creating a Certificate Signing Request on Windows
On any Windows server in your enterprise, use the IIS Manager utility to create your CSR.
1. On your server, open Internet Information Services (IIS) Manager.
2. From the Connections column, select the server.
3. In the center pane, in the IIS section, double-click Server Certificates.
4. In the right pane, click Create Certificate Request.
5. On the Distinguished Name Properties page, enter:
Common name: name of the person generating the request.
Organization: legally registered name of your organization.
Organizational unit: name of the department within the organization.
City/locality: the organization's city.
State/province: the organization's state or province.
Country/region: two-letter ISO code for the organization's country.
6. On the Cryptographic Service Provider Properties page, select:
Cryptographic Service Provider: Microsoft RSA SChannel.
Bit length: 2048 or greater.
7. On the File Name page, define the path and file name (.TXT).
8. Save the file and record the location.
The CSR request is created and ready for signing.
Getting Your CSR Signed by SAP
As a required part of the Apple certificate process, submit your enterprise CSR to the SAP
Apple CSR signing site.
1. Go to the Sybase Mobile Enterprise Technical Support site's Apple CSR signing page at
http://frontline.sybase.com/support/applecert.asp.
2. Upload your CSR certificate to the Web site.
The CSR may be in .CSR (Macintosh) or .TXT (Windows) format.
3. After the upload is complete, download your signed CSR (.SCSR).
The signed CSR is ready for upload to the Apple Push Certificates Portal site to get an APNS
Certificate.
See also
Creating a Certificate Signing Request on page 29
Getting an APNS Certificate from the Apple Portal
Get an Apple-signed APNS certificate to install in Afaria for authorizing your Afaria-based
Apple Push Notification Service requests.
1. From your computer and using a Web browser (SAP recommends Safari) go to the Apple
Push Certificates Portal site at https://identity.apple.com/pushcert.
2. Log in using your Apple ID credentials.
3. Click Create a Certificate.
4. After accepting the terms of use, click Choose File and select the signed CSR (.SCSR)
received from the SAP Apple CSR signing site.
5. Click Upload.
After uploading your certificate, a new Apple-signed push certificate for mobile device
management for vendor Sybase appears on the Certificates for Third-Party Servers page.
6. Click Download to save it locally in .PEM format.
The APNS certificate is now in an incomplete state. Complete the certificate on the server that
originated the CSR.
Completing and Exporting the APNS Certificate
On the Macintosh or Windows server that originated the certificate signing request, complete
the request and export the APNS certificate for Afaria operations.
See also
Obtaining Root and Intermediate Certificates on page 28
Completing and Exporting the APNS Certificate on Macintosh
On the Macintosh server that originated the certificate signing request, complete the request
and export the APNS certificate for Afaria operations.
1. On your server, locate the APNS certificate file (.PEM), as downloaded from the Apple
Push Certificates Portal.
2. Double-click the file to install and complete the certificate request.
The Keychain Access utility displays.
3. In the Keychain Access utility, in the left pane, select Keychain > Login, and Category >
Keys.
4. Verify that the certificate, identified by the common name you assigned it, appears with a
key value in the Kind column.
5. Right-click the private key and select Export.
6. Save the file in .p12 or .pfx format.
7. Enter and record a password of your choice to export the certificate.
You now have an APNS certificate from Apple, ready to be added to the Afaria server.
Completing and Exporting the APNS Certificate on Windows
On the Windows server that originated the certificate signing request, complete the request
and export the APNS certificate for Afaria operations.
1. On your server, locate the APNS certificate file (.PEM), as downloaded from the Apple
Push Certificates Portal.
2. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
3. From the Connections column, select the server.
4. In the center pane, in the IIS section, double-click Server Certificates.
5. In the right pane, click Complete Certificate Request.
6. Select the .pem certificate from the Apple Push Certificates Portal.
7. Enter a common name for tracking the certificate and click OK.
8. To export the APNS certificate to the correct format, right-click the certificate and select
Export.
9. Specify a path to save the certificate file in .pfx format.
10. Enter a password, and then click OK.
You now have an APNS certificate from Apple, ready to be added to the Afaria server.
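Before adding the exported file to Afaria, it is worth confirming that it actually contains the private key (an export taken on a machine other than the one that created the CSR will not), that it is not about to expire, and that it chains to the Apple Inc. Root certificate through the Application Integration certificate you downloaded earlier. The following PowerShell script is an added example (not part of Afaria or this guide); it works for either a .pfx or a .p12 file. The file names for the two Apple certificates are assumptions, and the 30-day expiry warning threshold is a chosen value.

```powershell
# Added example, not Afaria code: sanity-check an exported APNS .pfx/.p12 before adding
# it to Afaria: private key present, not close to expiry, looks like an MDM push
# certificate, and chains to the Apple root via the Application Integration certificate.
# File names below are assumptions; use the files you downloaded from the Apple CA page.
param(
    [Parameter(Mandatory)][string]$PfxPath,
    [string]$AppleRootPath      = '.\AppleIncRootCertificate.cer',
    [string]$AppIntegrationPath = '.\AppleApplicationIntegrationCA.cer'
)
$x509 = 'System.Security.Cryptography.X509Certificates'
$password = Read-Host -AsSecureString -Prompt 'Password used when exporting the .pfx'

# .NET resolves relative paths against its own working directory, so resolve them first.
# EphemeralKeySet (.NET Framework 4.7.2+) keeps the private key out of the user's key store.
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$pushCert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $PfxPath).Path, $password, $flags
$root     = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $AppleRootPath).Path
$appInt   = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $AppIntegrationPath).Path

$problems = @()
if (-not $pushCert.HasPrivateKey) {
    $problems += 'no private key: complete the request on the server that created the CSR, then export again'
}
if ($pushCert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "expires $($pushCert.NotAfter); renew it through the Apple Push Certificates Portal"
}
# MDM push certificates carry their push topic (com.apple.mgmt...) in the subject.
if ($pushCert.Subject -notmatch 'com\.apple\.mgmt') {
    $problems += "subject '$($pushCert.Subject)' does not look like an Apple MDM push certificate"
}

$chain = New-Object "$x509.X509Chain"
$null = $chain.ChainPolicy.ExtraStore.Add($appInt)
$null = $chain.ChainPolicy.ExtraStore.Add($root)
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# The Apple root may not be in this machine's trusted store yet: build the chain anyway,
# then check ourselves that it terminates at the root certificate we supplied.
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$null = $chain.Build($pushCert)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) {
    $problems += "chain ends at '$($top.Subject)', not at the Apple Inc. Root certificate"
}
$chain.ChainStatus |
    Where-Object { $_.Status -ne 'NoError' -and $_.Status -ne 'UntrustedRoot' } |
    ForEach-Object { $problems += "chain status: $($_.StatusInformation.Trim())" }

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "OK: $($pushCert.Subject) has a private key, expires $($pushCert.NotAfter), chains to the Apple root"
```

If the private-key check fails, the .pem was completed on a different machine than the one that generated the CSR; repeat the completion step on the originating server. Keep the export password with the file, since Afaria asks for it when you install the certificate.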
Obtaining a Google API Key
To create enrollment policies for Afaria device enrollment, the Google URL Shortener API
must be accompanied by an API key that identifies your organization as the calling entity.
If you are planning to use TinyURL as your only URL shortening service, you need not have a
Google API key.
1. Go to developers.google.com
2. In the Developer Tools group, click API Console.
3. After logging in, create a new API project or using an existing project, navigate to the list
of all services, and activate the URL Shortener API.
4. Navigate to the API Access page, locate the Simple API Access item.
5. Record the API key for use in Afaria configuration for enrollment codes.
Next
Google APIs Web site http://code.google.com/apis/console
Google URL Shortener API getting started https://developers.google.com/url-shortener/v1/
getting_started
See also
Configuring Afaria Server for Enrollment Codes on page 63
Obtaining End-User Acceptance Message Details
Obtain the end-user acceptance message to appear on the Self-Service Portal.
Contact the customer's legal department or other relevant sources to obtain a copy of the
acceptance message, in HTML or text format.
See also
Configuring Afaria Server for Self-Service Portal Acceptance Message on page 113
Installing Afaria Server
Install the Afaria server as the first server component in your installation.
This section is intended as a sequence of steps to follow from start to finish.
Entering or Updating Your License Key
Enter or update your license key any time you receive a new key. This defines the Setup menu
options available during install.
Perform the update on each Afaria server.
1. Start the setup program (setup.exe).
2. Select a language (English or Japanese).
3. On the Setup menu, click License Key.
4. Type your license key in the key box and click Licensing Details to review your licensing
information.
The maximum number of concurrent sessions supported per server depends on your
licensing. The ability to run the maximum number of licensed concurrent sessions
depends on the available memory, the speed, and the number of processors on your server.
5. Click Apply to save the license key and return to the Setup menu with your licensed
options available.
6. On the Setup menu, click Install > Install Server and complete the server installation.
The reinstallation updates the server to support the license change.
7. Click Next.
Verifying Software and Internet Connectivity Requirements
(Optional) Verify whether the server meets the software requirements for installing one or
more Afaria Server components, and supports some of the Internet connectivity requirements.
The Internet connectivity checks include:
Afaria Server: Google Cloud Messaging service
Afaria Server: Apple APNS Push service
Afaria Server: Apple APNS Feedback service
Afaria API Server: Tiny URL service
Afaria API Server: Google URL service
1. Start the setup program (setup.exe).
2. Click Readiness Checker.
If the checker returns failure on any of the software checks, and you proceed without fixing
them, the installation fails. If the checker returns failure on some Internet connectivity
checks, the installation proceeds.
You can also run the checker as a standalone utility by running AfariaChecker.exe,
which is available in the Utility folder of the Afaria product image. You should only
continue with the installation when the Readiness checker result shows pass.
Starting the Setup Program
Start the Afaria Server setup program and install an Afaria Server.
Prerequisites
Install, configure, and start your database for Afaria Server. Establish a user account for
installing and operating Afaria Server.
Task
1. Start the setup program (setup.exe).
2. On the setup menu, click Install.
3. Click Install Afaria Server.
The End User License Agreement dialog displays.
4. Click Yes or No to indicate your acceptance or rejection, then click Next to continue with
the installation wizard, and specify the server installation type (master or farm) and
directory.
The installation continues only when you accept the agreement.
Defining Server Type and Directory
Select options for master or standalone server setup, directory selection, and service account.
1. On the Confirm Master or Standalone Server install page, click Next.
If you are installing a main or standalone server, continue selecting the authentication type.
If you are installing a farm server, complete the installation.
2. On the Directory Selection dialog, accept the default location or click Browse to navigate
to a new location and click Next to continue with the installation wizard, and database
definition.
The default directory is C:\Program Files (x86)\Afaria\.
Selecting Microsoft SQL Server Database
If you selected Microsoft SQL Server, continue with the Microsoft SQL Server Setup dialog.
1. On the Select Database Engine dialog, select the applicable database.
2. Select Microsoft SQL Server.
3. On the Service Account dialog, specify the account name and password you created for
operating Afaria.
This account should be the same domain account that is used across Afaria Servers and
components.
4. Select either Windows Authentication to use a Windows administrator account with SQL
Server privileges or SQL Server Authentication to use the SQL Server account with its
associated password that you set up for Afaria.
5. Click Next to continue.
6. On the SQL Server Database dialog, select the database you configured for Afaria.
If you are installing a farm server, you must select the database for the existing Afaria
Server.
If you are reinstalling the Afaria Server as standalone, you must select a new database.
7. Continue with selecting server authentication options.
Selecting SQL Anywhere Database
If you selected SQL Anywhere, continue with the SQL Anywhere Server Setup dialog.
Prerequisites
If you are using SQL Anywhere server, manually restart the database server to pick up the
most up-to-date client drivers.
The UTF-8 character set is required in a double byte environment.
Task
1. On the SQL Anywhere Server Database dialog, enter the Database name and click
Next.
2. Select the SA Server Name from the list.
The list populates only with names of SQL Anywhere servers on the same subnet. To
locate a SQL Anywhere server outside the subnet, select Edit Host/Port. The Host name
may be a machine name or IP address.
3. Select a login type and click Next to continue:
Integrated login: select this option to integrate your Windows login with your SQL
Anywhere login.
SA user login: enter the login information for the database user with DBA authority
that you created for your Afaria database.
4. On the SQL Anywhere Server database dialog, select the database you created, then click
Next to continue.
The Afaria installation program validates the database you specify. If you type the
database name incorrectly or type the name of the wrong database, you may see a
Request to start/stop database denied error.
5. Continue with selecting server authentication options.
Selecting Authentication Type
Select the user authentication type for connecting devices; either Windows authentication or
Microsoft SQL Server authentication. Local authentication is always enabled.
1. In the SQL Set Up dialog, select the applicable authentication type and click Next to
continue.
a) Select Windows Authentication, then select one of:
NT domain-based: for local authentication, retain <none> as the domain. For NT
domain authentication, enter the domain. As the administrator, you must also be a
member of this domain. Use commas to separate multiple domains. Click Next.
LDAP-based: click Configure LDAP. See Configuring LDAP Information.
Active Directory: click Configure Active Directory. See Configuring Active
Directory Information.
b) Select SQL Server Authentication and define the SQL Server login and authentication.
The username and password should be in the domain, and be the same name that is used
throughout the installation of Afaria and its components. Click Next.
2. Complete the installation.
If you do not choose a domain during installation, you can do so later on the Server
Configuration > Properties > Security page.
To allow users to use blank passwords, additional operating system settings are
required. See the Administration Reference Guide.
Configuring LDAP Information
Configure LDAP settings to support LDAP user authentication and channel assignments.
1. In the LDAP Server Login Information dialog, enter the login information.
Server Address: enter your LDAP server address as either a fully qualified domain
name, such as Afaria.mycompany.com, or as an IP address.
Port Number: Afaria automatically defaults to the LDAP standard port 389. If you
enter another port number, you must enter a number greater than 1024.
Server Type: select your LDAP server type.
Use SSL: select to enable SSL communication with your LDAP server.
Note: If the root CA certificate is not imported to the trusted root store when you select
the option to enable SSL, a message is displayed:
You must enter a valid server address to continue.
SSL Port Number: define the LDAP server port for SSL communications.
Anonymous Login: select Anonymous Login to allow the Afaria server to
communicate with the LDAP server without using a dedicated LDAP user account for
the server. If using anonymous login, configure your LDAP server to allow a search of
the directory structure for users, user groups, and organizational units and all of their
attributes.
User DN: if not using anonymous login, enter the user DN (distinguished name) for
the LDAP account the Afaria Server uses to communicate with the LDAP server. If you
do not know the user name for the account, click Search User. You must have an LDAP
proxy user configured for an anonymous login to be able to search for users.
You can enter a name using a wildcard character to search for the correct User DN. For
example, you can enter *mith or *mit* to search for Smith.
Password: enter the password for the LDAP account the Afaria Server uses to
communicate with the LDAP server.
2. In the LDAP Root Directory dialog, select a root directory that contains all of the groups,
organizational units, and users the server requires for authentication and assignments.
3. In the LDAP User Characteristics dialog, select a characteristic.
LDAP Class Name for Users: select or enter the LDAP Class Name for Users.
User Name Attribute: select or enter the user name attribute to use in the LDAP
environment. When client users connect to the server, they enter the user ID as the user
name you specify.
4. In the LDAP Container Settings dialog, select a membership basis for assigning channels
to users.
Support OU membership: select to assign channels to users based on their
organizational unit (OU).
Support OU and group membership: select to assign session policies to users based on
both their OU and groups.
5. Complete the installation.
Configuring Active Directory Information
Configure Active Directory settings to support user authentication and channel assignments.
1. In the Active Directory Server Login Information dialog:
Server Address: enter your Active Directory server address as either a fully qualified
domain name, such as Afaria.mycompany.com, or as an IP address.
User: enter the user name for the Active Directory account the Afaria Server uses to
communicate with the Active Directory server. The user must have access rights to the
directory structure.
Password: enter the password for the Active Directory account the Afaria Server uses
to communicate with the Active Directory server.
Specify whether to enable SSL communication with your Active Directory server.
2. In the Active Directory User Characteristics dialog:
Active Directory Class Name for Users: select or enter the Active Directory Class
Name for Users.
User Name Attribute: select or enter the user name attribute to use in the Active
Directory environment. When client users connect to the server, they enter the user ID
as the user name you specify.
3. Complete the installation.
Note: To monitor the changes in the Active Directory object data using DirSync control,
the user account must have the Replicating Directory Changes permission on the domain
naming context. To grant the Replicating Directory Changes permission to a user account
or group, you must modify the permissions on the directory partition object.
Basic Rights for Active Directory User
Basic rights required for Active Directory user during installation.
To discover objects in Active Directory using the Active Directory management agent
(ADMA), the account that is specified for connecting to Active Directory must have explicitly
granted Replicating Directory Changes permissions for every domain that the management
agent accesses.
To manage and monitor the changes in the Active Directory, the user must be explicitly
granted the Replicating Directory Changes permission. The user need not belong to the Domain
Administrators group. Any user granted the Replicating Directory Changes permission has
the necessary privileges.
To create, modify, and delete objects within Active Directory using a non-administrative
account, you need to add additional permissions as appropriate. For example, for Microsoft
Metadirectory Services (MMS) to create new user objects in an Organizational Unit (OU) or
container, the account that is used must be explicitly granted the Create All Child Objects
permission, as the Replicating Directory Changes permission is not sufficient to allow the
creation of objects.
Enabling SSL for Device Communication
Enable SSL for secure device communication using XNETS and HTTPS protocols.
1. If you are not sure about using SSL to enable secure communication, you can disable SSL
during installation by deselecting the Enable SSL for Device Communication (XNETS
protocol) check box in the Enable SSL dialog. You can enable SSL for device
communication later from the Server > Configuration > Device Communication page
in Afaria Administration console.
Note: The Enable SSL for Device Communication (XNETS protocol) check box is selected by
default.
2. If you leave the Enable SSL for Device Communication (XNETS protocol) check box
selected, click Next. A warning message is displayed. Click Yes.
3. Click Next to continue and complete the installation.
After the installation is complete, you must associate the certificate obtained from a
Certificate Authority (CA) using the Server > Configuration > Device Communication
page in Afaria Administration console to use SSL for device communication.
Completing the Installation
Continue with the Ready To Start Installation dialog box to complete installation.
1. On the Ready to Start Installation dialog, click Install.
The Setup Complete dialog opens when the installation is complete.
2. If you receive a message that a file is in use, choose an appropriate action.
Abort: quits the installation.
Note: Canceling an installation leaves services stopped on the Afaria Server. You need
to restart services.
If you are reinstalling and you abort the installation, you may find that some of the files
have been updated and some have not, leaving the installation in an undesirable state.
Re-run the installation program to restore stability and normal operations. If normal
operations do not resume, uninstall the program and install it again.
Retry: close the application using the file specified, and then click Retry to install the
file again. If the installation does not continue, click Ignore.
Ignore: continues the process but requires you to restart the computer to complete the
installation.
You may be prompted to restart your computer when the file copying process is completed.
After the restart, the installation program continues from the point at which it was
interrupted.
3. Select whether to start the service at this time.
To allow connections immediately, start the service. To continue with additional
installations and configuration, do not start the service.
4. Click Finish.
Installing Afaria Server Farm
For a farm environment, install additional servers after installing the main Afaria Server and
the Afaria Administration console.
Prerequisites
Ensure all farm servers are in the same domain and the domain username and password
match the ones specified for Afaria Administration console and API services.
Task
For each planned farm server:
1. Start the setup program (setup.exe).
2. Enter the license key.
3. Start the server installation.
4. Complete the installation, using the same domain user account, database, and options as
the main Afaria server.
You must select the database for the existing Afaria Server.
5. Start Afaria Server service on the main server, then on the farm servers.
Installing Afaria API Service and Administrator
Install Afaria API Server and Administrator on either the Afaria Server or a different server.
Prerequisites
If you plan to use Windows Basic Authentication for Afaria Administrator users, you must
install the "Basic Authentication" role service on the Web Server (IIS). Use the Microsoft
Server Manager utility for the installation.
Task
1. Start the setup program (setup.exe) in the Afaria installation directory.
2. On the setup menu, click Install.
3. Click Install Afaria API Service and Administrator, and click Next.
4. On the Select Database engine dialog, select the applicable SQL Anywhere or Microsoft
SQL database you configured previously and click Next.
5. On the SQL Anywhere Server Set Up dialog, select a Server Name and confirm the
existing field values or enter the applicable ones.
All the database fields are pre-populated if the Afaria Server is installed on the same
machine. If not, you need to enter them manually.
6. On the SQL Anywhere Server Setup dialog, enter the Database name and click Next.
7. On the Directory Selection dialog, change the default install path, if desired, and click
Next. Create a directory for the installation if required.
8. On the Service Account dialog, define the domain or local account associated with the
Afaria API Service and Administrator and click Next.
The account credentials should be the same as those used for the Afaria server install.
9. Click Install to start the Afaria API Service installation set up and click Next on the
resulting welcome dialog.
10. On the Set Up complete dialog, select to start the service now or later.
The Afaria Administration console installation will stop the API Service automatically if
required.
11. On the Select Virtual Directory dialog, define the virtual directory for Afaria
Administration console in IIS. If you created a directory, select it from the list. If you have
not created a directory, type the name for the directory to create it.
The directory appears in the IIS directory under Default Web Site.
12. On the Select Physical Directory dialog, enter or browse to the Physical directory
to install Afaria Administration console files.
If you are installing Afaria Administration console on the same server as the Afaria Server,
install the administration console in a different directory.
13. Enter the account name and account password in the Service Account dialog. Click
Next.
14. Select one of the following authentication methods from the Authentication method
screen and click Next:
Windows (Integrated Authentication, Basic)
Active Directory
LDAP (Active Directory)
15. Enter the account name and password in the Default Administrator Account Name dialog.
Click Next.
16. On the Domain Selection dialog, enter the domain for selecting the administration console
users to administer the Afaria Server. To limit selection to only local users, keep <none> as
the domain. Click Next.
17. On the Ready To Start Installation dialog, click Install to begin the installation. The Setup
Complete dialog box opens at completion.
The Afaria Administration console installation will stop the API Service prior to
installation, if required.
18. If you receive a message that a file is in use, choose an appropriate action.
Abort: quits the installation.
If you are reinstalling and you abort the installation, you may find that some of the files
have been updated and some have not, leaving the installation in an undesirable state.
Re-run the installation program to restore stability and normal operations. If normal
operations do not resume, uninstall the program and install it again.
Retry: close the application using the file specified, and then select Retry to install the
file again. If the installation does not continue, select Ignore.
Ignore: continues the process but requires you to restart the computer to complete the
installation.
You may be prompted to restart your computer when the file copying process is
completed. After the restart, the installation program continues from the point at which
it was interrupted.
19. On the Setup Complete dialog, click Finish.
An Afaria Administration console shortcut appears on the desktop.
20. If you used a predefined virtual directory for this installation rather than allowing the setup
program to create one for you, verify the API Service and Afaria Administration console
settings in the directory before operating the administration console program.
Verifying Afaria Administrator IIS Settings
If you used a predefined virtual directory when installing Afaria Administration console
instead of allowing the setup program to create one for you, or if you are having problems
accessing the administration console from a browser, verify the Afaria API Server and
Administrator and IIS settings.
1. From the Afaria Administration console, select Start > Administrative Tools > Internet
Information Services (IIS) Management.
2. Click the Basic Settings link on the right toolbar.
3. In the Edit Application dialog, verify that the physical path is the one you set during
installation.
4. Open Default Document and verify that default.aspx appears in the list.
5. Open Authentication and ensure that only Windows authentication is enabled.
6. Click Back and click Browse on the right toolbar.
Note: If you have stopped and restarted IIS at any time before opening Afaria
Administration console, ensure that when you restarted IIS that the WWW Publishing
Service also started. If it is not started, you can reset IIS, or you can restart it manually. This
service must be running for you to open the administration console.
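Steps 4 and 5 above are manual checks in IIS Manager. As an added example that is not part of this guide or of Afaria, the following Python script performs the same two checks (only Windows authentication enabled; default.aspx present in the default document list) against an IIS applicationHost.config <location> fragment for the console application. The location path "Default Web Site/AfariaAdmin" and the attribute values in the embedded sample are constructed for illustration; the physical path check from step 3 is not covered because that value lives in the <sites> section rather than in the <location> block.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample in the shape of an IIS applicationHost.config <location>
# element for the administration console application. The path and the
# enabled/disabled values are assumptions for illustration, not values taken
# from a real installation. anonymousAuthentication is deliberately left on so
# the audit has something to report.
SAMPLE_LOCATION = """\
<location path="Default Web Site/AfariaAdmin">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <basicAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
    <defaultDocument enabled="true">
      <files>
        <add value="default.aspx" />
      </files>
    </defaultDocument>
  </system.webServer>
</location>
"""


def _child(elem: Optional[ET.Element], tag: str) -> Optional[ET.Element]:
    """Direct-child lookup by exact tag name.

    Done by hand because the dot in 'system.webServer' is interpreted as a
    path step by ElementTree's XPath-style find().
    """
    if elem is None:
        return None
    for c in elem:
        if c.tag == tag:
            return c
    return None


def _enabled(elem: Optional[ET.Element]) -> bool:
    """True when the element exists and carries enabled="true"."""
    return elem is not None and elem.get("enabled", "false").lower() == "true"


def audit_admin_location(xml_text: str, default_doc: str = "default.aspx") -> List[str]:
    """Return a list of findings for the console's <location> block.

    An empty list means both checks passed: Windows authentication is the only
    enabled authentication module, and default_doc is a default document.
    """
    findings: List[str] = []
    location = ET.fromstring(xml_text)
    web = _child(location, "system.webServer")

    # Check 1: only Windows authentication should be enabled.
    auth = _child(_child(web, "security"), "authentication")
    if not _enabled(_child(auth, "windowsAuthentication")):
        findings.append("windowsAuthentication is not enabled")
    for module in (auth if auth is not None else []):
        if module.tag != "windowsAuthentication" and _enabled(module):
            findings.append(
                f"{module.tag} is enabled; only Windows authentication should be enabled"
            )

    # Check 2: default.aspx must appear in the default document list.
    files = _child(_child(web, "defaultDocument"), "files")
    docs = [f.get("value", "") for f in files] if files is not None else []
    if default_doc not in docs:
        findings.append(f"{default_doc} is not in the default document list")

    return findings


if __name__ == "__main__":
    for finding in audit_admin_location(SAMPLE_LOCATION) or ["no findings"]:
        print(finding)
```

On a real server the <location> element for the console can be copied out of %windir%\System32\inetsrv\config\applicationHost.config and passed to audit_admin_location; the WWW Publishing Service check in the note above is a service-state question and is not covered by this script.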
Changing the IIS Connection Timeout Value
Change the IIS connection timeout value to prevent the Afaria Server from disconnecting with
an inactive browser user. Disconnected sessions can result in data loss.
1. From the Afaria Server home page, select Administrative Tools > Internet Information
Services (IIS) Manager.
2. Right-click Default Website on the left pane.
3. In the connections section, increase the timeout value to meet your needs, then click
OK.
When you change this value, it impacts all the Default Web Site members. Ensure you have
determined an acceptable value for all sites.
Starting Operations and Server Configuration
To get started with Afaria after completing the installation, complete tasks that prepare for,
and validate, basic operations.
Logging in to Afaria Administrator
The process for logging in to Afaria Administration console depends on your environment
(Microsoft Windows NT Server or Microsoft Active Directory).
If you are using Microsoft Windows NT Server, use the default user credentials to log in to
Afaria Administration console. By default and after installation, the only user that can log in is
the user who installed the product. If you are in a different user context, you are prompted to
install the correct user credentials.
Note: If you are using Microsoft Windows NT authentication, enter the user name in Windows
NT style format (domain\user).
If you are using Microsoft Active Directory, enter the user name (subdomain.domain.com
\user or user@domain) and password in the Afaria Administration console Log In page and
click Log On.
Note: Open your browser and enter the administration console address:
http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDirectory>
If your current user context differs from the user context for installing the product, the Enter
Network Password dialog opens. Enter the installing user name, password, and domain and
click OK.
Starting, Stopping, Restarting the Afaria Server
Use Start, Stop, or Restart commands to control the state of the Afaria Server.
Server/client sessions can run only when the server is started. You can conduct other
operations, such as reviewing logs or reports, performing server configuration, or performing
administration and user support tasks when the server is in a stopped or started state. Some
configuration changes require you to restart the server to take effect.
1. From the Afaria Homepage, click the role link that is associated with the server to start.
The Server Status page opens.
The page includes a dynamic link that changes between Start Server or Stop or Restart
Server, depending on the current state of the server.
2. Click the Start Server or Stop or Restart Server link to open the Current Status dialog.
The dialog is dynamic based on the current state of the server and the relevant actions.
Click on the appropriate action:
Start: start a stopped server.
Stop: stop a started server.
Restart: stop then start a started server.
Verifying Afaria Server Settings for Device Communication
Verify server-device connection settings for connecting Android, BlackBerry, Windows
Mobile, and Windows devices for communications.
After you configure Afaria Server for device communications, review your settings for
correctness in Afaria Administration console.
1. On the Server page, click Configuration, expand the Communication list, and click
Device Communication.
2. Review the device communication settings for validity, namely: Protocols and ports,
Certificate settings, and the Address for Device communication.
Verifying Afaria Server Settings After Installation
After you install Afaria Server, review your security (NT, Active Directory, or LDAP) and
server farm settings in Afaria Administration console.
1. On the Server page, click Configuration, expand the Server list, and click Server
Farm.
Review the settings for the server farm you set up for validity, namely: name, state, IP
address, type, and replication address.
2. Select Security.
Review and validate the settings for the NT, Active Directory, or LDAP domain.
Server Configuration for Installation and Management
Documentation for Afaria Server configuration properties, as defined in the server
configuration page, are located in different documentation references, based on their purpose
as properties for general operations or for optional features.
Properties documented in the Installation Guide are the basic properties for core operations,
such as configuration for the SMS Gateway or connectivity for the access control server:
Device communication
Access control server
Enrollment code
Relay server
Security
SMS Gateway
SMTP
Enrollment server
iOS notification
Package server
Self-Service Portal
Properties documented in the Administration Reference are optional, based on the features
you license or choose to use, or on performance optimizations, such as defining access
control policies for users:
Tenants
Schedules
Logging option and cleanup
Adding account name for Afaria Cisco ISE server
Outbound notifications
Google GCM for Android
Device activity expense management
For session policies:
Bandwidth throttling
File compression
File differencing
User defined fields
iOS Afaria application
iOS branding
iOS volume purchase
For access control, options for known and unknown device policies
For device activity management:
General settings to enable and notify users
Roaming
Thresholds for data views
Device activity log cleanup
Windows Phone
Application Enrollment Token (AET) upload
Signed Afaria application upload
See also
Installing Enrollment Server - Basic on page 61
Configuring Afaria Server for Package Server on page 76
Configuring Relay Server for Access Control on page 97
Configuring the Relay Server for Certificate Authority and Enrollment Server
Connections on page 74
Afaria Managed Authentication
Afaria managed authentication for the Enrollment server and Package server can be set with
the Enable Authentication setting on the Server > Configuration > Security page in the Afaria
Administration console. This setting applies to individual tenants.
If Afaria managed authentication is configured for the Enrollment or Package server during
installation and setup, then disabling the Enable Authentication setting in the Afaria
Administration console turns off Afaria managed authentication for the devices associated
with the tenant.
User Role Management
The Afaria Administration console application uses role management to control access to the
application and its individual features and tenants. Use the installing user's credentials to
initially log in to the administration console.
By default, after installation, the only user that can log in is the user who installed the product.
If you are in a different user context, the application prompts you to install the appropriate user
credentials.
If you are using Microsoft Active Directory or Microsoft Windows NT Server, select a
predefined user role from the Role Selection page:
Administrators: role for performing various administrative tasks and policies, including
role assignments, and adding and removing servers. By default, the Administrators role
allows unrestricted access to the server.
Help Desk: role for server operations, such as for individuals who perform administrative
operations and provide support for users.
If your role is defined in Afaria Administration console, you can edit the predefined roles or
add new roles.
Permissions
Permissions determine the information and functionality that roles can access in SAP Afaria.
The SAP Afaria Administrator does not display information or functionality for an
administrator if the role of that administrator does not allow access to the information or
functionality.
Device, Groups, and Policy Permissions
The Device, Groups, and Policy permissions determine which information roles can view and
which actions roles can perform on devices, groups, and policies in the SAP Afaria
Administration console.
Permission Description
Create: The Create permission allows the role to create groups and policies.
Dashboard: The Dashboard permission allows the role to view dashboards in the SAP Afaria
Administration console.
Delete: The Delete permission allows the role to remove devices, groups, and policies from
the SAP Afaria Administration console.
Link View: The Link View permission allows the role to load, filter, sort, and link/unlink devices,
groups, or policies in the link panel on pages in the SAP Afaria Administration
console.
For example, when a role includes the Link View permission for Policy:
The role can access the policy grid in the link panel on the Group page.
The role can access the policy grid in the link panel on the Device page.
List View: The List View permission allows the role to view the list view on the Device, Group,
and Policy pages.
Update: The Update permission allows the role to edit devices, groups, and policies.
Data Views Permissions
The Data View permissions determine which data views and logs that a role can access in the
SAP Afaria Administration console.
Permission Description
Select: The Select permission allows the role to select the data views that SAP Afaria displays
on the Device and Server log pages. The role can select data views from the list of
existing data views.
Update: The Update permission allows the role to create new data views.
Device Inspector Tabs Permissions
The Device Inspector Tabs permissions determine which information roles can view in the
Device Inspector in the SAP Afaria Administration console.
Permission Description
View: The View permission allows the role to see the tabs in the Device Inspector that contain
inventory information and log files.
Remote Actions on Devices Permissions
The Remote Actions on Devices permissions determine which actions roles can perform on
devices in the SAP Afaria Administration console.
Permission Description
Access: The Access permission allows users to perform remote actions on devices.
Server Actions Permissions
The Server Actions permissions determine which actions roles can perform on servers in the
SAP Afaria Administration console.
Permission Description
Access: The Access permission allows the role to perform actions on servers.
Server Pages Permissions
The Server Pages permissions determine which information roles can view and which settings
roles can edit on the server pages in the SAP Afaria Administration console.
Note: The View permission for Configuration must be selected for the Server Configuration
Pages permissions to apply.
Permission Description
View: The View permission allows the role to view server pages in the SAP Afaria
Administration console.
Update: The Update permission allows the role to configure alerts and roles.
Server Configuration Pages Permissions
The Server Configuration Pages permissions determine which information roles can view and
which configuration settings roles can edit in the SAP Afaria Administration console.
Note: The Server Configuration Pages permissions apply only if the View permission is
selected for Configuration in the Server Pages permissions. If the View permission is not
selected for Configuration in the Server Pages permissions, the server configuration pages are
not visible to the role.
Permission Description
View: The View permission allows the role to view server configuration pages.
Update: The Update permission allows the role to edit the server configuration.
Viewing the Server Roles
View the server roles.
1. On the Home page banner, click Server to open the Server Dashboard page.
2. On the left toolbar, click Role to open the Server > Role page.
3. (Optional) To inspect a role's details, select a role and click Edit in the top toolbar, then
click Cancel after inspection.
Adding or Editing a User Role
Define features and tenants for a role, and assign users to it.
1. On the Home page banner, click Server.
2. On the left toolbar, click Role.
3. On the top toolbar, click Add, or select an existing role and click Edit.
4. On the Role tab, enter a new role name and assign access policies using the appropriate
sections and configuration pages.
5. On the Tenants tab, select all or specific tenants to which the users you add to the role are
allowed access.
Every Afaria installation has a default system tenant, but you can create additional tenants.
6. On the Assignments tab, you can:
(Microsoft Active Directory only) Set a filter value in the Filter for next expansion text
box to filter the contents that you see when you expand an organizational unit (OU) and
click Reload List.
Note: The Filter for next expansion text box does not appear if Microsoft Windows NT
is used in your environment.
To exclude seeing users within a group, select the group, click Excluded in next
expansion, and click Reload List. To see the users within a group again, select the
group, click Excluded in next expansion, and click Reload List.
Add a user or group by navigating the directory and selecting the user or group from the
assignments tree.
Add a user or group by entering an explicit descriptor for the group (DomainName
\GroupName) or user (UserName@Domain) in the Groups and Users for Role panel.
7. Click Save.
Logging in as Added User
Use your Windows user credentials to log in as an added user.
Log in a second time using your Windows user credentials. You can switch your user context by
using the Logon As User feature.
1. From the Afaria Homepage, click Logon As User. The Connect To dialog opens.
2. Supply your Windows user credentials and click OK.
The default page opens with content appropriate for your user role. Your user context
appears on the banner.
Afaria Server Messaging
Short Message Service (SMS) is configured on the Afaria Server for the delivery of SMS
messages from the Afaria Server to devices that may or may not be Afaria devices.
The Afaria Server supports the SMS messaging protocols SMTP and SMS Gateway, including
SMPP and SMS Modem.
Afaria uses the SMS Gateway, for devices and Afaria applications that support SMS
messaging, to deliver outbound notifications and remote wipe commands.
Afaria uses SMTP to send e-mail communications and e-mail-based Short Message Service
(SMS) messages related to operations.
Addresses and Routing for SMS and SMTP Messages
Both the Afaria SMS Gateway and the SMTP server use addresses to deliver their respective
messages to recipients.
Addresses are used in multiple contexts, including but not limited to:
Notification messages to devices for message broadcasts, provisioning, or client
deployment
Alert notifications to an administrator contact
Security commands to Afaria managed devices
SMS and SMTP Message Address Syntax
The address determines how the Afaria Server routes the message.
Use this syntax to format addresses:
<prefix>[<routing information>]
where < > encloses a parameter value, and [ ] indicates an optional parameter.
SMSC address requirements: your Short Message Service Center (SMSC) configuration
entities may have specific address requirements for successful routing. For example, a service
provider or carrier modem may require you to format all mobile numbers in their respective
international format and may stipulate that the leading + symbol is or is not part of the
requirement. It is your responsibility to understand the requirements for your SMSC entities,
and it is your responsibility to create your address entries appropriately.
SMSC name: the name of your SMSC entity has a direct impact on how Afaria routes Afaria-
initiated messages.
Prefix = <mobile number>

  <prefix> + null
    Examples: 5554122212, 15554122212, +15554122212, +445555121212
    Afaria routing logic:
      IF any SMS Gateway SMPP service is defined,
        THEN send via SMPP service,
      ELSE IF any SMS Gateway entity is defined,
        THEN send via SMS Gateway entity,
      ELSE discard message.

  <prefix> + <routing information>
    Examples: +15554122212@allcellular, 5554122212@mobiletoday.com
    Afaria routing logic:
      IF <routing information> = an SMS Gateway SMPP service name,
        THEN send via SMPP service,
      ELSE IF <routing information> = an SMS Gateway modem name,
        THEN send via modem,
      ELSE IF any SMS Gateway SMPP service is defined,
        THEN send via SMPP service,
      ELSE IF any SMS Gateway entity is defined,
        THEN send via SMS Gateway entity,
      ELSE send via SMTP server.

Prefix = <recipient identifier>

  <prefix> + null
    Examples: john.doe, jdoe
    Afaria routing logic: Invalid, discard message.

  <prefix> + <routing information>
    Examples: john.doe@mobiletoday.com, jdoe@allcellular, jdoe@egroup.gov
    Afaria routing logic: Send via SMTP server.
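As an added worked example, not Afaria's own code, the following Python function applies the routing logic of the table above to an address, given the names of the enabled SMPP service and SMS modem entities. The guide does not say what distinguishes a mobile-number prefix from a recipient identifier, so the example assumes a mobile number is an optional leading + followed only by digits; the "@" separator for the routing information is taken from the table's examples. Outcomes are returned as labels; nothing is sent.

```python
import re
from typing import Optional, Set, Tuple

# Assumption (not stated in the guide): a mobile-number prefix is an optional
# leading '+' followed only by digits; any other prefix is a recipient identifier.
MOBILE_NUMBER = re.compile(r"^\+?[0-9]+$")

# Route labels returned by resolve_route(); the second tuple element names the
# matched SMPP service or modem, or the SMTP routing domain, when there is one.
SMPP = "SMPP"
MODEM = "MODEM"
GATEWAY_ENTITY = "GATEWAY_ENTITY"
SMTP = "SMTP"
DISCARD = "DISCARD"

Route = Tuple[str, Optional[str]]


def split_address(address: str) -> Tuple[str, Optional[str]]:
    """Split '<prefix>[@<routing information>]' into (prefix, routing).

    The guide's syntax line shows only an optional bracket; the '@' separator
    is read from the examples in the table (assumption).
    """
    prefix, sep, routing = address.strip().partition("@")
    return prefix, (routing if sep and routing else None)


def resolve_route(address: str, smpp_services: Set[str], modems: Set[str]) -> Route:
    """Return where the Afaria Server would route `address`, per the table.

    smpp_services / modems: names of the *enabled* SMS Gateway SMPP service
    and SMS modem entities (the guide says only enabled entities are used).
    """
    prefix, routing = split_address(address)
    if not prefix:
        return DISCARD, None

    if MOBILE_NUMBER.match(prefix):
        # Prefix = <mobile number>
        if routing is not None:
            # A named entity wins when the routing information matches it.
            if routing in smpp_services:
                return SMPP, routing
            if routing in modems:
                return MODEM, routing
        # Otherwise fall through the generic preference order.
        if smpp_services:
            return SMPP, None            # any enabled SMPP service
        if modems:
            return GATEWAY_ENTITY, None  # any other SMS Gateway entity
        # No SMS Gateway entity at all: a bare number is dropped, a number with
        # routing information falls back to the SMTP server (per the table).
        return (SMTP, routing) if routing is not None else (DISCARD, None)

    # Prefix = <recipient identifier>: only an address with routing information
    # is valid, and it always goes via SMTP, even when the routing part matches
    # an SMPP service or modem name (e.g. jdoe@allcellular in the table).
    if routing is None:
        return DISCARD, None
    return SMTP, routing


if __name__ == "__main__":
    # Constructed sample configuration: one enabled SMPP service and one modem.
    services, modems = {"allcellular"}, {"carrier-modem"}
    for addr in ("5554122212", "+15554122212@allcellular",
                 "5554122212@mobiletoday.com", "john.doe", "jdoe@egroup.gov"):
        print(f"{addr:32} -> {resolve_route(addr, services, modems)}")
```

Because the SMPP-name match applies only to mobile-number prefixes, an address such as jdoe@allcellular still leaves the server over SMTP; if an administrator expects it to reach the SMPP service, the table says otherwise, which is worth checking when notifications appear to go missing.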
SMS Gateway
Afaria uses the SMS Gateway to deliver outbound notifications, remote wipe commands, and
any other communication that is addressed for SMS routing to supported devices.
The solution leverages the Cygwin product libraries and tools and other open source tools to
implement its SMS Gateway. The Cygwin product is a set of libraries and tools developed by
Cygnus Solutions that creates a Unix-emulating environment on a Windows operating
system.
Due to the nature of open source licensing practices, cited in the GNU General Public License,
SAP cannot distribute, install, or license the libraries and tools as part of a commercial product
delivery. Therefore, you must obtain and install the required items on behalf of your
organization to enable the SMS Gateway operations.
Installing SMS Gateway
Install SMS Gateway on the Afaria Server to deliver outbound notifications and remote wipe
commands.
1. Run the setup program (setup.exe).
2. On the setup menu, click Additional Installations and Resources > Access SMS
Gateway Resources.
3. On the Afaria third-party component dependency reference page, find version information
and download instructions for obtaining the Cygwin components.
SMS Gateway operations use only some of the Cygwin product components. Therefore,
these installation steps describe a manual process for installing only the component that
the SMS Gateway requires, rather than using the Cygwin installation program.
4. Use a decompression utility to decompress the BZ2 download packages from within the
<download folder> folder. For each installation package file with file extension
BZ2, the decompression yields one extracted file with file extension .tar.
5. Extract the decompressed packages into the same download folder. The file extraction
creates these folders:
- <download folder>\usr: contains additional, nested folders.
- <download folder>\etc: contents are not used for SMS Gateway operations.
6. Modify the Afaria Server environment to include the required libraries and tools by either
including <download folder>\usr\bin in the default system path or by copying
these <download folder>\usr\bin files into the Afaria folder
<AfariaInstallation>\bin\SMSGateway:
cygcrypto-0.9.8.dll
cygiconv-2.dll
cygssl-0.9.8.dll
cygwin1.dll
cygxml2-2.dll
cygz.dll
The default value for <AfariaInstallation> is C:\Program Files\Afaria.
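The following Python script is an added example, not part of the guide or of the Afaria product, that carries out steps 4 through 6 above in the copy variant: it extracts the downloaded BZ2 packages in place, copies the six required libraries into <AfariaInstallation>\bin\SMSGateway, and reports which are still missing before the SMS Gateway is started. The sample package it builds for demonstration is constructed (placeholder bytes, not real Cygwin files); the package file name and the temporary folder layout are assumptions.

```python
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# The six libraries the guide lists in step 6.
REQUIRED_DLLS = ["cygcrypto-0.9.8.dll", "cygiconv-2.dll", "cygssl-0.9.8.dll",
                 "cygwin1.dll", "cygxml2-2.dll", "cygz.dll"]

# Default <AfariaInstallation> from the guide.
DEFAULT_AFARIA_INSTALL = Path(r"C:\Program Files\Afaria")


def extract_packages(download_folder: Path) -> List[Path]:
    """Steps 4 and 5: decompress and extract every *.bz2 package in
    <download folder> into that same folder.

    tarfile reads through the bz2 layer directly, so the intermediate .tar
    file the guide describes is never written to disk. Every member path is
    checked first so that a crafted archive cannot write outside the download
    folder, and link members are skipped (only files and directories are needed).
    """
    root = download_folder.resolve()
    extracted: List[Path] = []
    for package in sorted(download_folder.glob("*.bz2")):
        with tarfile.open(package, "r:bz2") as tar:
            members = [m for m in tar.getmembers() if m.isfile() or m.isdir()]
            for member in members:
                target = (root / member.name).resolve()
                if target != root and root not in target.parents:
                    raise ValueError(f"{package.name}: {member.name} escapes the download folder")
            tar.extractall(root, members=members)
        extracted.append(package)
    return extracted


def stage_gateway_dlls(download_folder: Path, afaria_install: Path) -> Dict[str, List[str]]:
    """Step 6, copy variant: place the required DLLs from <download folder>\\usr\\bin
    into <AfariaInstallation>\\bin\\SMSGateway and report copied/missing names."""
    source = download_folder / "usr" / "bin"
    destination = afaria_install / "bin" / "SMSGateway"
    destination.mkdir(parents=True, exist_ok=True)
    report: Dict[str, List[str]] = {"copied": [], "missing": []}
    for name in REQUIRED_DLLS:
        if (source / name).is_file():
            shutil.copy2(source / name, destination / name)
            report["copied"].append(name)
        else:
            report["missing"].append(name)
    return report


def missing_gateway_dlls(afaria_install: Path) -> List[str]:
    """Pre-flight check before starting the SMS Gateway: required DLLs that are
    still absent from <AfariaInstallation>\\bin\\SMSGateway."""
    folder = afaria_install / "bin" / "SMSGateway"
    return [name for name in REQUIRED_DLLS if not (folder / name).is_file()]


def build_sample_download(download_folder: Path, names: List[str]) -> Path:
    """Construct a stand-in package for demonstration. It is NOT a real Cygwin
    package; the 'DLLs' are placeholder bytes."""
    staging = download_folder / "_staging" / "usr" / "bin"
    staging.mkdir(parents=True)
    for name in names:
        (staging / name).write_bytes(b"constructed placeholder, not a real DLL")
    package = download_folder / "sample-package.tar.bz2"
    with tarfile.open(package, "w:bz2") as tar:
        tar.add(download_folder / "_staging" / "usr", arcname="usr")
    shutil.rmtree(download_folder / "_staging")
    return package


def demo(root: Optional[Path] = None) -> Dict[str, List[str]]:
    """Run the whole procedure against a constructed download folder and return
    the staging report plus the post-copy check."""
    root = root or Path(tempfile.mkdtemp(prefix="afaria-smsgw-"))
    download = root / "download"
    download.mkdir()
    build_sample_download(download, REQUIRED_DLLS[:-1])  # deliberately omit cygz.dll
    extract_packages(download)
    report = stage_gateway_dlls(download, root / "Afaria")
    report["still_missing"] = missing_gateway_dlls(root / "Afaria")
    return report


if __name__ == "__main__":
    print(demo())
```

On a real server, call extract_packages and stage_gateway_dlls with the actual download folder and DEFAULT_AFARIA_INSTALL; an empty list from missing_gateway_dlls is the condition to meet before configuring the gateway.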
Configuring Afaria Server for SMS Gateway
SMS Gateway configuration settings and data elements establish connectivity between the
Afaria Server hosting the SMS Gateway and the Afaria SMS Gateway.
In a farm environment, Afaria is always the main server.
To successfully start the SMS Gateway, you must define SMS Gateway properties and at least
one SMSC server configuration entity.
1. On the Server page, click the Configuration icon on the left panel, expand the Server list,
and select SMS Gateway.
The SMS Gateway page appears with the Gateway tab enabled.
2. Enter the Port number for the first Afaria Server port number dedicated to SMS Gateway
communication. The server uses this port and the next two consecutive ports. For example,
if you select port 3000, then the SMS Gateway uses ports 3000, 3001, and 3002.
3. Enter the Access Phrase for all communications from an Afaria Server to the SMS
Gateway. SMS Gateway ignores all communications requests that do not include this
phrase.
4. Click the Character Set that SMS Gateway uses to compose SMS messages. How the
message appears on the client depends on whether the device supports the chosen character
set; devices that support ASCII but receive a Unicode-based message show messages padded
with extra characters.
5. (Optional) Click Enable HTTPS Support to enable HTTPS support for secure
communications from the Afaria Server to the SMS Gateway.
6. Enter the Certificate File path and file name on the main Afaria Server for the PEM-
formatted certificate file. The SMS Gateway uses this file to verify the identity of the
Afaria Server.
7. Enter the Key File path and file name on the main Afaria server for the PEM-formatted key
file. The SMS Gateway uses the file to verify the identity of the Afaria Server.
8. Define an SMSC server configuration entity.
Setting Up an SMS Modem
For each SMS modem from your providers, add and configure Afaria Server for
communication.
Prerequisites
Follow the instructions from your modem provider to connect the modem to the Afaria Server.
Task
SMS modems are typically carrier-specific, as each modem uses a carrier's Subscriber Identity
Module (SIM) card. They use the associated carrier's network to deliver SMS messages to an
SMSC, so messages take an indirect path to the SMSC. Modems can often support basic SMS
message delivery (for example, text messages) to different carrier networks.
1. On the Server page, click the Configuration icon, select the Modem tab, and click
Add.
You see a new line of configuration fields.
2. Select Enable to enable communications with this entity. Unselect the check box to
suspend communications but retain the configuration values.
3. Enter the Name.
The name you enter directly impacts how Afaria routes Afaria-initiated messages.
4. Select an Afaria Server COM port; ports 1-16 are valid for SMS Gateway operations.
5. Complete the required port, source, and destination properties guided by the definitions in
the SMPP Configuration Properties topic.
6. Click Save.
Setting Up an SMPP Service
You can configure Short Message Peer-to-Peer (SMPP) entities for use with SMS Gateway on
the Afaria Server.
Short Message Peer-to-Peer (SMPP) is a protocol for delivering SMS messages directly to a
Short Message Service Center (SMSC) or SMSC aggregator.
SMPP services are typically carrier agnostic. Message routing from the SMS Gateway is
direct to the SMSC, rather than over a carrier network. As a result, an SMPP service can
typically deliver most SMS messages to any carrier network.
Note: You can create multiple SMPP entities, but Afaria Server uses only those that you
enable.
1. On the Server page, click the Configuration icon, select the SMPP tab, and click Add.
2. Select Enable to enable communications with this entity. Unselect the check box to
suspend communications but retain the configuration values.
3. Enter the Name of the service.
The name you enter directly impacts how Afaria routes Afaria-initiated messages.
4. As defined by your SMPP service provider, define the remaining property values.
5. Click Save.
Configuring SSL Connections for SMS Gateway
HTTPS support for SMS Gateway requires you to install a certificate that is known to both
Windows and Linux.
SMS Gateway runs on the Afaria Server and is encapsulated within an emulated Linux
operating system environment; the Afaria Server runs on a Windows operating system. A
certificate is required for proper communication between the two separate operating systems
on the same server.
1. Obtain a certificate and key that identify the Afaria server in PEM format.
Ensure that the common name attribute on the certificate is the name of the Afaria Server,
exactly as the name is defined in the Gateway Host field on the SMS Gateway
configuration page.
2. Certificate for Windows: import the PEM-formatted certificate and its associated key as a
visible Windows Trusted Root Certificate Authority. The Windows Trusted Root is
accessible only to the Afaria Server.
3. Certificate for Linux: complete the Cert file and Key file fields on the SMS Gateway
Interface configuration page to point to the certificate and key files. The files must reside
on the Afaria Server. The SMS Gateway uses these references to access the certificates, as
it cannot access certificates as imported into the Windows Trusted Root Certificate
Authority.
Setting Up SMTP
You can use the SMTP page to configure your SMTP server to send e-mail communications
and e-mail-based Short Message Service (SMS) messages related to Afaria operations.
1. On the Server page, click Configuration.
2. Enter the name of the SMTP Server.
This field can contain either the IP address or the host name of the SMTP server that you
use to send SMS messages.
3. Enter the user ID for the SMTP server account that you use to send SMS messages.
4. Enter the reply address that appears on the SMS messages.
5. Click Restart Server for the changes to take effect.
Installation and Configuration for Enrollment Components
To support device enrollment for Android, BlackBerry, iOS, Windows Phone, and Windows
Mobile devices, install and configure the Afaria Enrollment Server. In addition, for iOS and
Windows Phone device support, configure a certificate authority (CA).
Before beginning any part of the install process, review the system requirements for all device
types and their associated components in the latest version of the product release notes
available on METS at http://frontline.sybase.com/support.
The enrollment server retrieves enrollment policies from the database for all device types, and
delivers payloads for iOS devices.
The certificate authority is a required part of Windows Phone and Apple-defined iOS MDM
management.
Installing Enrollment Server - Basic
To support device enrollment for Android, BlackBerry, iOS, Windows Phone, and Windows
Mobile devices, install and configure the Enrollment Server. Record the address and virtual
directory values as you complete the installation; you will need them for subsequent
configuration tasks.
Prerequisites
Review the system requirements for all device types and their associated components in the
latest version of the Afaria release notes available on METS at http://frontline.sybase.com/support.
Task
Install the server first in its basic implementation, without enabling payload-signing.
1. On the installation image, start the setup program (setup.exe).
2. On the setup menu, click Additional Installations and Resources > Enrollment
Server.
3. On the Specify Credentials page, accept or define the account name and password used to
run the Afaria service on the Afaria Server.
The Enrollment Server uses these credentials to contact the Afaria Server for database
credentials.
4. On the Specify Virtual Directory Names page, accept or define these settings:
- Unauthorized virtual directory name: user-defined name, populated with a default
  value.
  The unauthorized directory accepts an initial device connection and processes any
  required user authentication.
- Use authentication:
  - Windows authentication: access the Enrollment server. Authentication must be
    enabled to utilize user groups for iOS.
  - Afaria server managed authentication: authenticate the user name and password in
    the Active Directory.
- Authorized virtual directory name: user-defined name, populated with a default
  value.
  The authorized directory accepts device connections in the connection series after the
  device connects to the unauthorized directory.
5. On the Specify Server Address page, enter the IP or fully qualified domain name of the
Afaria Server.
6. On the Specify Certificates for Signing page, unselect Sign Messages; this option is not
part of the basic implementation.
7. If you are a self-signing entity and managing iOS devices, select the certificate that is
bound to IIS for SSL.
By selecting the certificate, Afaria Server can traverse the certificate chain and ensure that
iOS devices that need an intermediate certificate for operations get it seamlessly from the
enrollment server.
Your Apple APNS certificate is not valid for this step.
8. Follow the setup wizard to completion.
The enrollment server installation is now complete, and you can observe service
AfariaiPhoneServer in the Windows service list. The installation process also populates the
Enrollment Server configuration page with corresponding values if the Afaria Server is on the
same server.
See also
Relay Server on page 119
Additional Afaria Components on page 9
Server Configuration for Installation and Management on page 48
Configuring Relay Server for Enrollment Server on page 140
Configuring Relay Server for Certificate Authority on page 141
Launching the Relay Server Outbound Enabler on page 144
Configuring Afaria Server for Basic Enrollment Server
Configure the Afaria Server for the Enrollment Server, as installed with payload-signing
disabled, without enabling SSL on the HTTPS port, and without enabling relay server.
1. On the Server page, click Configuration on the left toolbar, expand the Component list,
and click Enrollment Server.
2. Accept or define the IP or fully qualified server address devices use to connect to the
Enrollment Server.
The address must be externally accessible.
3. Accept or define the unauthorized and authorized virtual directory names, as defined
during the Enrollment Server installation.
The unauthorized directory accepts an initial device connection and processes any
required user authentication.
The authorized directory accepts device connections in the connection series after the
device connects to the unauthorized directory.
4. Only if you are required to use a proxy for the Apple APNS and feedback servers, click
APNS/Feedback Configuration and change the predefined settings to your proxy server.
- APNS: domain and port for sending notifications.
- Feedback: domain and port for soliciting feedback, as defined by Apple.
The feedback service is an aid for gaining feedback about devices that no longer have
MDM control installed. Afaria captures feedback data in the A_iphone_feedback_log
table. If feedback is received about a device having removed control, Afaria updates the
known device state and adds an entry to the Messages log identifying the device and
indicating that control is removed.
5. Click Save.
Configuring Afaria Server for Enrollment Codes
Enable at least one URL shortening service before creating enrollment policies.
Prerequisites
To enable the Google URL service, you need a Google API key, as issued by Google to your
enterprise, as part of the Google API program.
Task
Service terms are between your enterprise and the service provider. You must accept the terms
of service to enable a service.
1. On the Server page, click the Configuration icon on the left toolbar, expand the Server list
and select Enrollment Code.
- TinyURL service
- Google URL service (including the API Key)
2. (Optional) Click the test links to verify connectivity and a call to the service.
3. To change how long an enrollment code is valid for iOS and Android device enrollment,
under Self-Service Portal enrollment requests, specify how long a user request is valid to
use for enrollment in days, hours and minutes.
Self-Service Portal enrollment for other device types does not include a validity time
window.
4. Click Save.
See also
Obtaining a Google API Key on page 32
Configuring Certificate Authority
Configure a Microsoft certificate authority (CA) as a required component for iOS or Windows
Phone device management.
Consult these essential references before and during configuration:
- Afaria system requirements: to learn about requirements for your CA operating system
  and connectivity within the Afaria environment.
- Microsoft documentation resources: to learn about CAs and how to add roles and comply
  with the Afaria system requirements. For example, the Microsoft SCEP Implementation
  White Paper (www.microsoft.com/download/en/details.aspx?id=1607).
Configuring an Enterprise Root Certificate Authority
Configure the enterprise root CA by defining the Active Directory Certificate Service (ADCS)
and Network Device Enrollment Service (NDES) roles.
Prerequisites
The Server needs to be a member of a domain with an Active Directory Domain Controller.
You must also be logged on to the CA server as a user that is a member of the domain.
Task
1. Add the Active Directory Certificate Service (ADCS) Role.
2. Add the Network Device Enrollment Service (NDES) Role.
Adding the Active Directory Certificate Service (ADCS) Role
Add the ADCS role as part of the iOS or Windows Phone certificate authority (CA)
configuration.
1. On the CA, open Server Manager (Programs > Administrative Tools > Server
Manager > Roles).
2. Click Add Roles to launch a wizard.
3. On the Server Roles page, enable Active Directory Certificate Service.
4. On the Role Services page, enable Certification Authority Web Enrollment.
A pop-up window may open to prompt you to install IIS. If so, install it.
5. Click Add Required Role Services and click Next.
The Certification Authority Web Enrollment check box is now enabled.
6. On the Specify Set Up Type page, enable Enterprise.
7. On the Specify CA Type page, enable Root CA.
8. On the Set up Private Key page, enable Create a new private key.
9. Verify the pre-populated settings on the Configure Cryptography for CA settings.
10. On the Configure CA name page, confirm the Common Name for this CA and note it for
later.
11. On the Set Validity page, select the validity period for the certificate as appropriate for
your enterprise.
12. On the Configure Certificate Database page, confirm the path of the certificate
database.
13. On the Web Server IIS introductory page, click Next to proceed to the setup.
14. On the Select Role Service page, click Next to confirm the default IIS settings.
15. On the Confirm Installation Selections page, review the details of the ADCS configuration
and IIS installation and then click Install.
16. Click Close to complete the wizard and restart the server.
Adding the Network Device Enrollment Service (NDES) Role
Add the NDES role as part of the iOS or Windows Phone certificate authority (CA)
configuration.
Prerequisites
Add the ADCS role to the CA.
Task
1. On the CA, open the Server Manager > Roles > Active Directory Certificate Services >
Add role services.
2. On the Select Role Services page, enable Network Device Enrollment Service.
3. On the Specify User Account page, enable Specify a User Account, click Browse to find
the account in your local IIS users group, and click Next.
4. Enter your credentials in the Windows Security dialog and click OK and click Next.
If the user does not match the required IIS prerequisites, an error message displays.
5. On the Specify Registration Authority Information page, enter the applicable Registration
Authority Information, which will be required later during device configuration.
Do not use special or localized characters.
6. On the Configure Cryptography for Registration Authority page, accept the defaults and
click Install.
7. On the Confirm Installation Selections page, review the details of the NDES configuration
and click Install.
8. Click Close.
9. Under Role Services, verify that the following services appear in the installed list:
- Certification Authority
- Certification Authority Web Enrollment
- Network Device Enrollment Service
Click the refresh link at the bottom if you installed a service but do not see it in the list.
Tuning the Certificate Authority for Afaria
Configure the SCEP challenge phrase and certificate request handling on the certificate
authority (CA) to increase security for iOS or Windows Phone connections and ensure that
certificates are issued automatically.
The challenge configuration changes allow Afaria to act as a proxy for requesting challenge
phrases and optimize challenge phrase properties for operations. The request handling change
allows the CA to issue certificates automatically, rather than putting them into a pending state
that would require administrator action.
Warning! The tuning registry changes impact all IIS operations.
1. On the CA, using Windows Server Manager, on the SCEP administrator virtual directory
(IIS Manager > Default Web Site > CertServ > mscep_admin), set authentication.
- Anonymous authentication: enabled and using the same credentials as the SCEP
  application pool.
- Windows authentication: enabled.
2. Create a registry entry to change the challenge phrase default behavior to increase the
maximum number of passwords that are valid simultaneously to 100.
Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP1\PasswordMax]
Value: "PasswordMax"=dword:100
3. Create a registry entry to change the challenge phrase default behavior to decrease the time
period that each password is valid to 10 minutes.
Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP1\PasswordValidity]
Value: "PasswordValidity"=dword:0A
4. To configure certificate request handling in Server Manager, select your CA in the ADCS
node, right-click Properties > Policy Module > Properties and select to follow the
template or automatically issue, rather than to set it to pending.
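Registry Editor's .reg file syntax expresses DWORD data in hexadecimal, so a value written dword:0A is decimal 10 and a value written dword:100 is decimal 256; after importing the entries from steps 2 and 3, confirm in Registry Editor that the decimal value stored is the one intended. The following Python helper is an added example, not from the guide or from Microsoft: it generates the two tuning entries from decimal inputs and reads a .reg fragment back into decimal values so the check can be scripted. The key paths are copied exactly as printed in the guide; the output file name is the reader's choice.

```python
import re
from typing import Dict, List, Tuple

# Key paths exactly as printed in steps 2 and 3 of the guide.
PASSWORD_MAX_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP1\PasswordMax"
PASSWORD_VALIDITY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP1\PasswordValidity"

RegEntry = Tuple[str, str, int]  # (key path, value name, decimal DWORD)

# One DWORD value line: "Name"=dword:<1..8 hex digits>
_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})$')


def reg_dword(name: str, value: int) -> str:
    """Format one DWORD value line in .reg syntax.

    .reg files store DWORD data as hexadecimal digits, so decimal 10 is written
    dword:0000000a and decimal 100 is written dword:00000064.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{name}: {value} does not fit in a DWORD")
    return f'"{name}"=dword:{value:08x}'


def build_reg_file(entries: List[RegEntry]) -> str:
    """Assemble a Registry Editor 5.00 file from (key, name, decimal value) entries."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, value in entries:
        lines += [f"[{key}]", reg_dword(name, value), ""]
    return "\r\n".join(lines)


def parse_reg_dwords(text: str) -> Dict[Tuple[str, str], int]:
    """Read DWORD lines back as decimal integers keyed by (key path, value name).

    Use it on an existing .reg fragment to see what Registry Editor will store.
    """
    values: Dict[Tuple[str, str], int] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        match = _DWORD_LINE.match(line)
        if match and current_key is not None:
            values[(current_key, match.group("name"))] = int(match.group("hex"), 16)
    return values


def scep_tuning_reg(password_max: int = 100, validity_minutes: int = 10) -> str:
    """The two tuning entries from steps 2 and 3, generated from decimal inputs:
    100 simultaneously valid challenge passwords, each valid for 10 minutes."""
    return build_reg_file([
        (PASSWORD_MAX_KEY, "PasswordMax", password_max),
        (PASSWORD_VALIDITY_KEY, "PasswordValidity", validity_minutes),
    ])


if __name__ == "__main__":
    text = scep_tuning_reg()
    print(text)
    print(parse_reg_dwords(text))  # decimal values as they would be stored
```

Save the generated text as a .reg file and import it on the CA, or use the parsed decimal values to double-check a .reg file you already have before importing it.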
Configuring Certificate Authority Profiles
Define up to 10 certificate authority (CA) profiles for each tenant. These profiles allow you to
provide different types of certificates such as SSL, VPN, and Wi-Fi to devices. You can also
define the information required to make SCEP requests to CA, to provide additional security.
Profiles are defined on a per-tenant basis. If you want to use the same profiles for multiple
tenants on the system, you must manually create CA profiles on each tenant and re-enter the
applicable configuration information.
The CA delivers certificates to iOS and Windows Phone devices during enrollment, and also
provides device certificates to facilitate certificate provisioning for application onboarding.
1. On the Afaria Administration console, click Configuration on the left toolbar, expand the
Server list, and click Certificate Authority.
2. Click Add and enter a name for the new certificate profile.
The previously defined CA profile details populate the fields; you can modify the details as
needed.
Note: You must specify a different profile name for a new CA profile on the same tenant,
but you can use a duplicate profile name on a different tenant.
3. (Optional) Select Enable for HTTPS, to enable SSL connections for network security.
Before you enable SSL, you must have a valid SSL certificate for the CA's IIS server from
a known certificate authority. If you enable SSL on a port other than the default port 443,
update the server address to include the port suffix using the syntax <Address>[:<port>].
4. Enter the IP or the fully qualified address that devices use to connect to the CA server.
The address must be externally accessible.
5. (Optional) Enter information such as organization, unit, and city to populate the certificate
that the CA delivers to the device.
6. (Optional) Configure relay server to support certificate authority server.
7. (Optional) Select Enable for SCEP challenge and configure SCEP challenge Domain,
User, and Password for the account you used when you tuned the CA.
To use SCEP, you must have the SCEP challenge details configured on the CA server.
8. (Optional) Click Connectivity Test to test the CA connection from the testing server
location.
This test is valid only if the testing server can access the CA address. Accessing the CA
from the testing server may differ from accessing it from the connecting devices.
9. Click Save.
10. Restart the Afaria server service.
11. (Optional) To delete a CA profile, navigate to the profile and click Delete.
You cannot remove a CA profile that is being used by a policy.
See also
Associating Certificate Authorities for Enrollment and Package Servers on page 68
Configuring Relay Server for Certificate Authority on page 141
Associating Certificate Authorities for Enrollment and Package
Servers
Associate certificate authority (CA) profiles to the enrollment or Package Server to support
enrollment of iOS and Windows Phone devices, or to provide user or device certificates to
facilitate application onboarding.
If you are using relay server, the relay server settings of the enrollment or package server are
used for the initial communication to Afaria. The relay server settings of the CA profile
retrieve certificates for the enrollment or Package Server.
1. On the Server page, click Configuration on the left toolbar, expand the Server list, and
click Certificate Authority.
2. Select a CA profile for the Enrollment Server from the For Enrollment Server list.
3. Select a CA profile for the Package Server from the For Package Server list.
The lists show only the CA profiles defined for your tenant. The system tenant CA profiles
are visible to all tenants.
4. Click Save.
See also
Configuring Certificate Authority Profiles on page 67
Importing Apple Root and Intermediate Certificates for MDM Management
Import Apple root and application integration certificates as trusted root certificates so that
any APNS certificates you install and configure for Afaria MDM management have a valid
chain to a trusted root.
1. Copy your Apple root and intermediate certificates to a location accessible from the Afaria
Server.
2. On the Afaria server desktop, launch the Microsoft Management Console (MMC) by
selecting Start > Run and entering MMC.
3. On the menu, add the certificate snap-in by clicking File > Add/Remove Snap-in to open
the snap-in dialog, and adding the "Certificates" snap-in, selecting these options:
- Computer account
- Local computer
4. On the console root tree, select Certificates (Local computer) > Trusted Root
Certification Authorities > Certificates.
5. On the Certificates node, right-click All Tasks > Import to launch the import wizard and
import the Apple Inc. Root certificate (.CER).
6. Launch the import wizard again and import the Apple Application Integration certificate
(.CER).
7. Review the certificate list for the imported certificates.
Configuring Afaria Server for iOS Notifications
Add your Apple-issued push certificates for iOS device management to the Afaria Server,
define the text to send to devices for SMS-based outbound notifications, and select whether
managed applications collect diagnostic information. The Apple Push Notification Service
(APNS) certificate, as issued by Apple to your enterprise, uniquely identifies an Afaria Server
and its associated enterprise to the APNS.
Consider the configuration of your enterprise tenant environment before operating Afaria:
- If you are an enterprise using only the system tenant, install your Apple push certificate
  on the system tenant.
- If you are an enterprise using multiple tenants to separate operations, install your Apple
  push certificate on the system tenant.
- If you are a hosting enterprise using multiple tenants to separate multiple customers,
  ensure each customer installs their own Apple push certificate on their tenant. Do not
  install a push certificate on the system tenant; it is the backup certificate for tenants that
  do not have a certificate.
1. On the Afaria Administration console Server page, click the Configuration icon on the
left toolbar, expand the Component list and select iOS Notification.
2. In the APNS Push Certificate (for Mobile Device Management) pane, perform the
following tasks to add an APNS push certificate for mobile device management:
a) Click Browse to navigate to and select the certificate.
If you use an iPad for managing devices, the browse option does not work as there is no
file system support on iOS devices.
The certificate is installed to the local machine personal certificate store on the Afaria
Server. The MDM certificate name populates the page. The Current Push Service is the
topic name, as defined by Apple on the certificate.
(System tenant) If your Apple root and intermediate certificates are not installed, the
interface prompts you to install them.
(Non-system tenant) If Apple root and intermediate certificates are not installed, the
interface opens an error. Notify your system tenant administrator.
b) In the Password field, type the password for the certificate.
c) Click Install to install the certificate.
3. In the APNS Push Certificate (for Custom-Signed Afaria Application) pane, perform
the following tasks to add an APNS push certificate for custom-signed applications:
a) Click Browse to navigate to and select the certificate.
If you use an iPad for managing devices, the browse option does not work as there is no
file system support on iOS devices.
b) In the Password field, type the password for the certificate.
c) Click Install to install the certificate.
4. In the Notification Messages pane, perform the following tasks to include a customized
message on devices when Afaria delivers policies:
a) Select the Include following text check box.
b) Type the message.
5. In the Managed App Feedback pane, select whether managed applications collect
diagnostic information about the application and send the information to Afaria.
The application must include functionality to collect the diagnostic information.
6. Click Save.
See also
Apple Certificates for Managing Devices on page 27
Configuring SSL Connections for Enrollment Server
Configure the Afaria Server for enrollment server SSL connections when preferred or
required for network security.
Prerequisites
This task assumes that you have a valid SSL certificate from a known certificate authority for
your enrollment server's IIS server.
Task
1. On the Afaria Administration console Enrollment Server page, in the Enrollment Server
group, click Use HTTPS on Enrollment Server connections.
2. Ensure that the server address uses the fully qualified address or IP address, as declared on
the associated SSL certificate.
3. If you enabled the Enrollment Server's SSL on a port other than default port 443, update the
server address to include the port suffix using the syntax <Address>[:<port>].
Windows Phone device enrollment works only with HTTPS when communicating with
the discovery service and the enrollment server. For Windows Phone devices, if you use a
non-default port and HTTPS in a self-signed environment, you must specify the port in the
enrollment server address for the enrollment to work. If you use the default port in a
self-signed environment, the enrollment settings configured for HTTP automatically
switch to HTTPS on the device.
4. Restart the Afaria Server service.
Adding iOS MDM Payload Signing for iOS
Add payload signing to ensure that payloads are not tampered with during delivery. You can
use your Apple APNS certificate for signing.
Prerequisites
Install, configure, and verify the iOS implementation before adding signing.
Task
1. Copy the Apple root and application integration certificates and your Apple Push
Notification Service (APNS) certificate to the enrollment server.
2. On the enrollment server, import your Apple root and application integration certificates
as trusted root certificates.
3. Reinstall the enrollment server to enable signing and import your APNS certificate.
4. Use the Afaria Administration console Enrollment Server page to enable signing.
5. Restart Afaria Server.
6. Enroll one or more test devices and observe the user interface to determine whether the
certificate is untrusted or trusted.
The expected result, after a possible user authentication prompt, is either:
• Signed, but untrusted: the Apple Profile Service dialog is exposed to the user and indicates status Not Verified.
• Signed and trusted: the Apple Profile Service dialog is exposed to the user and indicates status Verified.
7. If untrusted and you require trust, deploy a root certificate to the client that matches the
root certificate that the enrollment server is using and retry the enrollment.
Importing Apple Root and Intermediate Certificates for MDM Payload Signing
Import the Apple root and application integration certificates as trusted root certificates so that the APNS certificate you install for MDM payload signing has a valid chain to a trusted root.
1. Copy your Apple root and intermediate certificates to a location accessible from the
enrollment server.
2. On the enrollment server desktop, launch the Microsoft Management Console (MMC) by
selecting Start > Run and entering MMC.
3. On the menu, add the certificate snap-in by clicking File > Add/Remove Snap-in to open the snap-in dialog, and adding the "Certificates" snap-in, selecting these options:
• Computer account
• Local computer
4. On the console root tree, select Certificates (Local computer) > Trusted Root
Certification Authorities > Certificates.
5. On the Certificates node, right-click All Tasks > Import to launch the import wizard and
import the Apple Inc. Root certificate (.CER).
6. Launch the import wizard again and import the Apple Application Integration certificate
(.CER).
7. Review the certificate list for the imported certificates.
iOS MDM Payload Signing Certificate Requirements
The certificate must be an IP Security (IPSec) certificate in the x.509 standard and meet Afaria
requirements, regardless of whether you get your certificate from a known certificate
authority (CA) or if you operate as a self-signing entity and create your own signing
certificate.
The IPSec signing certificate must meet these property requirements:
• Subject: define the subject name as type common name.
• General: define the common name (CN) and record the value for future use.
• Extensions: for key usage, add options for digital signature and key encipherment; for extended key usage (also known as application policies), add all available options.
• Private key: select key size 2048 and make the private key exportable. The key type allows exchanges.
The Apple APNS certificate does meet requirements for signing.
Reinstalling the Enrollment Server for iOS MDM Payload Signing
Reinstall the Enrollment Server to enable signing for all iOS MDM payloads.
Prerequisites
Copy your Apple Push Notification Service (APNS) certificate to the Enrollment Server.
Task
1. On the enrollment server, close all running programs.
2. On the installation image, start the setup program (setup.exe).
3. On the setup menu, click Additional Installations and Resources > Enrollment Server.
4. On each setup page before the Specify Certificates for Signing page, accept current
values.
5. On the Specify Certificates for Signing page, click Sign Messages to enable the feature
and define the signing attributes:
• Certificate Filename: the path and file name for the Apple root certificate.
• Signing Certificate Filename: the path and file name for the Apple Push Notification Service (APNS) certificate.
• Signing Certificate Password: enter and confirm the password associated with the APNS certificate.
6. Follow the setup wizard to completion.
Data is validated at the conclusion of the setup program as the process attempts to install the
certificate and modify access permissions to the certificate for ongoing operations. If you
encounter errors at this point, retry the installation.
Configuring Afaria Server for iOS MDM Payload Signing
Configure the Afaria Server to enable signing for all iOS MDM payloads.
Prerequisites
Complete the basic enrollment installation and configuration, and reinstall the Enrollment
Server for iOS MDM payload signing.
Task
1. On the Server page, click Configuration on the left toolbar, expand the Component list,
and click Enrollment Server.
2. Enter the signing certificate name, which is the common name for the signing certificate,
as defined on the certificate and during enrollment server installation.
3. (Optional) Click Encrypt payload to encrypt the signed payloads.
4. Click Save.
5. Restart Afaria Server.
6. Provision one or more test devices and observe the user interface to determine whether the
certificate is untrusted or trusted.
The expected result, after a possible user authentication prompt, is either:
• Signed, but untrusted: the Apple Profile Service dialog is exposed to the user and indicates status Not Verified.
• Signed and trusted: the Apple Profile Service dialog is exposed to the user and indicates status Verified.
7. If untrusted and you require trust, deploy a root certificate to the device that matches the
root certificate that the enrollment server is using and retry the provisioning.
Configuring the Relay Server for Certificate Authority and Enrollment Server Connections
(Optional) Set up relay server to increase your enterprise network security. A relay server is
installed in the DMZ and operates as a proxy for HTTP and HTTPS sessions between two
components.
The enrollment server acts as a proxy for all certificate requests coming from devices. The
devices connect to the enrollment server and then the enrollment server connects to the
certificate authority (CA). You can configure a relay server connection between the
enrollment server and the CA, and a separate relay server connection between the devices and
the enrollment server.
See also
Relay Server on page 119
Additional Afaria Components on page 9
Server Configuration for Installation and Management on page 48
Package Server
The Afaria enterprise Package Server serves packages not hosted by another entity to iOS,
Android, and Windows Phone devices, and serves certificates for application onboarding to
iOS, Android, and BlackBerry devices.
Installing Package Server
Install the Package Server to deliver Afaria enterprise application packages to Android, iOS,
and Windows Phone devices.
Prerequisites
Before beginning any part of the install process, review the system requirements for all device
types and their associated components in the latest version of the release notes available on
METS at http://frontline.sybase.com/support.
Task
Record values as you complete the installation; you will need them for subsequent
configuration tasks.
You can install the package server on the same server as the Afaria Administration console
server or on a separate server.
1. On the installation image, start the setup program (setup.exe).
2. Click Install.
3. On the setup menu, click Additional Installations and Resources > Package Server.
4. On the Directory Selection page, accept the default location or click Browse to navigate to
a new location.
5. On the Welcome page, click Next, then accept the default location or click Browse to navigate to a new location.
6. On the Specify Credentials page, specify the account name and password used to run the
Afaria service on the Afaria server.
The Package Server uses these credentials to contact the Afaria server for database
credentials. Authentication must be enabled on the Enrollment Server and/or Package
Server in order to create user group assignments for Android, iOS, and Windows Phone.
Refer to the SAP Afaria Installation Guide document for details about how to configure the
Enrollment Server and the Package Server.
7. On the Specify Virtual Directory Name page, accept the default virtual directory name or type in a new virtual directory name.
• Use Windows Authentication: select Windows Authentication for access to the Package Server.
Note: Authentication must be enabled to utilize user groups for Android, iOS, and Windows Phone.
8. On the Ready to Start Installation page, click Install.
9. Follow the wizard to completion.
See also
Creating a Domain User Account for Operating Afaria on page 23
Configuring Relay Server for Package Server on page 143
Launching the Relay Server Outbound Enabler on page 144
Configuring Afaria Server for Package Server
Configure the Afaria Server for the Package Server, without enabling SSL on the HTTPS port
and without enabling relay server.
1. On the Server page, click Configuration on the left toolbar, expand the Component list,
and click Package Server.
2. Accept or define the virtual directory name, as defined during the package server
installation.
3. In the Package Server Direct Access group, accept or define the IP or fully qualified server
address devices use to connect to the Package Server.
The address must be externally accessible.
4. Click Save.
See also
Relay Server on page 119
Additional Afaria Components on page 9
Server Configuration for Installation and Management on page 48
Configuring SSL Connections for Package Server
Configure the Afaria server for package server SSL connections when preferred or required
for network security.
Prerequisites
This task assumes that you have a valid SSL certificate from a known certificate authority for
your package server's IIS server.
Task
1. On the Afaria Administrator Package Server page, in the Package Server group, click Use
HTTPS on Package Server connections.
2. Ensure that the server address uses the fully qualified address or IP address, as declared on
the associated SSL certificate.
3. If you enabled the package server's SSL on a port other than default port 443, update the
server address to include the port suffix using the syntax <Address>[:<port>].
4. Restart the Afaria server service.
Access Control for E-mail
Access Control for E-mail adds a layer of protection to your enterprise e-mail platforms by
filtering mobile device synchronization requests according to your access control policies.
Access control discards any synchronization requests that do not meet the policies you define
on the Afaria server and save on the Afaria database. Access control policies include the list of
known devices, their associated policies, any remediation actions, and any defined polices for
unknown devices.
There are two implementations for Access Control for Email in Afaria:
• Hosted email: e-mail services are hosted by a third party and are available to users from the Internet, without any e-mail servers or related components inside the enterprise network or DMZ. Set up access control for hosted email using Exchange PowerShell cmdlets from the Server > Configuration > MS Exchange page.
• Local email: the e-mail server and related components are installed within the enterprise network and the DMZ. Set up access control for local email by choosing one of the following options:
  • Setting up the access control for email filter from the installation setup.
  • Setting up access control for local email using Exchange PowerShell cmdlets from the Server > Configuration > MS Exchange page.
For Access Control for local e-mail, in addition to mobile device synchronization requests, access control can prevent synchronization requests initiated by alternate means, such as:
• Web browser client
• E-mail client installed on a companion PC
• iAnywhere Mobile Office client
See also
Configuring Relay Server for Access Control on page 97
Setting Up Access Control for Email using Exchange PowerShell Commandlets
Set up access control for hosted email by configuring Office 365 or local email using
Microsoft Exchange PowerShell commandlets. For more information, refer to Afaria 7
System Requirements of the required service pack.
Prerequisites
Ensure that the Access Control for Email filter is not installed.
The PowerShell virtual directory is created when you install Exchange. Enable PowerShell remoting by enabling Basic Authentication on the virtual directory in IIS.
Task
E-mail services are available locally, where a local Exchange server is used. E-mail services
are also hosted by a third-party and are available to users from the Internet, without any e-mail
servers or related Afaria components inside the enterprise network or DMZ. Afaria server
communicates with Exchange for updating device status.
Note: From Afaria 7 SP3 release, you can configure access control for local email by either
using the Exchange PowerShell commandlets or by installing the Access Control for Email
filter. If you have installed the filter, then do not follow this procedure.
Afaria uses the following API calls on the Exchange server:
Get-ActiveSyncDevice
Get-CASMailbox
Set-CASMailbox
For more information on these Microsoft Exchange server API calls, refer to Microsoft
Exchange documentation.
In addition to the API calls on the Exchange server, Afaria also issues some setup commands
to initiate the remote PowerShell session with the Exchange server.
1. Log in to the Afaria Administration console.
2. Navigate to the Server > Configuration > MS Exchange page.
Note: Devices with an ISAPI account and devices with an MS Exchange account cannot coexist in a tenant; this configuration is not supported. Ensure that this page is empty if the tenant is to be used for local Exchange.
3. Click New.
4. Enter the following information:
• URL: enter the URL of the hosted or local Exchange server.
• Account Username: enter the hosted or local Exchange Admin User ID. Create a user that is a member of the Exchange Organization Managers group so that the user has the minimum permissions needed to execute PowerShell commands.
• Password: enter the hosted or local Exchange Admin password.
Note: Ensure that the MS Exchange account credentials have Administrator privileges.
5. Click Test connection to authenticate the account credentials and test connectivity for the
local Exchange or hosted accounts.
If the account credentials are valid, you see a success message; otherwise, you see an error
message.
6. Click Save.
When MS Exchange triggers e-mail blocking using access control, it may take as long as
10 minutes for Exchange to block e-mail messages.
7. To specify local or hosted service Exchange ActiveSync Access Settings, select one of:
• Always allow: allow users who have enrolled in Afaria management to access hosted or local MS Exchange.
• Always block or quarantine: prevent all users who are not enrolled in Afaria management from accessing hosted or local MS Exchange.
Note: Afaria sends a device enablement message when it is enrolled in the Always allow mode for enhanced security.
8. Click Save.
9. (Optional) Change or delete a record by selecting it and clicking Edit or Delete.
After a device is enrolled in Afaria, it will use the access policy that is set for the device.
Access Control for Local Email using Filter
Access Control for local e-mail has the e-mail server and related Afaria components installed
within the enterprise network and the DMZ. Set up access control by installing and
configuring the Afaria components.
Access control for local email using filter is supported on Microsoft Exchange Server 2007
and Microsoft Exchange Server 2010. For more information, refer to Afaria 7 SP4 System
Requirements.
Note: If you want to set up access control for local email by installing the filter, do not set up
access control for local email by using PowerShell commandlets from the Server >
Configuration > MS Exchange page.
Access Control Components
Access control uses a filter, Data Handler services, and the Afaria filter listener. You can install
access control components on a single machine behind the corporate firewall. You can also
install some components in the DMZ and some components behind the firewall.
• Afaria access control filter: includes the Internet Server Application Programming Interface (ISAPI) filter and Data Handler services.
  • Filter: accepts inbound synchronization requests from mobile clients and passes details from incoming requests to the Data Handler, which determines whether to allow or block the incoming request.
    The filter must reside on the server that accepts inbound client requests on the Client Access System (CAS). For greater security, install the filter on a proxy server located in your DMZ.
  • Data Handler services: include:
    • HttpsClient: a PowerShell component that queries the Afaria server at defined intervals to obtain updated details about the device.
    • Pipeserver: a C# multithreaded component that decides whether to allow or block the incoming request by parsing data from the device list.
    Data Handler services must reside on a server that can initiate a connection to either the Afaria server or its optional relay server proxy and to the filter host. For greater security, install them on a separate server within your enterprise firewall, as they request user and device data from the Afaria environment.
• Afaria filter listener: resides on the Afaria server. When requested by the PowerShell service (HttpsClient), the listener queries the Afaria database to obtain an updated access control policy list and forwards it to the PowerShell service.
Note: The Afaria server service starts the filter listener.
ISAPI Filter Components
ISAPI filter components include:
• Filter (XSISAPI.dll): XSISAPI.dll is either on the IIS or ISA box and watches the ActiveSync traffic as it comes through on the way to the Exchange CAS.
• Data Handler Proxy (XSISAPIReversePipe.exe): XSISAPIReversePipe connects to PipeServer and sends incoming request details to get the device state. Based on data available in Device.xml, PipeServer returns the Allowed or Not Allowed flag to XSISAPIReversePipe.
• Data Handler: includes:
  • Httpsclient.ps1: This script contains two areas of functionality. First, the script contacts the Afaria server and requests, based on the e-mail domain, the lists of devices, and their respective Allow/Block status, for that domain. Second, the script specifies how to handle an "unknown" device attempting to conduct an ActiveSync session.
  • PipeServer.exe: XSISAPI.dll talks to the PipeServer using a named pipe. XSISAPI.dll sends the PipeServer the following information, which is collected from the connection headers sent by a device contacting the Exchange CAS:
    • Device ActiveSync ID (ASID)
    • User's e-mail account (USER)
    • Device type (TYPE)
    The label at the end of each item matches how it is logged in the XSISAPIPipe_Log. The PipeServer attempts to match these three items to a record in the Devices.xml file. PipeServer looks for the ASID and tries to match the GUID value from Devices.xml. The e-mail account is matched against the ExchangeID data in Devices.xml.
    Finally, the device type is also considered. Device type is determined by the device manufacturer and can actually be anything.
    When the PipeServer sends a response code, it uses the following response values to tell XSISAPI.dll how to handle the pending connection:
    0 - Device is known but is not permitted to get email
    1 - Device is known and is permitted to get email
    2 - Device is not known and is not permitted to get email
    3 - Device is not known; add it to the new device list and allow it to get email
    4 - Device is not known; add it to the new device list but do not permit it to get email
• Afaria Filter Listener (XSISAPIServer.exe): resides on the Afaria server. XSISAPIServer.exe extracts the list of devices that the ISAPI filter should, or should not, allow to sync with the Exchange server.
Installing Access Control Components on a Single Machine
You can install access control components on one server behind the corporate firewall.
If all the components are installed on a single machine behind the corporate firewall, you can
select the Filter and data handler option while running the Access Control for Email
installation program on the IIS/ISA machine behind the firewall.
Figure 2: Components on a single IIS/ISA machine behind the corporate firewall
If all the components are installed on multiple IIS machines behind the corporate firewall and
load balancer, you can select the Filter and data handler option while running the Access
Control for Email installation program on each IIS/ISA machine.
Figure 3: Components on multiple IIS/ISA machines behind the corporate firewall and load balancer
1. To install the Access Control filter, run the setup program (setup.exe) as administrator
to launch the Afaria 7 Setup wizard.
2. From the first screen of the wizard, click Install.
3. From the second screen, click Additional Installations and Resources.
4. From the third screen, click Install Access Control for Email.
The wizard prompts you to choose the appropriate version of the filter for your operating
system. Click 32-bit (x86) or 64-bit (x64) as required.
The setup wizard launches the Afaria 7 ISAPI Filter Setup wizard.
5. Click Next.
6. Select Filter and data handler and click Next.
7. From the Blocking Option screen, do the following and then click Next:
a) Select Allow all traffic but Microsoft-Active-Sync to allow all traffic to the email server except ActiveSync traffic from handheld devices, which is filtered. If this option is selected, all other traffic is allowed and nothing else is blocked. If this option is unselected, only ActiveSync traffic is allowed and all other traffic is blocked; if there are any other Web sites on the same IIS, access to those Web sites is blocked as well.
b) Select an ISAPI installation method - Install ISAPI filter for IIS Server or Install
ISAPI for ISA Server.
Note: The ISAPI filter affects Outlook Web Access (OWA) if the Allow all traffic but
Microsoft-Active-Sync option is not selected and OWA is being accessed from CAS on
which the filter is installed.
8. From the Server Settings screen, enter the following and click Next:
• URL of the Afaria server
• Relay Server (RS) Prefix
• Relay Server (RS) Farm ID
9. From the Ready to Start Installation screen, click Install.
The filter (XSISAPI.dll) and data handler (httpsclient.ps1 and
PipeServer.exe) components are installed on one server behind the firewall.
Installing Access Control Components on Multiple Machines
When installing access control components on multiple machines, you can install the Filter
and Data Handler Proxy service (Query Forwarder) on an IIS or ISA box in the DMZ. You can
then install the data handler (Query Processor) on one or more CAS boxes behind an enterprise
firewall.
Installing the Filter and the Data Handler Proxy Service
If an IIS or ISA machine is located in the DMZ and rest of the servers are hidden behind the
inner firewall, you can select the Filter and Data Handler Proxy Service option while
running the Access Control for Email installation program. It installs XSISAPI.dll and
XSISAPIReversePipe.exe on an IIS/ISA server.
The Access Control List process flow is described below:
1. A mobile device submits an ActiveSync request.
2. The filter (XSISAPI.dll) intercepts the request and forwards it to the data handler
proxy (XSISAPIReversePipe.exe).
3. The data handler proxy connects to the PipeServer and sends incoming request details to get back the device state. Based on data available in Device.xml, the PipeServer returns either the "Allowed" or "Not Allowed" flag to the data handler proxy.
4. The Data handler (HTTPSClient) requests Device.xml from the Afaria filter
listener. It also uploads the newDevices.xml file to the Afaria filter listener in case
ActiveSync ID is not available for the device.
Figure 4: Components on the ISA Server in the DMZ and on multiple CAS behind the corporate firewall
Perform the following steps to install the filter and data handler proxy service on an IIS/ISA
box in the DMZ:
Note: Run the procedure on each IIS/ISA box.
1. To install the Access Control filter, run the setup program (setup.exe) as administrator
to launch the Afaria 7 Setup wizard.
2. From the first screen of the wizard, click Install.
3. From the second screen, click Additional Installations and Resources.
4. From the third screen, click Install Access Control for Email.
The wizard prompts you to choose the appropriate version of the filter for your operating
system. Select 32-bit (x86) or 64-bit (x64) as required.
The setup wizard launches the Afaria ISAPI Filter Setup wizard.
5. Click Next.
6. Select Filter and data handler proxy service and click Next.
7. From the Proxy Settings screen, type the Hostname and Port for the Powershell proxy
server and click Next.
8. From the Blocking Option screen, do the following and then click Next:
a) Select Allow all traffic but Microsoft-Active-Sync to allow all traffic to the email
server except from handheld devices.
b) Select an ISAPI installation method - Install ISAPI filter for IIS Server or Install
ISAPI for ISA Server.
9. From the Ready to Start Installation screen, click Install.
The filter and data handler proxy (XSISAPI.dll and XSISAPIReversePipe.exe)
components are installed on an IIS or ISA box in the DMZ.
Installing the Data Handler Only
After installing the filter and data handler proxy service on an IIS or ISA box in the DMZ, you can install the data handler on a CAS behind the firewall.
Note: If there are multiple CAS servers, run the procedure below on each CAS.
1. To install the Access Control filter, run the setup program (setup.exe) as administrator
to launch the Afaria 7 Setup wizard.
2. From the first screen of the wizard, click Install.
3. From the second screen, click Additional Installations and Resources.
4. From the third screen, click Install Access Control for Email.
The wizard prompts you to choose the appropriate version of the filter for your operating
system. Select 32-bit (x86) or 64-bit (x64) as required.
The setup wizard launches the Afaria ISAPI Filter Setup wizard.
5. Click Next.
6. Select Data handler only and click Next.
7. From the Proxy Settings screen, type the Hostname and Port for the Powershell proxy
server and click Next.
8. From the Server Settings screen, enter the following and click Next:
• URL of the Afaria server
• Relay Server (RS) Prefix
• Relay Server (RS) Farm ID
9. From the Ready to Start Installation screen, click Install.
The data handler (httpsclient.ps1 and PipeServer.exe) files are installed on
the CAS box behind the enterprise firewall.
Afaria Filter Files
This section lists the files installed with the Afaria filter or generated during access control
operations.
Files Installed with the PowerShell Service Component
If you are using the 32-bit version of the PowerShell component, the files are installed in C:\WINDOWS\system32\inetsrv.
If you are using the 64-bit version of the PowerShell component, the files are installed in C:\Windows\SysWOW64\inetsrv.
Installing the PowerShell service component of the Afaria filter adds these files:
AfariaISAPIFilterUninstall.ini
AfariaIsapiSetup.exe
XSISAPIReversePipe.exe
XSSrvAny.exe
PipeServer.ps1
HTTPSClient.ps1
Files Installed with the ISAPI Filter Component
Installing the ISAPI filter component of the Afaria filter adds these files in C:\WINDOWS\system32\inetsrv:
AfariaISAPIFilterUninstall.ini
AfariaISAPIFilter.exe
XSISAPI.dll
XSISAPIReversePipe.exe
XSSrvAny.exe
If you installed both components of the Afaria filter on the Exchange Server's IIS Server, the
files are added to IIS_InstallDir and IIS_InstallDir\bin.
Files Generated During Access Control operations
The executable XSSrvAny.exe launches PipeServer.ps1 and HTTPSClient.ps1. In turn, each of these creates an event in the Windows Application Event log. The entries indicate the start action and its log file location. Consider this example event log entry:
XSISAPI PowerShell HTTPS Client was successfully started. Logfile is C:\Documents and Settings\Default User\Application Data\XSISAPI\XSISAPIHTTPS_Log.txt.
Afaria filter operations use and generate the following files on your IIS Server. The path for the files is described in the PipeServer.ps1 and HTTPSClient.ps1 start-up Windows Application Event log entries.
• <ApplicationDataPath>\XSISAPI\Devices.xml: the list of Afaria Exchange access control clients known and managed by Afaria synchronization policies. This file is created by the Afaria server at the request of the PipeServer and is transferred to the PipeServer via HTTP/HTTPS. This file includes a series of XML records: one for each device the ISAPI filter is likely to see trying to access the Exchange CAS.
The data you see in the Devices.xml file tells you what Afaria has stored in the database.
<client GUID="SAMSUNG1351822059308603" User="user" SP="1" ExID="sy-alphaqa.com\xoom" Type="-10" status="0" />
<client GUID="APPLDLXH20UKDKNW" User="sy-alphaqa.com\mangesh01" SP="66" ExID="SY-ALPHAQA.COM\USR0000" Type="-8" status="1" />
<client GUID="APPLDN50001EDKPJ" User="USR0001" SP="66" ExID="SY-ALPHAQA.COM\USR0001" Type="-8" status="0" />
<client GUID="APPLDN50002EDKPJ" User="USR0002" SP="66" ExID="SY-ALPHAQA.COM\USR0002" Type="-8" status="0" />
The GUID is what Afaria considers the ActiveSync ID (ASID). The ExID is the Exchange identity for the user account on the device. Status indicates whether a device should (1) or should not (0) be allowed to receive e-mail.
• <ApplicationDataPath>\XSISAPI\XSISAPIPipe_Log.txt: a trace file that is generated by the PipeServer. You should see a series of text lines that look similar to:
13-05-14 06:41 Responding '0' to request: ID='SAMSUNG1351822059308603', USER='sy-alphaqa.com\xoom', TYPE='SAMSUNGGTI9100'
13-05-14 06:41 Responding '1' to request: ID='APPLDLXH20UKDKNW', USER='sy-alphaqa.com\mangesh01', TYPE='iPad'
13-05-14 06:41 Responding '2' to request: ID='APPLC38GPXGVDT9V', USER='sy-alphaqa.com\deepa1', TYPE='iPhone'
Problems are indicated by messages such as "PipeServer timed out" or "Can't open named pipe". The example above shows the information that is being sent by XSISAPI.dll and how the PipeServer is responding to that data.
• (Temporary file) NewDevices.xml: Devices that connect to the Exchange Server for synchronization must send a unique Exchange identifying value to the Afaria server. If the ISAPI filter sees a device attempting to connect that it cannot identify, it reports that it may have already identified the device, and the account information it sees for the device, and adds the device to the NewDevices.xml file. This allows the filter to tell the Afaria server everything it knows about the device. Afaria may then be able to update the database with the complete and correct ASID to allow for successful identification on a future connection.
• HTTPS.txt: log file for HTTPSClient.ps1 operations. Lists connections from the IIS Server by the Afaria polling agent back to the Afaria server to refresh the Devices.xml list.
• Pipe.txt: log file for PipeServer.ps1 operations. Lists client synchronization requests, indicating synchronization status 1 for allowed or 0 for denied.
Configuring Afaria for Access Control
This section describes how to configure Afaria to use Access Control. It includes topics on
configuring the Afaria Filter Listener, the Relay Server, and Exchange ActiveSync. It also
provides examples of using substitution variables and configuring e-mail on the Afaria client.
Configuring the Afaria Filter Listener
This section describes how to set parameters for the Afaria filter listener, including protocol
type and port number used for connections.
The Afaria filter listener resides on the Afaria Server and, upon request, provides the
PowerShell service component of the Afaria filter with a refreshed client and policy list.
1. From the Afaria Administration console, select Configuration in the Server tile and
navigate to the Server > Access Control Server page.
2. If using HTTP, select Use HTTP on port and enter the port number for listening to requests.
Ensure that the port does not conflict with any other ports that the Afaria server uses. Over HTTP the client and policy list travels between the filter and the Afaria server in clear text, so prefer HTTPS unless both hosts share a trusted network segment.
3. If using HTTPS, select Use HTTPS on port and define the parameters of the HTTPS
connection.
a) Enter the port number for listening to requests.
Ensure that the port does not conflict with any other ports that the Afaria server uses.
b) Enter the HTTPS host name or the IP address that the PowerShell service component
of the Afaria filter uses to reach the Afaria server.
c) Click Browse to select the host's SSL certificate.
The certificate must reside in the Afaria server's personal certificate store.
4. Click Save and restart the Afaria server service.
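The following PowerShell script is an added example, not part of the SAP guide, that performs the two checks steps 2 and 3 depend on before you click Save: that nothing already listens on the chosen port, and that the server's personal store holds a certificate the filter's PowerShell component will accept for the host name you entered. The port number, the host name, the wildcard-matching rule and the use of Get-NetTCPConnection (Windows Server 2012 / PowerShell 3.0 or later) are assumptions.

```powershell
# Added example, not from the SAP Afaria guide: pre-flight checks for the Access Control
# Server listener. Run elevated on the Afaria server. $ListenerPort and $ListenerHost are
# assumed values; substitute what you intend to enter in the console. On Windows Server
# 2008 R2, which lacks Get-NetTCPConnection, use 'netstat -ano | findstr LISTENING'.
param(
    [int]    $ListenerPort = 8443,                  # assumed value
    [string] $ListenerHost = 'afaria.corp.example'  # assumed value
)

function Test-HostNameMatch([string]$Pattern, [string]$HostName) {
    # Exact match, or a single-label wildcard match for '*.example.com'-style names.
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)   # '.example.com'
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return [string]::Equals($Pattern, $HostName, [StringComparison]::OrdinalIgnoreCase)
}

# 1. Port conflict: the guide requires a port that no other Afaria component uses.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $ListenerPort -ErrorAction SilentlyContinue)
if ($listeners.Count -gt 0) {
    foreach ($c in $listeners) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("Port {0} is already in use by PID {1} ({2})" -f $ListenerPort, $c.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Host "Port $ListenerPort is free."
}

# 2. HTTPS certificate: the console's Browse dialog offers only certificates from the
#    server's personal store (Cert:\LocalMachine\My). For the filter's PowerShell component
#    to trust the listener, the certificate must have a private key, be inside its validity
#    period, carry the Server Authentication EKU, and name the host the filter will reach.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now = Get-Date
$usable = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $cert.HasPrivateKey -or $cert.NotAfter -le $now -or $cert.NotBefore -gt $now) { continue }
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = $eku -and (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0)
    # First SAN dNSName, or the subject CN when there is no SAN. Certificates with several
    # SAN entries should be checked against the full SAN extension (OID 2.5.29.17).
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($serverAuth -and (Test-HostNameMatch $dnsName $ListenerHost)) { $cert }
}
if (-not $usable) {
    Write-Warning "No certificate in Cert:\LocalMachine\My is usable for https://${ListenerHost}:${ListenerPort}/"
} else {
    $usable | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize
}
```

If the script reports a usable certificate, its Subject is the entry to pick in the Browse dialog in step 3c; if it reports none, import or request a certificate for the host name first, otherwise the filter's refresh of Devices.xml will fail with a certificate error rather than a policy error.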
Configuring Relay Server for Access Control
To configure the Relay Server to support the Afaria filter used in Access Control for Email,
define the relay server configuration file, configure settings on the Afaria Administration
console, and reinstall the PowerShell component of the Afaria filter.
Prerequisites
• The Relay Server is configured for basic operations.
Note: You must configure the Relay Server for your Afaria server, regardless of whether you plan to use it for device connections.
• The two components of the Afaria filter are installed, and Access Control has been configured on the Afaria Administration console.
Task
The following steps describe how to add the relay server to your current configuration for
Access Control for Email.
1. Configure the relay server configuration file rs.config to support the Afaria filter.
In the [backend_farm] section, define the Afaria filter's farm ID by using
<AfariaServerFarmID>-IS, where <AfariaServerFarmID> is the same farm ID
you defined for the Afaria server.
For example, if you define your Afaria server farm ID as Afariafarm, then define your
filter's farm ID as Afariafarm-IS.
2. On the Server > Configuration > Access Control Server page of the Afaria
Administration console, select Use Relay Server, then click Save.
3. Reinstall the PowerShell component of the filter. In the Server Settings page of the
installation wizard, enter the relay server address and farm ID.
The farm ID you enter must match the farm ID you defined for the Afaria server in the relay
server configuration file. The installation wizard automatically appends -IS to match the
farm ID defined for the filter.
4. Restart the machine on which you reinstalled the PowerShell component.
5. Restart the relay server host.
6. In the Afaria Administration console, restart the Afaria server service.
See also
Relay Server on page 119
Additional Afaria Components on page 9
Server Configuration for Installation and Management on page 48
Access Control for E-mail on page 79
Configuring Exchange ActiveSync for iOS Devices
Configure an Exchange ActiveSync account with a Microsoft Exchange server. You can
create a policy for users by specifying the user name, host name, and e-mail address, or only
the host name.
Note: This task is applicable for hosted e-mail and local e-mail environments.
1. From the Afaria Administrator Web Console, click the Policy tab.
2. Do one of the following:
To create a new iOS Configuration policy, click New > Configuration > iOS and
provide information on the Summary page.
To edit an existing iOS Configuration policy, select the policy from the list and click
Edit.
3. Expand the MDM Payload menu and select Exchange ActiveSync.
4. Click Add.
5. Provide the following information:
Name: Enter a unique name.
Host: Enter the host. For example, m.outlook.com.
Domain Host: Leave this field blank or add an administrative e-mail address.
User: Enter an Exchange 365 e-mail address. For example,
BlockMe@afaria13.onmicrosoft.com.
Password: Enter your password.
If you want to use substitution variables, click the Substitution link next to the following boxes and select the variables indicated below:
Domain Host: Use the variable %S.ExchangeDomain%.
Note: If you use the %S.ExchangeDomain% variable, configure the enrollment policy so that either the domain is specified on the General page or the Exchange Domain device prompt is selected on the Variable page.
User: Use the variable %S.ExchangeUser%.
E-mail Address: Use the variables %S.ExchangeUser% and %S.ExchangeDomain%, in the format %S.ExchangeUser%@%S.ExchangeDomain%.
Password: Use the variable %S.ExchangePassword%.
Editing the Registry to Create Extra Logs
If Afaria 7 SP2 Hotfix 14 is installed, create a loginfo (DWORD) registry value under HKEY_LOCAL_MACHINE\SOFTWARE\AFARIA\AFARIA\ISAPI and set it to 1.
If you need the XSISAPI.DLL log, create an ISAPIDebug (DWORD) registry value under HKEY_LOCAL_MACHINE\SOFTWARE\AFARIA\AFARIA\ISAPI, set it to a value greater than 1, and run DebugView as administrator to capture the debug output.
Required Variables While Creating/Editing an iOS or Android Enrollment Policy
When you are creating and editing an iOS or Android enrollment policy, add the following
variables:
ExchangeDomain (for Exchange and Domino environments)
ExchangePassword (for Exchange and Domino environments)
ExchangeUser (for Exchange and Domino environments)
UserName
Examples for Using Substitution Variables When Creating/Editing an Android
or iOS Configuration Policy
This section provides examples of how to use substitution variables when creating or editing
an Android or iOS configuration policy.
Example 1
When creating or editing a configuration policy for built-in e-mail on a Samsung device, on the Policy > Edit > Android Configuration > Samsung > Exchange account policy page, you can use substitution variables for:
Domain - %S.ExchangeDomain%
Email Address - %S.ExchangeUser%@%S.ExchangeDomain%
Note: For the built-in e-mail account, the configuration policy can retrieve the ASID only from Samsung devices with MDM 2.0 or later.
Example 2
When creating or editing a configuration policy for NitroDesk, on the Policy > Edit > Android Configuration > Account configuration page, you can use substitution variables for:
User ID - %S.ExchangeUser%
Password - %S.ExchangePassword%
Email Address - %S.ExchangeUser%@%S.ExchangeDomain%
Domain - %S.ExchangeDomain%
Example 3
When creating or editing a configuration policy for iOS, on the Policy > Edit > iOS Configuration > Exchange ActiveSync page, you can use substitution variables for:
Host - subcas.%S.ExchangeDomain%, where subcas is a sample CAS server name.
Domain Host - Do not include %S.ExchangeDomain% for Domain Host. However, if you choose to use the substitution variable %S.ExchangeDomain%, ensure that the domain is specified on the enrollment policy General page or that the Exchange domain prompt is selected on the enrollment policy Variable page.
User - %S.ExchangeUser%
Email Address - %S.ExchangeUser%@%S.ExchangeDomain%
Password - %S.ExchangePassword%. You can also choose to leave the Password field blank.
Required E-Mail Formats for Android Devices
For Android devices, the e-mail user name requirement for Access Control for Email varies
according to your enterprise environment.
Ensure that users enter the information correctly. On the device's configuration page (Afaria >
Configuration), the e-mail user name must comply with your e-mail server's requirement for
user name. The format, as observed in table A_ANDROID_DEVICES, is:
domain\user
user@domain
Manually Configuring an E-mail Application for Android Devices While Using
an Access Control Policy
Configure an e-mail application on Android devices manually when an access control policy is in use.
Afaria cannot identify an incoming device as an Android device from its synchronization request alone, and therefore cannot map the Android default policy to the device. After the device type is listed in the Afaria database table as a known Android device type, use data from the Afaria access control filter logs to configure the Android e-mail user name property.
1. Try to configure e-mail on the device.
2. On the server that hosts the Afaria access control filter, capture the Android device type reported by the device in C:\Windows\System32\config\systemprofile\AppData\Roaming\XSISAPI\XSISAPIPipe_Log.txt.
3. Open the A_CONFIGURATION_PROPERTY table in your database management console and update the ISAPIAndroidDeviceTypes row to add the new device type reported in XSISAPIPipe_Log.txt.
If the device type reported by the device is not in the Devices.xml file, the Android device cannot be managed by Access Control. If the device type is in Devices.xml, no further action is required.
For example, the device may report itself with a device type value such as TOUCHDOWN, MotoDROID2v451, or htcholiday.
The following is a sample entry from XSISAPIPipe_Log.txt:
12-09-27 08:43 Responding '2' to request: ID='31333438373436343439323238353835', USER='domain-name\droid', TYPE='TouchDown'
4. Using the Afaria Administration Client, restart the Afaria service.
Allow sufficient time for the Afaria server to update the devices list, according to the
polling period defined on the Server > Configuration > Component > Access Control
Option page.
5. Try to configure email on the device again.
Because the unknown policy is set to block, you will not be allowed to configure e-mail, but this step is required to generate the file C:\Windows\System32\config\systemprofile\AppData\Roaming\NewDevices.xml on the server that hosts the Afaria access control filter.
6. Wait for the polling period defined on the Server > Configuration > Component >
Access Control Option page.
7. Install the Afaria application on the device.
8. Enroll the device in Afaria management using an enrollment policy that includes a user-
facing prompt for the device user name.
If the MS Exchange user name prompt is not used, go to the Afaria application on the
device and select Configuration > Exchange User Name.
9. Connect to Afaria.
10. Go to the Afaria Administrator Web Console and navigate to Server > Configuration >
Component > Access Control Option page. The Android device appears with the correct
Device ID and Exchange ID in the Devices tab. You can now manage Android devices
using separate, per-device policies, rather than having to use the default policy.
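The following PowerShell script is an added example, not part of the SAP guide, that reads the two files this chapter describes, the PipeServer trace XSISAPIPipe_Log.txt and the Devices.xml client list, and produces the two things the procedure above asks you to find by hand: the device type values to add to the ISAPIAndroidDeviceTypes row (step 3), and the ActiveSync IDs in the trace that Devices.xml does not contain yet (the devices you would expect to find in NewDevices.xml). The sample lines are constructed in the guide's format; the <clients> root element, the current content of ISAPIAndroidDeviceTypes, case-insensitive matching of device types and the reading of a '2' response as "device not identified" are assumptions.

```powershell
# Added example, not from the SAP Afaria guide. Replace the two here-strings with
#   Get-Content 'C:\Windows\System32\config\systemprofile\AppData\Roaming\XSISAPI\XSISAPIPipe_Log.txt'
#   and [xml](Get-Content -Raw <path to Devices.xml>) to run against real files.
$sampleLog = @'
13-05-14 06:41 Responding '0' to request: ID='SAMSUNG1351822059308603', USER='sy-alphaqa.com\xoom', TYPE='SAMSUNGGTI9100'
13-05-14 06:41 Responding '1' to request: ID='APPLDLXH20UKDKNW', USER='sy-alphaqa.com\mangesh01', TYPE='iPad'
13-05-14 06:41 Responding '2' to request: ID='APPLC38GPXGVDT9V', USER='sy-alphaqa.com\deepa1', TYPE='iPhone'
13-05-14 06:42 Responding '2' to request: ID='31333438373436343439323238353835', USER='sy-alphaqa.com\droid', TYPE='TouchDown'
13-05-14 06:42 PipeServer timed out
'@
# Constructed Devices.xml; the guide shows only the <client> entries, the root is assumed.
$sampleDevicesXml = @'
<clients>
  <client GUID="APPLDLXH20UKDKNW" User="mangesh01" SP="66" ExID="SY-ALPHAQA.COM\mangesh01" Type="-8" status="1" />
  <client GUID="SAMSUNG1351822059308603" User="xoom" SP="66" ExID="SY-ALPHAQA.COM\xoom" Type="-8" status="0" />
</clients>
'@
# Device types assumed to be in the ISAPIAndroidDeviceTypes row already.
$knownAndroidTypes = @('MotoDROID2v451', 'htcholiday')

function ConvertFrom-PipeLog {
    # Parses "Responding 'N' to request: ID='..', USER='..', TYPE='..'" lines and warns
    # on the PipeServer failure messages the guide lists.
    param([string[]]$Lines)
    $pattern = "^(?<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}) Responding '(?<code>\d)' to request:\s*ID='(?<id>[^']*)',\s*USER='(?<user>[^']*)',\s*TYPE='(?<type>[^']*)'"
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time = $Matches.ts; Code = [int]$Matches.code
                Asid = $Matches.id; User = $Matches.user; Type = $Matches.type
            }
        } elseif ($line -match 'PipeServer timed out|Can.?t open named pipe') {
            Write-Warning "PipeServer problem in trace: $line"
        }
    }
}

function Get-DeviceList {
    # Indexes Devices.xml by GUID, which is the ASID the filter sends as ID=.
    param([xml]$Xml)
    $map = @{}
    foreach ($c in $Xml.SelectNodes('//client')) { $map[$c.GUID] = $c }
    $map
}

$entries = ConvertFrom-PipeLog -Lines ($sampleLog -split "`r?`n")
$devices = Get-DeviceList -Xml ([xml]$sampleDevicesXml)

# (a) Candidates for the ISAPIAndroidDeviceTypes row: types behind a '2' response that are
#     not Apple device types and are not listed yet. -notcontains is case-insensitive.
$newTypes = $entries | Where-Object { $_.Code -eq 2 -and $_.Type -notmatch '^(iPhone|iPad|iPod)' } |
    Select-Object -ExpandProperty Type -Unique | Where-Object { $knownAndroidTypes -notcontains $_ }
"Device types to add to ISAPIAndroidDeviceTypes: $($newTypes -join ', ')"

# (b) Per-request reconciliation of the trace against Devices.xml.
$entries | ForEach-Object {
    $known = $devices[$_.Asid]
    $status = if ($known) { $known.status } else { 'not in Devices.xml (check NewDevices.xml)' }
    [pscustomobject]@{
        Time = $_.Time; Asid = $_.Asid; User = $_.User; Type = $_.Type
        Response = $_.Code; InList = [bool]$known; Status = $status
    }
} | Format-Table -AutoSize
```

With the constructed input the script reports TouchDown as the type to add, flags the APPLC38GPXGVDT9V and TouchDown requests as absent from Devices.xml, and warns about the "PipeServer timed out" line. A '1' response for a device whose Devices.xml status is 0, or the reverse, means the filter is working from a stale list and the HTTPS.txt log of the polling agent is the next place to look.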
Support for Network Access Control
Afaria Network Access Control (NAC) manages the access of Android and iOS devices to
corporate WiFi networks by ensuring the devices are under Afaria control before WiFi access
is granted. This ensures that devices are kept in compliance with Afaria MDM control,
enforcing inventory collection and security policies on the device before permitting access to
enterprise networks.
The process flow for a NAC-managed connection to corporate WiFi is described below.
1. User's device attempts to access company network via WiFi.
2. NAC queries Afaria via REST API to validate if the device is known and secure.
3. NAC allows the connection if the device is under Afaria MDM control. If the device is not
under Afaria control, the NAC service re-directs the device user to a customizable web
page that indicates the device is not recognized by Afaria, and to contact the Afaria
administrator to learn how to enroll in device management.
You can change the redirect URL for NAC on the system where the NAC service is installed by editing the file C:\Program Files (x86)\AfariaNetworkAccessControlService\Bin\AfariaNACAPIService.exe.config and changing the URL value:
<appSettings>
<add key="RedirectUrl" value="http://localhost/NetworkAccessControl/UnmanagedDevicePage.htm"/>
</appSettings>
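The following PowerShell script is an added example, not part of the SAP guide, that makes the RedirectUrl change through the XML API instead of a text replace, keeps a backup of the .exe.config, and rejects a value an unmanaged device could never reach: the redirect is followed by the device's browser, so the shipped http://localhost value only works if the page is served from the device itself. The new URL, the host name in it and the https requirement are assumptions; the config path and the service display name are taken from the guide.

```powershell
# Added example, not from the SAP Afaria guide. Run elevated on the NAC service host.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\AfariaNetworkAccessControlService\Bin\AfariaNACAPIService.exe.config',
    [string]$NewUrl     = 'https://nac.corp.example/NetworkAccessControl/UnmanagedDevicePage.htm'  # assumed value
)

# Validate the URL before touching the file.
$uri = $null
if (-not [Uri]::TryCreate($NewUrl, [UriKind]::Absolute, [ref]$uri)) { throw "Not an absolute URL: $NewUrl" }
if ($uri.IsLoopback) { throw "A loopback host is not reachable from a quarantined device: $NewUrl" }
if ($uri.Scheme -ne 'https') {
    Write-Warning "RedirectUrl is not https; the unmanaged-device page can be spoofed on the guest network."
}

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$setting = $config.SelectSingleNode("/configuration/appSettings/add[@key='RedirectUrl']")
if (-not $setting) { throw "No <add key='RedirectUrl'> element found in $ConfigPath" }

# Keep a timestamped backup, then rewrite only the one attribute.
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
$old = $setting.GetAttribute('value')
$setting.SetAttribute('value', $uri.AbsoluteUri)
$config.Save($ConfigPath)
Write-Host "RedirectUrl: $old -> $($uri.AbsoluteUri)"

# The service reads its .exe.config at start-up, so restart it for the change to apply.
Restart-Service -DisplayName 'Afaria Network Access Control Service' -ErrorAction Stop
```

After the restart, test from a device on the quarantine VLAN rather than from the NAC host, because that is the only vantage point from which the redirect target has to resolve.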
The diagram below depicts how the NAC components obtain information from Afaria.
The NAC router makes a request to Afaria NAC service on the Afaria Administration server.
The request is passed to the Afaria APIs, through the Afaria Data Access Layer (DAL), and to
the database. The Afaria NAC service then sends the appropriate response to the NAC router
making the request.
If Afaria server is hosted, and a device is trying to connect to a corporate server at a tenant
customer site, the NAC router at the tenant site first authenticates the device and then contacts
the Afaria NAC service at the hosting site. After Afaria responds to the NAC server request,
the NAC server can then allow the compliant device to access the corporate server at the tenant
customer site.
Installing and Starting Afaria NAC Service
Install Afaria Network Access Control (NAC) services to respond to NAC router requests to
enforce device compliance.
Prerequisites
Install the Afaria API service and Administrator.
Task
1. On the Afaria Administrator server, start the setup program (setup.exe).
2. Click Install.
3. On the setup menu, click Additional Installations and Resources > Install Afaria
Support for Network Access Control.
4. Click Next on the Welcome dialog.
5. On the Directory Selection page, accept the default location, or click Browse to navigate to
a different location. Click Next.
If the directory you specify does not exist, you can create it.
6. Enter the same account name and password that you used to install the Afaria API, to set up the service. Click Next.
7. Click Install.
When the installation has finished, you see the Setup Complete screen.
8. To start the NAC service, click START the service now.
Afaria Network Access Control Service appears in both the services list and in the
Microsoft Add/Remove Programs utility.
Adding an Account Name on Afaria NAC Server
Add an account name for Afaria to authenticate incoming requests from Network Access
Control (NAC) services to provide information or perform action through Afaria.
Prerequisites
Install Afaria API Service and Afaria Administration console.
Task
1. On the Home page Server tile, click Configuration.
2. Navigate to the Server > Network Access Control page.
3. Click Add.
4. Enter an account name and a note. If the Afaria installation is standalone, enter a Windows
account name. If Afaria is installed using Active Directory (AD) authentication, enter an
AD account name.
5. Click Save.
Self-Service Portal
(Optional) Self-Service Portal allows end users to enroll their device in Afaria management,
view their device information and issue commands, such as password reset.
The portal is for deployment inside the enterprise network with a Microsoft Forefront Threat
Management Gateway instance in the DMZ configured to accept device connections and pass
traffic to the portal.
Note: For iOS devices using a non-custom version of the Afaria application (obtained from
the App Store), the portal is the only method of obtaining iOS Enterprise Applications marked
as Optional. The Afaria application does not display iOS Enterprise Applications on the apps
tab, but will prompt the user to install any Required Enterprise Applications.
To use a signed and certified custom version of the Afaria application, contact Afaria technical
support.
Preparing to Install Self-Service Portal
Configure tenants and enrollment policies prior to installing the Self-Service Portal.
1. Refer to the Afaria Administration Reference Guide for tenant and enrollment policy configuration information.
2. Add and configure the applicable tenants.
3. Set up enrollment policies for tenants.
The portal displays enrollment codes and associated information during the installation.
Expired and/or disabled codes do not display.
See also
Creating a Domain User Account for Operating Afaria on page 23
Installing the Self-Service Portal
Install one or more portals in the enterprise network. To separate tenants, or to associate
different enrollment codes with different groups of users, install more than one portal on a
server.
Prerequisites
Prepare your Afaria server configuration and environment, including defining tenants and
configuring enrollment policies.
Task
Consider these items when installing the portal:
• The portal is for deployment inside the enterprise network, with a Microsoft Forefront Threat Management Gateway instance in the DMZ configured to accept device connections and pass traffic to the portal.
• You can install the portal on a server without any other Afaria components.
• The portal can coexist with the Afaria server, Afaria Administration console, package server, or enrollment server.
• If you plan to install using LDAP authentication, rather than other authentication options, the installing domain user account must have Active Directory access account permissions for ongoing operations.
• The server where you install and run the portal should be configured to use only HTTPS connections (SSL required).
1. On the planned server, from the release image's EUSSP folder, start the setup program
(setup.exe).
2. Select a method for authenticating users that connect to the portal.
• Windows - has two options:
Windows integrated authentication
Windows basic authentication
Both are properties of IIS operations. The user is prompted on the device for user credentials. The appropriate entry may vary by network environment, but is often formed as <Domain>\<UserName> or just <UserName>. Valid for connecting Android, iOS, and Windows Mobile devices. Basic authentication sends the credentials base64-encoded in every request, so it depends on the HTTPS-only configuration described above.
• Active Directory - the user is prompted on the portal default page for user name and password. Valid for connecting Android, BlackBerry, iOS, and Windows Mobile devices. You can use a Windows computer to enroll a Windows Mobile device, but you cannot connect a Windows Mobile device to the portal.
• LDAP (Active Directory) - the user is prompted on the portal default page for user name and password. Valid for connecting Android, BlackBerry, iOS, and Windows Mobile devices. You can use a Windows computer to enroll a Windows Mobile device, but you cannot connect a Windows Mobile device to the portal.
This option does not support port 445. Using this option requires that the installing domain user account has Active Directory access account permissions for ongoing operations.
3. (Optional) On the Active Directory Setup page or the LDAP Setup page, enter the Active Directory server address, the account name, and the password to access the server.
Warning! Ensure that you provide valid information here. The installation can continue even if you provide invalid credentials, but the portal will indicate an error when you log in using valid credentials.
4. On the Specify Server Address page, define the address for the Afaria server.
5. On the Afaria API Server page, define the address and port of the API server, the login
credentials, and the binding type used to obtain the enrollment code.
If "Credentials" is unselected, you must specify a user name for login. The default binding
type for a new Self-Service Portal installation is NetTcp. For upgrades, the existing
binding type is the default.
6. (Optional) Click Test Connection to test the connection to the API server.
Click Next to automatically validate the connection to the API server.
7. On the Specify Tenant and Self-Service Portal Name screen, select a tenant from the drop-
down list and specify a name for the Self-Service Portal.
The portal name is auto-populated with <domainmachinename>\<virtualdirectoryname>. You can edit the auto-populated default name, if required.
8. Follow the setup wizard to completion.
Afaria Self-Service Portal Address
The address for end-users to access the portal uses the portal's server address and the virtual
directory you define during installation. To use a different enrollment code, you can add the
code to the address.
The portal address for using the enrollment code that you selected in the Afaria Administration console uses this syntax:
<protocol>://<PortalAddress>/<VirtualDirectory>
For example:
HTTP://portal.company.com/ssp
HTTP://63.176.1.74/ssp14
HTTPS://portal.company.com/sspsales
Because the portal server should accept only HTTPS connections, distribute HTTPS addresses to users.
The portal address for using an enrollment code other than the one you selected in the Afaria Administration console uses this syntax:
<protocol>://<PortalAddress>/<VirtualDirectory>/<TypeCode><EnrollmentCode>
Using these device type codes:
a - Android
b - BlackBerry
i - iOS
p - Windows Mobile Pro
s - Windows Mobile Standard
w - Windows Phone
For example:
For an Android code - HTTP://portal.company.com/ssp/agclpfzjs
For an iOS code - HTTP://portal.company.com/ssp14/itc8bnyvk
For a Windows Mobile Smartphone code - HTTPS://portal.company.com/sspsales/stcthxyrk
For a Windows Phone code - HTTPS://portal.company.com/aips2/Discovery.svc?ID=wKKERQuN&ClientType=-11
Configuring Enrollment Codes for Self-Service Portal
Configure enrollment codes for different device types, and associate with an instance of the
Self-Service Portal.
Prerequisites
Ensure that the enrollment policies or codes are already created before you can associate them
with the Self-Service Portal.
Task
1. On the Home page Server tile, click Configuration to open the Server Configuration
page.
2. Navigate to the Component > Self-Service Portal page.
3. On the Codes tab, click Add to add an instance of the Self-Service Portal.
4. Select the name of the portal from the SSP Name drop-down list.
5. Select the enrollment codes for the required device types from the corresponding drop-
down lists.
For a device type, all the enrollment policies having enrollment codes enabled for the
portal appear in the list. For an iOS device, the enrollment policy also has an auto-
generated enrollment URL, in addition to the enrollment codes, if configured.
6. Click the Save icon, and then click Save at the top of the page.
Configuring Afaria Server for Self-Service Portal
Acceptance Message
Configure Afaria server to set up an optional acceptance message for the Self-Service Portal,
in any of the languages supported by the system.
Prerequisites
Verify that the acceptance message in the required language is available for upload in HTML
or text format.
Task
The end users can view, review, and accept the message, while accessing and enrolling devices
using the Self-Service Portal.
1. On the Home page Server tile, click Configuration to open the Server Configuration
page.
2. Navigate to the Component > Self-Service Portal page.
3. On the Acceptance tab, select the options for the acceptance message prompt on the Self-Service Portal:
• First time the user logs in to the Self-Service Portal
• Each time the user enrolls a device using Self-Service Portal
• Each time the acceptance message changes
Note: You cannot select the first and the second options at the same time.
4. Click Add to browse and select the acceptance message in the required language.
The date and the time the file is uploaded is appended to the file name and appears in the
Acceptance Message text box.
If you cancel the changes after uploading the acceptance file, the acceptance file is not
deleted. Delete the file manually by clicking Delete.
5. Click Preview to view the acceptance message, as it will appear on the Self-Service
Portal.
6. Click Save.
Configuring Afaria Server for Self-Service Portal Request
Timeout
Configure the Afaria server to limit the amount of time Self-Service Portal users have to
complete device enrollment, once started.
You may have already configured this setting when configuring for enrollment server. This
setting applies only for Android, iOS, and Windows Phone devices.
1. On the Home page Server tile, click Configuration to open the Server Configuration
page.
2. Navigate to the Component > Self-Service Portal page.
3. On the Requests tab, specify the duration for the validity of the enrollment request.
The default timeout is set to one hour.
4. Click Save.
Editing Enrollment Codes for Self-Service Portal
Add new enrollment codes or edit existing enrollment codes for the Self-Service Portal in the
Afaria Administration console, without uninstalling the portal.
1. On the Home page Server tile, click Configuration to open the Server Configuration
page.
2. Navigate to the Component > Self-Service Portal page.
3. Select the portal instance for which you need to add or edit the enrollment code details.
4. Click Edit to modify the details as required.
All enrollment codes available for a device type appear in the corresponding drop-down
list.
Removing Association of Enrollment Codes from Self-
Service Portal
Remove the association of an enrollment code from an instance of the Self-Service Portal.
1. On the Home page Server tile, click Configuration to open the Server Configuration
page.
2. Navigate to the Component > Self-Service Portal page.
3. Select the portal instance you wish to disassociate from the enrollment code.
4. Click Delete to remove the association.
Removing the association does not delete the enrollment policy or code; it only de-links
the association between the enrollment code and the portal instance.
Configuring Self-Service Portal iOS Consolidated
Authentication
Configure Afaria to use Self-Service Portal credentials for iOS device authentication during enrollment when an iOS 7 device enrolls via MDM-first enrollment.
If this setting is turned on (the default), the end user enters credentials and authenticates with the Self-Service Portal, and is not asked to enter credentials again to authenticate with the enrollment server during enrollment. If this setting is turned off, the end user authenticates with the portal and is then asked to enter credentials to authenticate with the enrollment server during enrollment.
1. On the Home page Server tile, click Configuration to open the Server Configuration
page.
2. Navigate to the Component > Self-Service Portal page.
3. On the Requests tab, in the Self-service portal iOS consolidated authentication section,
turn on or off the setting to use the portal credentials for iOS device authentication during
enrollment.
This setting is turned on, by default.
4. Click Save.
Using iOS Consolidated Authentication with User Group Assignments
An advanced use of the iOS consolidated authentication setting is to leverage user group assignments for iOS 7 devices based on the authenticated Self-Service Portal user name.
In addition to enabling this setting, the authentication methods of your Afaria components and
user group assignments also must be set up and configured properly.
Note: After completing MDM-first enrollment with iOS 7 device, the policies linked to the
user group assignments will be delivered to the device prior to the end-user launching the
Afaria application on the device. If the end-user launches the Afaria application before
receiving the polices linked to the user group assignments, the Afaria application will prompt
the end-user for credentials, based on the authentication setup for enrollment server and
package server.
The authentication setup combinations supported are:
1. Self-Service Portal and Afaria using Active Directory, and user name format is User Principal Name:
Self-Service Portal configured to use Active Directory and the User Principal Name (UPN) format for the user name to log in to the portal.
Enrollment server and package server configured to use Afaria Managed authentication.
Afaria configured to use Active Directory with User Name Attribute set to User Principal Name (UPN) format. (Directory configurations are located on the Server > Configuration > Server > Security page.)
User group defined to use Active Directory Group. (For information on creating user groups, refer to the Afaria Administration Reference documentation.)
2. Self-Service Portal using LDAP, Afaria using Active Directory, and user name format is
SamAccountName:
Self-Service Portal configured to use LDAP and use SamAccountName format for
user name to login to the portal.
Enrollment server and package server configured to use Afaria Managed
authentication.
Afaria configured to use Active Directory with User Name Attribute set to Sam
Account Name format. (Directory configurations are located on Server >
Configuration > Server > Security page.)
User group defined to use Active Directory Group. (For information on creating user
group, refer to Afaria Administration Reference documentation.)
3. Self-Service Portal using LDAP, Afaria using Active Directory, and user name format is User Principal Name:
Self-Service Portal configured to use LDAP and the User Principal Name format for the user name to log in to the portal.
Enrollment server and package server configured to use Afaria Managed authentication.
Afaria configured to use Active Directory with User Name Attribute set to User Principal Name format. (Directory configurations are located on the Server > Configuration > Server > Security page.)
User group defined to use Active Directory Group. (For information on creating user groups, refer to the Afaria Administration Reference documentation.)
4. Self-Service Portal using Windows basic, enrollment server and package server using
Afaria Managed, Afaria using NT:
Self-Service Portal configured to use Windows basic.
Enrollment server and package server configured to use Afaria Managed
authentication.
Afaria configured to use NT with NT default authentication, and NT assignments
domains set to local machine name or left blank/none; allows the accepted user name
formats for end-users to be username and machinename\username. (Directory
configurations are located on Server > Configuration > Server > Security page.)
User group defined to use Local Windows Group. (For information on creating user
group, refer to Afaria Administration Reference documentation.)
Local virtual machine server not on domain.
5. Self-Service Portal using Windows basic, enrollment server and package server using
Windows:
Self-Service Portal configured to use Windows basic. Allows the accepted user name
formats for end-users to be username and machinename\username.
Enrollment server and package server configured to use Windows authentication.
User group defined to use Local Windows Group. (For information on creating user
group, refer to Afaria Administration Reference documentation.)
Local virtual machine server not on domain.
6. Self-Service Portal using Windows integrated, enrollment server and package server
using Afaria Managed, Afaria using NT:
Self-Service Portal configured to use Windows integrated.
Enrollment server and package server configured to use Afaria Managed
authentication.
Afaria configured to use NT with NT default authentication, and the NT assignments
domain set to the local machine name or left blank/none; the accepted end-user name
formats are then username and machinename\username. (Directory
configurations are located on the Server > Configuration > Server > Security page.)
User group defined to use Local Windows Group. (For information on creating user
group, refer to Afaria Administration Reference documentation.)
Local virtual machine server not on domain.
7. Self-Service Portal using Windows integrated, enrollment server and package server using
Windows:
Self-Service Portal configured to use Windows integrated. The accepted end-user
name formats are username and machinename\username.
Enrollment server and package server configured to use Windows authentication.
User group defined to use Local Windows Group. (For information on creating user
group, refer to Afaria Administration Reference documentation.)
Local virtual machine server not on domain.
Note: If authentication is disabled on the enrollment and package servers, and the Self-
Service Portal iOS consolidated authentication setting is turned on, the portal authenticated
user name will be set for the user group assignment. If authentication is disabled on the
enrollment and package servers, and the iOS consolidated authentication setting is turned off,
the portal authenticated user name will not be set for the user group assignment.
Relay Server
The Afaria solution supports using a relay server to operate as a proxy for HTTP and HTTPS
sessions between Afaria server components and devices.
Note: Use of a relay server is not a requirement; it is bundled with the Afaria product on the
product installation image as an optional component.
A relay server lets you further secure your enterprise network by moving the session
connection point from within your firewall to your demilitarized zone (DMZ).
When you use a relay server, devices and Afaria server components never make a direct
connection. The relay server transfers session traffic from devices to the component, and from
the component to the devices. The Afaria server component initiates an outbound connection
through the enterprise firewall to the relay server, then waits for the relay server to send session
traffic. Devices initiate a connection to the relay server, as if it were an Afaria server
component, and maintain their session with the relay server, which continues to relay traffic
until the session is complete.
The relay server component may be a single server or it may be a load-balanced server farm.
Afaria supports using the relay server with any of these Afaria server components:
Afaria server
Enrollment server
iOS certificate authority
Afaria filter used in Access Control for Email
Package server
Application Onboarding certificate authority
An Afaria server component may be a single server or a farm. You can configure relay servers
to support more than one Afaria server component.
The SQL Anywhere Relay Server is designed as a scalable solution to support a number of
Sybase server-based solutions. Afaria is just one example of a supported solution.
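The connection model described above, as an added loopback illustration (this is not code from SAP or from the SQL Anywhere relay server, and it is not the relay server's wire protocol): the "relay" listens on two ports; the "outbound enabler", standing in for rsoe.exe on a server component, dials out to the relay and presents a farm id and token, which the relay compares with its own configuration (treating the rs.config farm/token pair as a login is this example's assumption); "devices" dial in to the relay, which forwards each request over the single already-open enabler link and returns the reply. The farm id, token and message contents are constructed values.

```python
"""Connection model of an Afaria relay server, as a loopback toy.

Added illustration, not code from SAP or from the SQL Anywhere relay server,
and not its wire protocol; it only reproduces the direction of the
connections. The relay listens on two ports. The "outbound enabler" (playing
rsoe.exe on an Afaria server component) dials OUT to the relay and presents a
farm id and token, which the relay compares with its own configured values
(treating the rs.config farm/token fields as a login is this example's
assumption). Devices dial IN to the relay, which forwards each request over
the single already-open enabler link and returns the reply. The component
never accepts an inbound connection, so only an outbound firewall rule is
needed for it.
"""
import socket
import struct
import threading
from typing import Dict, List, Tuple

FARM_ID, TOKEN = "Afaria", "shared-secret"   # constructed relay configuration
socket.setdefaulttimeout(10)                  # never hang the demo on a bug


def send_msg(sock: socket.socket, data: bytes) -> None:
    """Length-prefixed frame so a request or reply never straddles a read."""
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_msg(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, length)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def component(relay_addr: Tuple[str, int], token: str, requests: int) -> None:
    """Server component side: connect out, authenticate, then answer requests."""
    with socket.create_connection(relay_addr) as link:
        send_msg(link, f"{FARM_ID}\n{token}".encode())
        if recv_msg(link) != b"OK":
            return                                # relay rejected the enabler
        for _ in range(requests):
            send_msg(link, b"reply:" + recv_msg(link).upper())


def relay(enabler_srv: socket.socket, device_srv: socket.socket, n_devices: int,
          decision: Dict[str, bool], ready: threading.Event) -> None:
    """Relay side: one inbound enabler connection, many inbound device connections."""
    with enabler_srv.accept()[0] as link:
        farm_id, token = recv_msg(link).decode().split("\n", 1)
        decision["accepted"] = (farm_id, token) == (FARM_ID, TOKEN)
        send_msg(link, b"OK" if decision["accepted"] else b"REJECTED")
        ready.set()
        if not decision["accepted"]:
            return
        for _ in range(n_devices):
            with device_srv.accept()[0] as device:
                send_msg(link, recv_msg(device))      # forward over the existing outbound link
                send_msg(device, recv_msg(link))      # and hand the reply back to the device


def run_demo(messages: List[str], token: str = TOKEN) -> List[str]:
    """Run relay, component and devices on loopback; return what the devices got back."""
    enabler_srv, device_srv = socket.socket(), socket.socket()
    for srv in (enabler_srv, device_srv):
        srv.bind(("127.0.0.1", 0))               # OS-assigned port, as this is a toy
        srv.listen(8)
    decision: Dict[str, bool] = {}
    ready = threading.Event()
    threads = [
        threading.Thread(target=relay, args=(enabler_srv, device_srv, len(messages), decision, ready)),
        threading.Thread(target=component, args=(enabler_srv.getsockname(), token, len(messages))),
    ]
    for t in threads:
        t.start()
    replies: List[str] = []
    if ready.wait(10) and decision["accepted"]:
        for text in messages:                    # each device dials the relay, not the component
            with socket.create_connection(device_srv.getsockname()) as device:
                send_msg(device, text.encode())
                replies.append(recv_msg(device).decode())
    for t in threads:
        t.join()
    enabler_srv.close()
    device_srv.close()
    return replies


if __name__ == "__main__":
    print(run_demo(["hello", "ping"]))            # ['reply:HELLO', 'reply:PING']
    print(run_demo(["hello"], token="wrong"))     # [] - enabler rejected, nothing relayed
```

Running the file shows the two cases: a matching token yields relayed replies, a wrong token yields none, and at no point does anything connect inbound to the component, which is the property that lets the enterprise firewall carry only an outbound rule for it.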
See also
Installing Enrollment Server - Basic on page 61
Configuring Afaria Server for Package Server on page 76
Configuring Relay Server for Access Control on page 97
Configuring the Relay Server for Certificate Authority and Enrollment Server
Connections on page 74
Relay Server Executable Components
Relay server operations include two main executable components: the relay server host and
the relay server outbound enabler.
Relay server host (rshost.exe): the host resides on the relay server and is
responsible for accepting a single inbound connection from the outbound enabler,
accepting multiple inbound connections from Afaria devices, and handling the associated
processes that occur on the relay server for Afaria sessions. Install the relay server using
files available on the Afaria product image. Define its configuration settings by modifying
a sample configuration file.
Relay server outbound enabler (rsoe.exe): the outbound enabler is the relay agent
on the Afaria server component and is responsible for initiating the outbound connection
to the relay server. The Afaria setup program automatically installs the outbound
enabler on the Afaria server. To support components other than the Afaria server, copy the
rsoe.exe binary to those components. Define the relay server outbound enabler
configuration settings using the Afaria Administration console.
Afaria devices include configuration settings for using a relay server but do not require a
separate, executable component.
Setting Up the Relay Server for Basic Operations
To use the relay server to increase your enterprise network security, you must set up the relay
server for basic operations before you configure it to support any server components.
Setting Up the Relay Server for Basic Operations with IIS 7.5
For planned relay servers running Windows Server 2008 R2 (x64) with Internet Information
Services (IIS) 7.5, set up the relay server for basic operations before you configure it to support
any server components.
1. Copying Relay Server Files
Copy the relay server files from the Afaria product image to the machine where the relay
server will be installed.
2. Configuring IIS 7.5 for Relay Server Basic Operations
Setting up the relay server for basic operations requires configuring IIS on your relay server.
3. Editing the Relay Server Configuration File
Edit the relay server configuration file to configure the relay server's basic operations.
4. Installing the Relay Server Host as a Windows Service
Install the relay server host as a Windows service by running a service utility available in
the relay server installation folder.
Copying Relay Server Files
Copy the relay server files from the Afaria product image to the machine where the relay
server will be installed.
1. On the machine where you plan to install the relay server, create a new folder named
RelayServer. Its path becomes your relay server installation path, for example,
C:\Program Files\RelayServer.
2. On the Afaria product image, navigate to:
<product image>\relay_server\64 Bit\ias_relay_server.
3. Copy the folder ias_relay_server from the product image to your relay server
installation path. Ensure that you copy the folder, rather than just the files in the folder.
Configuring IIS 7.5 for Relay Server Basic Operations
Setting up the relay server for basic operations requires configuring IIS on your relay server.
Prerequisites
From the server manager utility of your relay server, verify that these roles and features are
installed:
IIS
Web Server Service
Common HTTP Features
Static Content
Default Document
Directory Browsing
HTTP Errors
ISAPI Extensions
HTTP Logging
Request Monitor
Request Filtering
Static Content Compression
IIS Management Console
IIS Management Scripts and Tools
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
IIS 6 Scripting Tools
IIS 6 Management Console
Install any missing items.
Task
Complete the following tasks to configure IIS 7.5 for relay server basic operations:
See also
Editing the Relay Server Configuration File on page 125
Creating a Relay Server Application Pool on IIS 7.5
Use your relay server's IIS manager utility to create an IIS application pool for relay server
operations.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and
double-click Internet Information Services (IIS) Manager.
2. From the Connections pane of the IIS manager utility, navigate to MachineName >
Application Pools.
3. Right-click Application Pools and select Add Application Pool.
4. Add an application pool with these attributes:
Name: RelayServer
.NET Framework version: .NET Framework v2.0.50727
Managed pipeline mode: Integrated
Start application pool immediately: selected
The list of application pools shows the RelayServer application pool.
5. Right-click the newly created application pool and select Advanced Settings. Set these
properties:
General > Queue Length: 65535
CPU > Limit Interval (minutes): 0
Process Model > Identity: ApplicationPoolIdentity
Process Model > Idle Time-out (minutes): 0
Process Model > Maximum Worker Processes: 20
Process Model > Ping Enabled: false
Process Model > Ping Maximum Response Time (seconds): 90
Process Model > Ping Period (seconds): 30
Rapid-Fail Protection > Enabled: false
Recycling > Disable Overlapped Recycle: true
Recycling > Regular Time Interval (minutes): 0
Creating a Web Application for the Relay Server on IIS 7.5
Use the IIS 7.5 manager utility to create a Web application for the relay server.
You can create the Web application for your relay server under the root directory of either the
default Web site or a custom web site. The custom Web site must use a different port than the
default Web site.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and
double-click Internet Information Services (IIS) Manager.
2. From the Connections pane of the IIS manager utility, navigate to MachineName >
Sites.
3. Right-click the Web site you want to use (either default or custom) and select Add
Application.
4. Add a web application with these attributes:
Alias: ias_relay_server
Application pool: RelayServer
Physical path: <relay server installation path>\ias_relay_server
The web application ias_relay_server will be listed under the root directory of the Web site
you chose.
5. Edit the Request Filtering Settings for the ias_relay_server Web application.
a) In the Connections pane, highlight the ias_relay_server application.
b) In the IIS group, double-click Request Filtering.
c) In the Actions pane, click Edit Feature Settings and edit these attributes:
Maximum allowed content length (bytes): 2147483647
Maximum query string (bytes): 65536
6. Edit the permissions for the ias_relay_server Web application.
a) In the Connections pane, highlight the ias_relay_server application.
b) In the IIS group, double-click Handler Mappings.
c) In the Actions pane, click Edit Feature Permissions and ensure that only Script and
Execute are selected.
7. Verify that the ias_relay_server web application does not require SSL.
a) In the Connections pane, highlight the ias_relay_server application.
b) In the IIS group, double-click SSL Settings and ensure that Require SSL is not
selected.
Adding ISAPI extensions for Relay Server Operations
Use the IIS 7.5 manager utility to add two ISAPI extensions to your server to handle requests
from devices and the Afaria server.
1. Navigate to Start > Control Panel > System and Security > Administrative Tools and
double-click Internet Information Services (IIS) Manager.
2. On the Connections pane of the IIS manager utility, highlight the machine name where the
relay server resides.
3. In the IIS group, double-click ISAPI and CGI Restrictions.
4. In the Actions pane, click Add to add two ISAPI restrictions with these settings:
ISAPI or CGI Path: <relay server installation path>\ias_relay_server\server\rs_server.dll
Description: RS Server DLL
Allow extension path to execute: selected
ISAPI or CGI Path: <relay server installation path>\ias_relay_server\client\rs_client.dll
Description: RS Client DLL
Allow extension path to execute: selected
The two ISAPI restrictions you added are listed in the ISAPI and CGI restrictions list of your
server.
Updating the Relay Server IIS Configuration
Run the adsutil.vbs script to update the IIS server configuration.
1. From a command prompt running with administrator privileges, navigate to the directory
where the adsutil.vbs script is located, for example, C:\Inetpub\AdminScripts.
2. To run the script, issue:
cscript adsutil.vbs set w3svc/<Web Site ID>/uploadreadaheadsize 0
where <Web Site ID> is the ID of the Web site used for the relay server. If you use the
default Web site, the ID is 1.
The command echoes the uploadreadaheadsize property with its new value and updates
the IIS configuration. On IIS 7.5, adsutil.vbs depends on the IIS 6 Metabase Compatibility
and IIS 6 Scripting Tools features listed in the prerequisites.
See also
Adding Web Service Extensions on IIS 6.0 on page 131
Editing the Relay Server Configuration File
Edit the relay server configuration file to configure the relay server's basic operations.
A sample configuration file is provided with the relay server files that you copied from your
Afaria product image.
1. Find the sample configuration file rs.config, located in <relay server
installation path>\ias_relay_server\server.
2. Use a text editor to make appropriate changes to the [options] and [relay_server] sections
in the configuration file.
Note: The configuration file can contain only ASCII characters.
3. Save the edits.
4. Restart the relay server host.
See also
Configuring IIS 7.5 for Relay Server Basic Operations on page 121
Installing the Relay Server Host as a Windows Service on page 127
Configuring IIS 6.0 for Relay Server Basic Operations on page 128
Configuration File Definitions for Basic Operations with IIS 7.5
The relay server configuration file rs.config consists of several sections. Use sections
[options] and [relay_server] for relay server basic operations. The remaining sections are for
supported server components.
[options]: general options for relay server operations.
start: set to auto to start the relay server engine automatically when an Afaria
server connects successfully.
For Windows Server 2008 R2 (IIS 7.5), this value is normally set to no when the
relay server host is installed as a Windows service.
verbosity: controls the level of logging. Logs always include errors. Log levels 1 to 5
always include warnings.
0: no logging.
1: session-level logging.
2: request-level logging.
3: packet-level logging, terse.
4: packet-level logging, verbose.
5: transport-level logging.
[relay_server]: identifies your relay server and its respective ports for HTTP and HTTPS
communications. The relay server's ports must match the IIS server ports.
enable: controls whether the relay server operates.
yes: operate.
no: do not operate.
host: relay server IP address or host name. This must be the internal IP
address or DNS name that the Afaria server or other supported server
components can reach.
http_port: TCP port matching the relay server's IIS setting for HTTP
communications. The port must be the internal TCP port that the Afaria server
or other supported server components can reach.
https_port: set the value to match the relay server's IIS setting for SSL communications.
description: user-defined description.
Note: Values are case-sensitive.
Sample section of a relay server configuration file showing settings for basic operations.
#-------------------------------------
# Relay server
#-------------------------------------
[options]
start = no
verbosity = 1
# Note: When auto start is used, the default log file is
# <tmpdir>\ias_relay_server_host.log while rshost is active.
# The value of <tmpdir> is filled using the following environment variables
# searched in this order: SATMP, TMP, TMPDIR, TEMP
#--------------------
# Relay server
#--------------------
[relay_server]
enable = yes
host = 123.45.6.78
http_port = 80
https_port = 443
description = Machine #1 in RS farm
Restart the relay server engine (rshost.exe) any time you make changes to the
configuration file.
Installing the Relay Server Host as a Windows Service
Install the relay server host as a Windows service by running a service utility available in the
relay server installation folder.
Prerequisites
In the [options] section of the relay server configuration file, set start to no.
Task
The relay server installation folder includes dbsvc.exe, a service utility that installs the
relay server host as a Windows service. Use the same utility to uninstall the service.
1. On the machine where you installed the relay server, execute this command (on one line) at
a command prompt running with administrator privileges:
"<installation directory>\ias_relay_server\server\dbsvc.exe" -as -s auto -sn RelayServer -w RelayServer "<installation directory>\ias_relay_server\server\rshost.exe" -q -f "<installation directory>\ias_relay_server\server\rs.config" -o "<installation directory>\ias_relay_server\server\log.txt"
For a complete list of the service utility's command line switches, execute:
"<installation directory>\ias_relay_server\server\dbsvc.exe"
The command prompt displays a line confirming that the "RelayServer" service was
successfully created.
The RelayServer service is listed in the list of Windows services.
2. Change the login account of the newly created "RelayServer" service from Local System
to an account that is a member of the local Administrator group.
Next
To uninstall the "RelayServer" Windows service, execute this command at a command prompt
running with administrator privileges:
"<installation directory>\ias_relay_server\server\dbsvc.exe" -d RelayServer
See also
Editing the Relay Server Configuration File on page 125
Setting Up the Relay Server for Basic Operations with IIS 6.0
For planned relay servers running Microsoft Internet Information Services (IIS) 6.0, set up the
relay server for basic operations before you configure it to support any server components.
1. Copying Relay Server Files
Copy the relay server files from the Afaria product image to the planned relay server to
make them available for use.
2. Configuring IIS 6.0 for Relay Server Basic Operations
Setting up the relay server for basic operations requires configuring the IIS of your relay
server.
3. Editing the Relay Server Configuration File
Edit the relay server configuration file to configure the relay server's basic operations.
Copying Relay Server Files
Copy the relay server files from the Afaria product image to the planned relay server to make
them available for use.
1. On the Afaria product image, navigate to:
<product image>\relay_server\ias_relay_server.
2. Copy the folder ias_relay_server from the product image to the directory of the default
web site of your IIS server.
Directory path of IIS default web site: C:\Inetpub\wwwroot.
Ensure that you copy the folder, rather than just the files in the folder.
Configuring IIS 6.0 for Relay Server Basic Operations
Setting up the relay server for basic operations requires configuring the IIS of your relay
server.
Complete the following tasks to configure IIS 6.0 for relay server basic operations:
1. Registering the IIS User Account with ASP.NET on IIS 6.0
Register the IIS user account on the planned relay server with ASP.NET to assign it
appropriate rights for Afaria operations.
2. Creating a Server Application Pool on IIS 6.0
Create a server application pool and a server application directory on the planned relay
server to process requests from Afaria server components.
3. Creating a Client Application Pool on IIS 6.0
Create a client application pool and a client application directory on the planned relay
server to process requests from Afaria devices.
4. Adding Web Service Extensions on IIS 6.0
Add Web service extensions to identify and allow requests from servers and devices.
5. Updating the Relay Server IIS Configuration
Run the adsutil.vbs script to update the IIS server configurations.
See also
Editing the Relay Server Configuration File on page 125
Registering the IIS User Account with ASP.NET on IIS 6.0
Register the IIS user account on the planned relay server with ASP.NET to assign it
appropriate rights for Afaria operations.
Afaria operations use the relay server's IIS built-in user account named
IUSR_<MachineName> for anonymous access to IIS. This account must:
Have access to the IIS metabase and other directories used by ASP.NET
Be a member of the IIS built-in user group IIS_WPG
1. From the command prompt of the relay server, navigate to:
C:\Windows\Microsoft.Net\Framework\<Version>
If you are operating your IIS server with more than one version of ASP.NET, choose the
version that you are using to run your Web site.
2. Execute the ASP.NET registration command with the grant access option:
aspnet_regiis.exe -ga IUSR_<MachineName>
The command is an example of the registration command with the grant access option that
is valid for ASP.NET 4.0. The command for your version of ASP.NET may differ.
Creating a Server Application Pool on IIS 6.0
Create a server application pool and a server application directory on the planned relay server
to process requests from Afaria server components.
1. Create the server application pool.
a) On the IIS manager utility of your relay server, navigate to Internet Information
Service > MachineName > Application Pools.
b) Right-click the Application Pools folder and select New > Application Pool.
c) Define the pool ID and click OK.
d) Assign these properties to the newly created server application pool:
Recycling > Recycle worker processes (in minutes): disabled.
Performance > Idle timeout: disabled.
Performance > Request queue limit: disabled.
Performance > Web garden: a minimum of twice the number of servers making
requests.
Health > Enable pinging: disabled.
Health > Enable rapid-fail protection: disabled.
2. Create the server application directory.
a) On the IIS manager utility of your relay server, navigate to Internet Information
Service > MachineName > Web Sites > Default Web Site > ias_relay_server.
b) Right-click the Server folder and select Properties > Directory.
c) Click Create and select these application settings:
Execute permissions: Scripts and Executables.
Application pool: the ID of the server application pool you created.
d) Click OK.
Creating a Client Application Pool on IIS 6.0
Create a client application pool and a client application directory on the planned relay server to
process requests from Afaria devices.
1. Create the client application pool.
a) On the IIS manager utility of your relay server, navigate to Internet Information
Service > MachineName > Application Pools.
b) Right-click the Application Pools folder and select New > Application Pool.
c) Define the pool ID and click OK.
d) Assign these properties to the newly created application pool:
Recycling > Recycle worker processes (in minutes): disabled.
Performance > Idle timeout: disabled.
Performance > Request queue limit: disabled.
Performance > Web garden: at least twice the number of servers making requests,
but not fewer than five. You may want to increase the value if device connections
are frequently dropped or if devices experience bad throughput during sessions.
Health > Enable pinging: disabled.
Health > Enable rapid-fail protection: disabled.
2. Create the client application directory:
a) On the IIS Manager utility of your relay server, navigate to Internet Information
Service > MachineName > Web Sites > Default Web Site > ias_relay_server.
b) Right-click the Client folder and select Properties > Directory.
c) Click Create and select these application settings:
Execute permissions: Scripts and Executables.
Application pool: the pool ID of the client application pool you created.
d) Click OK.
Adding Web Service Extensions on IIS 6.0
Add Web service extensions to identify and allow requests from servers and devices.
1. Add the Afaria server Web service as a valid extension:
a) In the IIS Manager utility's left pane, right-click the Web Service Extensions folder.
b) Select Add a new Web service extension.
c) Define the Web service extension settings:
Extension name: user-defined name for the server extension.
Required files: <installation directory>\ias_relay_server\server\rs_server.dll.
Set extension status to Allowed: enabled.
d) Click OK.
2. Add the Afaria Client Web service as a valid extension:
a) In the IIS Manager utilitys left pane, right-click the Web Service Extensions folder.
b) Select Add a new Web service extension.
c) Define the Web service extension settings:
Extension name: user-defined name for the client extension.
Required files: <installation directory>\ias_relay_server\client\rs_client.dll.
Set extension status to Allowed: enabled.
d) Click OK.
Updating the Relay Server IIS Configuration
Run the adsutil.vbs script to update the IIS server configuration.
1. From a command prompt running with administrator privileges, navigate to the directory
where the adsutil.vbs script is located, for example, C:\Inetpub\AdminScripts.
2. To run the script, issue:
cscript adsutil.vbs set w3svc/<Web Site ID>/uploadreadaheadsize 0
where <Web Site ID> is the ID of the Web site used for the relay server. If you use the
default Web site, the ID is 1.
The command echoes the uploadreadaheadsize property with its new value and updates
the IIS configuration.
See also
Adding Web Service Extensions on IIS 6.0 on page 131
Configuration File Definitions for Basic Operations
The relay server configuration file rs.config consists of several sections. Use sections
[options] and [relay_server] for relay server basic operations. The remaining sections are for
supported server components.
[options]: general options for relay server operations.
start: set to auto to start the relay server engine automatically when an Afaria
server connects successfully.
verbosity: controls the level of logging. Logs always include errors. Log levels 1 to 5
always include warnings.
0: no logging.
1: session-level logging.
2: request-level logging.
3: packet-level logging, terse.
4: packet-level logging, verbose.
5: transport-level logging.
[relay_server]: identifies your relay server and its respective ports for HTTP and HTTPS
communications. The relay server's ports must match the IIS server ports.
enable: controls whether the relay server operates.
yes: operate.
no: do not operate.
host: relay server IP address or host name. This must be the internal IP
address or DNS name that the Afaria server or other supported server
components can reach.
http_port: TCP port matching the relay server's IIS setting for HTTP
communications. The port must be the internal TCP port that the Afaria server
or other supported server components can reach.
https_port: set the value to match the relay server's IIS setting for SSL communications.
description: user-defined description.
Note: Values are case-sensitive.
Sample section of a relay server configuration file showing settings for basic operations.
#-------------------------------------
# Relay server
#-------------------------------------
[options]
start = auto
verbosity = 1
# Note: When auto start is used, the default log file is
# <tmpdir>\ias_relay_server_host.log while rshost is active.
# The value of <tmpdir> is filled using the following environment variables
# searched in this order: SATMP, TMP, TMPDIR, TEMP
#--------------------
# Relay server
#--------------------
[relay_server]
enable = yes
host = 123.45.6.78
http_port = 80
https_port = 443
description = Machine #1 in RS farm
Restart the relay server engine (rshost.exe) any time you make changes to the
configuration file.
Restarting the Relay Server Host
Restart the relay server host any time the relay server is already running and you change the
relay server configuration file or have another reason to restart the relay server engine.
The relay server starts automatically when configured to do so as part of its basic operations.
The automatic start feature is defined when you use the start=auto attribute in the relay
server's configuration file [options] section. IIS must be running before the automatic start
feature can take effect.
Restarting the relay server does not require that you restart IIS and does not cause any
disruption to other IIS applications.
1. From a command prompt running with administrator privileges, navigate to
<installation directory>\ias_relay_server\server.
2. Issue this command:
rshost.exe -u -qc -f rs.config
For a complete list of command line switches and their meaning, enter rshost at the
command prompt and press Enter.
Restarting the relay server updates its configuration, as defined in the configuration file.
Next
You may want to create a batch file for the commands and store it in a convenient location in
your relay server environment.
Relay Server Support for Server Components
To configure the relay server to support an Afaria server component, define the relay server
configuration file and configure settings on the Afaria Administration console.
Afaria supports using the relay server with any of these server components:
Afaria server
Enrollment server
iOS certificate authority server
Afaria filter used for Access Control for Email
Package server
Application Onboarding certificate authority
The relay server configuration file rs.config consists of several sections. Use
[backend_farm] and [backend_server] for each supported server component.
[backend_farm]: creates a single, case-sensitive identifier for a component server
environment, regardless of whether you are operating a single component server or a farm
of component servers.
enable: controls whether the farm operates.
yes: operate.
no: do not operate.
id: user-defined, case-sensitive value for identifying a server farm. Each farm in the
relay server configuration file must have a unique ID.
description: user-defined description.
client_security: specifies the secure communication protocol requirement for clients
connecting to the relay server. This setting is optional and is not shown in the
sample configuration file. Omitting it results in the relay server enforcing the
default value.
on: HTTPS is required.
off: default. HTTPS is not required; HTTP and HTTPS are both valid connection
protocols.
backend_security: specifies the secure communication protocol requirement for
component servers connecting to the relay server. Omitting it results in the
relay server enforcing the default value.
on: HTTPS is required.
off: default. HTTPS is not required; HTTP and HTTPS are both valid connection
protocols.
Because both defaults are off, a relay server accepts plaintext sessions from devices and
from component servers unless you set client_security and backend_security to on.
[backend_server]: identifies a single component server to the relay server. You must
have one [backend_server] section for each component server in your component server
environment.
enable: controls whether the server operates.
yes: operate.
no: do not operate.
farm: the case-sensitive farm value is the same for each server in the farm. Use the farm
ID from [backend_farm].
id: unique for each server in the farm. If a server hosts more than one
supported server component, then all server IDs on the host must be unique. For
example, if a server hosts both an Afaria server and a package server, and both are
defined in separate farms in the relay server configuration file, then the server IDs used
for the two server components must be different.
mac: MAC address of the server component.
token: any string that you create. Use the same token value for each server
in a farm.
Note: Values are case-sensitive.
Relay Server
SAP Afaria Installation Guide 135
Restart the relay server engine (rshost.exe) any time you make changes to the
configuration file.
Relay Server Configuration File Examples
Examples of the structure of the relay server configuration file based on the Afaria
environment supported.
Single Afaria server: in an environment with a single relay server supporting a single Afaria
server, the configuration file includes these sections:
   [options]: one instance.
   [relay_server]: one instance.
   [backend_farm]: one instance.
   [backend_server]: one instance.
Afaria server farm with four servers: in an environment with a single relay server supporting
an Afaria server farm with four servers, the configuration file includes these sections:
   [options]: one instance.
   [relay_server]: one instance.
   [backend_farm]: one instance.
   [backend_server]: four instances.
Afaria server farm with four servers plus a package server: in an environment with a single
relay server supporting an Afaria server farm with four servers and a package server, the
configuration file includes these sections:
   [options]: one instance.
   [relay_server]: one instance.
   [backend_farm]: two instances.
   [backend_server]: five instances.
This is a sample section of a relay server configuration file showing settings for a single Afaria
server. The settings include an instance of the [backend_farm] section and an instance of the
[backend_server] section. The sample does not include the sections for the relay server basic
operations.
#---------------
# Backend farms
#
# Notice that the case sensitive farmID must match the farmID set in the
# Afaria Administrator's relay server configuration page. Default value in
# Afaria is farmID=Afaria.
#---------------
[backend_farm]
enable = yes
id = farmID
description = Afaria Farm
#-----------------
# Backend servers
#
# id must match regKey HKLM\Software\Afaria\Afaria\Server\TransmitterId
# on your afaria server
#-----------------
[backend_server]
enable = yes
farm = farmID
id = sc
token = zyyxpj22p
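The following Python script is an added example; it is not part of this guide or of the Relay Server product. It parses a configuration file in the layout shown above, keeping each repeated [backend_server] section as its own entry, and checks the rules the reference lists: farm IDs are unique, every [backend_server] names a defined farm with exactly matching case, server IDs are unique, and servers in one farm share one token. It also reports farms where client_security or backend_security is left at the default off, because that leaves plain HTTP accepted. Reading those two keys inside [backend_farm] is this example's assumption, and the configuration text it works on is constructed.

```python
"""Lint a relay server rs.config against the [backend_farm]/[backend_server] rules.

Added example, not the guide's or the Relay Server's own code. Assumptions:
client_security and backend_security are read as keys of [backend_farm];
the configuration text below is constructed for the demonstration.
"""
from collections import defaultdict

# Constructed sample: an Afaria farm that keeps the security defaults, plus a
# package server farm. The package server's farm value has the wrong case.
SAMPLE_RS_CONFIG = """\
[relay_server]
enable = yes

[backend_farm]
enable = yes
id = Afaria
description = Afaria Farm

[backend_farm]
enable = yes
id = AfariaPkg
description = Package Server Farm
client_security = on
backend_security = on

[backend_server]
enable = yes
farm = Afaria
id = sc
token = zyyxpj22p

[backend_server]
enable = yes
farm = afaria
id = pkg1
token = pkgtoken
"""

# Same file with HTTPS required for the Afaria farm and the farm name fixed.
HARDENED_RS_CONFIG = SAMPLE_RS_CONFIG.replace(
    "description = Afaria Farm",
    "description = Afaria Farm\nclient_security = on\nbackend_security = on",
).replace("farm = afaria", "farm = AfariaPkg")


def parse_rs_config(text):
    """Return [(section_name, {key: value}), ...] in file order.

    Unlike configparser, repeated section names (one [backend_server] per
    component server) are kept as separate entries. '#' lines are comments.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        current[1][key.strip()] = value.strip()
    return sections


def validate_rs_config(text):
    """Return (errors, warnings): errors break routing between relay server
    and component servers; warnings flag farms that still accept HTTP."""
    sections = parse_rs_config(text)
    errors, warnings, farms = [], [], {}
    for name, kv in sections:
        if name != "backend_farm":
            continue
        fid = kv.get("id", "")
        if not fid or fid in farms:
            errors.append(f"[backend_farm] id {fid!r} missing or duplicated")
        farms[fid] = kv
        for key in ("client_security", "backend_security"):
            if kv.get(key, "off").lower() != "on":  # documented default: off
                warnings.append(f"farm {fid!r}: {key} is off, HTTP is accepted")
    server_ids, tokens = set(), defaultdict(set)
    for name, kv in sections:
        if name != "backend_server":
            continue
        sid, farm = kv.get("id", ""), kv.get("farm", "")
        if not sid or sid in server_ids:
            errors.append(f"[backend_server] id {sid!r} missing or duplicated")
        server_ids.add(sid)
        if farm not in farms:  # exact, case-sensitive match required
            errors.append(f"server {sid!r} names undefined farm {farm!r}")
        if "token" in kv:
            tokens[farm].add(kv["token"])
    for farm, seen in tokens.items():
        if len(seen) > 1:
            errors.append(f"farm {farm!r}: servers use different tokens")
    return errors, warnings
```

Running validate_rs_config on SAMPLE_RS_CONFIG reports one error (the package server names the farm afaria, which does not match the defined Afaria) and two warnings for the Afaria farm, which accepts HTTP on both legs; HARDENED_RS_CONFIG passes cleanly. The same check is worth running after every edit to rs.config and before restarting rshost.exe.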
Configuring Relay Server for Afaria Server
To configure the relay server to support one or more Afaria servers, define the relay server
configuration file and configure settings on the Afaria Administration console.
Prerequisites
As all relay server communications must use HTTP or HTTPS protocol, configure the
Afaria server and devices to use HTTP or HTTPS.
Set up the relay server for basic operations.
Task
1. Configure the relay server configuration file rs.config to support one or more Afaria
servers.
Consider these items when defining the [backend_farm] and [backend_server] sections.
   [backend_farm]
      id: user-defined, case-sensitive value for identifying the server farm. The farm ID you
      define must match the farm ID you define on the Afaria Administration console
      Server > Configuration > Relay Server page. On the Relay Server page, the default
      value is afaria.
   [backend_server]
      id: define the server ID value to match the TransmitterId value defined in each
      Afaria server's registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.
      token: the farm token you define must match the farm token you define on the
      Afaria Administration console Server > Configuration > Relay Server page.
2. On the Server > Configuration > Relay Server page of the Afaria Administration
console, configure settings for communications between the relay server and the Afaria
server component.
   Start the outbound enabler: select this option to apply an automatic start-up
   attribute to the outbound enabler service. Afaria logging captures the outbound
   enabler's restart and failure events.
   Farm ID and Farm token: a pair of case-sensitive, ASCII text strings that your relay
   server uses to direct incoming client communication to your Afaria Server, either a
   standalone server or server farm. The combination of the strings must be unique for a
   given Afaria instance.
      Farm ID: value must match the corresponding value in your relay server's
      configuration file and in your device configuration settings.
      Farm token: value must match the corresponding value in your relay server's
      configuration file.
   Server address and Server port: the Afaria server IP address or localhost and the
   HTTP port that the Afaria server is using for communications. In a server farm
   environment, you must enable HTTP on each Afaria server in the farm and use
   "localhost" rather than the IP address.
   RS address and RS port: the relay server IP address or fully qualified domain name
   and the port that the outbound enabler service uses to connect to the relay server.
   RS URL suffix: text string used as an IIS parameter for invoking the relay server's
   Afaria Server Web services, as per the relay server installation instructions for creating
   the IIS application pool.
   Maximum restarts: the maximum number of times the outbound enabler attempts to
   start if it stops unexpectedly.
   Client URL prefix: text string used as an IIS parameter for invoking the relay server's
   Afaria client Web services, as per the relay server installation instructions for creating
   the IIS application pool. This value is also required as a configuration value on Afaria
   devices.
   Use HTTPS: enable the outbound enabler to communicate via SSL to the relay server.
   Certificate path: the path and file name on the Afaria server for the relay server's
   certificate file. The certificate contains the relay server's identity and public key.
3. Restart the relay server host.
4. Restart the Afaria server service.
Relay Server Bypass
Even after your relay server is operational, the Afaria Server continues to support direct device
connections. If it is appropriate for your environment, you may allow devices to continue to
connect to the Afaria server directly, bypassing the relay server.
Figure 5: Bypass Relay Server, Sample 1
As the above diagram illustrates, if you have Afaria devices that are inside your organization's
firewall and want to connect, you can allow these devices to make direct connections with the
Afaria server using any of the Afaria supported session protocols. These connections need not
pass through the firewall, so the firewall can support higher security.
Figure 6: Bypass Relay Server, Sample 2
As the above diagram illustrates, if you have devices that are outside your organization's
firewall and want to connect, you can allow these devices to make direct connections with the
Afaria server using any of the Afaria supported session protocols, as long as your firewall permits
the traffic.
Configuring Relay Server for Enrollment Server
To configure the relay server to support one or more enrollment servers, define the relay server
configuration file and configure settings on the Afaria Administration console.
Prerequisites
Set up the relay server for basic operations.
Ensure that IIS is running on your enrollment servers.
Task
1. Configure the relay server configuration file rs.config to support one or more
enrollment servers.
Consider this item when defining the [backend_farm] section:
   id: user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the enrollment server
component.
a) In the Afaria Administration console, open the Server > Configuration > Enrollment
Server page.
b) In the Enrollment Server group, select Use Relay Server.
c) In the Relay Farm ID field, enter the farm ID identifying your enrollment server farm.
The value you enter must match the ID value you defined in the [backend_farm]
section.
d) In the relay server group, define these settings:
   If using HTTPS, select Use HTTPS on Relay Server connections.
   Server address: address of the relay server.
   Client URL prefix: IIS path to rs_client.dll, as defined in the machine
   hosting the relay server. The default value may differ from your relay server's IIS
   path.
e) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria server service from the Afaria Administration console.
5. On your Afaria server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler and import it to each machine
where you installed an enrollment server.
6. On each machine where you installed an enrollment server, launch the relay server
outbound enabler from the command prompt.
See also
Installing Enrollment Server - Basic on page 61
Configuring Relay Server for Certificate Authority
To configure the Relay Server to support one or more certificate authority servers, define the
relay server configuration file and configure settings on the Afaria Administration console.
Prerequisites
Set up the relay server for basic operations.
Ensure that IIS is running on your certificate authority.
Task
1. Configure the relay server configuration file rs.config to support one or more
certificate authority servers.
Consider this item when defining the [backend_farm] section:
   id: user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the certificate
authority.
a) In the Afaria Administration console, open the Server > Configuration > Certificate
Authority page.
b) Select the Enable check box for relay server and define these settings:
   Server address: address of the relay server.
   Farm ID: farm ID identifying your iOS certificate authority farm.
   Note: The value you enter must match the ID value you defined in the
   [backend_farm] section.
   Device URL prefix: IIS path to rs_client.dll, as defined in the machine
   hosting the relay server. The default value may differ from your relay server's IIS
   path.
c) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria Server service from the Afaria Administration console.
5. On your Afaria Server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler and import it to each machine
where you installed a certificate authority server.
6. On each machine where you installed a certificate authority server, launch the relay server
outbound enabler from the command prompt.
See also
Installing Enrollment Server - Basic on page 61
Configuring Relay Server for Access Control
To configure the Relay Server to support the Afaria filter used in Access Control for Email,
define the relay server configuration file, configure settings on the Afaria Administration
console, and reinstall the PowerShell component of the Afaria filter.
Prerequisites
The Relay Server is configured for basic operations.
Note: You must configure the Relay Server for your Afaria server, regardless of whether
you plan to use it for device connections.
The two components of the Afaria filter are installed and Access Control has been
configured on the Afaria Administration console.
Task
The following steps describe how to add the relay server to your current configuration for
Access Control for Email.
1. Configure the relay server configuration file rs.config to support the Afaria filter.
In the [backend_farm] section, define the Afaria filter's farm ID by using
<AfariaServerFarmID>-IS, where <AfariaServerFarmID> is the same farm ID
you defined for the Afaria server.
For example, if you define your Afaria server farm ID as Afariafarm, then define your
filter's farm ID as Afariafarm-IS.
2. On the Server > Configuration > Access Control Server page of the Afaria
Administration console, select Use Relay Server, then click Save.
3. Reinstall the PowerShell component of the filter. In the Server Settings page of the
installation wizard, enter the relay server address and farm ID.
The farm ID you enter must match the farm ID you defined for the Afaria server in the relay
server configuration file. The installation wizard automatically appends -IS to match the
farm ID defined for the filter.
4. Restart the machine on which you reinstalled the PowerShell component.
5. Restart the relay server host.
6. In the Afaria Administration console, restart the Afaria server service.
See also
Relay Server on page 119
Additional Afaria Components on page 9
Server Configuration for Installation and Management on page 48
Access Control for E-mail on page 79
Configuring Relay Server for Package Server
To configure the relay server to support one or more Package Servers, define the relay server
configuration file and configure settings on the Afaria Administration console.
Prerequisites
Set up the relay server for basic operations.
Ensure that IIS is running on your package servers.
Task
1. Configure the relay server configuration file rs.config to support one or more
Package Servers.
Consider this item when defining the [backend_farm] section:
   id: user-defined, case-sensitive value for identifying the server farm.
2. Configure settings for communications between the relay server and the package server
component.
a) In the Afaria Administration console, open the Server > Configuration > Package
Server page.
b) In the Package Server (Direct Access) group, select Use HTTPS on Package Server
connections and enter the server address for the package server.
c) In the Package Server (Indirect Access) group, select Use Relay Server and enter the
farm ID identifying your Package Server farm.
The value you enter must match the id value you defined in the [backend_farm]
section.
d) In the Indirect Access (Relay Server) group, define these settings:
   If using HTTPS, select Use HTTPS on Relay Server connections.
   Server address: address of the relay server.
   Device URL prefix: IIS path to rs_client.dll, as defined in the machine
   hosting the relay server. The default value may differ from your relay server's IIS
   path.
e) Click Save.
3. Restart the relay server host.
4. (Optional) Restart the Afaria Server service from the Afaria Administration console.
5. On your Afaria Server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler and import it to each machine
where you installed a Package Server.
6. On each machine, launch the relay server outbound enabler from the command prompt.
See also
Installing Package Server on page 75
Launching the Relay Server Outbound Enabler
Launch the relay server outbound enabler (RSOE) from the command prompt of the server
component.
Prerequisites
1. On your Afaria Server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler.
2. Import the folder to the machine hosting the server component.
Task
The RSOE is the relay server's agent on a server component, such as the package server
and the enrollment server. It initiates an outbound connection with the relay server.
The executable file for the RSOE is rsoe.exe.
SAP recommends matching the versions of the RSOE and the relay server.
1. From the command prompt of the machine hosting the server component, navigate to the
RSOutboundEnabler directory that you copied from the Afaria Server.
2. To launch the RSOE, use the command line:
rsoe -cr param -f farm -id id [options]
   -cr: parameters for the relay server connection.
   -f: server component farm ID, as defined in the relay server configuration file.
   -id: unique ID identifying the server component, as defined in the relay server
   configuration file.
For a complete list of command line switches and their meanings, enter rsoe at the
command prompt and press Enter.
If you include the security token when you define the [backend_server] section in the relay
server configuration file, you must use the -t switch when launching the RSOE.
When using the -cs switch, do not use localhost for the server address and do not use
spaces in the name.
This is a sample command line to launch the RSOE on a machine hosting the iOS certificate
authority:
rsoe.exe -cr "host=www.rs.com;port=80" -cs "host=<IP Address>;port=80" -f CAFarmName -id CAID -t CAToken
Next
(Optional) Install the RSOE as a Windows service.
Installing the Relay Server Outbound Enabler as a Windows Service
Install the relay server outbound enabler (RSOE) as a Windows service by running the
dbsvc.exe service utility at the command prompt.
Prerequisites
1. On your Afaria server, copy the entire directory <Afaria Server Installation
Directory>\Server\bin\RSOutboundEnabler.
2. Import the folder to the machine hosting the server component.
Task
Each instance of the RSOE can be installed as a Windows service.
The RSOutboundEnabler folder includes dbsvc.exe, a service utility that installs the
RSOE as a Windows service.
On the machine hosting the server component, execute this command at a command prompt
running with administrator privileges:
dbsvc.exe -as -s auto -sn "AfariaRSOE" -w AfariaRSOE "<full path>\RSOutboundEnabler\rsoe.exe" @"<full path>\RSOutboundEnabler\rsoe.config"
For a complete list of the service utility's command line switches, enter dbsvc.exe at the
command prompt and press Enter.
The command prompt displays a line confirming that the "AfariaRSOE" service was
successfully created.
The "AfariaRSOE" service is listed in the list of Windows services of the machine hosting
the server component.
Relay Server with SSL
To configure the relay server to use SSL, you must install a trusted certificate on the server that
is running the relay server's Microsoft Internet Information Services (IIS) Server and the relay
server engine, rshost.exe.
You can configure Afaria devices to connect securely using the relay server address and
HTTPS protocol after you have installed the certificate. Connecting to the relay server with
SSL ensures that the traffic from devices to the relay server is encrypted. If your Afaria Server
and relay server are behind the same firewall, this configuration is all you need to secure your
data.
Encrypting traffic between the relay server and the Afaria Server requires that you export the
relay server's public key and copy the resulting file to the Afaria Server, then use the Afaria
Administration console relay server page to enable HTTPS and specify the location of the
public key file. All traffic is encrypted after you restart the Afaria Server.
Relay-Server-Related Logging
Relay-server-related logging allows you to retrieve the connection and restart-attempt events
that occurred both on the Afaria Server and on the relay server.
   Afaria-side logging: captures the outbound enabler restart attempt events; it does not
   capture relay server start events when started by the Afaria service, as occurs when the
   "Start the outbound enabler" setting is selected.
   Relay-server-side logging: relay server logging captures events while rshost.exe is
   active. When started using the relay server's configuration file setting for auto start, the log
   is stored in the following relay server path: <tmpdir>\ias_relay_server_host.log.
   The value of <tmpdir> is populated with the first available environment variable,
   according to the search order SATMP, TMP, TMPDIR, TEMP.
The relay server log captures connections from the Afaria Server to the relay server and
successful device connections. The log does not capture unsuccessful client connections.
1. To retrieve logging from the relay server to the Afaria server, unselect Start the outbound
enabler to prevent the outbound enabler from starting during the next restart.
2. Restart the Afaria Server service.
3. On the Afaria Server, open a command prompt and navigate to <Afaria Server
Installation Directory>\bin\RSOutboundEnabler.
4. Restart the outbound enabler using this single, continuous command:
rsoe.exe -id <AfariaServerID> -f <FarmID> -t <Farm token> -cs "host=localhost;port=<AfariaHTTPPort>;" -cr "host=<RelayServerIP>;port=<RelayServerHTTPPort>;url_suffix=<RsURLSuffix>;url_prefix=<ClientURLPrefix>" -v <LogVerbosity> -o <LogOutputPathFile>
   <AfariaServerID>: the Afaria server ID value. The ID value is defined in the Afaria
   Server registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.
   <FarmID>: farm ID, as stored on the Relay Server configuration page.
   <Farm token>: farm token, as stored on the Relay Server configuration page.
   <AfariaHTTPPort>: Afaria HTTP port, as stored on the Client Communications
   configuration page.
   <RelayServerIP>: relay server IP address.
   <RelayServerHTTPPort>: relay server HTTP port.
   <RsURLSuffix>: RS URL suffix, as stored on the Relay Server configuration page.
   <ClientURLPrefix>: client URL prefix, as stored on the Relay Server configuration
   page.
   <LogVerbosity>: controls the level of logging. Logs always include errors. Logs
   always include warnings for levels 1-5.
      0: no logging.
      1: session-level logging.
      2: request-level logging.
      3: packet-level logging, terse.
      4: packet-level logging, verbose.
      5: transport-level logging.
   <LogOutputPathFile>: Afaria Server path and file name for the log file.
For a complete list of command line switches and their meanings, enter rsoe at the
command prompt and press Enter.
This sample writes the log file to c:\outbound.log on the Afaria Server.
rsoe.exe -id got -f AfariaFarm -t Token_00 -cs "host=localhost;port=80;" -cr "host=10.14.229.21;port=80;url_suffix=/ias_relay_server/server/rs_server.dll;url_prefix=/ias_relay_server/client/rs_client.dll" -v 5 -o c:\outbound.log -af
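The following Python script is an added example, not part of this guide or of the RSOE tool. It covers both the command line in "Launching the Relay Server Outbound Enabler" and the logging command above: it assembles the rsoe.exe argument list from named values using only the switches the guide shows (-cr, -cs, -f, -id, -t, -v, -o), adds -t only when a token is supplied, rejects host names containing spaces and verbosity levels outside 0-5, and resolves the relay-server-side log location from the documented SATMP, TMP, TMPDIR, TEMP search order. The function names and the checks are this example's own; the sample values are taken from the guide's command line or constructed.

```python
"""Assemble the RSOE command line from named values and locate relay logs.

Added example, not the guide's or the RSOE tool's own code. Only the switches
shown on the page are used (-cr, -cs, -f, -id, -t, -v, -o); the function
names and the checks they enforce are this example's own.
"""
import ntpath

# -v levels from the logging section; errors are always logged and warnings
# are logged for levels 1-5.
VERBOSITY_LEVELS = {
    0: "no logging", 1: "session-level", 2: "request-level",
    3: "packet-level, terse", 4: "packet-level, verbose", 5: "transport-level",
}


def conn_string(**fields):
    """Build the 'key=value;key=value' argument that -cr and -cs take."""
    return ";".join(f"{k}={v}" for k, v in fields.items() if v is not None)


def build_rsoe_command(relay_host, relay_port, component_host, component_port,
                       farm, server_id, token=None, url_suffix=None,
                       url_prefix=None, verbosity=None, log_file=None):
    """Return the rsoe.exe argument list.

    Enforces what the guide states: host names carry no spaces, -t is present
    whenever the [backend_server] section defines a token, and -v is one of
    the documented levels. The guide's own logging sample uses localhost in
    -cs on the Afaria server, so localhost is not rejected here.
    """
    for host in (relay_host, component_host):
        if not host or " " in host:
            raise ValueError(f"invalid host name {host!r}")
    if verbosity is not None and verbosity not in VERBOSITY_LEVELS:
        raise ValueError(f"-v must be 0-5, got {verbosity!r}")
    args = [
        "rsoe.exe",
        "-cr", conn_string(host=relay_host, port=relay_port,
                           url_suffix=url_suffix, url_prefix=url_prefix),
        "-cs", conn_string(host=component_host, port=component_port),
        "-f", farm, "-id", server_id,
    ]
    if token is not None:
        args += ["-t", token]
    if verbosity is not None:
        args += ["-v", str(verbosity)]
    if log_file is not None:
        args += ["-o", log_file]
    return args


def relay_host_log_path(env):
    """Resolve <tmpdir>\\ias_relay_server_host.log for an auto-started
    rshost.exe, taking <tmpdir> from the first set variable in the documented
    search order SATMP, TMP, TMPDIR, TEMP. `env` is a mapping such as
    os.environ; None means no candidate variable is set."""
    for var in ("SATMP", "TMP", "TMPDIR", "TEMP"):
        if env.get(var):
            return ntpath.join(env[var], "ias_relay_server_host.log")
    return None


if __name__ == "__main__":
    # Reproduces the guide's logging sample for the Afaria server (without
    # the trailing -af switch, which the page does not describe).
    print(" ".join(build_rsoe_command(
        "10.14.229.21", 80, "localhost", 80, "AfariaFarm", "got",
        token="Token_00",
        url_suffix="/ias_relay_server/server/rs_server.dll",
        url_prefix="/ias_relay_server/client/rs_client.dll",
        verbosity=5, log_file=r"c:\outbound.log")))
    print(relay_host_log_path({"TEMP": r"C:\Windows\Temp"}))  # constructed
```

Because the -cr and -cs values contain no spaces, the list can be passed to subprocess.run on the component server as-is; quoting them, as the guide's samples do, is only needed when a value contains characters the shell would interpret.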
Uninstalling Afaria Components
Remove Afaria software components as needed by using the Microsoft Add/Remove
Programs utility.
For Afaria Administration console, Enrollment Server, and Package Server, uninstalling any
of these servers also uninstalls all Self-Service Portal instances at the same time.
Uninstalling Afaria Server
Uninstalling an Afaria server also uninstalls the Afaria Administration console, if installed on
the same server. Removing the Afaria Server deletes the software component and all defined
channels but preserves the Afaria database.
1. If you are uninstalling a farm server, on the Afaria Administration console go to Server >
Configuration > Server Farm and set the state to hidden.
Hiding the farm server removes it from the server selector list.
2. On the server to uninstall, close all Afaria programs.
3. Stop all Afaria-related services.
4. Using the Microsoft Add/Remove Programs utility, select the component and remove
it.
The most common reasons for the step to fail are:
   An Afaria program or related service is still running. Stop the programs and related
   services and retry the step.
   Windows Explorer or some other program is using the Afaria installation directory.
   Close all programs, then restart the machine and retry the step.
   Afaria system folders are shared with device users. Remove the share from the folder
   and retry the step.
5. If uninstalling a farm server, delete the server entry from the A_SERVER database
table.
If you do not delete this server from the database, it continues to appear on Server >
Configuration > Server Farm page as an available server.
Uninstalling Afaria Components
SAP Afaria Installation Guide 149