To install Device Manager

Dec 21, 2015

Before you install Device Manager, make sure you do the following:

  • Disable TCP/IP6 on the NIC and in the registry.
  • Disable the User Account Control setting in Control Panel.

The setup wizard includes several discrete tasks. You need to complete all of the tasks in this topic in consecutive order to complete the entire wizard.

To start the installation wizard

  1. Double-click the Device Manager executable installation file. The Setup Wizard opens.
  2. On the Installer Language page, select your preferred language, click OK and then on the Welcome page, click Next to start the installation.
  3. On the License Agreement page, read the terms and then click I Agree to accept the terms and conditions.
  4. On the Choose Components page, do one of the following and then click Next.
    • If you are installing Device Manager for the first time, select Full.

      Full installation includes the following:

      • Installation of the Device Manager Server
      • Installation of the Device Manager repository database (PostgreSQL) and automatic creation of the database and requisite tables
      • Installation of the integrated web application server hosting the Device Manager server
      Note: If the Application Server has already been installed, Citrix recommends that you remove it prior to a fresh installation. Installing the Application Server component only and reusing an existing Device Manager database is supported.
    • If the SQL database server is already installed on your computer or on another server, clear the check box. The install type changes to Customized. For example, clear the PostgreSQL component if you are using a local or separately installed instance of Microsoft SQL Server.
    The following steps assume that you are installing Device Manager for the first time and that you chose Full in Step 4.
  5. On the Choose Install Location page, leave the default install location or click Browse to select a folder on your computer and then click Install. The PostgreSQL component installs.

To complete the PostgreSQL installation

  1. On the PostgreSQL Installation notes page, click Next.
  2. On the Installation options page, keep the default options, select additional options, or click Browse to change the installation location and then click Next.
  3. On the Service configuration page, define the server account that runs the PostgreSQL server by doing the following and then click Next.
    1. Leave the default settings for service name, account name, and account domain. Also, leave the Install as a service option selected.
    2. In Account password and Verify password, enter a password that meets the password policy of your organization.
      Important: If the password you enter does not meet the password requirements, after Step 9, a Password notification appears prompting you to enter another password. If the password does not comply with the organization policy, the installation may fail without warning.
      An Account error message appears stating that the user is not found and prompts you to create the user.
  4. Click Yes.
    Important: Although the message appears as an error, the message means that the designated account doesn't yet exist and that you must create the account.
  5. If a Password notification warning appears, click No.
  6. On the Initialize database cluster page, do the following:
    1. In Locale, click English.
    2. In Superuser name, define an administrator account for the database.
    3. In Password and Password (again), type a password and then click Next.
  7. On the Enable procedural languages page, leave the default PL/pgsql check box selected and then click Next.
  8. On the Enable contrib modules page, select any modules you want to enable, click Next and then click Next again to start the database installation.
  9. When the database installation is complete, click Finish.

To configure the connection to the RDBMS

  1. On the Device Manager License page, click Browse to specify the .crt license file on your computer that contains the valid license keyword provided by Citrix and then click Next. Next, you configure the Device Manager Repository connection parameters for the selected relational database management system (RDBMS).
  2. On the Configure database connection page, in Database driver, click an RDBMS, such as PostgreSQL.
    • If you click PostgreSQL or a Microsoft SQL database, you need to configure a user name, as well as the following:
      • In Password, enter the password you defined when you installed the PostgreSQL database.
      • In Database name, enter a database name or leave the default value.
    • If you click a database other than PostgreSQL, such as SQL Server, you need to configure the SQL Server host name or IP address, as well as the communication TCP port of the database server. The default TCP port is 1433.
      Note: Be sure to use the correct local or domain account user name, password, and desired database name that you configured during installation. The account used for Microsoft SQL should also have db_owner, db_creator, db_writer, and processadmin rights.
  3. Click Check the connection and then click Next.
  4. In the Confirmation message, click Create and then when a message appears stating that the connection to the database is successful, click OK.

To configure and register Crystal Reports

With Crystal Reports, you can process the mobile device connection and session logs to generate activity reports online by using the Device Manager web console, or offline from the Device Manager repository database. The reports include a watermark with registration information. To remove the watermark, you need a Crystal Reports Developer Edition license and a keycode for the product. If you did not enter a license serial number during installation, you can define it later by following these steps:
  1. Edit the crconfig.xml configuration file located in the Device Manager setup folder, which is typically \Program Files\Xenmobile on a Windows server:

    tomcat\webapps\Device Manager\WEBINF\classes\crconfig.xml

  2. Add your serial number by editing the <keycode></keycode> element. For example, if your serial number is XXXX-YYYY-ZZZZ, modify the line as follows:

    <keycode>XXXX-YYYY-ZZZZ</keycode>

  1. On the Crystal Report Java Reporting Components configuration page, to leave a watermark on the reports, leave the keycode blank. Or, to remove the watermark, enter your keycode for the product and then click Next.

To configure the server connectors

On this page, you configure the connection between the Device Manager agent and the Device Manager server for the initial download of the Device Manager agent and subsequent updates and for establishing connections between the Device Manager agent and the Device Manager server in a common operation.
  1. On the Configure the modes of connection page, configure the following:
    1. Enable iOS. Select this check box if you manage iOS devices.
      Important: You can only configure this option during installation. If you do not select this option and you want to enable the mode in the future, you must reinstall the application server.
    2. Both HTTP and HTTPS access (recommended). Click this option to complete the standard configuration, which enables HTTP downloading and common HTTPS connections.
    3. Only https. Click only if the agent setup wizard file (setup.cab or setup.apk) is not downloaded through the web browser of the Windows Mobile or Android device.
    4. Only http. Click only if a VPN is already installed between the Device Manager server and the mobile devices.
    5. Authentication code for applications/tunnels. Enter a prefix that Device Manager uses to create authentication keys used by the software. Use a simple alphanumeric word or passphrase. Use mixed cases, numbers, and letters only. Then, record this value for use later when you configure the system.
  2. On the Define an HTTP connector page, leave the default port of 80 or enter a different port number.
  3. In Maximum concurrent connections, leave the default value of 20 or enter a different number. In standard operating mode, HTTP connections are used only to upload the Device Manager agent and to connect the Device Manager Remote Support application. The value is the number of device (client) connections you want to allow at any one time.
    If you want to allow inbound connections to the Device Manager server through the HTTP port, you can also give your server an external IP address.
    Note: If you change the Device Manager server IP address, the change is transparent to users if the external address in the Device Manager Server SSL certificate has not been changed and you chose the All local Addresses option during configuration. It's also recommended that you update the security rules.
  4. On the Define an HTTPS connector page, leave the default port of 443 or enter a different port number.
  5. In Maximum concurrent connections, leave the default value of 400 or enter a different number and then click Next.
  6. On the Define an HTTPS connector for iOS enrollment page, you can leave the default port of 8443 or enter a different number. iOS standards typically rely on a connection through port 8443.
  7. In Maximum concurrent connections, leave the default value of 20 or enter a different number and then click Next.

To integrate the PKI

The Device Manager server has an integrated Public Key Infrastructure (PKI) which incorporates several Certification Authorities (CAs) to manage the key pairs and certificates required to authenticate the server and mobile devices. The certificates are in X.509 v3 format. The Device Manager server is always authenticated, although device authentication is optional and is only activated and applied if the license includes the Device Manager Secure Device option.

Note: If the Device Manager Secure Device option is not included in your Device Manager license, Device Manager does not use the CA for mobile devices.
  1. On the Define the root certification authority page, do the following and then click Next.
    1. In Keystore file path, do not change the default path. The server configuration provided the file path.
    2. In Keystore password, enter the private password used for each component of the local CA. Although you can use the same password for each CA keystore component, it is recommended to use separate passwords for the Root CA, Server CA, Device CA, and Web Service CA certificates. Be sure to write down all keystore passwords used and save them in a safe location. Matching green color password fields confirm that you entered the same password in the Password and Confirm password fields. Passwords must have at least eight characters, and can consist of alphanumeric and ASCII symbol values. Passwords are case sensitive.
    3. In Common name, leave the default name to associate with the creation of the CA component and certificate. If you change this field, your devices may not receive the proper chain of certificates and will not be able to enroll.
    4. In Organizational unit, enter a value typically given to the entity or group that has management authority over the CA.
    5. In Organization, enter a value typically given to the entity or company that is parent to owning the CA and its rights.
    Note: The Root CA certificate is used to issue and sign certificates for intermediate server and client-device CAs. It is also used to regenerate intermediate certificates in the event of compromise. It may be installed in the operating system as a trusted CA root certificate. To avoid alert messages by Internet Explorer 7 as to the validity of certificates issued by this CA, install the root certificate in the operating system.
  2. On the Define the server certification authority page, do the following and then click Next. The intermediate mobile device CA is used to issue and sign mobile device certificates. It is also used to regenerate mobile certificates in the event of compromise.
    1. In Keystore file path, do not change the default path. The value is required by the server configuration.
    2. In Keystore password, enter the private password used for each component of the local CA. Although you can use the same password for each CA keystore component, it is recommended to use separate passwords for the Root CA, Server CA, Device CA, and Web Service CA certificates. Be sure to write down all keystore passwords used and save them in a safe location. Matching green color password fields confirm that you entered the same password in the Password and Confirm password fields. Passwords must have at least eight characters, and can consist of alphanumeric and ASCII symbol values. Passwords are case sensitive.
    3. In Common name, leave the default name to associate with the creation of the CA component and certificate.
    4. In Organizational unit, enter a value typically given to the entity or group that has management authority over the CA.
    5. In Organization, enter a value typically given to the entity or company that is parent to owning the CA and its rights.
  3. On the Define the certificate for HTTPS page, do the following and then click Next. The server shows the HTTPS certificate (SSL server connection) to the mobile devices in order to prove the server identity. The certificate prevents man-in-the-middle attacks. A man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).
    1. In Keystore file path, do not change the default path. The value is required by the server configuration.
    2. In Keystore password, enter the private password used for each component of the local CA. Although you can use the same password for each CA keystore component, it is recommended to use separate passwords for the Root CA, Server CA, Device CA, and Web Service CA certificates. Be sure to write down all keystore passwords used and save them in a safe location. Matching green color password fields confirm that you entered the same password in the Password and Confirm password fields. Passwords must have at least eight characters, and can consist of alphanumeric and ASCII symbol values. Passwords are case sensitive.
    3. In IP address or FQDN, enter the IP address or fully qualified domain name (FQDN) of the server.
    4. In Organizational unit, enter a value typically given to the entity or group that has management authority over the CA.
    5. In Organization, enter a value typically given to the entity or company that is parent to owning the CA and its rights.
    Important: Retain and safely store all keystore passwords used for the four separate CA installation steps. The keystores are the PKCS#12 certificate files containing the PKI key pairs (*.p12 files) and can be found in the default keystore file path listed during each installation step. Also, keep backup copies of the four *.p12 extension files.
  4. On the Define the APNs certificate file for iOS page, in Private key password, enter the associated private key password used to generate the original Certificate Signing Request (CSR).
  5. In Certificate file path, specify the file system location of a pre-authenticated Apple Push Notification Service (APNS) certificate file downloaded and converted to PKCS#12 format from the Apple iOS Developer for Enterprise portal.
    Note: APNS certificates are provisioned by Apple, Inc. To obtain an APNS certificate, sign in to the following site with your Apple ID: https://identity.apple.com/pushcert. Inspect the values that appear in the page's text area. If the certificate and password match, the Next button is enabled. Click Next.
  6. On the Configure tunnel port(s) used by remote support page, define the port range used by remote support for Android and Windows Mobile devices and then click Next. When you connect to the Device Manager server from the Device Manager web console and then click the Security Report icon in your Internet browser, the certificate displays.
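
One way to act on the Important note about the four *.p12 keystores, as an added example that is not part of the Citrix documentation: a PowerShell check that each recorded password actually opens its keystore, lists the certificates inside, and makes a hash-verified backup copy. The keystore paths and backup folder are placeholders, and the script assumes PowerShell 4.0 or later with the PKI module's Get-PfxData cmdlet.

```powershell
# Added example: confirm each recorded keystore password works and back up the files.
# Every path below is a placeholder; use the keystore file paths the wizard displayed.
$Keystores = [ordered]@{
    'Root CA'        = 'C:\path\to\root-ca-keystore.p12'
    'Server CA'      = 'C:\path\to\server-ca-keystore.p12'
    'Device CA'      = 'C:\path\to\device-ca-keystore.p12'
    'Web Service CA' = 'C:\path\to\web-service-ca-keystore.p12'
}
# Assumption: a volume that is kept offline and separate from the server.
$BackupDir = 'E:\device-manager-pki-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$report = foreach ($name in $Keystores.Keys) {
    $path = $Keystores[$name]
    # Prompt instead of hard-coding, so passwords never land in the script or history.
    $password = Read-Host -AsSecureString -Prompt "Keystore password for $name"
    try {
        # Throws if the file is missing or the password does not open the keystore.
        $pfx = Get-PfxData -FilePath $path -Password $password -ErrorAction Stop
    } catch {
        Write-Warning "${name}: cannot open $path ($($_.Exception.Message))"
        continue
    }

    # Copy the keystore and prove the copy is byte-identical to the original.
    $sourceHash = Get-FileHash -Path $path -Algorithm SHA256
    $copy       = Copy-Item -Path $path -Destination $BackupDir -PassThru
    $backupHash = Get-FileHash -Path $copy.FullName -Algorithm SHA256

    # One report row per certificate stored in the keystore.
    foreach ($cert in @($pfx.EndEntityCertificates) + @($pfx.OtherCertificates)) {
        [pscustomobject]@{
            Keystore      = $name
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
            BackupMatches = ($sourceHash.Hash -eq $backupHash.Hash)
            SHA256        = $sourceHash.Hash
        }
    }
}

$report | Format-Table -AutoSize
```

A keystore that produces a warning instead of report rows has no usable password on record, so resolve that before relying on the backup.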

To designate the Device Manager administrator

To connect to the Device Manager web console, you need to configure an account with the administrator role.

  1. On the Extended management of the users page, in User name, enter the administrator's name.
  2. In Password and Confirm password, enter your password. The password must have at least eight characters.
  3. Click Check the user name and then click Next.

To complete the server configuration

  1. On the Configure all page, click Finish. When the installation is complete, a page appears stating that the setup was completed successfully.
  2. Click Next and then click Finish.

Next, you install the Remote Support and the device provisioning modules.