TARMAC
Version 1.4
Contents
Overview ...................................................... 3
Introducing TARMAC ............................................ 4
Installation and Licensing .................................... 5
    Installing TARMAC on Mac OS X Client ...................... 5
    Installing TARMAC on Mac OS X Server ...................... 5
    Accessing TARMAC for the first time ....................... 6
    Licensing TARMAC .......................................... 6
Connecting to your directory service .......................... 8
    Configuring TARMAC with an Open Directory ................. 8
    Configuring TARMAC with an Active Directory ............... 9
Using TARMAC without a directory service ...................... 10
    Setting up your MySQL database ............................ 10
    Inserting users into your database ........................ 10
    Configuring TARMAC with your MySQL database ............... 11
Creating iOS configuration templates .......................... 12
    Getting started with iPhone Configuration Utility ......... 12
    Configuration templates schema overview ................... 12
    Common Open Directory placeholders ........................ 13
    Common Active Directory placeholders ...................... 13
    Common MySQL placeholders ................................. 13
Assigning profiles to user groups ............................. 15
    Importing iOS device configuration templates .............. 15
    Signing profiles with a certificate ....................... 15
    Setting Compliance Rules .................................. 16
Securing access to TARMAC ..................................... 17
    Enabling HTTPS ............................................ 17
    Distributing company certification authorities ............ 17
    Enrolling Microsoft Exchange certificates ................. 18
Enrolling certificates using SCEP ............................. 19
    Setting up the initial SCEP profile ....................... 19
    Using an existing external certificate authority .......... 19
    Using TARMAC’s built-in CA server ......................... 20
Control devices using Mobile Device Management ................ 21
    Creating a push certificate with the Apple iOS Developer Program ... 21
    Install the push certificate in TARMAC .................... 22
    Configure Network Settings ................................ 22
    Creating a MDM push profile ............................... 23
    Enabling iOS configuration templates for automatic installation ... 23
    Using the MDM console ..................................... 24
Keeping track of users with Asset Management .................. 25
    Getting an overview of provisioned users .................. 25
Customizing your user experience .............................. 26
    Adding a custom logo ...................................... 26
    Displaying header and footer text ......................... 26
    Informing users with the About Screen ..................... 27
Provisioning user devices ..................................... 28
    Navigating to the client interface on an iOS device ....... 28
    Installing a personalized user profile .................... 28
Troubleshooting ............................................... 29
    Accessing TARMAC Server when directory service is offline . 29
    Locating TARMAC’s server logs ............................. 29
    Getting to know your directory service .................... 29
    Uninstalling TARMAC ....................................... 30
Overview
The aim of an automatic iPhone and iPad provisioning system is to automate
the setup and minimize administrative effort. TARMAC fulfills this aim.

Specialized for iPhone and iPad
TARMAC fully supports your device, whether it is an iPhone, iPod touch or
iPad. Compliance rule management allows TARMAC to query devices and
restrict profile access based on OS version or device generation.

Everything at a Glance
Get an instant overview of your users to see which have already provisioned
their devices. With the MDM console you have control over all devices at
your fingertips.

Front-Seat Security
No data leaves your internal infrastructure. SCEP enables device-specific
encryption for sensitive data. Centralized provisioning means important
changes can be deployed immediately.

Fast OTA Provisioning
Over-the-air (OTA) provisioning means administrators do not need physical
access to the end-user’s device.

Scales with your Company
Whether you are profiling a thousand devices or just one, TARMAC handles
them just the same. New users added to the directory service can benefit
from TARMAC straight away.

Efficient Administration
All devices are efficiently configured to meet corporate IT policies. All but
eradicate the time spent configuring individual user devices.

Future Proof
TARMAC uses Apple standards. No special proprietary formats are involved,
guaranteeing future support for your device and securing your investment.

Easy Deployment
As TARMAC requires no additional software to be installed on the end-user’s
device, set-up is a breeze. In no time at all, their device is fully configured.
Introducing TARMAC
The TARMAC Server interface is divided into the following pages:

Profiles
Import configuration templates and sign them digitally. Assign profiles to
directory groups and set Compliance Rules.

Licenses
Manage your TARMAC licenses and get an overview of licensed users.

Services
Define and set up your directory service and user groups here.

Customize
Customize the look and feel of TARMAC for the end-user. Add company
branding, helper text and more.

MDM
Get detailed information and push remote commands to devices bound via
Mobile Device Management (MDM).

Asset Management
Keep track of all provisioned devices, including device and iOS version
information.

Secure Access
Encrypt all communication with the TARMAC server, including enabling HTTPS
and setting a root CA.

SCEP
Authenticate users and encrypt profiles with Simple Certificate Enrollment
Protocol (SCEP) using your certificate authority.
Installation and Licensing
TARMAC is installed using a standard Mac OS X installer package. This
section steps you through this process and helps you license your software,
making it ready to use.

Installing TARMAC on Mac OS X Client
Double-click the Install TARMAC icon in the .dmg image file. This will initiate
the automatic TARMAC installer.
As TARMAC is configured directly within a web browser, the installer should
only take a few minutes to complete.
Tip   TARMAC is installed into one self-contained directory. Find it here:
      /Library/WebServer/tarmac/

Installing TARMAC on Mac OS X Server
Double-click the Install TARMAC icon in the .dmg image file. This will initiate
the automatic TARMAC installer.
As TARMAC is configured directly within a web browser, the installer should
only take a few minutes to complete.
In order not to interfere with any existing services, TARMAC does not
automatically start any web services when installed on Mac OS X Server.
Please be sure to create a web host for the TARMAC Server using the Server
Admin tool.
Tip   TARMAC is installed into one self-contained directory. Find it here:
      /Library/WebServer/tarmac/
Note  The Apache configuration file can be found here:
      /etc/apache2/sites/tarmac.conf
Accessing TARMAC for the first time
If you are installing TARMAC on Mac OS X Client, your default web browser
will automatically open and navigate to the TARMAC admin interface towards
the end of the installation process.
On Mac OS X Server, you can manually navigate to this interface at any time,
either directly from the local server or remotely from a different computer.
Navigating to the TARMAC Server interface locally:
‣ Open your preferred browser
‣ Navigate to http://localhost/tarmac/admin
Navigating to the TARMAC Server interface remotely:
‣ Open your preferred browser
‣ Navigate to http://<YourTARMACServer>/tarmac/admin
On your first visit you will be asked to change the local admin login. The
local admin user can be used to access the TARMAC server if you do not wish
to configure an admin group within TARMAC or if your directory service is
down.
To change the admin password:
‣ Click Change Password
‣ Enter the current password (default: admin)
‣ Enter a new password
‣ Click Change

Licensing TARMAC
Launching the TARMAC Server web interface for the first time will ask for
licensing information. You should have received this information when you
purchased TARMAC. Alternatively, all license information is stored in your
equinux License Manager.
To look up your TARMAC license information online:
‣ Visit http://my.equinux.com
‣ Log in using your equinux ID and password
‣ Click TARMAC in your software products list
‣ Click the license and click “More”
Once you have the license code, this can be copied and pasted in the Licenses page of TARMAC. There are two categories of licenses associated with
TARMAC: base licenses and user licenses.
Base licenses define server modules, such as which directory service or features should be enabled. Multiple base licenses (such as additional modules)
can be added at any time.
To add a base license:
‣ Click Add Base License
‣ Paste base license code
‣ Click Add
User licenses define how many users can provision their device. Multiple
user licenses can be added at a future date to scale with your company.
To add a user license:
‣ Click Add User License
‣ Paste user license code
‣ Click Add
Once licenses have been added to TARMAC, the appropriate modules should
now be active.
Connecting to your directory service
TARMAC requires access to your directory service to personalize individual
iOS configuration profiles. Use this guide to get TARMAC connected with your
directory service.
TARMAC needs to connect to your company’s directory service to personalize
mobile configuration templates and deliver them to end-user devices. This is
done from the Services page of the TARMAC Server.
TARMAC can connect to a variety of different directory services. Which
service is active depends on your base license.

Configuring TARMAC with an Open Directory
The following table details everything that is required to set up TARMAC
with an Open Directory (OD). Once all required information has been filled
in, press Update. You will receive an error should any information be
incorrect.

Field                     Description
Host                      IP or hostname of your OD. Multiple hosts can be
                          used as contingency.
Port                      Port used for OD connections. Default 389.
Base DN                   Fetch this automatically by clicking Fetch Base DN.
                          This is the base structure of your directory tree.
Anonymous Bind            Check this if OD allows anonymous access (i.e. does
                          not require a service account to gain access to
                          user information).
Service Account DN        Distinguished Name of the Service Account which is
                          used to connect to the Open Directory. This should
                          be fully qualified, e.g. ‘uid=johnsmith, cn=users’
                          (not required if Anonymous Bind is enabled).
Service Account Password  Password for the Service Account (not required if
                          Anonymous Bind is enabled).
User DN Attribute         This is the attribute which defines a user name in
                          your OD. Commonly ‘uid’.
Display Name              If you have multiple domains (e.g. one for the US
                          office, another for the EU office) you need to
                          define them both here. The Display Name need not
                          be pre-defined and can be created at this point
                          (e.g. ‘US office’).
Distinguished Name (DN)   The DN is used to authenticate all users. This
                          specifies the domain where all users are listed.
                          If you have multiple domains, these can be entered
                          here too. E.g. ‘cn=users’. Enabling Append appends
                          the Base DN (defined above). Enabling Default makes
                          this domain the default when users log in to the
                          TARMAC client.
Group DN                  This is where you must define which users can use
                          TARMAC to provision their devices. E.g.
                          ‘cn=finance,cn=groups’ or ‘cn=vpnusers,cn=groups’.
                          These values are defined by your existing OD.
                          Append appends the Base DN (defined above).
                          Enabling Admin gives this user group TARMAC Server
                          administration rights. They can then access the
                          Admin interface with their standard user login.

Configuring TARMAC with an Active Directory
The following table details everything that is required to set up TARMAC
with an Active Directory (AD). Once all required information has been filled
in, press Update. You will receive an error should any information be
incorrect.

Field                     Description
Host                      IP or hostname of your AD. Multiple hosts can be
                          used as contingency.
Port                      Port used for AD connections. Default 389.
Base DN                   Fetch this automatically by clicking Fetch Base DN.
                          This is the base structure of your directory tree.
Anonymous Bind            Check this if AD allows anonymous access (i.e. does
                          not require a service account to gain access to
                          user information). Note: This is not commonly the
                          case with an AD.
Service Account DN        Distinguished Name of the Service Account which is
                          used to connect to the Active Directory. This
                          should be fully qualified, e.g.
                          ‘cn=johnsmith, cn=users’.
Service Account Password  Password for the Service Account.
User DN Attribute         This is the attribute which defines a user name in
                          your AD. This attribute is used as the login for
                          both the TARMAC server interface and the client
                          interface. Commonly ‘sAMAccountName’.
Display Name              If you have multiple domains (e.g. one for the US
                          office, another for the EU office) you need to
                          define them both here. The Display Name need not
                          be pre-defined and can be created at this point
                          (e.g. ‘US office’).
Distinguished Name (DN)   The DN is used to authenticate all users. This
                          specifies the domain where all users are listed.
                          If you have multiple domains, these can be entered
                          here too. E.g. ‘cn=users’. Enabling Append appends
                          the Base DN (defined above). Enabling Default makes
                          this domain the default when users log in to the
                          TARMAC client.
Group DN                  This is where you must define which users can use
                          TARMAC to provision their devices. E.g.
                          ‘cn=finance,cn=users’ or ‘cn=vpnusers,cn=users’.
                          These values are defined by your existing AD.
                          Append appends the Base DN (defined above).
                          Enabling Admin gives this user group TARMAC Server
                          administration rights. They can then access the
                          Admin interface with their standard user login.
Using TARMAC without a directory service
If you do not have an existing directory service, TARMAC can set up a
configurable MySQL database. This database can store your users and be used
to personalize individual iOS profiles.
A MySQL database can be used to provision end-user devices without a
full-fledged directory service. TARMAC will pre-define a set of tables in
this database and appropriate user fields (such as username, first name,
last name, etc).

Setting up your MySQL database
Before TARMAC can connect to your database server, you need to create a
database to contain your user information.
Creating a basic database framework:
‣ Create an empty database on your database server and make a note of
  the name (e.g. ‘tarmac’).
‣ Configure TARMAC via the Services page
‣ Click Create DB Schema
Tip   Mac OS X includes a built-in MySQL server allowing you to run your
      database on the same server as TARMAC if needed. For further
      instructions on enabling MySQL, please consult Apple’s own
      documentation.
The following table gives you an overview of the information required to
set TARMAC up in conjunction with your new MySQL user database.

Field                     Description
Host                      IP or hostname of your database server where the
                          database is hosted.
Port                      Port used for MySQL connections. Default 3306.
Service Account           Enter the account name used to access the
                          database. This would have been defined when
                          creating the database and must have the
                          appropriate permissions to make changes to the
                          database.
Service Account Password  Enter the service account password.
Database                  Enter the name of the database TARMAC should
                          connect to (e.g. ‘tarmac’). This should have
                          previously been created on your database server.

Once the above information has been entered correctly into TARMAC, click
the Create DB Schema button. This will then create a basic set of tables
within your pre-created empty database.

Inserting users into your database
The basic database schema created by TARMAC consists of a ‘groups’ table, a
‘users’ table and a ‘user_groups’ junction table. You will need to create
users in order to provision unique profiles for your users.
Creating users in your database:
‣ Connect to your database using your favorite MySQL admin tool
‣ Define one or more groups in the ‘groups’ table
‣ Insert new users in the ‘users’ table
‣ Join specific users to a group in the ‘user_groups’ table
As MySQL saves records in plain text, TARMAC will expect a hashed password
in the user password field. MySQL can hash this password for you on the
command line. Simply enter the following command:
SELECT PASSWORD('password')
Creating a password for your users:
‣ Insert a record in the ‘users’ table
‣ Use the above command to hash a chosen password
‣ Paste the hashed result into the user password field
The ‘users’ table can be modified with custom attributes if needed. For
example, you may need additional fields to specify a user’s address. These
can be added to the database schema and TARMAC will automatically reference
the new attributes when provisioning user profiles.
Tip   Creating, navigating and inserting records into a MySQL database is a
      whole lot easier using a nice GUI (e.g. Sequel Pro or phpMyAdmin).
Once these groups are set up, you can start configuring your iOS
configuration templates, using the placeholders found in the section
‘Creating iOS configuration templates’.

Configuring TARMAC with your MySQL database
Once your database has been fully set up and users have been assigned
groups, you now need to tell TARMAC which groups users belong to. TARMAC
includes a feature that can automatically query your database and display
all available groups.
Managing user groups within TARMAC:
‣ Navigate to the Services page
‣ Click Manage Groups
‣ Select the groups you want to be provisioned
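The steps above (define groups, insert users with a hashed password, join users to groups) can be prepared as a set of parameterized statements instead of typing values into a GUI. The following script is an added example and not part of TARMAC or this manual. It reproduces the value that MySQL's PASSWORD() function returned before MySQL 8.0 (the mysql_native_password format, '*' followed by the uppercase hex of SHA1(SHA1(password))), because PASSWORD() was removed in MySQL 8.0 while TARMAC still expects a hash in that format. The user column names follow the MySQL placeholders listed later in this manual (user_name, mail, firstname, lastname, cellphone); the password column name, a 'name' column in the groups table, and the 'id' columns joined through user_groups are assumptions about the schema TARMAC creates and must be checked against your database.

```python
import hashlib

# Added example, not TARMAC's own code. Column names user_name, mail,
# firstname, lastname and cellphone come from the manual's MySQL
# placeholder list; 'password', 'name', 'id', 'user_id' and 'group_id'
# are assumptions about the schema TARMAC creates.
USER_COLUMNS = ("user_name", "mail", "firstname", "lastname", "cellphone")


def mysql_password_hash(password):
    """Reproduce MySQL's pre-8.0 PASSWORD() output (mysql_native_password):
    '*' + uppercase hex of SHA1(SHA1(password)). This is an unsalted hash,
    so the strength of the stored value depends entirely on the password."""
    first = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(first).hexdigest().upper()


# Constructed sample data for the example.
GROUPS = ["finance", "vpnusers"]
USERS = [
    {"user_name": "jsmith", "mail": "jsmith@example.com", "firstname": "John",
     "lastname": "Smith", "cellphone": "+1 555 0100", "password": "password"},
    {"user_name": "adoe", "mail": "adoe@example.com", "firstname": "Anna",
     "lastname": "Doe", "cellphone": "+1 555 0101", "password": "s3cret!"},
]
MEMBERSHIPS = [("jsmith", "finance"), ("jsmith", "vpnusers"), ("adoe", "finance")]


def build_statements(groups, users, memberships):
    """Return (sql, params) pairs ready for a DB-API cursor.execute() call.
    Values are bound parameters, never spliced into the SQL text, and only
    the hash of each password is handed to the database."""
    statements = []
    # 'groups' is a reserved word in recent MySQL versions, hence the backticks.
    for group in groups:
        statements.append(("INSERT INTO `groups` (name) VALUES (%s)", (group,)))
    columns = ", ".join(USER_COLUMNS + ("password",))
    marks = ", ".join(["%s"] * (len(USER_COLUMNS) + 1))
    for user in users:
        params = tuple(user[c] for c in USER_COLUMNS)
        params += (mysql_password_hash(user["password"]),)
        statements.append((f"INSERT INTO users ({columns}) VALUES ({marks})", params))
    # Resolve the ids by name inside the database so the script never has to
    # know which auto-increment values were assigned.
    for user_name, group in memberships:
        statements.append((
            "INSERT INTO user_groups (user_id, group_id) "
            "SELECT u.id, g.id FROM users u, `groups` g "
            "WHERE u.user_name = %s AND g.name = %s",
            (user_name, group),
        ))
    return statements


def plaintext_leaked(statements, users):
    """True if any plaintext password ended up among the bound parameters."""
    secrets = {u["password"] for u in users}
    return any(p in secrets for _, params in statements for p in params)


if __name__ == "__main__":
    stmts = build_statements(GROUPS, USERS, MEMBERSHIPS)
    for sql, params in stmts:
        print(sql, params)
    print("plaintext leaked:", plaintext_leaked(stmts, USERS))
```

Each pair can be passed to cursor.execute() of a MySQL DB-API driver that uses the %s parameter style (mysqlclient or PyMySQL). Because TARMAC stores this unsalted SHA1-based hash, the database file and its backups deserve the same protection as the directory service they replace.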
Creating iOS configuration templates
Use Apple’s iPhone Configuration Utility to create iOS configuration
templates which can be imported into TARMAC. These templates are then
personalized before being delivered to end-user devices.

Getting started with iPhone Configuration Utility
The iPhone Configuration Utility is used to create all iOS device
configuration templates ready for TARMAC provisioning. This tool is
available for free from Apple’s Support website at
http://support.apple.com/kb/DL851.
After downloading and installing the iPhone Configuration Utility, you can
start creating your iOS device configuration templates.
Creating a new configuration template:
‣ Choose Configuration Profiles from the Library column on the left
‣ Click New in the toolbar
‣ Start configuring your template, following the tooltips from Apple
‣ Use a placeholder in place of specific user information when you need
  TARMAC to provision this information automatically
Repeat these steps, creating templates for the required number of user
groups. For example, one template for the finance department, another for
the marketing department. These will be assigned to your user groups in the
next section.
Note  You can configure as little or as much as you want. Only activate
      features you intend to provision. Leaving required fields blank may
      prevent the profile being installed successfully on the end-user
      device.

Configuration templates schema overview
In order for TARMAC to personalize iOS configuration templates, it needs to
know where this information can be found in your directory service. Special
placeholders can be used in the fields which would normally be filled with
specific user data.
Defining a TARMAC placeholder:
‣ Enter $$ + attribute + $$
‣ E.g. $$uid$$ would commonly be used in place of a username when using
  an Open Directory server
Tip   If you need a little help remembering the structure of your directory
      service, try using an LDAP browser. Try ADSI Edit on Windows, or
      Apache Directory Studio for Mac OS X or Linux, available from
      http://directory.apache.org/studio/.

Common Open Directory placeholders
Most Open Directories use a standard set of attribute names. Here is a list
of common features used in the iPhone Configuration Utility and what
placeholder would need to be used in order for TARMAC to provision the
profile per user.

Item                 Common OD Attribute
Account / Username   $$uid$$
Email Address        $$mail$$
User Display Name    $$cn$$
First Name           $$givenName$$
Surname              $$sn$$
Office Phone         $$telephoneNumber$$

Common Active Directory placeholders

Item                 Common AD Attribute
Account / Username   $$sAMAccountName$$
Email Address        $$mail$$
User Display Name    $$cn$$
First Name           $$givenName$$
Surname              $$sn$$
Company              $$company$$
Department           $$department$$
Office Phone         $$telephoneNumber$$

Note  This is not a definitive list. Please check your directory service
      with an LDAP browser to check all attributes are correct. If an
      attribute is defined within a configuration template but is not
      available on the directory service for every user in that group,
      provisioning will fail.

Common MySQL placeholders
TARMAC creates the schema for MySQL databases during MySQL set-up,
including the creation of the following standard set of attributes that can
be used to provision personalized user profiles.

Item                 Common MySQL Attribute
Username             $$user_name$$
Email Address        $$mail$$
First Name           $$firstname$$
Surname              $$lastname$$
Cell Phone           $$cellphone$$

As discussed in the section ‘Using TARMAC without a directory service’, the
MySQL database schema can be changed to include custom information. If you
have defined additional fields, for example “Department”, then the column
header can be used to form a placeholder. The same principle always
applies: $$ + columnheadername + $$.
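To make the placeholder rule concrete, here is an added example (not TARMAC's own substitution engine, whose internals this manual does not show) that applies the $$attribute$$ syntax to a fragment of a .mobileconfig template and enforces the rule from the note above: if any user in the group lacks an attribute the template references, the whole group is refused before anything is provisioned. The template fragment, the user records and the XML escaping of directory values are this example's own additions; the manual does not state how TARMAC treats a directory value that contains XML markup characters, so escaping is shown here as the defensive choice that keeps a value such as `<` or `&` from breaking or altering the plist structure.

```python
import re
from xml.sax.saxutils import escape

# Added example, not TARMAC's code. Placeholder syntax from the manual:
# $$attribute$$, where attribute is a directory attribute or a MySQL column.
PLACEHOLDER = re.compile(r"\$\$([A-Za-z0-9_:.-]+)\$\$")

# Constructed sample: a fragment of a plist-XML .mobileconfig as exported
# from iPhone Configuration Utility, with Open Directory placeholders in
# the user-specific fields.
TEMPLATE = """<dict>
  <key>EmailAddress</key><string>$$mail$$</string>
  <key>UserName</key><string>$$uid$$</string>
  <key>DisplayName</key><string>$$cn$$</string>
</dict>"""

# Constructed sample directory records, keyed by login. 'adoe' has no cn
# attribute; 'tricky' has a display name containing XML markup characters.
USERS = {
    "jsmith": {"uid": "jsmith", "mail": "jsmith@example.com", "cn": "John Smith"},
    "adoe":   {"uid": "adoe", "mail": "adoe@example.com"},
    "tricky": {"uid": "tricky", "mail": "t@example.com", "cn": "A <b>&</b>"},
}


def placeholders_in(template):
    """Return the set of attribute names a template references."""
    return set(PLACEHOLDER.findall(template))


def missing_attributes(template, records):
    """Map each user to the attributes the template needs but the record
    lacks. Running this before provisioning finds the users who would make
    the whole group fail, as the manual's note describes."""
    needed = placeholders_in(template)
    return {
        user: sorted(needed - set(attrs))
        for user, attrs in records.items()
        if needed - set(attrs)
    }


def personalize(template, attrs):
    """Replace every $$attr$$ with the user's value. Values are XML-escaped
    (an assumption of this example) so a directory value containing '<',
    '>' or '&' is stored as text instead of becoming plist structure."""
    def replace(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"attribute {name!r} not available for this user")
        return escape(str(attrs[name]))
    return PLACEHOLDER.sub(replace, template)


def provision_group(template, records):
    """Personalize the template for every user in the group, or refuse the
    whole group if any user lacks a referenced attribute."""
    problems = missing_attributes(template, records)
    if problems:
        raise ValueError(f"cannot provision group, missing attributes: {problems}")
    return {user: personalize(template, attrs) for user, attrs in records.items()}


if __name__ == "__main__":
    print("template needs:", sorted(placeholders_in(TEMPLATE)))
    print("users blocking the group:", missing_attributes(TEMPLATE, USERS))
    print(personalize(TEMPLATE, USERS["tricky"]))
```

Running the check against the sample records reports that 'adoe' lacks cn, which is exactly the situation in which the manual says provisioning of the group fails; fixing the directory record (or dropping the placeholder from the template) is the remedy, and the check can be run against the whole group DN before the template is assigned.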
Provisioning passwords in iOS profiles
User passwords are often encrypted on the directory service, which prevents
TARMAC from being able to provision them using a simple attribute
placeholder. TARMAC can however provision user passwords if SCEP is enabled,
by using a special placeholder.

Item       Provisioning attribute
Password   $$TARMAC:password$$

Note  In order to provision user passwords, SCEP must be enabled for this
      placeholder to work. This feature is currently not supported when
      pushing profiles with MDM.

Exporting iOS device configuration templates
Once you have created a configuration template, you can export it ready to
be imported into TARMAC.
Exporting configuration templates from iPhone Configuration Utility:
‣ Select the configuration profile to export
‣ Click Export in the toolbar
‣ Choose ‘None’ from the security pop-up menu
‣ Save to your preferred location
Your iOS device configuration templates are now ready to be imported into
TARMAC.
Assigning profiles to user groups
After your iOS device configuration templates have been created in Apple’s
iPhone Configuration Utility, they can be imported into TARMAC and assigned
to user groups. This section shows you how.
The Profiles page of TARMAC Server allows you to upload and assign user
groups to your configuration templates. Additionally, you can use this
section to set compliance rules, restricting profile download access only to
those who have permission.

Importing iOS device configuration templates
Once iOS device configuration templates have been created in the Apple
iPhone Configuration Utility they need to be imported into TARMAC.
Importing configuration templates from iPhone Configuration Utility:
‣ Navigate to the Profiles page on the TARMAC Server interface
‣ Click Import in the ‘Access’ section
‣ Choose a .mobileconfig configuration template
‣ Click Import
The template will now show in the table below, ready for you to assign user
groups. These user groups correspond to the group DNs in the ‘Access’
section of the Services page (see section: Connecting to your directory
service).
Assigning user groups to configuration templates:
‣ Click an uploaded configuration template in the table
‣ Select the check box next to the group you wish to assign this template to
These changes are made dynamically and you do not need to save each time.
More than one group can be assigned to each template. For example, you may
have one template called VPN Access among several other departmental
templates. VPN Access may need to be assigned to several different groups,
giving permitted end-users access to this profile regardless of which
department they are in.
Tip   Using Mobile Device Management allows TARMAC to automatically push and
      install iOS device configuration profiles to devices bound via MDM.
      See section Control devices using Mobile Device Management for more
      information.

Signing profiles with a certificate
TARMAC profiles can be signed during the provisioning process by a custom
certificate and private key that matches your root CA. This way, end-users
can rest assured that the profile they are installing is indeed from their
company. Certificates are added globally and not to individual profiles.
To add a certificate and private key:
‣ Click Set Signature
‣ Choose a certificate
‣ Choose a private key
‣ Click Import
TARMAC supports certificate files in PEM or DER format, encoded in Base64.
They must not be encrypted.
Profiles can also be signed individually using an automated SCEP service
(see section Enrolling certificates using SCEP).

Setting Compliance Rules
TARMAC allows you to restrict access to profiles based on device or iOS
version. It may be that you do not want to allow certain devices access to
provisioning profiles due to security concerns or any other reasons. At
present, Compliance Rules are set globally and cannot be assigned to
individual profiles.
To set compliance rules:
‣ Check the box next to each allowed device
‣ Click Save
If an unauthorized device attempts to download a profile, the user will
receive an error message saying no profile is available.
Tip   Enabling SCEP allows TARMAC to differentiate between iPhone models
      with greater accuracy and therefore allows additional compliance
      rules to be set.
Securing access to TARMAC
TARMAC keeps security in the front seat. These sections help you to encrypt
communication with the TARMAC Server on both the server and client side.
Tip   Use SCEP to enroll device- and user-specific certificates and encrypt
      configuration profiles for a specific device. See section Enrolling
      certificates using SCEP for more details.

Enabling HTTPS
Enabling HTTPS will encrypt all information between your end-users and the
TARMAC Server. Access to the TARMAC Server Admin will also go over SSL.
If you have installed TARMAC on Mac OS X Server and have not yet set up
HTTPS credentials, you may lock yourself out. Please consult Apple’s Server
Management manual for help on encrypting HTTP connections to your server.
If TARMAC has been installed on Mac OS X Client, it is possible for TARMAC
to manage the HTTPS connection itself.
Activating HTTPS on Mac OS X Client:
‣ Check the box Activate HTTPS
‣ Click HTTPS
‣ Choose a certificate and private key
‣ Click Import
Note  All URLs will use the https:// prefix if HTTPS is enabled. Be sure to
      update your users.

Distributing company certification authorities
It is best practice to sign all profiles with a trusted public authority
such as VeriSign or Thawte to ensure peace of mind for your end users that
the profile comes from a trusted source.
However, it is possible with TARMAC to authenticate with your own internal
CA. In such cases, the .mobileconfig file containing the root CA should be
signed by the external public authority.
If certain services, such as CalDAV or your Mail server, have a certificate
which cannot be verified against a root CA, the end-user will be asked to
trust each certificate manually. A root CA can be quickly deployed to
end-users so all certificates signed by the root CA are trusted
automatically.
The root CA can either be embedded directly into the configuration template
or in its own .mobileconfig file created with Apple’s iPhone Configuration
Utility.
To create a .mobileconfig file with signed root CA:
‣ Open the iPhone Configuration Utility
‣ Create a new configuration profile
‣ Add a certificate under ‘Credentials’
‣ Export the profile
The .mobileconfig file can now be imported into TARMAC via the Secure Access
page of TARMAC.
To import a certificate profile:
‣ Click Set Profile
‣ Choose the .mobileconfig file created in the steps above
‣ Click Import
End-users will now be asked to secure their connection before downloading
their user-specific profile. This will download and install the root CA
profile on to their devices, allowing them to authenticate against internal
services.
[Figure: the user downloads the .mobileconfig with the root CA, then
continues to the user login.]

Enrolling Microsoft Exchange certificates
TARMAC can use your existing certificate authority to enroll user
certificates, allowing users to be authenticated with their Microsoft
Exchange server. This is necessary for installations that use certificate
authentication instead of user passwords.
In order to use this feature, TARMAC needs to know when it must provision
the user certificate. This is done by entering a special placeholder in the
‘Password’ field of the Exchange ActiveSync settings in the iPhone
Configuration Utility.

Item                                Provisioning attribute
Exchange Certificate Template Name  $$CERT:NameOfTemplate$$

Activating Exchange certificate enrollment in TARMAC:
‣ Enter the URL of your certificate authority under ‘CA Server’
‣ Import a configuration profile that contains the certificate placeholder
During the provisioning process an enrolled user-specific certificate will
be inserted into the configuration profile. The user’s device will then
authenticate itself with your MS Exchange Server without needing the user
to enter any specific passwords.
Tip   If enrollment fails, check whether the user has enrollment rights and
      the correct template name has been defined in the placeholder.
Enrolling certificates using SCEP
TARMAC allows automated certificate enrollment during the
device provisioning process. Certificates can be enrolled
using an existing certificate authority or via TARMAC’s own
built-in CA.
The simple certificate enrollment protocol (SCEP) allows certificate enrollment based on a user’s unique identity and device. The certificate is then
used to authenticate the provisioning profile and encrypt the .mobileconfig
file.
Setting up the initial SCEP profile
Before provisioning an end-user’s device, TARMAC queries the device and
returns this information to the certificate authority. As this step will require
the user to accept and install this pre-enrollment profile, it is important to
provide TARMAC with clear information to show the user.
There are four required fields, organization, base ID, title and description.
Using an existing external certificate authority
Attribute
What’s needed
Organization
Your company name
Base ID
A base ID which will be used to generate the IDs of
the SCEP configuration profiles (e.g.
‘com.yourcompanyname’)
Title
Title of the profile
Description
Any descriptive text which will be displayed in the
configuration
TARMAC can connect to your existing certificate authority, such as a Microsoft Windows 2008 Server running Certificate Services, to enroll user certificates. In order to set this up you will need to provide TARMAC with access to
your SCEP-compatible certificate authority server.
Giving TARMAC access to your external certificate authority:
‣ Select ‘Use external certificate authority’
‣ Set a root certificate from your CA
‣ Fill in the access details of your CA
‣ Press Save
19
Attribute
What’s needed
SCEP URL
Enter the URL of the SCEP service here. For example, ‘http://scepserver.example.com/certsrv/mscep/mscep.dll' (Windows Server 2003 CA with MSCEP add-on or a Windows Server 2008 CA with the NDES role). This is the location of
the SCEP service and will be used to enroll the certificate.
SCEP Admin URL
Enter the URL of the SCEP service admin interface here. For example:
'http://scepserver.company.com/certsrv/mscep/' for a Windows Server 2003 CA with the MSCEP Add-On or
'http://scepserver.company.com/certsrv/mscep_admin/' for a Windows Server 2008 CA with the NDES role. This will
be used before enrollment to obtain an enrollment challenge password for each new SCEP request which is passed
to the SCEP service above.
SCEP Service Account
This is the user name of the service account which has permission to obtain an enrollment challenge password
from the SCEP admin interface. The service account requires ‘Enroll’ permissions on the Certificate Template used for
SCEP. The user principle name (UPN) needs to be entered in this box, for example: ‘account1@example.com’.
SCEP Service Account Password
Service account password which be used to gain access to the SCEP admin interface.
Using TARMAC’s built-in CA server
If your infrastructure does not already have an existing certificate authority,
TARMAC can enroll certificates by using its built-in CA.
Enabling the built-in CA requires a root CA certificate and private key. The
root CA can either be self-signed or signed by a third-party verification
agency.
Enabling TARMAC’s built-in certificate authority:
‣ Select ‘Use TARMAC as SCEP certificate authority’
‣ Set a certificate and private key and click import
‣ Click Save
Once initiated, all users will be enrolled using the simple certificate enrollment protocol.
Control devices using Mobile Device Management
TARMAC provides Mobile Device Management to allow system administrators to get detailed information and push remote queries and commands to iPhone, iPad, and iPod Touch devices running iOS 4 and later.
Mobile Device Management (MDM) binds your end-user devices with iOS 4 or later to your TARMAC installation. These devices can then be queried for detailed device information like roaming information and installed applications using the Apple Push Notification Service. Commands can be pushed to the devices, e.g. to install additional configuration profiles or to erase the device remotely.
In order to use MDM, a special MDM push profile has to be installed on each device and TARMAC needs to be able to send push notifications through the Apple Push Notification Service. It is therefore required to be a member of the Apple iOS Developer Program.
Note SCEP is required to use Mobile Device Management in TARMAC. Configure SCEP first to enable MDM.
Configuring TARMAC to use Mobile Device Management:
‣ Create and download a production Push Certificate with the Apple Developer Program
‣ Upload the Push Certificate in TARMAC
‣ Configure the external TARMAC URL
‣ Upload an MDM configuration profile
‣ Activate regular iOS configuration templates to be automatically distributed via MDM
Creating a push certificate with the Apple iOS Developer Program
A push certificate signed by Apple is required to communicate with devices through the Apple Push Notification Service. To create a push certificate, log in to the Apple iOS Dev Center (http://developer.apple.com/devcenter/ios/) and go to the iOS Provisioning Portal. Select ‘App IDs’ and create an App with a bundle identifier which starts with ‘com.apple.mgmt.’. Enable the App ID for production use with the Apple Push Notification Service and download the ‘Production Push SSL Certificate’.
Install the push certificate in TARMAC
In order to push notifications to devices, the push certificate signed by Apple needs to be added to TARMAC. Open the TARMAC administration web interface, select ‘General Preferences’, upload the certificate and save the settings.
Configure Network Settings
When devices are queried via a MDM notification through the Apple Push
Notification service, they need to connect to the TARMAC server via HTTP(S).
It is therefore required that your TARMAC installation is reachable from your
devices. Enter the external URL of your TARMAC server in the network settings and save. This is the address your device will communicate with for all
MDM requests or commands.
Creating a MDM push profile
Create a configuration profile with the iPhone Configuration Utility with only one payload, “Mobile Device Management”. Make sure the Server and Check In URL match your installation and that the Topic is the same as the bundle identifier (starting with ‘com.apple.mgmt.’) you used in the Apple iOS Provisioning Portal.
Export the device configuration profile containing the MDM payload. Select ‘Profiles’ in the TARMAC administration web interface and upload the MDM push configuration profile like a regular device configuration profile. Assign the authorized user groups to the MDM push configuration profile to finish the Mobile Device Management setup.
Enabling iOS configuration templates for automatic installation
iOS configuration profiles can be automatically pushed to devices after MDM check in. To enable the automatic installation of certain configuration profiles via MDM, enable the checkbox ‘MDM Push’ next to these profiles.
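As an added example (not part of TARMAC or this manual), the following Python check applies the requirements above to an exported MDM push profile before it is uploaded: a single Mobile Device Management payload, Server and Check In URLs on the external TARMAC URL entered in the network settings, and a Topic equal to the com.apple.mgmt. App ID. The PayloadType value com.apple.mdm is Apple’s identifier for that payload; the sample profile, its /tarmac/mdm paths and its UUIDs are constructed placeholders.

```python
# Added example (not part of TARMAC or the manual): pre-upload check of an MDM push
# profile against the manual's rules: one Mobile Device Management payload, Server and
# Check In URLs on the external TARMAC URL, Topic equal to the com.apple.mgmt.* App ID.
import plistlib
from urllib.parse import urlparse

MDM_PAYLOAD_TYPE = "com.apple.mdm"   # Apple's PayloadType for a Mobile Device Management payload
TOPIC_PREFIX = "com.apple.mgmt."

def check_mdm_profile(profile_bytes: bytes, external_url: str, app_id: str) -> list:
    """Return a list of problems; an empty list means the profile is consistent."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:                    # neither XML nor binary plist
        return [f"profile is not a valid plist: {exc}"]
    problems = []
    payloads = profile.get("PayloadContent", [])
    if len(payloads) != 1:
        problems.append(f"expected exactly one payload, found {len(payloads)}")
    mdm = next((p for p in payloads if p.get("PayloadType") == MDM_PAYLOAD_TYPE), None)
    if mdm is None:
        return problems + ["no Mobile Device Management payload found"]
    want = urlparse(external_url)
    for key in ("ServerURL", "CheckInURL"):
        url = urlparse(mdm.get(key, ""))
        # The manual allows HTTP(S); devices report to this address, so insist on HTTPS.
        if url.scheme != "https":
            problems.append(f"{key} should use https, got '{url.scheme or 'none'}'")
        if (url.scheme, url.netloc) != (want.scheme, want.netloc):
            problems.append(f"{key} is not on the external TARMAC URL {external_url}")
    if not app_id.startswith(TOPIC_PREFIX):
        problems.append(f"App ID must start with {TOPIC_PREFIX}")
    if mdm.get("Topic") != app_id:
        problems.append(f"Topic '{mdm.get('Topic')}' differs from App ID '{app_id}'")
    return problems

def build_sample_profile(server: str, topic: str) -> bytes:
    """Constructed sample: one MDM payload; /tarmac/mdm paths and UUIDs are placeholders."""
    payload = {"PayloadType": MDM_PAYLOAD_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.tarmac.mdm",
               "PayloadUUID": "3E2B9C4A-0000-4000-8000-000000000001",
               "ServerURL": f"{server}/tarmac/mdm",
               "CheckInURL": f"{server}/tarmac/mdm/checkin", "Topic": topic}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.tarmac.mdm-profile",
                           "PayloadUUID": "3E2B9C4A-0000-4000-8000-000000000002",
                           "PayloadContent": [payload]})
```

Run it against the real exported .mobileconfig (read as bytes) with the external URL from the network settings and the App ID from the Provisioning Portal; an empty list means the profile is consistent with both.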
Using the MDM console
The MDM console is the central cockpit for managing your MDM-controlled
iOS devices. Select ‘MDM‘ in the TARMAC administration web interface to
access it.
The device list can be narrowed down by using the search field. It is possible
to search for a specific device of a user, for a specific user itself or for a group
of users. All devices selected in the Results list can be added to the Device
Control List on the right to execute commands on several devices at once.
To interact with a specific device, locate it in the device list on the left side. Select the grey info button to open the device information overlay, which displays specific information about the device and allows you to execute remote commands.
The selected commands are queued on the TARMAC server and TARMAC
sends a push notification to the specific device. When the device receives
the push notification, it connects to the TARMAC server and executes the
command queue. TARMAC displays the number of ‘Pending MDM commands‘ in the device information overlay. A ‘History‘ of all current and past
commands is also displayed in the overlay. Pending MDM commands can be
cancelled by selecting the grey X button.
Keeping track of users with Asset Management
TARMAC keeps track of all activities, giving you an overview of provisioned devices in the field.
Getting an overview of provisioned users
The Asset Management page in TARMAC displays a list of TARMAC provisioned devices. There are two fields immediately available: user and last provisioning date. More information about the user, such as device type and iOS version, can also be seen.
TARMAC Asset Management allows quick access to user device information such as device type, iOS version, which profile was provisioned and the date of provisioning by utilizing information captured using the Simple Certificate Enrollment Protocol (SCEP). This tool is useful to see who has and who has not yet provisioned their device.
Tip
Getting more information about user devices:
‣ Click on the user name in the ‘Provisioned Users’ table
‣ All extra information will collapse under their username
Tip
Use Mobile Device Management (MDM) to collect more detailed device information. See section Control devices using Mobile Device Management for further information.
To find out more information, such as an IMEI number or MAC address, take a look at TARMAC’s ‘Logs’ page. Here you will find the user’s log in name and extra information such as UDID, device type and profile installed.
Customizing your user experience
TARMAC allows admins to customize the end-user experience, so that users feel right at home. This section explains how.
Displaying header and footer text
Header and footer text is displayed throughout the end-user interface and can be used to aid the user or provide additional information.
To add a header and footer to the end-user interface:
‣ Navigate to the Customize page of the TARMAC Server interface
‣ Type a header and a footer
‣ Click Save
This text will now be shown on the end-user’s device when they access the TARMAC service.
Note At present, the same header and footer is shown on each page.
Adding a custom logo
Custom logos, such as your company logo, give users the look and feel they expect from your company.
To add a custom logo to the end-user interface:
‣ Navigate to the Customize page on the TARMAC Server interface
‣ Click Upload Image
‣ Choose an image file
‣ Click Upload
Supported image file formats include: PNG, GIF and JPEG. For a seamless fit on the iPhone, we recommend dimensions of 320x79px and a transparent background.
Adding Links
Links can help direct end-users to external pages if required.
To add custom links to the end-user interface:
‣ Navigate to the Customize page on the TARMAC Server interface
‣ Give the Link a user-friendly name
‣ Enter the URL
‣ Click Save
Tip
TARMAC also allows you to link phone numbers here. In the Link field type ‘tel:’ plus the number. This number will then be dialed if the end-user taps the link.
Informing users with the About Screen
The TARMAC end-user interface is designed to be as straightforward as possible for the end-user. If the more inquisitive user wishes to learn more about TARMAC, they can tap the ‘?’ on their device.
TARMAC includes a short introduction by default, which can be customized by the TARMAC admin at any time.
To customize About Screen text:
‣ Navigate to the Customize page of the TARMAC Server interface
‣ Edit the text
‣ Click Save
This text will now be shown when the user taps ‘?’ on any of the end-user interface pages.
Note The About Screen edit field accepts basic HTML tags such as <p> and <br />.
Provisioning user devices
User devices are fully configured with TARMAC through one easy-to-use interface.
Provisioning an end-user’s iOS device can be done in a matter of minutes. Simply direct your users to the standard TARMAC client interface, included as part of every TARMAC Server installation.
Navigating to the client interface on an iOS device
In order to download a personalized profile, the user must log in via the TARMAC client interface.
Navigating to the TARMAC client interface locally:
‣ Open your preferred browser
‣ Navigate to http://localhost/tarmac/
Navigating to the TARMAC client interface remotely:
‣ Open your preferred browser
‣ Navigate to http://<YourTARMACServer>/tarmac/
Tip
This URL can be distributed to users. To ensure easy deployment, why not send the URL via SMS or alternatively choose a base URL which is easy to enter using the iOS keyboard.
Installing a personalized user profile
Depending on your configuration of TARMAC server, the user will be requested to log in using their standard directory service username and password. As soon as the user does so, TARMAC provisions the user profile on-the-fly and delivers it to iOS devices ready for the user to install. As all configuration has already been prepared by the IT administrator, the user need not enter any additional information other than their log in details.
Installing the personalized profile:
‣ Log in using your standard directory service username and password
‣ Choose the profile you wish to install [optional, depending on config]
‣ Tap install
Once provisioning is complete, the user will be redirected to the TARMAC client user interface once again. They may then close Mobile Safari and use all pre-configured services such as VPN, email access or calendar management.
Troubleshooting
Some hints and tips in case something goes wrong…
Getting to know your directory service
Knowing your way round your directory service is key to troubleshooting TARMAC. Correct directory service attributes need to be used not only for valid iOS device configuration but also to connect TARMAC successfully to your directory service.
You can troubleshoot issues related to your directory service by reviewing the TARMAC production.log and your LDAP server logs. These both contain data on successful and unsuccessful connection attempts along with a multitude of other useful information.
Accessing TARMAC Server when directory service is offline
TARMAC admins are defined by selecting Admin next to the Group DN on the Services page of TARMAC server (see section: Connecting to your directory service). If your directory service is offline or has changed, these users will be unable to log in to the TARMAC Server admin interface.
TARMAC includes a local login feature which allows a local user to log in at all times. This username is admin; the password should have been changed during initial TARMAC set up.
To log in locally:
‣ Navigate to the TARMAC Server admin interface
‣ Choose Local Login from the domain pop-up menu
‣ Enter the username (admin) and password (default: admin)
You can then manage the TARMAC Server and change directory service details if necessary.
Locating TARMAC’s server logs
TARMAC’s logs are easily accessible via the Logs page on the TARMAC Server web interface. You can export these logs giving you access to the following files:
‣ production.log (an extensive general log)
‣ access_log (Apache access log)
‣ error_log (Apache error log)
‣ apngateway_production.log (Apple Push Notification gateway log)
Alternatively you can access the production log directly within the TARMAC directory. This directory can be found at /Library/WebServer/Tarmac/log/ and can be opened using any plain text reader such as TextEdit or vi.
Uninstalling TARMAC
To uninstall TARMAC, stop your Apache web server and delete the following
files.
Unload and delete the following LaunchDaemons:
/Library/LaunchDaemons/com.equinux.tarmac.webconfig.plist
/Library/LaunchDaemons/com.equinux.tarmac.purgetmp.plist
/Library/LaunchDaemons/com.equinux.tarmac.rake.purgesessions.plist
/Library/LaunchDaemons/com.equinux.tarmac.rake.purgescep.plist
/Library/LaunchDaemons/com.equinux.tarmac.mongrel.30080.plist (>30083)
/Library/LaunchDaemons/com.equinux.tarmac.laika.plist
/Library/LaunchDaemons/com.equinux.tarmac.apngatewayd.plist
/Library/LaunchDaemons/com.equinux.tarmac.rabbitmq.plist
Delete the following folder:
/Library/WebServer/Tarmac/
Delete the following files:
/etc/apache2/other/tarmac.conf (10.5, 10.6 Client)
/etc/apache2/sites/tarmac.conf (10.5, 10.6 Server)
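The uninstall steps above as an added Python helper (not an equinux tool): it removes the listed LaunchDaemons, folder and Apache configuration files under a given root, assumes that ‘30080.plist (>30083)’ means the mongrel daemons for ports 30080 through 30083, and only stops Apache or unloads daemons when run against the real root ‘/’ on a system that has those tools.

```python
# Added example (not an equinux tool): the manual's uninstall steps as a script. `root` lets it
# run against a scratch tree; on a real server run uninstall_tarmac("/", dry_run=False) as root.
import os
import shutil
import subprocess
import tempfile

MONGREL_PORTS = range(30080, 30084)   # assumption: "30080 (>30083)" means ports 30080 to 30083
LAUNCH_DAEMONS = [
    "com.equinux.tarmac.webconfig", "com.equinux.tarmac.purgetmp",
    "com.equinux.tarmac.rake.purgesessions", "com.equinux.tarmac.rake.purgescep",
    *[f"com.equinux.tarmac.mongrel.{port}" for port in MONGREL_PORTS],
    "com.equinux.tarmac.laika", "com.equinux.tarmac.apngatewayd", "com.equinux.tarmac.rabbitmq",
]
WEB_ROOT = "Library/WebServer/Tarmac"
APACHE_CONFS = ["etc/apache2/other/tarmac.conf",   # 10.5, 10.6 Client
                "etc/apache2/sites/tarmac.conf"]   # 10.5, 10.6 Server

def tarmac_paths(root: str) -> list:
    """Every file and folder the manual lists, resolved under root."""
    plists = [os.path.join(root, "Library/LaunchDaemons", f"{label}.plist") for label in LAUNCH_DAEMONS]
    return plists + [os.path.join(root, WEB_ROOT)] + [os.path.join(root, conf) for conf in APACHE_CONFS]

def uninstall_tarmac(root: str = "/", dry_run: bool = True) -> list:
    """Remove TARMAC; return the paths removed (or, in a dry run, that would be removed)."""
    live = os.path.abspath(root) == os.path.abspath("/")   # only touch services on the real root
    if live and not dry_run and shutil.which("apachectl"):
        subprocess.run(["apachectl", "stop"], check=False)   # manual: stop Apache first
    removed = []
    for path in tarmac_paths(root):
        if not os.path.lexists(path): continue   # e.g. only one of the two Apache confs exists
        removed.append(path)
        if dry_run: continue
        if live and path.endswith(".plist") and shutil.which("launchctl"):
            subprocess.run(["launchctl", "unload", "-w", path], check=False)  # stop the daemon
        if os.path.isdir(path) and not os.path.islink(path):
            shutil.rmtree(path)
        else:
            os.remove(path)
    return removed

def demo() -> tuple:
    """Exercise the helper on a scratch tree mimicking a Client install (4 daemons, one conf)."""
    root = tempfile.mkdtemp(prefix="tarmac-scratch-")
    for path in tarmac_paths(root)[:4] + [os.path.join(root, APACHE_CONFS[0])]:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    os.makedirs(os.path.join(root, WEB_ROOT))
    planned = uninstall_tarmac(root)                    # dry run: nothing is touched
    removed = uninstall_tarmac(root, dry_run=False)
    return planned, removed, [p for p in planned if os.path.lexists(p)]
```

Run the dry run first and review the returned list before repeating the call with dry_run=False.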
equinux AG and equinux USA, Inc.
© 2011 equinux USA, Inc. All rights reserved.
Under the copyright laws, this manual may not be copied, in whole or in
part, without the written consent of equinux AG or equinux USA, Inc. Your
rights to the software are governed by the accompanying software license
agreement.
The equinux logo is a trademark of equinux AG and equinux USA, Inc., registered in the U.S. and other countries.
Other product and company names mentioned herein may be trademarks
and/or registered trademarks of their respective companies.
equinux shall have absolutely no liability for any direct or indirect, special or
other consequential damages in connection with the use of the quick setup
guide or any change to the router generally, including without limitation,
any lost profits, business, or data, even if equinux has been advised of the
possibility of such damages.
Every effort has been made to ensure that the information in this manual is
accurate. equinux is not responsible for printing or clerical errors.
Manual revision 1.4
Created using Apple Pages.
www.equinux.com