Editing Enterprise - Tried and tested provisioning strategies

Warning: You are not logged in. Your IP address will be recorded in this page's edit history.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Learn more about Contributing to the wiki.

Each of the provisioning strategies in this chapter are either in daily use or at least built and tested as proof-of concept.

In the pictures, thick red dashed lines represent ''logical'' connections between actors. If a line has an arrow, it represents direction of the initiation of the communication (which is the direction of the required firewall rule).

= Strategy 1: Simple and direct =

This is the most simple strategy and the most straightforward to implement. In this strategy, direct enrollment is used. Also, since the whole process takes place at the same server, the line between the enrollment and the bootstrapping phases are blurred.

[[Image:Combined_Enrollment_Installation_server_at_lobby_network.png|900px]]
<div style="margin-left:200px;">Figure 1: Combined Enrollment/Installation server at lobby network</div>

== The process ==
# Since repositories at the public Internet are usually not accessible, to avoid Application Manager halting problem, the user needs to disable all repositories on the device. Alternatively, the user may authenticate him/herself to pass through the Access Gateway.
# The user connects directly, using the device keyboard and display, to a URL on the Enrollment/Installation server.
# The user provides his/her credentials. 
# The Enrollment/Installation server generates the EUF and bootstraps the installation.

== Components ==

* Web application (CGI script) running at the Enrollment/Installation server. An example (skeleton) CGI script will be provided soon in gagare.maemo.org that corresponds to the examples given for the [[Enterprise_Device_Configuration|device side configuration]].

== Firewall rules ==

{| border="1"
! Source !! Target !! Protocol !! Direction !! Notes
|-
| Enrollment server || Enterprise User Database || LDAPS (636)|| Inbound ||   
|-
| Admin server || Installation server || SSH (22)||Outbound ||   
|-
| Admin server || Installation server || HTTPS (443)||Outbound || Optional

== Security considerations ==

* The Enterprise User Database must be accessible. This needs a hole on its inbound firewall. This is a concern in case the Enrollment Server is compromized.
* The user password travels (in encrypted form) in an insecure network outside the corporate firewalls.

== Pros and cons ==

* + Simple and straightforward to implement.
* - Potentially tedious to the user, at worst case they have to authenticate themselves '''twice''' using the device keyboad (first for Access Gateway, then for Enrollment Server).

= Strategy 2: SMS based =

Although the device does not currently support OTA configuration messages, there is a way to utilize SMS messages in provisioning.
The idea is to deliver the configuration data from Enrollment Server to Installation Server behind the scenes, and simultaneously deliver to the device via SMS a one-time time-limited URL which enables access to the configuration data.

This strategy is more complicated to implement but easier to use. It uses indirect enrollment.

[[Image:Separate_Enrollment_and_Installation_servers.png|900px]]
<div style="margin-left:200px;">Figure 2: Separate Enrollment and Installation servers</div>

== The process ==

# Since repositories at the public Internet are usually not accessible, to avoid Application Manager halting problem, the user needs to disable all repositories from the device. Alternatively, the user may authenticate him/herself to pass through the Access Gateway.
# User connects to the Enrollment Server using a desktop computer and provides his/her credentials.
# Using the credentials, the Enrollment Server queries user information from Enterprise User Database, including the phone number of the users device.
# Enrollment Server generates a random pin code.
# Enrollment Server generates the EUF and transfers it, along with the pin code, to Installation Server.
# Enrollment Server generates a URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code>https://server.example.com/indirect.cgi?pincode=aa913a5b-6558-44a5-a501-bbf5c81078d3</code>.
# Enrollment Server generates an SMS message which contains the URL and sends it to the device using SMS gateway.
# When the user opens the SMS message at the device, Conversations application displays the URL as a clickable link. When the user clicks the link, the Web Browser application is invoked and the URL is opened.
# When the CGI script at the Installation Server is called, it checks whether there is an EUF matching the pincode. If there is, the script checks the age of the EUF. If the file is older than a predefined time limit (e.g., 5 minutes) an error message is generated and processing stops.
# If the file age is OK, the script bootstraps the installation according selected bootstrapping strategy. "Via package" bootstrap strategy is probably more feasible, especially if ease of use is among the reasons.
# At the device, the Web Browser invokes the Application Manager, which installs the on-the-fly generated package and all packages in the dependency chain
# Post-install script runs and re-enables repositories disabled at step 1

To clean up, Installation server runs a cron job at every few minutes, removing all generated temporary files which are older than predefined time limit

== Components ==

* Web application (CGI script) running at Enrollment Server
* Web application (CGI script) running at Installation Server
* SMS gateway

== Firewall rules ==

{| border="1"
|-
| Source || Target || Protocol || Direction || Notes 
|-
|Admin server || Installation server || SSH (22)||Outbound || 
|-
|Enrollment server || Installation server || SSH (22)||Outbound || 
|-
|Admin server || Installation server || HTTPS (443)||Outbound ||Optional

== Security considerations ==

* Pin code can and should be fairly long, longer than a typical username and password together.
* No need for inbound firewall holes.
* User password does not travel outside corporate intranet.

