Dell Kace


  • Dell KACE VK3000 Mobile Management Appliance

    Setup Guide

    March 2013

  • 2013 Dell Inc. All rights reserved.

    Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Dell and the DELL logo are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.

  • Contents

    Setting up the appliance
      About this guide
      System requirements
      Before you begin
      Installing the VK3000
      Configuring the appliance
      Configuring SSL
      Configuring LDAP authentication
      Configuring EULA settings
      Next steps
      Getting support
      Scheduling training

  • Setting up the appliance

    About this guide

    This guide explains how to set up the Dell KACE Virtual K3000 (VK3000) Mobile Management Appliance. The VK3000 runs as a virtual product and does not require dedicated hardware. It is a scalable solution that includes all of the features of the physical K3000 appliance. For information about setting up the physical K3000, see http://www.kace.com/support/resources/documentation.

    System requirements

    For host system, managed device, and storage requirements, see http://www.kace.com/products/mobile-management-appliance/techs-specs.

    Before you begin

    1 Purchase a VK3000 license from Dell KACE sales at http://www.kace.com/about/contact.php.

    2 Obtain a trusted SSL certificate so that you can enable trusted SSL communications over the appliance.

    Unlike other Dell KACE K-series appliances, the K3000 requires SSL to work properly, because services such as the Apple Push Notification service and Google Cloud Messaging require it. Wildcard SSL certificates are acceptable. Password-protected certificates are not supported. For instructions on configuring SSL, see Configuring SSL.

    3 Obtain a static IP address for the appliance. If you use a private or non-routable IP address, be aware of the DNS requirements in step 4 and be aware of the port requirements in step 7.

    4 Ensure that your public DNS server is configured so that the IP address of your appliance is resolvable over the Internet.

  • 5 To manage Apple iOS devices:

    Register as an Apple developer. This enables you to create an Apple Push Notification service certificate for iOS device management. For more information, go to https://developer.apple.com/programs/register/.

    Ensure that your firewall permits outbound access to the IP address range used by Apple: 17.0.0.0/8.

    6 To manage Android devices:

    Create a business-related Google account to be used with Google Cloud Messaging.

    Obtain a Google Cloud Messaging API key and product key from http://developer.android.com/google/gcm/gs.html.

    7 Verify that your network and firewall settings permit access to the required inbound and outbound ports:

    Inbound ports

    Port              Description

    443               Inbound communication to the appliance from the Internet. This port is used for:
                        Secure communications between the appliance and devices
                        Enrolling devices with the appliance
                        Linking to Dell KACE K1000 or K2000 appliances (requires that SSL is enabled on the linked appliances)
                        Communications for Google Cloud Messaging

    80                (Optional) Inbound communication to the appliance from the Internet. This port redirects inbound traffic to secure port 443. If port 80 is blocked, users need to use HTTPS to access the appliance Administrator Interface.

    Outbound ports

    Port              Description

    443               Outbound communication on port 443 from the appliance to google.com. This is required for writing client Android applications that use Google Cloud Messaging. For more information, see http://developer.android.com/google/gcm/gcm.html.

    443/80            (Optional) If you are linking to Dell KACE K1000 or K2000 appliances, enable outbound communications on port 443 or port 80 from the K3000 appliance to linked appliances.

    636 or 389        Outbound communications from the appliance to LDAP or Active Directory servers. For security, Dell KACE recommends using port 636.

    2195              Outbound communications from the appliance to Apple Push Notification service. This is used to send notifications to managed devices.

    2196              Outbound communications from the appliance to Apple feedback service.

    5223              Outbound communications from devices. Devices use this port to connect to Apple Push Notification service over WiFi.
                      For more information about port requirements for Apple Push Notification service, see Apple Technical Note TN2265 at http://developer.apple.com/library/ios/#technotes/tn2265/_index.html.

    5228, 5229, 5230  Outbound communications from Android devices to google.com for Google Cloud Messaging. For more information, see http://developer.android.com/google/gcm/gcm.html.

  • Installing the VK3000

    Before you install the VK3000, you need to install the VMware vSphere Client or vSphere Web Client on your host system, and then install the VK3000 on ESX/ESXi.

    1 Go to http://www.kace.com/support/customer/downloads/. To obtain your customer login credentials for this section of the website, email Dell KACE Technical Support at [email protected].

    2 In the Virtual K3000 Series Management Appliance section, download the compressed OVF (Open Virtualization Format) file to your vSphere Client or vSphere Web Client host system.

    3 Extract the files.

    4 If you are using a version of VMware ESX released prior to version 4.0, convert the OVF file to a compatible format using the VMware vCenter Converter. For more information, see http://www.vmware.com/products/converter/features.html.

  • 5 In the vSphere Client or vSphere Web Client program, deploy the OVF template. The installation wizard appears.

    6 Select the components that your implementation requires: data center, datastore, and so on.

    7 Click Finish.

    8 Confirm the appliance settings. Check for a valid network and any other settings you need.

    Configuring the appliance

    1 In the VMware product, run the virtual machine to boot the appliance (this takes 5 to 10 minutes), and then proceed with the initial network configuration.

    2 On a computer that is connected to subnet 10.10.10.0/24, open a web browser and enter the appliance Administrator Interface IP address: https://10.10.10.10

    The Initial Konfiguration page appears.

    3 On the login page, enter:

    Login: konfig
    Password: konfig

    4 Click LOGIN. The Configuration section appears.

    5 In the Configuration > Licensing section, provide license information:

    Option                      Description

    End User License Agreement  Read the End User License Agreement, then select the check box to accept the agreement.

    Enter license key           Enter the license key you received in the Welcome email from Dell KACE, including the dashes. If you do not have a license key, contact Dell KACE Technical Support at http://www.kace.com/support/contact.php.

    6 In the Configuration > Network Settings section, modify the default network settings to match your network requirements:

    Option                      Description

    IP address                  Enter the static IP address the appliance has in your network. For example, 192.168.1.1.

    Netmask                     Enter the subnet mask that the appliance has in your network. For example, 255.255.255.0.

    Default Router              Enter the default router for the appliance.

    Hostname                    Enter the hostname of the appliance.
                                Important: The hostname must match the hostname used in your DNS settings and SSL certificate.

    Domain                      Enter the domain the appliance is on. For example, example.com.
                                Important: The domain must match the domain used in your DNS settings and SSL certificate.

    DNS 1                       Enter the IP address of the primary DNS server the appliance uses to resolve host names.

    DNS 2                       (Optional) Enter the IP address of the secondary DNS server the appliance uses to resolve host names.

    Date/Time NTP server        The web address of the NTP (Network Time Protocol) server used by the appliance.

    7 In the vSphere client program, change the network configuration settings to match your requirements.

    8 In the Configuration > General Settings section, specify account settings:

    Option                      Description

    Organization                Enter the name of your company or group. This identifies the appliance in the Dell KACE data warehouse for Technical Support purposes.

    Admin email                 Enter an email address to use as the point of contact for the appliance.

    Email suffix                Enter the domain used as the default for profiles. For example, if you enter kace.com, the default domain for profiles would be com.kace.profilename.

    Change admin password       Change the password for the administration account named konfig to a new unique password. You use this account to log in to the appliance Administrator Interface. The default password is konfig.

  • Configuring SSL

    To configure SSL, you need to generate a CSR (Certificate Signing Request) and private key and use them to obtain an SSL certificate from a Certification Authority (CA). After you obtain an SSL certificate, you enter the certificate information in the K3000 appliance Administrator Interface.

    1 To generate a private key and a CSR, do one of the following:

    Use any software capable of generating a CSR, such as the free OpenSSL suite or Mac OS X server. Be sure to choose PEM format if you use a Microsoft tool, and do not use a passphrase.

    If you have a Dell KACE K1000 or K2000, use the SSL wizard in the Administrator Interface of that appliance to generate a CSR and a private key. For more information, see the Administrator Guide for each appliance.

    2 Download the private key for use in step 5.

    3 Download or copy the CSR and send it to your CA, such as GoDaddy or VeriSign.

    The CA returns to you a certificate in a .cer file, which should be PEM-encoded. In addition, the CA provides a ZIP file containing a number of intermediate certificates.

    4 Save the certificate and intermediate certificates, to be used in step 5.

    5 Enter the SSL key and certificate:

    a In the K3000 Administrator Interface, click the K3000 Settings icon.

    b Go to the Configuration > SSL Configuration section.

    c Click SSL Configuration to expand the section.

    d Enter the private key for your SSL certificate in the Key field.

    e In the Certificate field, copy and paste the certificate text from the .cer file first, and then from the expanded intermediate certificates from the ZIP file. For each, be sure to include the BEGIN and END lines.

    For example:

    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE-----

    6 Click Apply.
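    Steps 1 to 5 above, carried out with the OpenSSL command line, as an added example that is not part of the Dell KACE guide. The host name k3000.example.com and all file names are placeholders; the CN has to be the Hostname and Domain entered under Network Settings.

```shell
#!/bin/sh
# Added example, not from the Dell KACE guide. Host and file names are placeholders.

# Step 1: new 2048-bit RSA key and PEM CSR. -nodes writes the key without a
# passphrase, which the guide requires. The CN must equal Hostname.Domain as
# entered under Network Settings.
make_key_and_csr() {   # usage: make_key_and_csr <fqdn> <key.pem> <csr.pem>
    ( umask 077        # new files are readable by their owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$2" -out "$3" 2>/dev/null )
}

# Succeeds only for a PEM private key that loads without a passphrase.
key_is_unencrypted() {  # usage: key_is_unencrypted <key.pem>
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1" &&
        openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# Succeeds when the certificate returned by the CA carries the public key of
# the private key from step 2 (catches a mixed-up key or certificate file).
key_matches_cert() {    # usage: key_matches_cert <key.pem> <leaf.cer>
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_cert" ]
}

# Step 5e: text for the Certificate field, server certificate first, then each
# intermediate (one certificate per file). Re-encoding through openssl fails on
# a file that is not a certificate and emits one clean BEGIN/END block per input.
build_certificate_field() {  # usage: build_certificate_field <leaf.cer> <intermediate>...
    for f in "$@"; do
        openssl x509 -in "$f" -outform PEM 2>/dev/null || return 1
    done
}

# Typical run (left as comments so that sourcing this file has no side effects):
#   make_key_and_csr k3000.example.com k3000.key k3000.csr   # send k3000.csr to the CA
#   key_is_unencrypted k3000.key && key_matches_cert k3000.key k3000.cer
#   build_certificate_field k3000.cer intermediate1.crt intermediate2.crt > chain.pem
```

    Paste the contents of the key file into the Key field and the output of build_certificate_field into the Certificate field.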

  • Configuring LDAP authentication

    LDAP authentication makes it possible for users to log in to the Administrator Interface using their domain credentials.

    1 In the K3000 Administrator Interface, click the K3000 Settings icon.

    2 In the Configuration > LDAP Configuration section, specify the following settings:

    To enable appliance linking for single sign-on for all your K-series appliances, you must set up LDAP authentication for each appliance and use a suitably privileged LDAP account. For more information, see each appliance's Administrator Guide.

    Option                   Description

    Server friendly name     (Optional) Enter a descriptive name to identify the LDAP or Active Directory server.

    Server hostname (or IP)  (Required) Enter the IP address or hostname of the LDAP server or Active Directory server.

    LDAP port number         (Required) Enter the port number the appliance uses to connect to the LDAP or Active Directory server. Use port 636 for secure LDAP and port 389 for LDAP.

    SSL                      (Optional) Enable Secure Sockets Layer (SSL) cryptographic protocol. Using SSL is necessary to prevent passwords being transmitted in clear text in certain instances.

    Search base DN           (Required) Enter the criteria used to search for accounts. This criteria specifies a location or container in the LDAP or Active Directory structure, and the criteria should include all the users that you want to authenticate. Enter the most specific combination of OUs, DCs, or CNs that match your criteria, ranging from left (most specific) to right (most general).
                             For example, this path leads to the container with users that you need to authenticate: OU=end_users,DC=company,DC=com.

    Search filter            (Optional) The search filter. For example, the default filter is: (|(samaccountname=[login])(mail=[login])(cn=[login])).

  • 3 Click Save.

    4 (Optional) Test the LDAP settings:

    a Expand User login test (optional).

    b Enter the credentials of a user.

    c Click Test LDAP settings.

    Configuring EULA settings

    When users enroll devices, they must accept a EULA (End User License Agreement). You can configure the EULA to state your security policy and notify users that the system operator can perform various actions. These actions include tracking the location of the user's device, wiping the operator's data, remotely installing and removing software, and so on.

    1 In the K3000 Administrator Interface, click the Mobile Management icon, then click Settings.

    2 Click User Portal (Device enrollment page and EULA) to expand the section.

    3 In the End User License Agreement field, enter the text of the agreement you want users to accept.

    4 Click Save.

    LDAP Configuration options (continued from step 2 of Configuring LDAP authentication)

    Option                   Description

    LDAP login               (Required) Enter the credentials required for an admin account to log in to the LDAP server to read accounts.
                             Note: The appliance does not write to the LDAP server, so this account does not need write privileges.
                             For example: LDAP Login: CN=service_account,CN=Users,DC=company,DC=com.

    LDAP password            (Required) Enter the password for the LDAP login account.

    Default Domain           (Optional, except as noted) Enter the domain used as the default.
                             Note: For pushing Exchange ActiveSync profiles properly to iOS devices, this field cannot be left blank and must contain the domain associated with the LDAP server.
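    A way to check the LDAP Configuration values from an administrator workstation before entering them in the appliance, as an added example that is not part of the Dell KACE guide. It assumes the OpenLDAP ldapsearch client; ldap.company.com and the login jdoe are placeholders, and the DNs and filter are the guide's own examples. The guide does not say how the appliance substitutes [login], so the escaping shown applies to this manual test only.

```shell
#!/bin/sh
# Added example, not from the Dell KACE guide. Assumes OpenLDAP's ldapsearch.
LDAP_URI='ldaps://ldap.company.com:636'    # placeholder host; 636 = secure LDAP
BIND_DN='CN=service_account,CN=Users,DC=company,DC=com'   # read-only account
BASE_DN='OU=end_users,DC=company,DC=com'
FILTER='(|(samaccountname=[login])(mail=[login])(cn=[login]))'

# Escape the characters that are special inside a filter value (RFC 4515),
# so a login such as "smith (contractor)" cannot change the filter's structure.
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every [login] placeholder in a filter template with the escaped login.
expand_filter() {   # usage: expand_filter <template> <login>
    rest=$1 out='' esc=$(ldap_escape "$2")
    while :; do
        case $rest in
            *'[login]'*) out=$out${rest%%'[login]'*}$esc
                         rest=${rest#*'[login]'} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$out$rest"
}

# Simple bind as the service account over LDAPS, then count the entries the
# filter returns under the search base. Exactly 1 means the login is
# unambiguous; 0 usually means the base DN is too narrow, 2 or more that the
# filter is too broad.
count_matches() {   # usage: count_matches <login>   (prompts for the bind password)
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE_DN" \
        "$(expand_filter "$FILTER" "$1")" dn | grep -c '^dn:'
}

# Typical run:  count_matches jdoe
```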

  • Next steps

    Configure additional appliance settings and Mobile Management settings. For more information about these tasks, click the Help button in the upper right of the Administrator Interface to display context-sensitive Help. To open the Help system, click any related topic in the Help panel.

    For printable documentation, go to the first topic in the Help system.

    Getting support

    The Dell KACE Support website, http://www.kace.com/support/contact.php, has a customer section where you can access training videos, documentation, the Help Desk User Portal, and product updates. To obtain your customer login credentials for this section of the website, email Dell KACE Technical Support at [email protected]. To provide product feedback, go to http://kace.uservoice.com/forums/187596-k3000.

    For additional information and support, go to http://www.ITNinja.com/k3000.

  • Scheduling training

    To help you begin using the appliance, Dell KACE provides a fixed number of online training sessions called JumpStart. To understand the scope of your JumpStart purchase, please review the JumpStart Datasheet at http://www.kace.com/support/training.

    To schedule training, email the Dell KACE training team at [email protected]. You must complete your JumpStart training within 60 days of the initial product shipment. Additional training sessions can be purchased separately as needed.


  • www.dell.com | support.dell.com
