WSO2Con USA 2017: Managing Verifone’s New Payment Device “Carbon” with WSO2’s EMM

Managing Verifone’s New Payment Device “Carbon” with WSO2’s EMM

Ulrich Herberg, Ph.D. 2/22/2017

Upload: wso2-inc

Post on 12-Apr-2017



2

What is Carbon?

3

What is Carbon?

• New “flagship” payment terminal by Verifone

• Android-based tablet, merchant facing

• 3rd-party app development SDK and app market (with payment APIs)

• PCI-DSS certified payment terminal, customer facing

• Management of all devices (aka “estate”) on Estate Manager portal

• Management of merchants’ devices on Merchant portal

• Remote support by Verifone on Estate Owner Support portal

4

Carbon Use Cases

• With Commerce Platform, merchants can:

- reward their best customers with loyalty and points programs,
- display promotional media and coupons,
- leverage beacons for store analytics, and
- invite customers to redeem personalized offers in real time.

5

Problem: How to Monitor and Manage Carbon Devices?

6

Problem: How to Monitor and Manage Carbon Devices?

7

Why Open Source MDM Solution?

• Commercial solutions for MDM exist, but:

- Incur large costs, often paid based on number of devices
- Inflexible for customizations of the MDM solution
- Potentially more difficult to integrate in existing terminal management infrastructure
- Impossible to get source code to create own modifications of the MDM agent or server

• Thus, we decided to work with WSO2 to advance their existing tool “EMM” to fit our requirements

8

WSO2 Enterprise Mobility Management (EMM) [1]

• Open-source platform for managing Android, iOS and Windows devices

• Based on an “agent” installed on the device and a server that can be deployed on-premise or in the cloud

• Provides UI, as well as API-based control

• Integrates with other WSO2 products, in particular for authorization (SSO, OAuth, …), as well as LDAP

[1] http://wso2.com/products/enterprise-mobility-manager/

9

Self-Enrollment of Devices

• Using mutual TLS (EMM also supports OAuth)

Components: Tablet, Certificate Service, MDM Server

1. Tablet sends a certificate request (to the Certificate Service)
2. Tablet receives its certificate
3. Tablet enrolls with the MDM Server over mutual TLS
4. Enrollment completed
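The four steps above, worked through as an added example that is not code from the deck or from WSO2 EMM: a constructed device CA plays the Certificate Service, an in-process HTTPS server plays the MDM Server and requires a client certificate chained to that CA, and the tablet enrolls with the certificate it was issued. The device identity (here the CommonName "device-A", a constructed value) is read from the verified chain, never from the request body, and a second attempt without any certificate shows that the handshake itself is refused. Function names, the /enroll path and the CA name are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert plays the slide's "Certificate Service" (constructed for this example):
// step 1 is the request, step 2 the returned certificate signed by the device CA.
// With parent == nil it mints the self-signed device CA itself.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: may sign certificates, no EKU restriction
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newMDMServer is the slide's "MDM Server": /enroll is reachable only over mutual TLS
// (step 3) and the device identity is read from the verified chain, never from the
// request body. A real server would persist that identity; this one echoes it back.
func newMDMServer(deviceCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(deviceCA)
	mux := http.NewServeMux()
	mux.HandleFunc("/enroll", func(w http.ResponseWriter, r *http.Request) {
		// Defence in depth: the handshake already enforces this, but the guard keeps
		// the index below safe if ClientAuth is ever relaxed.
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "enrolled %s", r.TLS.VerifiedChains[0][0].Subject.CommonName) // step 4
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert, // no valid device certificate, no handshake
		ClientCAs:  pool,                          // only certificates issued by the device CA
	}
	srv.StartTLS() // httptest supplies the server's own certificate
	return srv
}

// enroll is the tablet's side of step 3; clientCert == nil models a device that
// skipped steps 1-2 and has nothing to present.
func enroll(srv *httptest.Server, clientCert *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL + "/enroll")
	if err != nil {
		return "", err // handshake refused: the server never saw an HTTP request
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("enrollment refused (%d): %s", resp.StatusCode, body)
	}
	return string(body), nil
}

// Demo wires the three boxes together and returns the server's reply for tablet "A"
// plus whether an attempt without any certificate was turned away.
func Demo() (reply string, rejectedWithoutCert bool, err error) {
	caCert, caKey, err := issueCert("Carbon device CA (constructed)", nil, nil)
	if err != nil {
		return "", false, err
	}
	devCert, devKey, err := issueCert("device-A", caCert, caKey)
	if err != nil {
		return "", false, err
	}
	srv := newMDMServer(caCert)
	defer srv.Close()
	devTLS := &tls.Certificate{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey}
	if reply, err = enroll(srv, devTLS); err != nil {
		return "", false, err
	}
	_, errNoCert := enroll(srv, nil)
	return reply, errNoCert != nil, nil
}

func main() { fmt.Println(Demo()) }
```

Each enrollment attempt builds its own transport on purpose: reusing one keep-alive connection that was authenticated with the device certificate would let a later certificate-less request ride on it, which is exactly the kind of mistake a test like the second call is meant to catch.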

10

Integration Into Our Environment

Components: Tablet, TMS, MDM Server, Terminal

1. Trigger command to Android tablet “A”
2. Tablet polls for new commands
3. Tablet receives the command
4. Return success
5. Return success

11

“EMM as a Blackbox”: API-based MDM

• We needed more APIs than EMM provided out of the box

• I worked with WSO2 to accomplish that

• RESTful APIs documented on Swagger

12

How Do We Use EMM?

• Get device information (including geo location)

• OTA upgrade

• APK installation/update/removal

• Lock device

• Reboot

• Factory reset

• Send logcat

• Send notification

13

Scaling MDM

• Tablet
• ELB
• EMM worker 1, EMM worker 2, EMM worker 3 (auto-scaling group)
• S3 storage, RDS

14

Scaling MDM

• Tablet
• ext. ELB
• nginx, nginx (Nginx used for TLS termination)
• int. ELB
• EMM worker 1, EMM worker 2, EMM worker 3 (auto-scaling group)
• S3 storage, RDS
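Terminating TLS at nginx changes where the mutual-TLS check from the enrollment slide happens: once nginx decrypts the connection, the EMM workers behind the internal ELB never see the device certificate. The fragment below is an added example, not configuration from the deck or from WSO2, showing a weak termination block beside a corrected one in which nginx verifies the device certificate against the device CA and forwards the verified identity to the workers. File paths, the upstream name and the header names are placeholders.

```nginx
# Weak: TLS is terminated, but no client certificate is requested, so the
# mutual-TLS enrollment check no longer happens anywhere on the path.
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/mdm.example.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/mdm.example.key;    # placeholder
    location / {
        proxy_pass http://internal-elb.example.internal;   # placeholder: int. ELB
    }
}

# Corrected: nginx verifies the device certificate against the device CA,
# refuses everything else, and passes only nginx-derived identity headers on.
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate        /etc/nginx/tls/mdm.example.crt;   # placeholder
    ssl_certificate_key    /etc/nginx/tls/mdm.example.key;   # placeholder
    ssl_client_certificate /etc/nginx/tls/device-ca.pem;     # placeholder: CA that issued device certs
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_pass http://internal-elb.example.internal;     # placeholder: int. ELB
        # proxy_set_header overwrites any same-named header sent by the device,
        # so a tablet cannot supply its own identity.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;
    }
}
```

The forwarded headers are only trustworthy if the workers can be reached solely through nginx, so the internal ELB and worker security groups should admit traffic from the nginx instances alone; any other path to port 80 on a worker would let a caller set those headers directly.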