Product Documentation

How Key Management Works

Sep 27, 2015
There are two components that make up key management in XenMobile:
  • Device key management within the XenMobile Device Manager. Device Manager generates and revokes a key pair unique to each device, delivers that key pair to the device, and distributes the associated public key to Secure Mobile Gateway. When a device enrolls successfully, a key pair is generated and delivered to the device. The device's public key and its ActiveSync Device ID are then delivered to Secure Mobile Gateway, along with the whitelist and blacklist rules that govern email access. The serial number of the device public key is visible on the Policy tab of the Secure Mobile Gateway configuration utility. You can configure Device Manager so that email access is not enabled until the device is enrolled.
  • Secure Mobile Gateway key management. Secure Mobile Gateway periodically initiates communication with Device Manager to retrieve the configuration information pertaining to attachment encryption, including device public keys and their associated ActiveSync Device IDs. The device public keys are stored in the Secure Mobile Gateway config folder, in an .xml file associated with that Device Manager.

    Secure Mobile Gateway also generates its own asymmetric key pairs so that it can be a recipient of ZSA containers. These keys are cryptographically protected and stored in the Secure Mobile Gateway KeyStore (ArraySharedData.xml). An initial key is created automatically when attachment encryption is first enabled on the Encryption tab of the configuration utility. Secure Mobile Gateway uses the most recent key in its KeyStore to create ZSA containers, but may use any key in the KeyStore to decrypt, because existing attachment containers may have been created with earlier keys. A single key is sufficient for normal operation. To create a new key, run the GenerateKey.bat script in the product install directory. Because a container created under an earlier key can only be opened with that key, keep the earlier keys in the KeyStore after generating a new one.

Note: In Forefront Threat Management Gateway (TMG) array configurations, all members of the array must share the Secure Mobile Gateway KeyStore; a member that lacks the key a container was created with cannot decrypt that container. The recommended way to achieve this is to configure Secure Mobile Gateway to use the Shared Configuration model, in which the config folder is shared by all array members. If you do not use Shared Configuration, replicate the ArraySharedData.xml file to the config folder of every array member whenever it is modified (for example, after running GenerateKey.bat).
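The two rules above, that the newest key in the KeyStore encrypts while any key in it may decrypt, and that every array member therefore needs the whole KeyStore, shown as an added Go example. This is illustrative code written for this page, not Citrix code; it does not use the real ZSA container layout or the ArraySharedData.xml format. The KeyStore and Container types, the key ids key-1 and key-2, the choice of RSA-OAEP to wrap a per-attachment AES-256-GCM content key, and the sample attachment text are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

type keyEntry struct {
	ID   string
	Priv *rsa.PrivateKey
}

// KeyStore stands in for the gateway KeyStore; entries are kept oldest-first,
// so the last entry is the "most recent key".
type KeyStore struct{ entries []keyEntry }

// GenerateKey appends a fresh RSA key pair, the role GenerateKey.bat plays.
func (ks *KeyStore) GenerateKey(id string) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err == nil {
		ks.entries = append(ks.entries, keyEntry{ID: id, Priv: priv})
	}
	return err
}

// Container is a hypothetical attachment container (not the real ZSA layout): a random
// AES-256 content key wrapped with RSA-OAEP under one gateway key, plus the AES-GCM ciphertext.
type Container struct {
	KeyID      string // which gateway key wrapped the content key
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal always encrypts under the most recent key in the store.
func (ks *KeyStore) Seal(plaintext []byte) (*Container, error) {
	if len(ks.entries) == 0 {
		return nil, fmt.Errorf("key store is empty: enable attachment encryption first")
	}
	cur := ks.entries[len(ks.entries)-1]
	rnd := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, rnd); err != nil {
		return nil, err
	}
	cek, nonce := rnd[:32], rnd[32:]
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(cur.ID)) // key id as AAD: container cannot be re-pointed
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &cur.Priv.PublicKey, cek, nil)
	if err != nil {
		return nil, err
	}
	return &Container{KeyID: cur.ID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open may use any key in the store, because containers sealed before a rotation reference an older key.
func (ks *KeyStore) Open(c *Container) ([]byte, error) {
	for _, e := range ks.entries {
		if e.ID != c.KeyID {
			continue
		}
		cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.Priv, c.WrappedKey, nil)
		if err != nil {
			return nil, err
		}
		gcm, err := newGCM(cek)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.KeyID))
	}
	return nil, fmt.Errorf("no key %q in this store: key store not shared or replicated?", c.KeyID)
}

func main() {
	var a KeyStore
	_ = a.GenerateKey("key-1")
	old, _ := a.Seal([]byte("attachment sealed before rotation"))
	_ = a.GenerateKey("key-2") // rotate: new containers use key-2, key-1 stays for decryption
	pt, err := a.Open(old)
	fmt.Printf("member A (both keys): %q err=%v\n", pt, err)
	b := KeyStore{entries: a.entries[1:]} // member B received only key-2: store not replicated
	_, err = b.Open(old)
	fmt.Println("member B (key-2 only):", err)
}
```

Running it shows member A, which holds both keys, opening the pre-rotation container, while member B, which received only the newest key, cannot. That second failure is exactly what an unshared or stale ArraySharedData.xml produces in a TMG array. Binding the key id into the GCM associated data is a design choice of this example: it makes a container that has been re-labelled with another key id fail authentication rather than silently decrypt under the wrong key.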