Services

The Services tab covers General services (focused on location services) and Domain services.

Location services

If this SDM domain must be able to fetch the location of its managed devices, select Enable location services on this domain and then click Update.

SDM-6_0_Domain-admin_SERVICES_Enable-location-services.png

Enabling location services means that SDM provides any device's last-known location, including the time the device reported.

Note

This setting requires that the Snow iOS app is installed on the user device. Please note that activating this setting must take into account local rules and regulations.

Domain services

This is a powerful section in the SDM domain configuration, as it specifies and controls the real-time corporate services that are integrated with SDM to make it a truly automated enterprise mobility management (EMM) solution. 

Under Domain services, click Add service and add, one by one, each service that this domain requires:

AddService.png

Snow Software’s recommendation is to set up the services in the following order:

  • Device push

  • Cloud extender

  • And then later, as needed:

    • Apple DEP

    • Apple VPP

    • Google EMM

    • Private app store

Device push

A mobile device vendor allows its customers to receive vendor notifications on the customer's purchased devices. Not surprisingly, these are known as push notifications, which are sent to devices from a vendor server once a secure connection to the server has been set up. In Snow Device Manager, enabling this secure vendor-server-initiated communication is handled by the Device Push Service.

Note

Snow Software recommends strongly that all customer domains enable the Device Push Service, as this is the most effective mechanism for enrolling devices. 

In the Domain Administration tool, this service is already added by default when a new domain is created, enabling Android Push out of the box. If the customer does not use iOS devices at all, then this part of the domain configuration is already complete and can be skipped. If this is true in your case, then you may now move on to the next section, Google EMM.

However, to enable the enrollment of iOS devices, an Apple Push certificate must be connected to the Apple Push Notification (APN) service, which results in Snow Device Manager being authenticated by Apple so that push notifications can be sent to SDM-enrolled devices. This certificate is a file with the extension .cer. Once again, this is a key part of an effective iOS device enrollment strategy.

In the Device Push Service dialog, the PUSH CERT OK and expiration date message at the end of completing this process signals that the service has been correctly configured for Apple Push.

SDM-6_0_Domain-admin_SERVICES_Add-service_Device-push_FINAL-Win-and-Android-removed.png

Before continuing with the Apple Push configuration, determine first if the customer already has an Apple Push certificate or not:

Customer has no valid Apple Push certificate

To enable the enrollment of iOS devices, configure the Device Push Service in the following way if the customer does not already have a valid Apple Push certificate:

  1. On the Services tab's DevicePush row (under Domain services), click Edit.

    The Device Push Service dialog appears.

  2. Make sure that Enabled is activated and then enter an appropriate name for this service in the Name box.

  3. Click Create CSR.

    Create_Apple_MDM_Signing_Request.png

    The Create Apple MDM Signing Request dialog appears.

  4. Create Apple MDM Signing Request dialog:

    1. In the Email box, enter your Apple ID.

    2. In the Common Name box, enter your SDM domain name (or other suitable name).

    3. In the Country box, select a country.

    4. Click Generate.

      A .csr file is generated. 

  5. Save the .csr file to your local computer.

  6. Open a web browser, navigate to https://identity.apple.com/pushcert, and sign in with your Apple ID credentials.

  7. Click Create a Certificate.

  8. Click Browse and navigate to your .csr file.

  9. Click Upload.

    Note

    If there is an error message stating a problem with the generated CSR file, click Reset CSR.

  10. Click Download.

    A .pem file is saved in your default download folder.

  11. Open the Device Push Service dialog again, review the settings, click Upload APN and navigate to your .pem file.

  12. Click Open.

  13. Next, click Apply to accept all Device Push service settings. 

  14. Finally, click Execute if you want to force the starting of this service now.
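
A pre-upload check for the .pem file downloaded in step 10, as an added example that is not part of the SDM documentation: it reports whether the file parses as a certificate, whether it is inside an expiry warning window, and which push topic (subject UID) it carries. It assumes the openssl CLI is installed; the function names and the sample subject are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SDM code): inspect an Apple Push certificate (.pem)
# before uploading it in the Device Push Service dialog.
# Assumption: the openssl CLI is available. Function names are hypothetical.

# Print the push topic, i.e. the UID attribute of the certificate subject
# (Apple MDM push certificates carry com.apple.mgmt.* there).
# Prints nothing if the subject has no UID.
push_cert_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Print one of: UNREADABLE, EXPIRED, EXPIRING, OK
#   $1 = path to the .pem file
#   $2 = warning window in days (default 30)
push_cert_status() {
    cert=$1
    warn_days=${2:-30}
    # Not parseable as an X.509 certificate at all
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE
        return 0
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
        return 0
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
        return 0
    fi
    echo OK
}

# Build a constructed, self-signed sample so the script runs offline.
# It is NOT a real Apple certificate; only the subject layout is imitated.
#   $1 = output path, $2 = validity in days
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/UID=com.apple.mgmt.External.constructed-sample/CN=constructed sample/C=US" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Demo: check the file given as $1, or a constructed sample if none is given.
if [ -n "${1:-}" ]; then
    target=$1
else
    target=$(mktemp)
    make_sample_cert "$target" 20
fi
echo "status: $(push_cert_status "$target" 30)  topic: $(push_cert_topic "$target")"
```

Running the same check on a schedule against the stored certificate gives advance warning before the expiration date shown next to PUSH CERT OK is reached.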

You may now move on to the next section, Google EMM.

Customer already has a valid Apple Push certificate

To enable the enrollment of iOS devices, configure the Device Push Service in the following way if the customer already has a valid Apple Push certificate and wants to reuse it:

  1. On the Services tab's DevicePush row (under Domain services), click Edit.

    The Device Push Service dialog appears.

  2. Make sure that Enabled is activated and then enter an appropriate name for this service in the Name box.

  3. Click Advanced. The Apple Certificates dialog appears. Click Add. The Add Certificate dialog appears.

    1. In the Name box, enter an appropriate name for the existing certificate.

    2. For Type, select SSL_Apple_MDM, which is the specific certificate type for Apple Push.

    3. Browse to the location of the .cer file, select it, and then click Open.

    4. In the resulting Certificate dialog, enter the SSL push certificate password that the customer has received earlier from Apple.

      Apple-push_Certificate-password_CROPPED.png

      Click Ok.

    5. On the Add Certificate dialog, a text response string appears under the Browse button:

      Apple-push_Certificate-password_WENT-THROUGH-FINE_CROPPED.png

      This indicates that the certificate is correct. 

      Note

      If this string is missing, then this means that there is something wrong with the uploaded file and the certificate cannot be read. Therefore, it will fail and the connection to Apple Push cannot be made.

      In such a case, the customer must create a new Apple Push certificate from scratch by following the instructions in Customer has no valid Apple Push certificate.

    6. Click Save. A dialog appears with the text Certificate (SSL_Apple_MDM) stored successfully. Click Ok.

    7. Close the Apple Certificates dialog by clicking the X symbol in the upper-right corner.

    8. You can now see the PUSH CERT OK message and certificate expiration date as shown earlier. 

      Just above this, the Apple Push option is now available. Select this.

      SDM-6_0_Domain-admin_SERVICES_Add-service_Device-push_FINAL-Win-and-Android-removed_FOCUS-ON-APPLE-PUSH_CROPPED.png
  4. Next, click Apply to accept all Device Push service settings. 

  5. Finally, click Execute if you want to force the starting of this service now.

You may now move on to the next section, Google EMM.

Cloud extender

On a daily basis, Cloud Extender synchronizes SDM remotely with the organization's users and devices by integrating SDM and the following customer systems:

  • Microsoft Active Directory (AD)/LDAP, for synchronizing users and security groups—this is a requirement

  • Microsoft Exchange, for synchronizing information about the organization's devices—this step is optional, but recommended

In this case, the steps above have already been carried out on the customer site, so the task here is to make the connection to the customer's SDM domain.

SDM-6_2_Domain-admin_SERVICES_Add-service_Cloud-extender.png

To configure the Extender Service:

  1. Click Enabled and enter appropriate names for this service in the Name box and for its service user in the ServiceUser box.

  2. Decide whether or not the organization needs to activate the following settings and act accordingly:

    • Full sync (Delete removed devices)

    • Remove old duplicate partnerships

    • Device synchronization settings

    • Allow partial IMEI match

    • Create user if not found (Sync folder)

    • Reporting levels: None, Normal, Always

    Note

    These are strategic questions about which the organization should already have made a decision.

  3. Next, Snow Software recommends that you click Export under Create extender service settings file to create a configuration file (.cfg). This file includes details regarding the specific customer's SDM domain (name and location), helping to save time during the Snow Cloud Extender (SCE) setup steps, which happen on the customer premises. Refer to User Guide: Cloud Extender Setup for more information.

    Note

    While this is a recommended step here, the SCE setup can succeed without this file. 

  4. (The Import button is mostly used for internal troubleshooting purposes at Snow Software, so it can be disregarded during this configuration.)

  5. Click Apply to accept all Cloud Extender service settings. Finally, click Execute to start this service.

Apple DEP

The Apple Device Enrollment Program (DEP) is a mechanism for deploying corporate-owned iOS devices in an effective way.

Once the customer has enrolled in this program, the SDM integration service for this can be set up. This service synchronizes SDM with Apple's DEP portal every 24 hours. Any new DEP devices are brought into SDM at that time.

Here is what a complete and successful configuration looks like in the Apple Device Enrollment Program Service dialog:

Apple-DEP_FINAL_CROPPED_and_fixed.png

On the Services tab under Domain services, click Add service > Apple DEP.

The Apple Device Enrollment Program Service dialog appears:

  1. Enter an appropriate name for this service in the Name box.

  2. Next, select Auto-assign users to enrolling devices. This is required for version 6 of Snow Device Manager. Users will be prompted to enter their credentials (user name or email and password) during enrollment to enable auto assignment of a Snow Device Manager user to this device.

  3. Select the Assignment Policy, and if you prefer, adjust the matching Assignment Text from the default to the text of your choice that expresses a similar meaning:

    • Auto enrollment regardless if user is found.

      If the provided user name/email is found, the enrolled device is matched to this user.

      If not, then the device is still enrolled automatically to the default DEP user. The DEP user is a system default user in all SDM domains.

      Assignment Text default: Please enter your email adress or user name to assign you to this device. Any password will do

    • User must exist to allow enrollment.

      If the provided user name/email is found, the enrolled device is matched to this user.

      Note

      Please be aware that, in the case where a valid user is found, this user must still provide any password (correct or not), as the enrollment page still requires a password.

      If the user name/email is not found, enrollment cannot be completed.

      Assignment Text default: Please enter your email adress or user name to assign you to this device. At least a valid user is required

    • Full user credentials required to allow enrollment. The user must enter their valid user name or email and password. Otherwise, enrollment cannot be completed.

      Assignment Text default: Please enter your email adress or user name and password to assign you to this device. Required

  4. Click Generate a public key certificate. The Save DEP public key certificate dialog appears.

    Give the resulting public key file an appropriate name and click Save to save the file to your local computer. This public key is a file with the extension .pem. You will upload this file to the Apple Business Manager site in the next step, as this is the public key certificate for this domain's particular SDM Apple DEP service.

  5. In this step, you will start configuring the link between this Snow Device Manager DEP service and Apple by creating an MDM server on the Apple Business Manager site. This is the Apple server on which all of the customer iOS devices will be registered for this specific SDM customer domain. You will upload the public key certificate file of this domain's SDM DEP profile from the previous step to this server, in order to then generate an Apple DEP token against the public key file.

    Here are the sub-steps required at this point:

    1. Open a web browser and navigate to https://business.apple.com. Enter the customer's Apple ID name and password.

    2. Under Devices in the left navigation, select MDM Servers.

      SDM-6_0_Domain-admin_SERVICES_Add-service_Apple_DEP_token-creation_1.png
    3. Click Add New MDM Server.

      1. In the MDM Server Information box, enter an appropriate server name.

      2. Under Upload your Public Key, click Upload File, navigate to the .pem file from the previous step, select it, and click Open.

      3. Click Save.

        SDM-6_0_Domain-admin_SERVICES_Add-service_Apple_DEP_save-server.png
      4. On the resulting server screen, click Get TokenDownload Server Token, and then Save.

        Navigate to a location on your computer where you will save the token (.p7m) file and then click Save.

  6. Back on the Apple DEP Service dialog, click Upload DEP server tokens.

    Navigate to the location of the .p7m file you saved in the previous step, select the file, and then click Open.

  7. The DEP Domain Service dialog notifies you that this service is operational. You receive a similar message if you click the Verify DEP Account button.

    Click OK.

    Notice that a profile called Default DEP Profile is now listed near the bottom of the dialog:

    SDM-6_0_Domain-admin_SERVICES_Add-service_Apple_DEP_Default-profile-listed.png

    You will add a DEP profile that is specific for the customer's needs, but first you must carry out the next steps.

  8. In the next series of sub-steps, back on the Apple Business Manager site, you will assign newly-purchased iOS devices to your MDM server. These are iOS devices that have not been given to customer employees yet.

    1. Click Device Assignments. Under Choose Devices, select one of the following:

      • Serial Number, and then add the comma-separated serial numbers of the iOS devices to be enrolled in SDM.

      • Order Number, and then add the order (for example, from an Apple authorized reseller) that the customer has placed that includes iOS devices to be enrolled in SDM.

      • Upload CSV file, and then upload the file that contains the comma-separated serial numbers of the iOS devices to be enrolled in SDM.

    2. Under Choose Action > Perform Action, select Assign to server.

    3. Under Choose Action > MDM Server, select the MDM server name that you indicated in the previous sub-step.

    4. Click Done.

      SDM-6_0_Domain-admin_SERVICES_Add-service_Apple_DEP_Device-Assignments_order-number_FINAL.png
    5. Click OK.

  9. Back on the Apple DEP Service dialog, you will now configure the new DEP Profile. Click Add.

    The Add a DEP Profile dialog appears.

    Add-a-DEP-profile_CROPPED_FINAL.png
  10. Carry out the following recommended settings:

    1. Enter appropriate information in the following boxes: Profile name / Department / Support phone no. / Support email

    2. Under Profile characteristics, select Supervised and Mandatory only. Deselect all other options.

    3. Under Items to skip during setup, select all options except Location.

      Note

      This means that Snow recommends that Location is included during setup, but none of the other options, since the options here are items that will be skipped (that is, disregarded) the first time an iOS device is switched on and the enrollment process begins.

  11. Click OK. The Add DEP Profile dialog communicates a successfully defined profile. Click OK.

  12. Back on the Apple DEP Service dialog, select the new profile you just created and click Toggle Default, so that it is the profile that will be used by default.

  13. Make sure that Enabled is selected in the upper-left corner and then click Apply. This service is now completely configured.

    Click Synchronize now if you want all DEP devices to be brought into SDM now.

  14. Finally, click Execute if you want to force the starting of this service now.

Apple VPP

The Apple Volume Purchase Program (VPP) allows organizations to buy applications in bulk and distribute these to iOS devices. SDM's Apple VPP service connects directly to the customer's corporate Apple VPP account (https://vpp.itunes.apple.com). This connection enables SDM to display VPP characteristics specific to this customer, such as the list of applications that a customer employee with the SDM user role Manager can select when creating an application package to deploy.

SDM-6_2_Domain-admin_SERVICES_Add-service_Apple-VPP.png

To configure the Apple Volume Purchase Program Service:

  1. Enter an appropriate name for this service in the Name box.

  2. Click Apply. The Apple Volume Purchase Program Service dialog closes.

  3. On the right-hand edge of the Apple VPP row, click Edit. The Apple Volume Purchase Program Service dialog opens.

  4. Decide whether or not the organization needs to activate the following settings and act accordingly:

    1. Auto-install app when a license is assigned

    2. Notify user when a license is revoked

    Note

    These are strategic questions about which the organization should already have made a decision.

  5. Click Upload VPP service token and upload the server token. Next, click Verify VPP account to validate the token with Apple's service.

  6. Click Edit invitation mail to customize the invitation text.

    Once this service is executed and its status is enabled, any new SDM user (such as a new employee in the organization who has been given a company iPhone, for example) will receive an email message from SDM inviting them to click a link to participate in Apple VPP.

    1. In the From box, enter the organization name, for example.

    2. The Subject line default text is clear and concise, but can naturally be changed as desired.

    3. As this email is in HTML format, edit the body text as desired between the following tags: <p> </p>

    4. Finally, click OK to accept this revised VPP invitation email text.

  7. Click Apply to accept all VPP service settings. Finally, click Execute to start this service. 

Google EMM

Snow Software is a Google Enterprise Mobility Management (EMM) vendor. This means that SDM is a part of the Android Enterprise initiative, which Google has created for managing workplace Android devices.

SDM-6_0_Domain-admin_SERVICES_Add-service_Google-EMM_FINAL.png

On the Services tab under Domain services, click Add service > Google EMM.

The Google EMM Service dialog appears:

  1. Click Generate a Signup URL. This button's name then changes to Complete Enrollment.

    SDM-6_0_Domain-admin_SERVICES_Add-service_Google-EMM_Generate-a-Signup-URL.png

    A web browser opens.

    Note

    If you are already signed in with your personal Google Account, sign out before logging in with the Google account that will be used for the EMM service.

  2. On the Google Play website (https://play.google.com/work):

    1. Click Sign in.

    2. Type the Email address or phone number of the Google account and then click Next.

    3. Type the Password of the Google account and then click Next.

      The Google dialog box closes.

    4. Click Get started.

    5. Under Business name > Your answer, enter the organization name and then click Next:

      SDM-6_0_Domain-admin_SERVICES_Add-service_Google-EMM_Google-Play_BUSINESS-NAME.png
    6. On the We need some details about your key contacts screen, provide the details (Name, Email, Phone) of the organization's Data Protection Officer and EU Representative.

    7. Accept the terms of the Managed Google Play agreement and then click Confirm.

    8. On the Set up complete screen, click Complete Registration.

      A message now appears from Snow Software, confirming that the Google Play sign-up process was successful.

    9. Under Business name > Your answer, enter the organization name, select the I have read... check box, and then click Confirm.

      Note

      Ignore the message from Google that you must return to the EMM provider to complete the registration.

    10. Click Complete registration.

      The Google Play sign-up process is confirmed.

  3. Back on the Google EMM Service dialog, click Complete Enrollment and then Verify Account. This button's name then changes to Renew credentials.

    SDM-6_0_Domain-admin_SERVICES_Add-service_Google-EMM_Complete-enrollment.png

    A message appears indicating that this account is operational.

  4. Under the Work Profile area:

    1. Enter an appropriate Work profile name.

    2. Select one of the Work profile policy options according to the table below.

    3. Leave the default color as is or click the Add icon to select a new Main text color.

    4. Leave Skip encryption during provisioning deselected to ensure device data security.

      Note

      The default option is to leave the check box empty so that data is encrypted. This option is only available for Android version Nougat or later versions.

    5. Select one of the Account type options according to the table below.

    6. Select one of the Access to applications options according to the table below.

    7. Select one of the Approve permissions options according to the table below.

    8. To select Enrollment group, click the select option icon, select the user group and then click OK.

      Note

      The default enrollment group is root/users. Select a group that is not used by another Google EMM Service. Only users in the selected enrollment group or its sub-groups will be included in the service.

    9. Select Language.

    10. Make sure that Enabled is selected in the upper-left corner and then click Apply. This service is now completely configured.

  5. Finally, click Execute if you want to force the starting of this service now.

| Setting | Option | Description |
| --- | --- | --- |
| Work profile policy | Install a work profile on enrolling devices only | This is the default option. A work profile will only be installed on new devices, and not on already enrolled devices. |
| Work profile policy | Install a work profile on all devices | A work profile will be installed on both new and already enrolled devices. |
| Work profile policy | Never install a work profile on a device | This option can be used to temporarily stop enrollment of work profiles. |
| Account type | Automatically select account type | This is the default option. In most cases, this setting does not need to be changed. The system automatically selects to enroll one or more devices as work profiles or as device owner. |
| Account type | User Account that can be used on multiple devices | This option is used to enroll work profile devices only, with one user having one or more devices. |
| Account type | Device Account specific to a single device | This option is used to enroll device owner devices only, with one user to one device. |
| Access to applications | All approved applications | This is the default option. All approved applications will be available for the user. |
| Access to applications | All applications, including not approved | All applications in Google Play will be available for the user. |
| Access to applications | Approved applications for the user (shows empty whitelist) | Initially, only the Snow app will be available for the user. |
| Approve permissions | Automatically approve future permissions for a product | This is the default option. The user does not have to approve future permissions. |
| Approve permissions | Only approve the current set of permissions for a product | The manager must approve future permissions. |

Private app store

Use the private app store service to publish and deploy private applications in your domain-specific app store. The applications are only available for the Snow Device Manager domain to which the private app store service is connected.

On the Services tab under Domain services, click Add service > Private app store.

The Private app store Service dialog appears.

  1. In the Name box, enter a name for the private app store service.

  2. Select the Enabled check box, select Apply, and then select Close.