Editing Enterprise - Tried and tested provisioning strategies
Latest revision | Your text | ||
Line 3: | Line 3: | ||
In the pictures, thick red dashed lines represent ''logical'' connections between actors. If a line has an arrow, it represents direction of the initiation of the communication (which is the direction of the required firewall rule). | In the pictures, thick red dashed lines represent ''logical'' connections between actors. If a line has an arrow, it represents direction of the initiation of the communication (which is the direction of the required firewall rule). | ||
- | + | = Strategy 1: Simple and direct = | |
This is the most simple strategy and the most straightforward to implement. In this strategy, direct enrollment is used. Also, since the whole process takes place at the same server, the line between the enrollment and the bootstrapping phases are blurred. | This is the most simple strategy and the most straightforward to implement. In this strategy, direct enrollment is used. Also, since the whole process takes place at the same server, the line between the enrollment and the bootstrapping phases are blurred. | ||
- | [[Image:Combined_Enrollment_Installation_server_at_lobby_network.png | + | [[Image:Combined_Enrollment_Installation_server_at_lobby_network.png|900px]] |
- | + | <div style="margin-left:200px;">Figure 1: Combined Enrollment/Installation server at lobby network</div> | |
- | + | ||
+ | == The process == | ||
# Since repositories at the public Internet are usually not accessible, to avoid Application Manager halting problem, the user needs to disable all repositories on the device. Alternatively, the user may authenticate him/herself to pass through the Access Gateway. | # Since repositories at the public Internet are usually not accessible, to avoid Application Manager halting problem, the user needs to disable all repositories on the device. Alternatively, the user may authenticate him/herself to pass through the Access Gateway. | ||
# The user connects directly, using the device keyboard and display, to a URL on the Enrollment/Installation server. | # The user connects directly, using the device keyboard and display, to a URL on the Enrollment/Installation server. | ||
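Review bot: the figure caption added on the right side of this hunk (`<div style="margin-left:200px;">Figure 1: Combined Enrollment/Installation server at lobby network</div>`) hard-codes a pixel offset to line up under the 900px image, so it drifts if the image size is changed later; MediaWiki's own caption syntax (`[[Image:Combined_Enrollment_Installation_server_at_lobby_network.png|thumb|900px|Figure 1: ...]]`) keeps the caption attached to the image. The new "= Strategy 1 =" and "== The process ==" headings are fine; step 1 gives two alternatives (disable repositories, or authenticate at the Access Gateway) without saying which is preferred, and a short sentence recommending one would help the reader who later meets the "authenticate twice" remark in Pros and cons.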
Line 16: | Line 16: | ||
# The Enrollment/Installation server generates the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> and bootstraps the installation. | # The Enrollment/Installation server generates the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> and bootstraps the installation. | ||
- | + | == Components == | |
* Web application (CGI script) running at the Enrollment/Installation server. An example (skeleton) CGI script will be provided soon in gagare.maemo.org that corresponds to the examples given for the [[Enterprise_Device_Configuration|device side configuration]]. | * Web application (CGI script) running at the Enrollment/Installation server. An example (skeleton) CGI script will be provided soon in gagare.maemo.org that corresponds to the examples given for the [[Enterprise_Device_Configuration|device side configuration]]. | ||
- | + | == Firewall rules == | |
- | {| | + | {| border="1" |
- | + | ||
- | + | ||
! Source !! Target !! Protocol !! Direction !! Notes | ! Source !! Target !! Protocol !! Direction !! Notes | ||
|- | |- | ||
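Review bot: the Components bullet still reads "An example (skeleton) CGI script will be provided soon in gagare.maemo.org"; an undated promise with no link goes stale, so either link the script where it lives or drop the sentence. The `border="1"` added to the table start is consistent with the Strategy 2 table; the two removed blank rows were empty and nothing is lost.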
Line 32: | Line 30: | ||
|- | |- | ||
| Admin server || Installation server || HTTPS (443)||Outbound || Optional | | Admin server || Installation server || HTTPS (443)||Outbound || Optional | ||
+ | |||
|} | |} | ||
- | + | == Security considerations == | |
* The Enterprise User Database must be accessible. This needs a hole on its inbound firewall. This is a concern in case the Enrollment Server is compromized. | * The Enterprise User Database must be accessible. This needs a hole on its inbound firewall. This is a concern in case the Enrollment Server is compromized. | ||
* The user password travels (in encrypted form) in an insecure network outside the corporate firewalls. | * The user password travels (in encrypted form) in an insecure network outside the corporate firewalls. | ||
- | + | == Pros and cons == | |
* + Simple and straightforward to implement. | * + Simple and straightforward to implement. | ||
* - Potentially tedious to the user, at worst case they have to authenticate themselves '''twice''' using the device keyboad (first for Access Gateway, then for Enrollment Server). | * - Potentially tedious to the user, at worst case they have to authenticate themselves '''twice''' using the device keyboad (first for Access Gateway, then for Enrollment Server). | ||
- | + | = Strategy 2: SMS based = | |
- | Although the device does not currently support OTA configuration messages, there is a way to utilize SMS messages in provisioning. The idea is to deliver the configuration data from Enrollment Server to Installation Server behind the scenes, and simultaneously deliver to the device via SMS a one-time time-limited URL which enables access to the configuration data. | + | Although the device does not currently support OTA configuration messages, there is a way to utilize SMS messages in provisioning. |
+ | The idea is to deliver the configuration data from Enrollment Server to Installation Server behind the scenes, and simultaneously deliver to the device via SMS a one-time time-limited URL which enables access to the configuration data. | ||
This strategy is more complicated to implement but easier to use. It uses indirect enrollment. | This strategy is more complicated to implement but easier to use. It uses indirect enrollment. | ||
- | [[Image:Separate_Enrollment_and_Installation_servers.png | + | [[Image:Separate_Enrollment_and_Installation_servers.png|900px]] |
+ | <div style="margin-left:200px;">Figure 2: Separate Enrollment and Installation servers</div> | ||
- | + | == The process == | |
# Since repositories at the public Internet are usually not accessible, to avoid Application Manager halting problem, the user needs to disable all repositories from the device. Alternatively, the user may authenticate him/herself to pass through the Access Gateway. | # Since repositories at the public Internet are usually not accessible, to avoid Application Manager halting problem, the user needs to disable all repositories from the device. Alternatively, the user may authenticate him/herself to pass through the Access Gateway. | ||
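Review bot: the Security considerations bullet "The Enterprise User Database must be accessible. This needs a hole on its inbound firewall." should say how narrow that hole is; restricting the rule to the Enrollment/Installation server's address and to the one directory protocol it needs is what limits the damage if that server is compromised, which is exactly the concern the bullet raises. The next bullet, "The user password travels (in encrypted form) in an insecure network", should name the encryption, i.e. the HTTPS session listed in the firewall table, so the reader understands that the protection rests on the device checking the server certificate. Spelling: "compromized" and "keyboad". The split of the Strategy 2 intro into two sentences on the right side is fine.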
Line 59: | Line 60: | ||
# Enrollment Server generates a random pin code. | # Enrollment Server generates a random pin code. | ||
# Enrollment Server generates the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> and transfers it, along with the pin code, to Installation Server. | # Enrollment Server generates the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> and transfers it, along with the pin code, to Installation Server. | ||
- | # Enrollment Server generates a URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code | + | # Enrollment Server generates a URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code>https://server.example.com/indirect.cgi?pincode=aa913a5b-6558-44a5-a501-bbf5c81078d3</code>. |
# Enrollment Server generates an SMS message which contains the URL and sends it to the device using SMS gateway. | # Enrollment Server generates an SMS message which contains the URL and sends it to the device using SMS gateway. | ||
# When the user opens the SMS message at the device, Conversations application displays the URL as a clickable link. When the user clicks the link, the Web Browser application is invoked and the URL is opened. | # When the user opens the SMS message at the device, Conversations application displays the URL as a clickable link. When the user clicks the link, the Web Browser application is invoked and the URL is opened. | ||
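Review bot: the example URL completed on the right side (`https://server.example.com/indirect.cgi?pincode=aa913a5b-6558-44a5-a501-bbf5c81078d3`) carries the pin code as a query parameter, so it will appear in the Installation server access log, in any intermediate proxy log and in the device browser history; the doc should state that the pin is single-use and time-limited (as the intro's "one-time time-limited URL" says) and that the web server log format should omit the query string. The example value has UUID shape; add a sentence that "generates a random pin code" means a cryptographically secure random source, because the UUID format alone (for example a time-based variant) gives no guarantee of unpredictability.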
Line 69: | Line 70: | ||
To clean up, Installation server runs a cron job at every few minutes, removing all generated temporary files which are older than predefined time limit | To clean up, Installation server runs a cron job at every few minutes, removing all generated temporary files which are older than predefined time limit | ||
- | + | == Components == | |
* Web application (CGI script) running at Enrollment Server | * Web application (CGI script) running at Enrollment Server | ||
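Review bot: the cleanup sentence "removing all generated temporary files which are older than predefined time limit" has no closing period and leaves the limit unnamed; tie it to the same limit the CGI script enforces (the Strategy 3 step gives "e.g., 5 minutes") so a stored EUF cannot outlive its pin. It should also say whether a successfully fetched EUF is deleted immediately rather than waiting for the next cron run, since "one-time" in the intro implies that.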
Line 75: | Line 76: | ||
* SMS gateway | * SMS gateway | ||
- | + | == Firewall rules == | |
- | {| | + | {| border="1" |
- | + | ||
|- | |- | ||
- | + | | <b>Source</b> || <b>Target</b> || <b>Protocol</b> || <b>Direction</b> || <b>Notes</b> | |
|- | |- | ||
|Admin server || Installation server || SSH (22)||Outbound || | |Admin server || Installation server || SSH (22)||Outbound || | ||
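Review bot: the header row added here uses data cells with bold markup (`| <b>Source</b> || <b>Target</b> || ...`) while the Strategy 1 table uses real header cells (`! Source !! Target !! Protocol !! Direction !! Notes`); use the `!` form in both tables so they render and read consistently.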
Line 87: | Line 87: | ||
|- | |- | ||
|Admin server || Installation server || HTTPS (443)||Outbound ||Optional | |Admin server || Installation server || HTTPS (443)||Outbound ||Optional | ||
+ | |||
+ | |||
|} | |} | ||
- | + | == Security considerations == | |
- | * | + | * Pin code can and should be fairly long, longer than a typical username and password together. |
* No need for inbound firewall holes. | * No need for inbound firewall holes. | ||
* User password does not travel outside corporate intranet. | * User password does not travel outside corporate intranet. | ||
- | + | == Pros and cons == | |
* + The obvious advantage of indirect enrollment combined with SMS-URL based bootstrapping is the minimization of user interaction performed from the device keyboard and display. Writing the provisioning URL, username and password from the device keyboard are all avoided. Most of the user interaction can be performed using full size keyboard and display, only couple of touchscreen clicks is left to be to done at the device. | * + The obvious advantage of indirect enrollment combined with SMS-URL based bootstrapping is the minimization of user interaction performed from the device keyboard and display. Writing the provisioning URL, username and password from the device keyboard are all avoided. Most of the user interaction can be performed using full size keyboard and display, only couple of touchscreen clicks is left to be to done at the device. | ||
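Review bot: "Pin code can and should be fairly long, longer than a typical username and password together" should be made concrete: state a minimum size (the UUID-sized value in the example URL is a reasonable floor), that it comes from a cryptographically secure generator, and that it is single-use and expires, because the SMS that carries it is not confidential in transit. The two empty rows (`+ | |||`) appended to the firewall table render as blank rows and can be dropped. "No need for inbound firewall holes" agrees with the table, which lists only outbound rules.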
Line 101: | Line 103: | ||
* - Requires more servers (not necessarily if Admin server can host as Enrollment server as well) | * - Requires more servers (not necessarily if Admin server can host as Enrollment server as well) | ||
- | + | = Strategy 3: Offline installation = | |
This strategy is probably used as a complement to previous strategies. The server topology may be similar to either of the descried ones. | This strategy is probably used as a complement to previous strategies. The server topology may be similar to either of the descried ones. | ||
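Review bot: wording in this hunk: "descried" should be "described", and "not necessarily if Admin server can host as Enrollment server as well" reads better as "not necessarily, if the Admin server can also act as the Enrollment server".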
Line 107: | Line 109: | ||
The most important use case for this strategy is to enable provisioning for users located at remote sites and unable to access corporate WLAN. | The most important use case for this strategy is to enable provisioning for users located at remote sites and unable to access corporate WLAN. | ||
- | + | == The process == | |
# To avoid Application Manager halting problem, user needs to disable all repositories from the device. Or alternatively, connect to a 3G network. | # To avoid Application Manager halting problem, user needs to disable all repositories from the device. Or alternatively, connect to a 3G network. | ||
Line 114: | Line 116: | ||
# Enrollment Server generates a random pin code. | # Enrollment Server generates a random pin code. | ||
# Enrollment Server generates <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span>, transfers it and the pin code to Installation server. | # Enrollment Server generates <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span>, transfers it and the pin code to Installation server. | ||
- | # Enrollment Server generates an URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code | + | # Enrollment Server generates an URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code>https://server.example.com/offline.cgi?pincode=a913a5bXTgd</code>. |
# Enrollment Server redirects the web browser to that URL, or presents a clickable link. | # Enrollment Server redirects the web browser to that URL, or presents a clickable link. | ||
# When the CGI script at the Installation Server is called, it checks if there is an <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> matching the pincode. If yes, the script checks the age of the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span>. If the file is older than a predefined time limit (e.g., 5 minutes), an error message is generated and processing stops. | # When the CGI script at the Installation Server is called, it checks if there is an <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> matching the pincode. If yes, the script checks the age of the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span>. If the file is older than a predefined time limit (e.g., 5 minutes), an error message is generated and processing stops. | ||
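Review bot: the example pin in `https://server.example.com/offline.cgi?pincode=a913a5bXTgd` is 11 characters, far shorter than the UUID-length example in Strategy 2 and at odds with that strategy's note that the pin should be fairly long; align the example so readers do not copy the short form. The age check step ("If the file is older than a predefined time limit (e.g., 5 minutes), an error message is generated") should add that the EUF is removed once it has been served, otherwise the same URL can be fetched again within the 5 minutes. Also "an URL" should be "a URL".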
Line 131: | Line 133: | ||
# User taps the install file to invoke the Application Manager, which installs the User Info package and all the packages in the dependency chain. | # User taps the install file to invoke the Application Manager, which installs the User Info package and all the packages in the dependency chain. | ||
- | + | == Components == | |
* Web application (CGI script) running at Enrollment server | * Web application (CGI script) running at Enrollment server | ||
* Web application (CGI script) running at Installation server | * Web application (CGI script) running at Installation server | ||
- | + | == Firewall rules == | |
Same as in previous two strategies, depending on which server topology is used | Same as in previous two strategies, depending on which server topology is used | ||
- | + | == Security considerations == | |
* None | * None | ||
- | + | == Pros and cons == | |
* + Enables provisioning at remote locations | * + Enables provisioning at remote locations | ||
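Review bot: "Security considerations: * None" is hard to justify: this strategy reuses the pin-code URL of Strategy 2 (the offline.cgi step above), so the same pin-code points apply, and the generated install file is stored and carried outside the servers until the user taps it, which the Pros and cons already hint at with "storage space consuming". List at least those two points instead of "None".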
Line 151: | Line 153: | ||
* - Presumably slow and storage space consuming | * - Presumably slow and storage space consuming | ||
- | + | = Summary = | |
- | + | ||
- | + | ||
- | [[ | + | Here we looked at the tried out solutions for provisioning but some readers might be interested to read our [[Enterprise_Provisioning_-_Strategy_Variations|alternative solution considerations]] or about [[Enterprise_Provisioning_-_Future_Prospects|future prospects for provisioning]]. If on the other hand these solutions suited already your needs you can move onward to [[Enterprise_Provisioning_Summary|provisioning summary]]. |
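Review bot: wording in the new Summary paragraph: "the tried out solutions" should match the page title ("tried and tested solutions"), and "If on the other hand these solutions suited already your needs" reads better as "If these solutions already suit your needs".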