Fusion UDM Installation Guide Page 1 of 82
Installation Guide User Guide
Fusion UDM Premium and Professional Manage and maintain your IT environment
Table of Contents
INFORMATION
COPYRIGHTS
DOCUMENT REVISION INFORMATION
ABOUT THIS GUIDE AND WHO SHOULD USE IT
TYPOGRAPHICAL CONVENTIONS
INTRODUCTION
ARCHITECTURE
SYSTEM REQUIREMENTS AND SERVER SIZING
COMPATIBILITY
INSTALLATION PREREQUISITES CHECKLIST
FOR FUSION UDM SERVER INSTALLATION
FOR FUSION UDM ENDPOINT DEVICE INSTALLATION
FOR FUSION ANDROID MDM (MOBILE DEVICE MANAGEMENT)
PORT AND SERVICE REQUIREMENTS
INSTALLATION OF FUSION UDM
STEP 1: SERVER COMPONENTS INSTALL
STEP 2: MS SQL SERVER CONFIGURATION
STEP 3 - SINGLE SERVER INSTALLATION
DISTRIBUTED SERVER INSTALLATION
HA/FAILOVER/CLUSTERING SERVER INSTALLATION
INSTALLATION OF FUSION UDM AGENT
MANUAL INSTALLATION OF THE FUSION
DEPLOYING AGENT FROM WITHIN FUSION UDM SERVER
DOMAIN GROUP POLICY TO INSTALL FUSION UDM AGENT
FUSION MDM SETUP AND CONFIGURATION
DOMAIN IDENTITY
CONFIGURING ENTERPRISE SERVICE ACCOUNT (ESA)
MOBILE DEVICE MANAGEMENT CONFIGURATION
UPGRADING FUSION UDM SERVER AND AGENT
FUSION UDM SERVER SOFTWARE
UPGRADING THE FUSION AGENT SOFTWARE
SSL CERTIFICATE CREATION AND INSTALLATION
CREATE SELF-SIGNED SSL CERTIFICATE USING OPENSSL
PROCEDURE TO INSTALL SSL CERTIFICATE
NETWORK LOAD BALANCING WINDOWS 2012/R2
DISCLAIMER
Information
This document is a user guide and has been written by VXL Technology/Software. The information within this
guide is correct at the time this guide was authored, using the version of software available at that time. You
may find that there are instances within this guide that vary with the actual version of software you are
evaluating or using. We apologize for this and request that you check the VXL website at http://www.vxl.net
to see if there are any later revisions or addendums available for download.
Every effort has been made to make this guide as complete and as accurate as possible, but no warranty of
fitness is implied. The authors and the publisher shall have neither responsibility nor liability to any person or
entity with respect to loss or damages arising from the use of information contained in this guide.
Copyrights
This guide and its contents are the copyright of VXL Instruments Limited. ©2016 All rights reserved.
Information in this document is subject to change without prior notice and does not represent a commitment
on the part of the manufacturer. No part of this guide may be reproduced or transmitted in any form or
means, electronic or mechanical, including photocopying and recording, for any purpose, without the express
written permission of the manufacturer.
The VXL Logo, Fusion UDM, Fusion UDM Logo, VXL Software logo are all trademarks and registered
trademarks of VXL Instruments Ltd. All other logos and names are the trademarks and registered trademarks
of the respective owners.
Document Revision Information
Date of release   Version number   Information
7/6/2016          V6.0x            Release of master template
28/7/2016         V7.0x            Android add-ons
About this guide and who should use it
Explain here about the guide, its purpose and who should be using this guide – end users, system
administrators etc.
This guide assumes that you have sufficient knowledge of the installation methods used by the operating
system the software is installed on. If you have any doubts about installing the software, contact
your partner or VXL for further assistance.
Typographical Conventions
This document uses the following typographical conventions:
Command and option names appear in bold type in definitions and examples. The names of directories, files, machines, partitions, and volumes also appear in bold.
Variable information appears in italic type. This includes user-supplied information on command lines.
Screen output and code samples appear in monospace type.
In addition, the following symbols appear in command syntax definitions.
Square brackets [ ] surround optional items.
Angle brackets < > surround user-supplied values.
Percentage sign % represents the regular command shell prompt.
Pipe symbol | separates mutually exclusive values for an argument.
Introduction
This installation guide has been written with the aim of guiding you through the steps of correctly setting up
and installing the Fusion UDM software suite. The guide describes the different steps, along with illustrations
to help you install Fusion UDM within your IT environment.
The architecture and deployment scenarios provided within the guide are examples, and you should ensure that
you plan the database server construction so that responses from the server are as fast as possible. We have
included a ‘System requirements and server sizing’ section within the guide, should you need to understand the
best setup you require. The term ‘Endpoint’ generally refers to the physical devices you intend to manage
within your IT environment.
There are two other guides which accompany the installation guide and are available as part of the Fusion
UDM downloadable suite:
Quick start-up guide - gives you a basic understanding of using Fusion UDM core features for the first time
Administrator guide - gives you a full in-depth understanding of the whole Fusion UDM feature set
The Administrator guide is also available online within the Fusion UDM software. To access it:
Within Fusion’s main device manager screen
Select the toolbar > Help
For the technical support knowledgebase, FAQs and video tutorials, please visit http://www.vxl.net/support
Architecture
Fusion UDM software is based on a multi-tier service-oriented architecture (SOA) consisting of a smart client agent,
a SOAP-based messaging framework and web-services-based middleware.
The core application framework is based on a web services architecture using SOAP over HTTP(S), thus
inheriting and exhibiting robustness, reliability, scalability, security and high availability features over LAN and WAN
networks.
The software can connect over wireless (VSAT, GPRS, CDMA and 3G) and wired networks (dial-up, broadband and
leased line).
The solution consists of the following elements:
Fusion UDM middleware software (IIS, MS SQL)
Fusion UDM administrator GUI software (IIS)
Fusion UDM Agent software
  Windows XP / 7 / 8 / 10 / Embedded Versions
  GNU Linux / Gio Linux v6
  Apple iOS / Google Android / Windows Phone/10
Fusion UDM supports the following deployment scenarios:
Installation on a single server
Installation on distributed servers or multitier
System Requirements and Server Sizing
The following is the recommended server set-up for POC/Testing and for a Live production environment for
hosting a Fusion UDM installation:
POC / Testing
All Management suite services hosted on one server
OS options: Microsoft 2008 R2 and above
CPU: Intel Xeon Dual Core or Intel i7 Quad Core 64-bit processor
RAM: 4 GB
HDD Sizing: 4 GB of free disk space on 7.2K RPM or faster drives or arrays
Database: Microsoft SQL Express, Microsoft SQL
Up to 1000 endpoint devices
Single Server
All Management Suite Services Hosted on One Server
OS options: Microsoft 2008 R2 and above
CPU: Intel Xeon Dual Core or Intel i7 Quad Core 64-bit processor
RAM: 6 GB min
Architecture: Central system, no high availability
Average system utilisation <70%
Network Adapter: Gigabit Network adapter
HDD Sizing: 250 GB of free disk space on 7.2K RPM or faster drives or arrays
Database: Microsoft SQL Express, Microsoft SQL
Up to 2000 endpoint devices
Single Server
All Management Suite Services Hosted on One Server
CPU: Intel Xeon Quad Core 64-bit processor
RAM: 8 GB min
Architecture: Central system, no high availability
Average system utilisation <70%
Network Adapter: Gigabit Network adapter
HDD Sizing: 250 GB of free disk space on 7.2K RPM or faster drives or arrays
Database: Microsoft SQL Express, Microsoft SQL
Up to 6000 endpoint devices
Single Server
Server 1 – The IIS Server
CPU: Intel Xeon Quad Core 64-bit processors
RAM: 16 GB min
Network Adapter: Gigabit Network adapter
HDD Sizing: 250 GB of free disk space on 7.2K RPM or faster drives or arrays
Server 2 - The Database Server
CPU: Dual Intel Xeon Quad Core 64-bit processor
RAM: 32 GB min
Network Adapter: Gigabit Network adapter
HDD Sizing: 500 GB of free disk space on 7.2K RPM or faster drives or arrays
Database: Microsoft SQL Full
Up to 6000+ endpoint devices
For larger environments than those listed, please refer to server sizing
documentation or speak to your VXL representative
Compatibility
Fusion UDM has been strenuously tested on various different platforms and environments.
Software Type: Compatibility detail
Server OS:
  Microsoft Windows 2008 R2 64 bit all (GUI editions)
  Microsoft Windows Server 2012 / R2 64bit all (GUI editions)
  Citrix Xen Desktop, Microsoft Hyper V & VMware virtualized instances of any of the above
IIS Version:
  IIS 7.5 for Windows Server 2008 R2
  IIS 8.0 for Windows Server 2012
.net runtime version:
  Microsoft .NET Framework 4.5 full version (4.5.50709.378389) and above
  Microsoft .NET Framework 4.5.1 full version (4.5.50709.378389) and above
SQL Database:
  SQL Server 2008, 2012, 2014 and its express editions
SSL certificate:
  OpenSSL compatible SSL certificate for HTTPS & FTPS communication.
Admin console
Internet browser:
  Microsoft Internet Explorer version 9.0, 10.0 & 11.0 and Edge browser 12 and above
  Mozilla Firefox version 21 and above (for Windows, Linux & Android OS)
  Google Chrome version 28 and above (for Windows, Linux & Android OS)
  Apple Safari Browser 5.1.7 and above (for Windows, MAC OSX, iOS)
Endpoint devices
Thin client devices:
  Microsoft XP Embedded
  Microsoft WES 2009, Microsoft WES 7 and P (32, 64 Bit)
  Microsoft WES8, Microsoft Windows 10 IoT Enterprise
  VXLs own GIO6 Linux
Desktop/Laptop devices:
  Microsoft Windows XP SP2
  Microsoft 7 - Professional, Enterprise and Ultimate editions
  Microsoft Windows 8 - Professional and Enterprise editions
  Microsoft Windows 10 – Professional, Enterprise and Education editions
  Citrix Xen Desktop, Microsoft Hyper V & VMware based virtualized instances of the above.
Mobile or Tablet Devices:
  All devices based upon the below, with ‘Google Play-store’ access
  Android OS 5.0 (Lollipop)
  Android OS 6.0 (Marshmallow)
Installation Prerequisites Checklist
For Fusion UDM Server Installation
The installation requires a full ‘Administrator’ user login (local/domain) on the host/server operating system
to install the Fusion UDM server application, modules and other components needed.
IIS 7.5 or later with the following server components included:
IIS Management Console, IIS Management Scripts and Tools
IIS Management Service, Default Document, Directory Browsing, Static Content, HTTP Errors,
Static Content Compression and Request Filtering.
If IIS 8.0 is required, include the optional ASP.NET 4.5 component as well.
For assistance on ‘Server components install’ please refer to this section within the guide
Microsoft .NET Framework 4.5 full version (for Windows 2008 R2) is required to be installed
Downloadable from https://www.microsoft.com/en-gb/download/details.aspx?id=30653
Microsoft SQL 2008 and above including express editions
Downloadable from https://www.microsoft.com/en-gb/download/details.aspx?id=42299
Although not required, we also recommend adding the SQL Management tool, should
the SQL database require managing;
Downloadable from https://www.microsoft.com/en-gb/download/details.aspx?id=8961
For assistance on ‘MS SQL database configuration’ please refer to this section within the guide
Port and service requirements must be adhered to. For assistance on ‘Port and service requirements’
please refer to this section within the guide.
For Fusion UDM Endpoint Device Installation
In order to install the Fusion UDM Agent software successfully, you will need to ensure that the “Administrator”
user is enabled, or that the “Run as Administrator” option is available when manually installing the software
onto endpoint devices
For Patch management (Fusion Premium), the Windows Update Agent (WUA) service needs to be running
on the Windows OS endpoint device for the patch management feature to operate.
For Fusion Android MDM (Mobile Device Management)
The prerequisites below are required if administrators want to monitor, manage, audit, and secure corporate
data on Android mobile/tablet devices.
Firstly, you need to complete the process of “Google claimed customer Domain”
https://www.google.com/a/signup/?enterprise_product=ANDROID_WORK
You need to create and configure a customer enterprise service account (ESA) from the Google developer
Console, as per the instructions in the Fusion UDM administrator’s user guide. Obtain the ESA ID,
generate the OAuth secret key (.json) file for the web application and generate the (.json) file for the directory API
service account.
Create/claim an EMM token using the Google admin console.
In case of bulk license management, a Google apps subscription for the concerned customer is required.
https://play.google.com/work
In case of private apps deployment, a play store publisher account is required for the concerned customer
domain. https://play.google.com/apps/publish
Android devices running a minimum OS version of 5.0 / Lollipop onwards.
The devices should also include the following OEM pre-installed system packages for BYOD/work profile
support: android.software.managed_users, android.software.device_admin.
A list of officially supported devices is available at https://www.android.com/work/
NOTE: For assistance configuring mobile device management please refer to the Administrator guide
Port and Service Requirements
In order for Fusion UDM to communicate from the server to the endpoint and from the endpoint back to the server,
various ports are required to be open on your firewall. During the install of Fusion UDM these exceptions are
added into the software firewall, but the ports may also need to be opened on the switch/VLANs to allow full
uninterrupted communication.
Ports quick chart reference
Listed below are ALL the ports which Fusion UDM uses:
Source    Destination   Ports          TCP/UDP   Direction (Uni or Bi)   Description
Agent     Server        80             TCP       Bi                      HTTP communication
Agent     Server        443            TCP       Bi                      HTTPS Communication
Agent     Server        21             TCP       Uni                     For Normal FTP (FTP)
Agent     Server        990            TCP       Uni                     For Secure FTP (FTPS)
Browser   Server        9001 to 9020   TCP       Uni                     For VNC shadowing used by browser
Agent     Server        5500           TCP       Uni                     For VNC (Used by FUDM Agent)
Agent     Server        5901           TCP       Uni                     For VNC (Used for connection)
Server    Server        1433           TCP       Uni                     For SQL Connection
Server    Agent         139            TCP       Uni                     Agentless discovery and Remote installation (Push)
Server    Agent         445            TCP       Uni                     Agentless discovery and Remote installation (Push)
Server    Agent         137            UDP       Uni                     Agentless discovery and Remote installation (Push)
Server    Agent         138            UDP       Uni                     Agentless discovery and Remote installation (Push)
Server    Agent         9000           TCP/UDP   Uni                     For Discovery
Server    Agent         7              UDP       Uni                     For Wake On Lan (WOL)
Server    Agent         9              UDP       Uni                     For Wake On Lan (WOL)
Ports and Services explained
HTTPS Port 443 - if you are doing a secure SSL installation of Fusion UDM server
HTTP Port 80 – if you are doing a non-SSL installation of Fusion UDM server
For remote VNC Shadowing functionality using HTML5:
TCP Ports 9001-9020 are used by the browser to connect to the Fusion UDM server.
TCP Port 5500 is used by the Fusion UDM agent to connect to the Fusion UDM server.
TCP Port 5901 is used for connection within processes on the server itself.
For agent based discovery of devices and remote installation of agent software across multiple LAN subnets,
certain ports and services are required:
TCP and UDP Port 9000 on both Fusion UDM server and endpoint for initiated device discovery.
TCP ports 139, 445 and UDP ports 137,138 on both
The File and printer sharing service needs to be running, i.e. C$ sharing capability, to transfer the agent to the
endpoint
Windows Firewall requires the ‘File and printer sharing service’ exception to be added.
Agentless discovery across VLAN & VPN environments:
The VPN should be configured to allow NetBIOS broadcast forwarding, or alternatively WINS should be
implemented on each side of the VPN.
For a VLAN setup within a domain environment, the WINS/computer browsing service needs to be running on all
domain controllers. All endpoints should be configured as WINS clients.
For Wake-On-LAN (WOL) functionality:
WOL must be supported and enabled within the BIOS
The Wake on Magic Packet option must be enabled. This is located in the power management tab within the
network interface properties, accessed using device manager
Simple TCP/IP services should be running
Open UDP port 9 in Windows firewall settings
For Wake-On-LAN (WOL) functionality within a VLAN:
Directed broadcasts should be enabled on the router
Enable and open UDP ports 7 and 9
Using Ping, Telnet and Netstat for port testing (Troubleshooting)
If you are not sure that the required ports are open and communicating between the server and endpoint
device, there are various tools to check this. Ping is a method of checking whether the computer is connected to a
network. Netstat displays active TCP/UDP connections and the ports on which the computer is listening, and Telnet
can be used to test the port to the server or endpoint.
Ping command
From the Fusion UDM server
Open CMD prompt
Type ping <IP address of the endpoint>
If there is a response from the IP address, then it is communicating OK
If there is no response, it could well be that the firewall is blocking this
Netstat command
From the Fusion UDM server
Open CMD prompt
Type netstat -ano
This will list all the ports that are established and are in the listening state.
If ports are not listening or are showing TIME_WAIT, there is a problem that needs to be investigated
Telnet command
From the endpoint device, open CMD prompt
Type telnet <Server hostname/IP address> 9000
If the screen goes blank, this means the port is open and communicating
Connection refused means that nothing is running on that port
Timeout generally means the firewall is blocking access
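The netstat check above, worked through as an added example (not part of the VXL guide): a Python script that parses `netstat -ano` output and compares the listening sockets with the server-side rows of the port table. The sample output, addresses and PIDs are constructed; treating 80/21 as the cleartext counterparts of 443/990 on an SSL install, and 5901/1433 as ports that need no wider bind on a single server, are assumptions drawn from the table's descriptions.

```python
"""Audit `netstat -ano` output against the Fusion UDM server-side port table."""

LOOPBACK = {"127.0.0.1", "[::1]"}

# Port-table rows whose destination is the server, plus port 9000, which the
# guide says is needed on both server and endpoint for discovery.
SECURE = {(443, "TCP"): "HTTPS", (990, "TCP"): "FTPS"}
CLEARTEXT = {(80, "TCP"): "HTTP", (21, "TCP"): "FTP"}
ALWAYS = {
    (5500, "TCP"): "VNC, agent to server",
    (5901, "TCP"): "VNC, processes on the server itself",
    (1433, "TCP"): "SQL connection",
    (9000, "TCP"): "discovery",
    (9000, "UDP"): "discovery",
}
# The VNC shadowing range 9001-9020 is left out of the required set
# (assumption: those listeners only exist while a session is open).

# Assumption: on a single-server install these need no non-loopback bind.
# In a distributed install 1433 must stay reachable from the IIS server.
LOCAL_ONLY = {(5901, "TCP"), (1433, "TCP")}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2212
  TCP    0.0.0.0:5500           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5901         0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:9001           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:443           10.0.0.77:50312        ESTABLISHED     4
  TCP    10.0.0.5:990           10.0.0.78:50400        TIME_WAIT       0
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:9000           *:*                                    3120
"""


def listeners(netstat_text):
    """Map (port, proto) -> set of local bind addresses for listening sockets."""
    found = {}
    for line in netstat_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = tokens[0], tokens[1]
        # TCP rows carry a state column; UDP rows do not (bound means receiving).
        if proto == "TCP" and tokens[3] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")  # also splits "[::]:443" correctly
        if port.isdigit():
            found.setdefault((int(port), proto), set()).add(addr)
    return found


def audit(netstat_text, ssl=True):
    """Return missing listeners, cleartext listeners and widely bound local ports."""
    bound = listeners(netstat_text)
    required = dict(ALWAYS)
    required.update(SECURE if ssl else CLEARTEXT)
    return {
        # Expected by the port table but nothing is listening.
        "missing": sorted(k for k in required if k not in bound),
        # HTTP/FTP still listening although the install is meant to be SSL.
        "cleartext": sorted(k for k in CLEARTEXT if ssl and k in bound),
        # Server-internal ports reachable on a non-loopback address.
        "wide_bind": sorted(k for k in LOCAL_ONLY
                            if bound.get(k, set()) - LOOPBACK),
    }


if __name__ == "__main__":
    for finding, ports in audit(SAMPLE_NETSTAT, ssl=True).items():
        print(finding, ports)
```

On a real server, replace SAMPLE_NETSTAT with the saved output of netstat -ano and pass ssl=False for a non-SSL installation.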
Installation of Fusion UDM
The following section will list the various steps required to correctly install and configure Fusion UDM on to your
server environment adhering to the ‘Installation Prerequisites checklist’.
STEP 1: Server Components Install
For Windows Server 2012 / R2
1. On the taskbar select Server Manager
2. Select Add Roles and Features
3. Follow the prompts until you reach Server Roles
4. Scroll up/down and tick Web Server (IIS)
This will prompt with the management tools dialog, select ‘Add Features’
5. Follow the prompts until you reach ‘Role Services’
6. Expand the Web Server and ensure the following are ticked to be installed:
Web Server > Common HTTP Features -> Default Document, Directory Browsing, HTTP Errors, Static Content
Web Server > Performance -> Static Content Compression
Web Server > Security -> Request Filtering
Web Server > Application Development -> ASP.NET 4.5 (which will add additional features), WebSocket Protocol
Management Tools -> IIS Management Console
Management Tools -> IIS Management Scripts and Tools
On confirmation select ‘Restart the destination server automatically if required’
Select Install
After completion of installation select Close button.
For Windows Server 2008 R2
1. On the taskbar select Server Manager
2. Select Add Roles
3. Follow the prompts until you reach Server Roles
4. Select Web Server (IIS) and select Next
5. Expand the Web Server (IIS) and tick the following to be installed:
Common HTTP Features-> Static Content, Default Document, Directory Browsing, HTTP Errors
Security-> Request Filtering
Performance-> Static Content Compression
Management Tools-> IIS Management Console
Management Tools-> IIS Management Scripts and Tools
Management Tools-> IIS Management service
Select Install, after completion of installation, select the Close button.
STEP 2: MS SQL Server Configuration
Once the Microsoft SQL database is installed, there are some configurations required for Fusion UDM to
communicate correctly with Microsoft SQL.
During installation of MS SQL, make sure that the following minimum features are selected.
Ensure that during the installation of SQL management the “sa” account is enabled and that you
are aware of its valid credentials, as these will be required during Fusion UDM installation. If you do not
know the credentials for the “sa” account, please speak to your database administrator responsible
for SQL.
On a default installation of Microsoft SQL, the protocols within SQL Server Configuration Manager are
usually enabled, but to ensure this please check the following;
1. Open SQL Server Configuration Manager.
Expand SQL Native Client 10.0 Configuration module
Select Client Protocols
Right-click on each of the below and enable the following:
Shared Memory
TCP/IP
Named Pipes
VIA (if applicable)
2. The next step is to configure the protocol port to be used.
Select SQL Server Network Configuration
Select Protocols for SQL EXPRESS (this can vary depending on version of SQL installed)
Right click on TCP/IP and Select IP Addresses.
For IP section, change the TCP Port to 1433
Click apply and then OK
3. Once the above has been completed a restart of the SQL server services is required
4. Select SQL Server Services.
Right-click SQL Server (MSSQLSERVER) in this instance
Select Restart
Close the SQL Server Configuration Manager.
STEP 3 - Single Server Installation
The Fusion UDM software can be installed on a single server comprising IIS, SQL database and Fusion
UDM, managing up to a maximum of 2000 endpoint devices. If you are installing onto a larger environment we
recommend following the distributed server installation included within the guide.
Download the latest version of Fusion UDM software at:
http://www.vxl.net/contact/request-evaluation
Copy the downloaded installer package onto the hard drive of the server you are going to use for
Fusion UDM.
1. When you are ready, click on the setup file you copied earlier. The following startup wizard will appear
2. Select the Next button. The End User License Agreement (EULA) will be displayed.
3. Select the “I accept the terms in the license Agreement” check box and then click the “Next” button.
4. The following screen is displayed, allowing you to choose the installation path. You can keep the default
installation path, which is set to “C:\VXL”, or choose an alternative location using the “Browse” button.
Once you are ready click the “Next” button to continue.
5. The following screen will be displayed, where you can choose one of the two installation types. For
installation on a single server choose the “Complete” installation option. Click the “Next” button to continue.
6. An information screen similar to the one below will be displayed listing the components that will be
installed on your system. You can see how much disk space is needed and used by clicking the Disk Usage
button. Keep the default options and click the “Next” button to continue.
7. The “Requirements” screen will be displayed. The installer will automatically identify and display the
status of prerequisites, indicating whether each component is installed or unavailable on your system.
8. If the installation prerequisites are met, the “Next” button will be visible and you can proceed with
the installation. Click the “Next” button to continue.
NOTE: If the prerequisites are found to be installed on your system, a tick mark (✓) will be displayed indicating
component compliance. If any prerequisite is not fulfilled, a red cross (X) will be shown alongside the
missing component and the setup will not proceed further. The prerequisite needs to be installed before
continuing the installation.
9. The next step is the database connection setup, shown on the “Database setup” screen. Enter
the correct credentials to establish the SQL server connection. Once you have entered these, click the
“Next” button and a connection to the SQL server will be tested.
10. The FUDM database can be installed on a remote machine. To do so, select the database connection type
Remote while installing the database. When the Remote type is selected, the database is connected to the remote
machine whose details are entered in the form.
Note: If you want to install the Fusion UDM application on the same system from which the database was
remotely installed, it is essential to first uninstall the Fusion UDM entry from Add/Remove Programs on that
system.
Ensure that the correct credentials and setup of SQL are adhered to. If not, then the following message
can occur
11. Once the SQL connection is established, the next screen is the communication server setup, which is
required for the configuration of the web server’s hostname and port requirements. Since the IIS server is
located on the current installation server, the host name of the server is pre-populated and SSL
communication is ticked by default (this is recommended for a Live secure Fusion UDM environment). If the
server is part of a domain infrastructure, an FQDN is required using the following syntax:
Hostname.Fulldomainname, for example fusion.test.com
NOTE: This is important if you wish to register devices over a WAN environment or register mobile devices
12. In case a default website is already running on the selected port, you will be shown a dialog as shown
below and asked if you wish to stop the site using the port in question.
13. The next screen(s) will prompt you to start the installation process. If you wish to change any of the
provided information you can do so by clicking the “Back” button.
14. After completion of the installation process the installer will launch the Fusion UDM web console. You
can prevent this by un-ticking the “Launch Fusion UDM Web Console” checkbox and clicking “Finish”.
15. In order to log into the Fusion UDM server, you can begin by using the default logon credentials. We
strongly recommend that you change the credentials as quickly as possible. The default credentials are:
Username: admin
Password: admin
NOTE - You can access the Fusion UDM Admin console from anywhere without having to remotely log in, by
enabling port forwarding on the router to the static IP/hostname of the server.
To learn about and understand the features of Fusion UDM, please refer to the Administrator guide.
Distributed Server Installation
If you are installing into a larger environment of 2000+ endpoint devices, we recommend a distributed
server method.
It is assumed that both servers used for this are of similar configuration and that you have copied the
Installer package onto the hard drive of the computer system prepared for installation of the web component, with the server running the IIS server role.
1. The initial part of the installation is the same as the single server installation described in the previous section, from Step 1 – Server components Install and Step 2 – MS SQL installation.
2. During the Fusion UDM installation at ‘Step 5’ of the install process, select the ‘Custom’ installation option and proceed to the next step.
3. Select the ‘Install Fusion UDM Database’ option first, as the server installation requires the database to
be present and prepared in readiness for the server installation to connect to.
4. Once installed, you will be required to re-run the installation setup: the first time is for the database installation and the second time is for the server installation.
5. When requested you will need to specify the database server and connection parameters, as shown below.
6. Select ‘Connect to remote database server’ and populate the correct credentials.
7. Once you have completed and connected to the database successfully, you can continue the installation.
Please refer to steps 10 onwards, mentioned in the previous chapter for assistance.
HA/Failover/Clustering Server Installation
If you require a high-availability installation of the Fusion UDM server (an example of how it operates is shown below),
follow these steps:
The prerequisites for the server installation are the same as the ones required for the single server
installation. It is assumed that the servers used in the clusters are of similar configuration and that
you have copied the Installer package onto the hard drive of the computer system prepared for installation of the web component – the servers running the IIS server role.
1. The initial installation is the same as the single server installation described in the previous section.
2. At ‘Step 5’ of the installation process, select the ‘Custom’ installation option and proceed to next step.
3. Select the ‘Install Fusion UDM Database’ option first as the server installation requires the database to be
present and prepared in readiness for the server installation to connect to.
You will be required to run the installation once for the database installation and on the servers in
the cluster for the server installation.
Install Fusion UDM Database Install Fusion UDM Server Application
4. Install Fusion UDM database on local server
For the install of the Fusion UDM Database, the administrator will require the local database server
details along with connection parameters:
Important: (Remote IP Address) The SQL instance should be configured to accept TCP/IP connections from remote
computers.
This configuration change may be required when Fusion UDM connects to a remote database, and also at
installation time when Fusion UDM needs to access a remote SQL Server instance as part
of a distributed installation.
5. On the SQL Server, open 'SQL Server Configuration Manager'. For example:
Start > All Programs > Microsoft SQL Server 2008/2008 R2 > Configuration Tools > SQL Server Configuration Manager.
i. For MS SQL 2012: Use the Windows key or hover over the lower-left corner of the desktop and select All Programs > Microsoft SQL Server 2012 > Configuration Tools > SQL Server Configuration Manager.
6. Expand 'SQL Server Network Configuration' and highlight the 'Protocols for [InstanceName]' option.
7. In the right-hand window, if 'TCP/IP' currently has the 'status' of 'Disabled', right-click on 'TCP/IP' and select 'Enable'.
Note: You will be requested to restart the SQL Server service to complete the configuration change.
8. To restart the service, you can use the same Microsoft Management Console (MMC) window.
Highlight the 'SQL Server Services' option at the top of the tree. In the right-hand window,
right-click on the 'SQL Server [Instance]' entry and choose 'Restart'.
The SQL instance has now been configured to accept TCP/IP connections from remote
computers.
9. Require local database server details with connections
Installation of Fusion UDM Agent
This section covers the manual and domain group policy installation methods in depth. For agentless install we
provide a brief method; it is explained in more depth in the Fusion UDM Administrator guide.
There are various methods of installing the Fusion UDM Agent software:
Manual installation of the Fusion UDM Agent onto the endpoint
Deploying the Fusion UDM Agent using the Agentless install feature within Fusion UDM server
Domain group policy to install Fusion UDM Agent
Manual installation of the Fusion
Ensure the endpoint compatibility on page 9 before attempting the installation.
Copy the Fusion UDM installer package onto the hard drive of the target endpoint.
NOTE: For Windows XP-SP2 OS based endpoints, the latest version of Windows Installer component is
required for successful installation.
1. Double-click on setup file, which will start the install wizard. Click “Next”.
2. You will be shown a list of changes that are made by the installer and prerequisites that are required
to install the Fusion agent software.
3. If you agree select the checkbox and click on the “Next” button to proceed with the installation.
4. Click the “Finish” button to complete the installation of Fusion UDM Agent setup.
Deploying Agent from within Fusion UDM Server
In this section we explain how to discover and install devices from within the Fusion UDM server using a
straightforward LAN IP range. Other searches are explained in depth in the Administrator guide.
Ensure that the prerequisites for ports and service requirements are adhered to first.
1. Within Fusion UDM, select the toolbar and select “Discovery”
2. Select Discover and from Scan Type, select LAN
3. Type in a valid from and to IP address range and click OK
This will populate the endpoints available for the agent software to be installed onto.
If you wish to quicken the search process, click on refresh.
4. Select install and tick the endpoint device(s) you wish to install the agent onto.
5. Within a domain environment you would need to populate the administrator account credentials available on the endpoints and then click on Install.
The process of deploying the agent to selected endpoints will begin.
Any in-progress and completion alerts will appear within the Discovery area.
NOTE: Ensure that ‘File and Print sharing’ and ‘ports’ mentioned within the ‘Ports and service requirements’
section are adhered to or the installation will fail with ‘Share rights access denied’.
Domain group policy to install Fusion UDM Agent
In this section we show you how to use Group Policy to automatically distribute Fusion Agent to client
computers or users. You can use Group Policy to distribute computer programs by using the following
method:
If you assign the program to a user, the agent is installed when the user logs on to the computer.
When the user first runs the program, the installation is completed. If you assign the program to a
computer, the agent is installed when the computer starts, and it is available to all users who log on
to the computer.
STEP1: Create a distribution point
To publish or assign a computer program, you must create a distribution point on the publishing server. To do
this, please follow these steps:
1. Log on to the server as an administrator.
2. Create a shared network folder where you are going to put the Microsoft Windows Installer package
(.msi file) that you want to distribute.
3. Set permissions on the share to allow access to the distribution package.
4. Copy the Fusion UDM agent installer (FUDMAgent.MSI) package to the distribution point.
Please use the installer version of the ‘Agent MSI file’, which is a silent installer. Normally this resides within the
Fusion server; otherwise contact your VXL support representative for it.
STEP2: Create a Group Policy Object
To create a Group Policy Object (GPO) to use to distribute the software package, follow these steps:
5. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative
Tools, and then click Active Directory Users and Computers.
6. Right-click your domain name and create an Organizational Unit (OU), for example FUDM.
7. Add to that OU the client machines on which the application is to be installed.
8. Go to Run and type gpmc.msc. The following window will appear; right-click on the OU and create a new GPO.
When you have finished, click OK.
STEP 3: Assign a package
9. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative
Tools, and then click Active Directory Users and Computers.
10. In the console tree, right-click your domain, and then click Properties.
11. Click the Group Policy tab, select the policy that you want, and then click Edit.
12. Under Computer Configuration, expand Software Settings.
13. Right-click Software installation, point to New, and then click Package.
In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared
installer package that you want. For example, \\file server\share\file name.msi.
Do not use the browse button to access the location. Make sure that you use the UNC
path of the shared installer package.
14. Click Open.
15. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.
16. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers
snap-in.
17. When the client computer starts, the managed software package is automatically installed.
Appendix
Fusion MDM Setup and Configuration
Domain Identity
In this section we show you the process to setup and configure your Android devices to work within Fusion
UDM.
STEP 1: Register the Managed Domain
Follow the “Google claimed customer domain” registration process before carrying out the steps below:
https://www.google.com/a/signup/?enterprise_product=ANDROID_WORK
1. Admin enters basic business contact information
2. Admin enters basic information about the business
Business name
Address
Number of Employees
STEP 2: Create the Admin Account
Admin creates the account for the Managed Domain
STEP 3: Verify Domain Ownership
Admin verifies Domain ownership
1. Add Meta tag to corporate homepage
Google verifies by scanning homepage
2. Add a TXT or CNAME record to domain’s DNS
Google verifies by checking DNS records
3. Add an HTML file to root of company’s website
Google verifies by scanning the company website
STEP4: Generate EMM API Token
Generated for binding to Customer’s EMM Provider
Enables Android for Work management via APIs
Allows management of ONLY specific Managed Domain devices
Configuring Enterprise Service Account (ESA)
Create and configure the customer Enterprise Service Account (ESA) from the Google developer console.
To do this, sign into https://console.developers.google.com using the administrator account set up
previously.
STEP1 - Create the project
Register your application for Admin SDK in Google API Console. Google API Console allows you to manage
your application and monitor API usage. Create a project where your application will be registered. You can
use one project to manage all of your applications, or you can create a different project for each application.
To add the project, navigate to:
Google API -> Project dropdown -> Create project.
Here, we enter the Project name.
Step 2 - Enable APIs for the project
To get started using Admin SDK, you need to first use the setup tool, which guides you through creating a project in the Google API Console, enabling the API, and creating credentials.
1. On the developer’s console page, go to API Manager.
2. Then go to Library.
3. Search and Enable APIs required for your project.
4. The following APIs need to be enabled:
Google Play EMM API
Admin SDK
Android Device Verification API
App Engine Admin API
Big Query API
5. List of the enabled APIs will be displayed in Dashboard section.
6. To enable the API, click on ENABLE button. After we enable a particular API, the button changes to DISABLE.
STEP3 - Working with credentials
You need credentials to access the APIs. Depending on the API, you need an API key, a service account or an
OAuth 2.0 Client ID.
3.1 - Creation of Service account key:
Service account key enables server-to-server, app-level authentication using robot accounts.
3.1.1 - Service account addition:
To set up a new service account, do the following:
1. If the API Manager page isn't already open, open the console menu and select API Manager.
2. On the left, click Credentials.
3. Click Create credentials > and select Service account key.
4. On the create service account key form, click New Service account.
5. Enter the service account name and select the role as Project > Owner.
6. A service account id name will be automatically generated.
7. Click Create to generate a service account.
8. Your new public/private key pair (Service JSON) is auto-generated and downloaded to your machine.
This information is required for configuring Fusion MDM. Please save this information in a
separate folder.
Important: It serves as the only copy of this key, so it is highly recommended to store it securely.
3.1.2 – Domain Verification:
You need to verify domain ownership to allow web hook notifications to be sent to your external domains. Google verifies that the user owns each of the listed domains via Search Console.
1. Domain Verification > Add Domain. Enter the name of the domain.
2. After successful addition of domain name, the entered domain gets listed on the Google
console.
3.1.3 – OAuth consent screen:
If this is your first time creating a client ID, you can configure your consent screen by clicking OAuth
consent screen.
You won't be prompted to configure the consent screen after you do it the first time.
3.1.4 – Domain-wide delegation
1. One last step remaining in Service account section.
2. Navigate to API Manager > Credentials. Next to Service accounts, click on Manage service
accounts. The service accounts form will be displayed.
3. Find the service name you’ve created previously. Click on the Options button next to it and select Edit.
4. On the Edit service account form, select the checkbox against Enable Domain-wide delegation. Click on Save to save the changes.
3.2 - Creation of OAuth client ID:
This ID requests user consent so that an app can access the user’s data. To create an OAuth 2.0 client ID in the console:
1. If the API Manager page isn't already open, open the console menu and select API Manager.
2. On the left, click Credentials.
3. Click New Credentials, then select OAuth client ID.
4. Select the application type as Web application for project and enter any additional information as required.
5. Enter the OAuth client ID name.
6. Authorized JavaScript origins: For use with requests from a browser. This is the origin URI of the server/client application. (e.g.: https://fusion.vxl.net)
7. Authorized redirect URIs: For use with requests from a web server. This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address. Recommended URLs are as follows (e.g. with edit URLs):
a. https://<FQDN>/Handlers/Tools/MDMConfiguration_Handler.ashx
b. https://<FQDN>/authorize/
c. https://<FQDN>/AuthCallback/IndexAsync/
d. https://<FQDN>/oauth2callback/
8. Click Create to create the Client ID.
9. Now, a Client JSON file is automatically generated which can be downloaded by clicking the Download JSON button on top of the page.
10. Along with the Client JSON, we also have a Client secret key listed below it.
This Client JSON & Client secret key information is required for configuring Fusion MDM. Please save this information in a separate folder.
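The redirect URI rules from step 7 above can be checked before the values are entered in the console. The following is an added example, not part of the guide or of Fusion UDM; the function names and the sample inputs in the `__main__` section are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Redirect paths recommended in the guide; "<FQDN>" is replaced per server.
RECOMMENDED_PATHS = (
    "/Handlers/Tools/MDMConfiguration_Handler.ashx",
    "/authorize/",
    "/AuthCallback/IndexAsync/",
    "/oauth2callback/",
)


def build_redirect_uris(fqdn):
    """Expand the guide's four https://<FQDN>/... entries for one server name."""
    return ["https://" + fqdn + path for path in RECOMMENDED_PATHS]


def check_redirect_uri(uri):
    """Return the rule violations for one URI (an empty list means it passes)."""
    if "<" in uri or ">" in uri:
        return ["placeholder such as <FQDN> was not replaced"]
    try:
        parts = urlsplit(uri)
        host = parts.hostname
    except ValueError:
        return ["not a parseable URL"]
    # Rule: must have a protocol (and therefore an absolute host).
    if not parts.scheme or not host:
        return ["missing protocol or host"]
    problems = []
    # Rule: cannot contain URL fragments.
    if "#" in uri:
        problems.append("contains a URL fragment")
    # Rule: cannot contain relative paths.
    if any(segment in (".", "..") for segment in parts.path.split("/")):
        problems.append("contains a relative path segment")
    # Rule: cannot be a public IP address.
    try:
        if ipaddress.ip_address(host).is_global:
            problems.append("host is a public IP address")
    except ValueError:
        pass  # host is a DNS name, not an IP literal
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the guide's FQDN example plus three bad entries.
    candidates = build_redirect_uris("fusion.test.com") + [
        "https://8.8.8.8/oauth2callback/",
        "/authorize/",
        "https://fusion.test.com/authorize/#done",
    ]
    for candidate in candidates:
        issues = check_redirect_uri(candidate)
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
```
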
3.3 - API Key generation:
Identifies your project using a simple API key to check quota and access.
To create an API key in the console:
1. If the API Manager page isn't already open, open the console menu and select API Manager.
2. On the left, click Credentials.
3. Click New Credentials, then select API key.
4. On the create new key form, click on Server key.
5. Enter the name for the API key.
6. Click Create to generate the API Key.
This API key should also be kept secret and is required for configuring Fusion MDM. Please save this information in a separate folder.
Important: It may take up to 1 hour for settings to take effect.
3.4 - Project ID:
The project we have created has an ID associated with it.
1. In order to retrieve the ID of the project, navigate to API manager, then click on Credentials.
2. Under the Service account keys section, click on Manage service accounts.
3. From the left menu, click on Settings.
4. On the Settings page, the Project number will be our required Project ID.
This Project ID information is required for configuring Fusion MDM. Please save this information in a
separate folder.
With the above steps, our configuration on Google developer console is completed.
Step 4 - Managing APIs
We now move on to Google admin console. Sign in to https://admin.google.com with the same mail id which
was used to login previously in Google developer console.
The service account that you created needs to be granted access to the Google Apps domain’s user data that you want to access. The following tasks have to be performed by an administrator of the Google Apps domain:
1. Click on Security > Show more > Advanced Settings > Manage API Client Access.
Manage API Class Access: API class access allows admins to control access to user data by applications that use OAuth protocol.
Here, we require two things:
1. Client Name - Authorized API clients.
Your client name will be the Client key generated previously on Google developer console. Navigate to Google developer console page. Then from left menu, go to API Manager > select Credentials. In the OAuth 2.0 client IDs section, click on the Client name you’ve previously created. The Client ID on this page will be required. Copy the client ID and paste it into the Google admin page > Manage API Client Access > Client name section.
2. API scopes - API client domains are registered with Google and authorized to access data for your users.
You can directly use the following links as API scopes which are recommended:
https://www.googleapis.com/admin/directory/v1,
https://www.googleapis.com/admin/directory/v1/users,
https://www.googleapis.com/androidenterprise/v1/enterprises,
https://www.googleapis.com/auth/admin.directory.customer,
https://www.googleapis.com/auth/admin.directory.device.mobile,
https://www.googleapis.com/auth/admin.directory.device.mobile.action,
https://www.googleapis.com/auth/admin.directory.domain,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.group.member,
https://www.googleapis.com/auth/admin.directory.group.member.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.notifications,
https://www.googleapis.com/auth/admin.directory.orgunit,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.resource.calendar,
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.alias,
https://www.googleapis.com/auth/admin.directory.user.alias.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.userschema,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/apps.licensing,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/contacts,
https://www.googleapis.com/auth/contacts.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/plus.login,
https://www.googleapis.com/auth/plus.me,
https://www.googleapis.com/auth/plus.profiles.read,
https://www.googleapis.com/auth/userinfo.profile
3. Copy the above links all together and paste them in API scopes section.
4. Click on Save to save your settings.
Your service account now has domain-wide access to the Google Admin SDK Directory API for all the users of your domain. You are ready to instantiate an authorized Admin SDK Directory service object on behalf of your Google Apps domain's users.
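Because every scope in the list above is granted domain-wide to the service account, it is worth reviewing the list before pasting it. The following is an added example, not part of the guide or of Fusion UDM: it reports entries that do not use the `/auth/` form of the other entries, `.readonly` scopes whose broader counterpart is also listed, and scopes outside `admin.directory`. It assumes a broader scope covers what its `.readonly` variant grants.

```python
import re

# Scope list copied from the guide's "API scopes" step.
PAGE_SCOPES = """
https://www.googleapis.com/admin/directory/v1,
https://www.googleapis.com/admin/directory/v1/users,
https://www.googleapis.com/androidenterprise/v1/enterprises,
https://www.googleapis.com/auth/admin.directory.customer,
https://www.googleapis.com/auth/admin.directory.device.mobile,
https://www.googleapis.com/auth/admin.directory.device.mobile.action,
https://www.googleapis.com/auth/admin.directory.domain,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.group.member,
https://www.googleapis.com/auth/admin.directory.group.member.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.notifications,
https://www.googleapis.com/auth/admin.directory.orgunit,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.resource.calendar,
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.alias,
https://www.googleapis.com/auth/admin.directory.user.alias.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/admin.directory.userschema,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/apps.licensing,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/contacts,
https://www.googleapis.com/auth/contacts.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/plus.login,
https://www.googleapis.com/auth/plus.me,
https://www.googleapis.com/auth/plus.profiles.read,
https://www.googleapis.com/auth/userinfo.profile
"""

AUTH_PREFIX = "https://www.googleapis.com/auth/"
DIRECTORY_PREFIX = AUTH_PREFIX + "admin.directory."
READONLY = ".readonly"


def parse_scopes(text):
    """Split a comma/whitespace separated list, dropping blanks and duplicates."""
    seen, scopes = set(), []
    for item in re.split(r"[,\s]+", text):
        if item and item not in seen:
            seen.add(item)
            scopes.append(item)
    return scopes


def audit_scopes(scopes):
    """Group scopes into review buckets; a scope can land in more than one."""
    present = set(scopes)
    report = {
        "not_auth_form": [],       # entries that are not .../auth/<scope>
        "redundant_readonly": [],  # X.readonly listed together with X
        "no_readonly_suffix": [],  # /auth/ scopes not limited by a .readonly suffix
        "outside_directory": [],   # /auth/ scopes beyond admin.directory.*
    }
    for scope in scopes:
        if not scope.startswith(AUTH_PREFIX):
            report["not_auth_form"].append(scope)
            continue
        if scope.endswith(READONLY):
            if scope[: -len(READONLY)] in present:
                report["redundant_readonly"].append(scope)
        else:
            report["no_readonly_suffix"].append(scope)
        if not scope.startswith(DIRECTORY_PREFIX):
            report["outside_directory"].append(scope)
    return report


if __name__ == "__main__":
    for bucket, entries in audit_scopes(parse_scopes(PAGE_SCOPES)).items():
        print(f"{bucket} ({len(entries)})")
        for entry in entries:
            print("   ", entry)
```
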
Step 5 - Working with Service account & Tokens
5.1 – Service account
A service account's credentials include a generated email address that is unique, a client ID, and at least one public/private key pair.
If your application runs on Google App Engine, a service account is set up automatically when you create your project. If your application doesn't run on Google App Engine or Google Compute Engine, you must obtain these credentials in the Google Developers Console.
1. In order to retrieve the ID of the project, navigate to API manager, then click on Credentials.
2. Under the Service account keys section, click on Manage service accounts.
3. Select the service account name that we have created previously.
4. The value in the Service account ID column against that service account name is our required Service
Account Email.
5. This Service account email will be required further in MDM Configuration process.
5.2 - Generating the token:
Part of binding your third-party provider involves sharing your company’s EMM token with the provider. After you generate a token, you have 30 days to share it. If the token expires, you have to generate a new one.
1. Sign in to the Google Admin console as a super administrator to generate an EMM token or see an unexpired one.
2. Click Security > Android for Work Settings. Copy the token (a string of characters) or click Generate Token to generate a new token.
Important: When a new token is generated, copy the token and save it, as a token once generated cannot be retrieved again.
After successful enrolment with MDM Configuration, the service account email used for configuration is only displayed on Google admin console.
In General Settings section, the checkbox against the Enforce EMM policies on Android devices is unchecked by default. Make sure you have checked the checkbox.
You can't view previously generated token or generate a new token. A new token can only be generated when
the MDM Configuration is unenrolled from the server.
Mobile Device Management Configuration
In general, the EMM console is the mechanism through which an enterprise manages its entire mobile fleet
(platform-agnostic). This will also be the place that a customer’s IT admin goes to manage policies for Android
for Work. Policy files are generated by the EMM console and sent down to the device-side DPC, which will
then enforce the policies within the Managed Profile.
AFW EMM ENROLMENT
It’s the process of binding with domain and getting token from MDM.
Steps for binding with domain i.e. enrollment of domain:
1. Select Configuration Setup -> MDM Configuration.
2. Select AFW EMM Enrollment.
3. Click on Add.
4. Enter Domain name, Service Account Email and Token name.
5. Click on Enroll.
6. The service account gets enrolled.
You can unenroll an existing account by clicking on Delete button next to it.
You can configure an existing account by clicking on Configure button next to it.
The following details are to be entered for configuration:
1. Service Json: A service account represents a Google Cloud service identity. A .json file of enrolled domain is to be uploaded.
2. Client Json: Service account clients are created when domain-wide delegation is enabled on a service
account. A .json file of enrolled domain is to be uploaded.
3. Client secret: OAuth2 uses the client secret mechanism as a means of authorizing a client. It acts as a
secret passphrase that proves to the authentication server that the client app is authorized to make a
request on behalf of the user.
4. API Key: You need an API key to call certain Google APIs. The API key identifies your project.
5. Product ID: The ID of the project that owns the service account.
Steps for configuring the service account:
In this step, we will need the json files & keys which were previously created during the configuration of
Enterprise Service Account.
1. Click the Configuration button.
2. Upload the Service json file.
3. Upload the Client json file.
4. Enter the Client secret key, API key and Product ID.
Settings saved successfully message is displayed.
AFW USER PROVISIONING
User Provisioning
The provisioning system usually takes information about employees from the Human Resource (HR) system.
E.g. if a new employee is entered into the HR system the provisioning system detects that and pulls the
information. This information is processed to determine a set of roles that each user should have. The roles
determine which accounts the user should have and such accounts are created. All of that usually happens in
a matter of seconds. Therefore everything is prepared for the user to work on the very first day. Similar
processes also apply when user is transferred to another department, when his responsibilities change and
when he leaves the company.
It can take data from Customer Relationship Management (CRM) system and create accounts for customers.
As provisioning can also maintain passwords this usually reduces the load of customer support centres.
Provisioning can synchronize user accounts in portal and service provider environments. Provisioning is
especially useful in cloud environments to manage very large number of accounts in many applications -
something that is not feasible to do manually. Identity provisioning is without any doubt a foundation of
Identity and Access Management.
1. Select Domain name from dropdown list.
2. User list with respective selected domain gets listed out.
3. Click on Sync to sync user provisioning data from the selected domain.
4. User is able to add single user to the list by clicking on Add button.
5. Enter First name, Last name, Email ID and Password.
6. Click on Save to save the entered data.
7. To add users from a domain, click on Add Domain Users button.
8. Enter Domain name, Username and Password.
9. Domain users get added to the list.
APPLICATION MANAGEMENT
Applications in Android for Work are managed via Google Play for Work, which provides full Play catalog access to an enterprise. IT admins can explicitly approve applications for use in Managed Profiles, and also have
options for bulk purchasing of paid application licenses via Play for Work.
Once applications have been approved, the admin can use the EMM console to distribute applications in one
of two ways. The first way is to collate the approved applications into subsets (called “collections”) and push
them down to the Managed Play Store Client on target devices.
1. Select Domain from dropdown list
2. Install/ Uninstall software list with package name, License count, Permissions, Status, Actions, Type
get listed out.
Additionally, an Admin has the ability to silently install and uninstall applications into target Managed Profiles
through Google Play. This allows for seamless management of application deployments without requiring any
end-user intervention.
Bulk Purchasing (License)
Aside from permissions acceptance, an admin must also purchase licenses prior to approving a paid
application.
Purchases can be conducted with a credit card or online payment (Google Wallet).
Device Policy Client (DPC)
The Device Policy Client is the EMM’s client-side component. Even though it only resides in the Managed Profile, it is the only managed application to be downloaded from the personal Play Store.
This is because the DPC must be installed on the device prior to the initial setup of the Managed Profile.
Once it is installed, the user can launch the DPC and enter their EMM credentials to begin the Android for Work enrolment process.
Following completion of the setup flow, the DPC will be badged and scoped only to the Managed Profile context by the OS.
If the DPC is removed from the device, the entire Managed Profile will disappear along with it. The
Managed Profile cannot exist unless there is a DPC running inside of it to enforce policy compliance.
Adding an Application
In order to add an application manually into the application list, you need to select the domain first in which
you want to add an application and then click the Add button. The add application form will be displayed.
Simultaneously, you will need to log in to the Google Play for Work page (https://play.google.com/work/ ). Visit
the page of the app you want to add into your company domain. Refer to the browser URL of the app page.
The name mentioned in the ‘id=’ section is the required package name of that particular application.
For example: If you visit the page of the ‘Asana’ app, the browser URL is (https://play.google.com/store/apps/details?id=com.asana.app&hl=en ). In this case, the package name would be com.asana.app
1. On the Add Application form, enter the Application Name.
2. Enter the Package Name which you have copied from Play for Work application page.
3. Select the Type of the app.
4. Click Save to save the entered details.
Application saved successfully message is displayed.
The added application will now be listed in the application table below that particular domain.
USER APPLICATION PROVISION
In User Application Provisioning, we can assign applications to various users which were previously approved
by the company.
1. Select the Domain name.
2. Select the users to which applications are to be assigned.
3. The list of company approved applications of the respective selected domain will be displayed in the
list below.
4. Select the applications to be assigned for the selected user.
5. On click of Save, summary details popup is displayed showing that the product set is assigned to the
users.
STORE LAYOUT MANAGEMENT
Google Play for Work lets you design and create a store layout unique to your users’ needs. After you give your users access to apps, you can group the apps into clusters to be displayed on pages in the Google Play for Work storefront.
The Google Play EMM API Reference has information on the resources and associated methods you use to design a store layout.
Localized names for pages and clusters
Google Play for Work store layout supports localized names for store pages and store clusters. When you create a page or cluster you provide a list of supported locales, as IETF language tags, and associated localized names. If a user’s locale is not on the supported list, the system will choose a close match if one is available.
As an EMM, you can create a unique customized store layout for each of your customers. A typical layout consists of a set of pages to display to users in the Google Play for Work storefront. Each page you create contains one or more clusters, and each cluster contains a set of apps. Because you select which apps are in a cluster, you can use the clusters to group related apps together.
For example, you could create a page just for work apps that contains a Document cluster and a Planning cluster. The Document cluster might contain apps such as Google Docs, Google Sheets, and Google Slides, and the Planning cluster could contain work tracking, calendar, and meeting planner apps.
Unbind/Unenrolment of the domain
In order to enroll the domain again, first you need to unbind/unenroll the domain which was previously enrolled.
To unbind a domain, go to AFW EMM Enrolment -> click the Unbind button next to the account name you
want to unbind.
Once your domain is successfully unenrolled from the server, the token which was previously used for
enrollment is expired. You will now be able to generate a new token from Google admin console page.
Refer to Step 5.2 in the Configuring Enterprise Service Account (ESA) section for how to generate a new token.
Important: It is highly recommended to save the token details before uninstalling the Fusion UDM server.
Upgrading Fusion UDM Server and Agent
Fusion UDM server software
When new Fusion UDM server software updates are available to download, upgrading the existing version to
the latest is straightforward to do.
Copy the Installer onto the hard drive of the server where you have installed the currently used
Fusion UDM server.
1. Double click on the setup file. The familiar start-up wizard will appear.
2. Select the “Next” button to proceed. The installer should detect a previously installed version of Fusion UDM and display a message similar to the one below.
3. Select “Yes” to begin the upgrade process
4. During the upgrade process the installer will display the progress. Click the “Finish” button to finish
and close the installer.
Upgrading the Fusion Agent software
By default, when the Fusion UDM server is updated, Fusion UDM will automatically update any endpoint devices which have already been registered to the latest version.
If you wish to manually control a scheduled time for agent updates, or change the number of connections that are updated at one time, please refer to the administration guide for more information.
SSL Certificate Creation and Installation
In this section we show how to create and install a self-signed SSL certificate using the OpenSSL tool.
Create self-signed SSL certificate using OpenSSL
Method 1:
1. Access the following link and download the OpenSSL package:
http://ibox.vxl.net/main.html?download&weblink=382c47bedc3d7f578f9418d47b2987f7&realfilename=OpenSSL.zip
2. After extracting the zip file, the folder will contain the following files:
CreateCertificate.bat
OpenSSL.exe
ReadME.txt
3. Install the OpenSSL.exe application.
4. Copy the CreateCertificate.bat file into the directory C:\OpenSSL-Win32\bin\
5. Run the batch file CreateCertificate.bat.
6. Enter the required details.
The Common Name - Enter the current hostname of the Fusion UDM server you have just installed. This is a mandatory requirement.
Other details are optional; you can leave these entries blank and proceed.
7. After you have completed the above steps, the following files will be generated in the "C:\OpenSSL-Win32\bin\" directory:
fusion.ca.cert.pfx
fusion.ca.cert
fusion.ca.key
Method 2:
8. Download and install the latest version of the precompiled Win32 binaries of OpenSSL for Windows from the following link: https://www.openssl.org/related/binaries.html
9. Open a Command Prompt and go to the c:\openssl-win32\bin path.
10. Type the following command and input the desired information to generate a certificate request:
openssl.exe req -passout pass:abcdefg -new > fudm.csr
11. Enter the two-letter country code using the acceptable short form. These can be found at the following location: https://www.ssl.com/csrs/country_codes
12. Enter CN Name: IP address of the IIS server.
13. Type the following command to create the key:
openssl.exe rsa -passin pass:abcdefg -in privkey.pem -out fudm.ca.key
14. Type the following command to generate the certificate file for the agent:
openssl.exe x509 -in fudm.csr -out fudm.cert -req -signkey fudm.ca.key -days 365
This will generate the certificate to be used for the Agent/Endpoint: fudm.cert
15. Upload the certificate to the Fusion UDM server repository using the repository module on the Fusion UDM server. It will be used for automatic transfer to the agent during the discovery and enrolment process.
16. Generate the .pfx certificate for use with IIS using the following command:
openssl pkcs12 -passout pass:fusion -export -cacerts -in fudm.cert -out fudm.pfx -inkey fudm.ca.key
17. Import the generated .pfx certificate into the certificate store of server certificates. Use the password specified in the above command (pass:fusion).
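The Method 2 commands above, as an added example that is not part of the original guide: the same req / rsa / x509 / pkcs12 sequence with the pass phrases read from environment variables (OpenSSL's env: pass phrase source) instead of literal pass: values on the command line, followed by checks on the generated files. The POSIX shell, the 2048-bit key size, the variable names FUDM_KEY_PASS and FUDM_PFX_PASS, the function names and the sample hostname are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide). Assumptions: POSIX shell with openssl on
# PATH, a 2048-bit RSA key, and pass phrases supplied in the hypothetical
# environment variables FUDM_KEY_PASS and FUDM_PFX_PASS.

# make_fudm_cert DIR CN: steps 10-16 of Method 2, run non-interactively.
make_fudm_cert() (
    umask 077                      # new key files readable by the owner only
    cd "$1" || exit 1
    # Steps 10-12: key pair and CSR; -subj supplies the Common Name.
    openssl req -new -newkey rsa:2048 -subj "/CN=$2" \
        -keyout privkey.pem -passout env:FUDM_KEY_PASS -out fudm.csr &&
    # Step 13: write the key as fudm.ca.key (unencrypted, as in the guide).
    openssl rsa -passin env:FUDM_KEY_PASS -in privkey.pem -out fudm.ca.key &&
    # Step 14: self-signed certificate for the agent, valid 365 days.
    openssl x509 -req -in fudm.csr -signkey fudm.ca.key -days 365 -out fudm.cert &&
    # Step 16: PKCS#12 bundle for IIS.
    openssl pkcs12 -export -in fudm.cert -inkey fudm.ca.key \
        -passout env:FUDM_PFX_PASS -out fudm.pfx
)

# check_fudm_cert DIR CN: prints "ok", or the first failed check (status 1).
check_fudm_cert() (
    cd "$1" || exit 1
    cn=$(openssl x509 -in fudm.cert -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ] || { echo "CN '$cn' does not match '$2'"; exit 1; }
    openssl x509 -in fudm.cert -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; exit 1; }
    # The certificate's public key must be the one derived from fudm.ca.key.
    [ "$(openssl x509 -in fudm.cert -noout -pubkey)" = \
      "$(openssl pkey -in fudm.ca.key -pubout)" ] ||
        { echo "fudm.ca.key does not match fudm.cert"; exit 1; }
    openssl pkcs12 -in fudm.pfx -passin env:FUDM_PFX_PASS -noout 2>/dev/null ||
        { echo "fudm.pfx: wrong password or damaged file"; exit 1; }
    echo ok
)

# Demo run with a constructed hostname; only runs when both pass phrases are set.
if [ -n "${FUDM_KEY_PASS:-}" ] && [ -n "${FUDM_PFX_PASS:-}" ]; then
    out=$(mktemp -d) && make_fudm_cert "$out" fusion-udm01.example.test &&
        check_fudm_cert "$out" fusion-udm01.example.test
fi
```

Running check_fudm_cert before steps 15 and 17 catches a wrong Common Name or a mismatched key before the files are uploaded to the repository or imported into IIS.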
Procedure to install SSL certificate
1. Run -> inetmgr on the Fusion UDM server to open IIS (Start -> Administrative Tools -> IIS Manager).
2. Select Server Certificates, then select Import Certificate, enter the path of the certificate file and the password, then press OK.
3. After successful import you can see the newly added certificate i.e.: fusion
4. Go to Sites > Site name (FDM Site) > Select Bindings > Add > Select type: https, port: 443
5. Go to SSL Certificate: Select added certificate and click ok.
6. Restart the Webserver.
7. After successful completion, the binding will be active and you can access the site using HTTPS.
8. After completion of the installation and certificate binding process, if the default launch option is enabled, the installer will launch the server application web console with an https request.
The login page for Fusion UDM software will be displayed.
Network Load Balancing Windows 2012/R2
In this section we describe how to apply network load balancing in a Windows 2012/R2 environment.
1. Open Server manager.
2. Select Add Roles and Features, then select Next.
3. Select Role-based or feature-based installation and click Next.
4. Select server from server pool and click next.
5. Add the IIS role and the NLB feature from the list, then click Next.
6. Select the service for IIS role which you want to install
7. Check that IIS is running properly.
8. Find NLB in Administrative Tools or Control Panel if the icon is not on the dashboard, and open it.
9. NLB Manager will open as shown below
10. Right-click on the NLB and select New Cluster.
11. Add the host IP
12. Set Host Priority
13. Select to add the Cluster IP Addresses
14. Setting Cluster IP and Subnet mask
15. Set Full internet name of NLB cluster and set it to multicast mode
16. Host Added successfully in the cluster
17. Do the same process to install NLB feature for another Host
18. Add host in same cluster according to the steps given below.
19. Connect to existing cluster
20. Add new host in existing cluster
21. Set host priority
22. Both hosts are now added to the same NLB cluster; the green color indicates good cluster health.
Disclaimer
Installation Guide
Published on 15th July 2015
Last Updated on 20th September 2016
Document Version 7.0
Documentation Disclaimer
Screenshots and graphics in this manual may differ slightly from your product due to differences in your
product release version or your computer operating system. Reasonable efforts were made to ensure that
the information in this document was complete and accurate. VXL Instruments Ltd. assumes no liability
for any errors. Changes and corrections to the information in this document may be incorporated in future
releases.
Copyright
© 2004-2015 VXL Instruments Limited.
Information in this document is subject to change without prior notice and does not represent a
commitment on the part of the manufacturer. No part of this guide may be reproduced or transmitted in
any form or means, electronic or mechanical, including photocopying and recording, for any purpose,
without the express written permission of the manufacturer. Registered trademarks are properties of
their respective owners. Every effort has been made to make this guide as complete and as accurate as
possible, but no warranty of fitness is implied. The authors and the publisher shall have neither
responsibility nor liability to any person or entity with respect to loss or damages arising from the use of
information contained in this guide.
Trademarks
The VXL Logo, Fusion UDM, Fusion UDM Logo, VXL Software logo are all trademarks and registered
trademarks of VXL Instruments Ltd. All other logos and names are the trademarks and registered
trademarks of the respective owners.
VXL Support
To access our support systems please navigate to http://vxlsupport.me and log a ticket.
VXL Instruments Ltd.
House of Excellence,
No. 17, Electronics City,
Hosur Road,
Bangalore – 560 100, INDIA www.vxlsoftware.com