GravityZone Mobile Client installation prerequisites

Bitdefender GravityZone provides full visibility into organizations' overall security posture, global security threats, and control over its security services that protect virtual or physical desktops, servers and mobile devices. All Bitdefender's Enterprise Security solutions are managed within the GravityZone through a single console, Control Center, that provides control, reporting, and alerting services for various roles within the organization.

This article presents the information you need to know before you proceed with the installation of GravityZone Mobile Client.

Overview

Security for Mobile Devices manages and controls iPhone, iPad and Android devices through unified, enterprise-grade management. It keeps each device safe with real-time scanning and enforces the organization's security policies on any number of devices: locking the screen, requiring authentication, encrypting removable media, locating lost devices, and denying non-compliant or jailbroken devices access to corporate services.
Before starting to add devices to users and install GravityZone Mobile Client on end devices, you must make sure the requirements are met.

Requirements

Configure External Address for Communication Server

In the default GravityZone setup, mobile devices can be managed only when they are directly connected to the corporate network (via Wi-Fi or VPN). This happens because, during enrollment, mobile devices are configured to connect to the local address of the Communication Server appliance.

To be able to manage mobile devices over the Internet, no matter where they are located, you must configure the Communication Server with a publicly reachable address.

To be able to manage mobile devices when they are not connected to the company network, the following options are available:

  • Configure port forwarding on the corporate gateway for the appliance running the Communication Server role.
  • Add an additional network adapter to the appliance running the Communication Server role and assign it a public IP address.

The external address of the Communication Server is configured from the GravityZone CLI. The address must use the following syntax: https://<IP/Domain>:<port>. Any address shown in the appliance console during this step is only an example; use your own publicly reachable address and port.

Supported Platforms

Security for Mobile Devices supports the following types of mobile devices and operating systems:

  • Apple iPhones and iPad tablets (iOS 5.1+)
  • Google Android smartphones and tablets (2.2+)

Connectivity Requirements

Mobile devices must have an active cellular data or Wi-Fi connection and connectivity with the Communication Server.

Push Notifications

Security for Mobile Devices uses push notifications to alert mobile clients when policy updates and tasks are available. Push notifications are sent by the Communication Server via the service provided by the operating system manufacturer:

  • Google Cloud Messaging (GCM) service for Android devices.
    For GCM to work, the following are required:
    • Google Play Store must be installed.
    • Devices running a version lower than Android 4.0.4 must also have at least one logged in Google account.
    • To send push notifications, the following ports must be open: 5228, 5229 and 5230.
  • Apple Push Notifications service (APNs) for iOS devices.
    Devices using APNs need a direct connection to Apple's server. If a device is unable to connect using cellular data, it will attempt to use Wi-Fi if available. If there is a proxy server on the Wi-Fi network, the device will not be able to use APNs, because APNs requires a direct and persistent connection from device to server.
    When connecting to APNs, iOS devices will use the cellular data connection if it's available. Only if the cellular connection is not available or viable will the device switch to Wi-Fi for APNs connections.
    For APNs traffic to get past your firewall, you'll need to open these ports:
    • TCP port 5223 (used by devices to communicate to the APNs servers)
    • TCP port 2195 (used to send notifications to the APNs)
    • TCP port 2196 (used by the APNs feedback service)
    The APNs servers use load balancing. Your devices will not always connect to the same public IP address for notifications. The entire 17.0.0.0/8 address block is assigned to Apple, so it's best to allow this range in your firewall settings.
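The port list above is easy to get subtly wrong: an egress rule that opens 5223 to a single Apple IP, or only 5228 of the three GCM ports, looks fine in a quick review but leaves devices unreachable. The following added example (not Bitdefender code) encodes the requirements from this section and reports which ones a given egress ruleset fails to cover. The rule format (destination CIDR plus a TCP port range) and the sample rulesets are constructed for the example; real firewalls export rules in their own formats.

```python
"""Check an egress ruleset against the push-notification ports listed above.

Added example, not Bitdefender code. The EgressRule format is an assumption
made for this example; adapt the loader to your firewall's export format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Requirements taken from the article. GCM gives only port numbers, so its
# destination is unconstrained (None); APNs is tied to Apple's 17.0.0.0/8
# because load balancing means devices may reach any address in that block.
REQUIRED = [
    ("GCM", None, 5228),
    ("GCM", None, 5229),
    ("GCM", None, 5230),
    ("APNs", "17.0.0.0/8", 5223),
    ("APNs", "17.0.0.0/8", 2195),
    ("APNs", "17.0.0.0/8", 2196),
]


@dataclass(frozen=True)
class EgressRule:
    """One allow rule: TCP to any address in `dst`, ports port_lo..port_hi."""
    dst: str        # destination CIDR; "0.0.0.0/0" means any destination
    port_lo: int
    port_hi: int

    def covers(self, dst: Optional[str], port: int) -> bool:
        """True if this rule permits `port` to every address in `dst`."""
        if not (self.port_lo <= port <= self.port_hi):
            return False
        allowed = ipaddress.ip_network(self.dst)
        if dst is None:
            # A destination-agnostic requirement is met only by an any-destination rule.
            return allowed.prefixlen == 0
        # The whole required block must sit inside what the rule allows;
        # a narrower rule (e.g. 17.188.0.0/16) does not satisfy 17.0.0.0/8.
        return ipaddress.ip_network(dst).subnet_of(allowed)


def missing_rules(rules: list[EgressRule]) -> list[tuple]:
    """Return the REQUIRED entries that no rule in `rules` fully covers."""
    return [
        req for req in REQUIRED
        if not any(rule.covers(req[1], req[2]) for rule in rules)
    ]


# Constructed sample rulesets (not from any real firewall).
PARTIAL_RULES = [
    EgressRule("0.0.0.0/0", 5228, 5230),    # all three GCM ports
    EgressRule("17.0.0.0/8", 5223, 5223),   # device-to-APNs only
]
TOO_NARROW_RULES = [
    EgressRule("0.0.0.0/0", 5228, 5230),
    EgressRule("17.188.0.0/16", 2195, 5223),  # right ports, wrong scope
]
COMPLETE_RULES = [
    EgressRule("0.0.0.0/0", 5228, 5230),
    EgressRule("17.0.0.0/8", 2195, 2196),
    EgressRule("17.0.0.0/8", 5223, 5223),
]

if __name__ == "__main__":
    for name, rules in [("partial", PARTIAL_RULES),
                        ("too narrow", TOO_NARROW_RULES),
                        ("complete", COMPLETE_RULES)]:
        gaps = missing_rules(rules)
        print(f"{name}: {'OK' if not gaps else gaps}")
```

The second sample ruleset is the interesting one: it opens the right APNs ports but only to a /16 inside Apple's block, so every APNs requirement is reported as missing, which is exactly the failure mode the load-balancing note above warns about.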

iOS Management Certificates

To set up the infrastructure for iOS mobile device management, you must provide a number of security certificates.

Communication Server Certificate

The Communication Server certificate is used to secure communication between the Communication Server and iOS mobile devices.

Requirements:

  • This SSL certificate can be signed either by your company or by an external Certificate Authority.
  • The certificate common name must match exactly the domain name or IP address used by mobile clients to connect to the Communication Server. This is configured as the external MDM address in the configuration interface of the GravityZone appliance console.
  • Mobile clients must trust this certificate. For this, you must also add the iOS MDM Trust Chain.
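Two of the requirements above are mechanical and worth checking before enrolling devices: the external address must follow the https://<IP/Domain>:<port> syntax, and the host part of that address must match the certificate's name exactly. The following added example (not Bitdefender code) does both. It assumes the certificate's subject common name and subject alternative names have already been extracted as plain strings (for instance from the output of openssl x509 -noout -subject -ext subjectAltName); the hostnames and addresses it uses are constructed for the example.

```python
"""Check a Communication Server external address against its certificate.

Added example, not Bitdefender code. The certificate names are passed in as
strings already extracted from the certificate; no parsing of X.509 is done.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def parse_external_address(address: str) -> tuple[str, int]:
    """Validate 'https://<IP/Domain>:<port>' and return (host, port).

    Raises ValueError for a non-https scheme, a missing host, a missing or
    out-of-range port, or any trailing path/query/fragment.
    """
    parts = urlsplit(address)
    if parts.scheme != "https":
        raise ValueError(f"scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("host is missing")
    if parts.port is None:          # .port itself raises on an out-of-range value
        raise ValueError("an explicit port is required")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("address must not contain a path, query or fragment")
    return parts.hostname, parts.port


def certificate_matches_host(host: str, cn: str, sans: list[str]) -> bool:
    """True if the certificate's CN or a SAN names `host` exactly.

    An IP host must appear as an IP address (compared as addresses, so
    textual variants of the same address still match). A DNS host is
    compared case-insensitively, ignoring a trailing dot. Wildcards are
    deliberately not honoured: the requirement is an exact match.
    """
    names = [cn, *sans]
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        for name in names:
            try:
                if ipaddress.ip_address(name) == wanted_ip:
                    return True
            except ValueError:
                continue            # a DNS name cannot satisfy an IP host
        return False

    wanted = host.lower().rstrip(".")
    return any(name.lower().rstrip(".") == wanted for name in names)


def check_communication_server(address: str, cn: str, sans: list[str]) -> dict:
    """Combine both checks into one report for the enrollment prerequisites."""
    host, port = parse_external_address(address)
    return {
        "host": host,
        "port": port,
        "cert_matches_host": certificate_matches_host(host, cn, sans),
    }


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    print(check_communication_server(
        "https://mdm.example.com:8443",
        "intranet.example.com",
        ["intranet.example.com", "mdm.example.com"],
    ))
    print(check_communication_server(
        "https://203.0.113.10:8443", "mdm.example.com", ["*.example.com"],
    ))
```

In the second sample the certificate carries only a wildcard DNS name while clients connect by IP, so the report flags the mismatch; devices would refuse the connection even though the certificate is otherwise valid and trusted.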

Apple MDM Push Certificate

The Apple MDM Push certificate is required by Apple to ensure secure communication between the Communication Server and the Apple Push Notifications service (APNs) servers when sending push notifications. Push notifications are used to prompt devices to connect to the Communication Server when new tasks or policy changes are available.
Apple issues this certificate directly to your company, but it requires that your Certificate Signing Request be signed by Bitdefender. Control Center provides a wizard to help you easily obtain your Apple MDM Push certificate.

iOS MDM Identity and Profile Signing Certificate

The iOS MDM Identity and Profile Signing certificate is used by the Communication Server to sign identity certificates and configuration profiles sent to mobile devices.

Requirements:

  • It must be an Intermediate or End-Entity certificate, signed either by your company or by an external Certificate Authority.
  • Mobile clients must trust this certificate. For this, you must also add the iOS MDM Trust Chain.

iOS MDM Trust Chain

The iOS MDM Trust Chain certificates are required on mobile devices to ensure they trust the Communication Server certificate and the iOS MDM Identity and Profile Signing certificate.
The Communication Server sends this certificate to mobile devices during activation. The iOS MDM Trust Chain must include all intermediate certificates up to the root certificate of your company or to the intermediate certificate issued by the external Certificate Authority.

NOTE: For more details regarding security certificates, refer to the Creating Security Certificates KB article.