== Pros and cons ==

* + The obvious advantage of indirect enrollment combined with SMS-URL based bootstrapping is the minimization of user interaction performed from the device keyboard and display. Writing the provisioning URL, username and password from the device keyboard are all avoided. Most of the user interaction can be performed using full size keyboard and display, only couple of touchscreen clicks is left to be to done at the device. 
* - A bit more laborious to implement
* - Requires more servers (not necessarily if Admin server can host as Enrollment server as well)

= Strategy 3: Offline installation =

This strategy is probably used as a complement to previous strategies. The server topology may be similar to either of the descried ones.

The most important use case for this strategy is to enable provisioning for users located at remote sites and unable to access corporate WLAN.

== The process ==

# To avoid Application Manager halting problem, user needs to disable all repositories from the device. Or alternatively, connect to a 3G network.
# User connects to the Enrollment Server via a VPN connection to the corporate intranet using a desktop computer and provides his/her credentials.
# Using the credentials, the Enrollment Server queries the user information from the Enterprise User Database.
# Enrollment Server generates a random pin code.
# Enrollment Server generates EUF, transfers it and the pin code to Installation server.
# Enrollment Server generates an URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code>https://server.example.com/offline.cgi?pincode=a913a5bXTgd</code>.
# Enrollment Server redirects the web browser to that URL, or presents a clickable link.
# When the CGI script at the Installation Server is called, it checks if there is an EUF matching the pincode. If yes, the script checks the age of the EUF. If the file is older than a predefined time limit (e.g., 5 minutes), an error message is generated and processing stops.
# If the file age is OK, the script (See [[Enterprise_Provisioning_-_Appendix|Appendix]] for further instructions for implementing this phase)
** Generates User Info package ("Via package" bootstrapping strategy is recommended).
** Produces a list of required packages from the dependencies of the EP.
** Creates a temporary repository which contains all the required packages and the User Info package.
** Creates an install file which contains 
*** The User Info package and
*** The URL to the local repository on the device.
** Generates a zip file from the repository and the install file
# The script outputs the zip file with appropriate content type definitions. See [[Enterprise_Provisioning_-_Appendix|Appendix]].
# User connects the device to the desktop computer via USB cable.
# User copies the zip file to her device.
# At the device, the user extracts the repository and the install file from the zip file.
# User taps the install file to invoke the Application Manager, which installs the User Info package and all the packages in the dependency chain.

== Components ==

* Web application (CGI script) running at Enrollment server
* Web application (CGI script) running at Installation server

== Firewall rules ==

Same as in previous two strategies, depending on which server topology is used

== Security considerations ==

* None

== Pros and cons ==

* + Enables provisioning at remote locations
* + Fairly simple to use
* - Can be fairly laborious to implement
* - Presumably slow and storage space consuming

= Summary =

Here we looked at the tried out solutions for provisioning but some readers might be interested to read our [[Enterprise_Provisioning_-_Strategy_Variations|alternative solution considerations]] or about [[Enterprise_Provisioning_-_Future_Prospects|future prospects for provisioning]]. If on the other hand these solutions suited already your needs you can move onward to [[Enterprise_Provisioning_Summary|provisioning summary]].

[[Category:Enterprise]]

Please note that all contributions to maemo.org wiki may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see maemo.org wiki:Copyrights for details). Do not submit copyrighted work without permission!

Summary:

Cancel | Editing help (opens in new window)

Retrieved from "https://wiki.maemo.org/Enterprise_-_Tried_and_tested_provisioning_strategies"

Personal tools

Navigation

Views

Editing Enterprise - Tried and tested provisioning strategies

@@ Line 3: / Line 3: @@
 In the pictures, thick red dashed lines represent ''logical'' connections between actors. If a line has an arrow, it represents direction of the initiation of the communication (which is the direction of the required firewall rule).
-== Strategy 1: Simple and direct ==
+= Strategy 1: Simple and direct =
 This is the most simple strategy and the most straightforward to implement. In this strategy, direct enrollment is used. Also, since the whole process takes place at the same server, the line between the enrollment and the bootstrapping phases are blurred.
-[[Image:Combined_Enrollment_Installation_server_at_lobby_network.png|thumb|900px|alt=Diagram of a combined ecrollment/installation server installed at a lobby network|Figure 1: Combined Enrollment/Installation server at lobby network]]
+[[Image:Combined_Enrollment_Installation_server_at_lobby_network.png|900px]]
+<div style="margin-left:200px;">Figure 1: Combined Enrollment/Installation server at lobby network</div>
-=== The process ===
+== The process ==
 # Since repositories at the public Internet are usually not accessible, to avoid Application Manager halting problem, the user needs to disable all repositories on the device. Alternatively, the user may authenticate him/herself to pass through the Access Gateway.
 # The user connects directly, using the device keyboard and display, to a URL on the Enrollment/Installation server.
@@ Line 16: / Line 16: @@
 # The Enrollment/Installation server generates the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> and bootstraps the installation.
-=== Components ===
+== Components ==
 * Web application (CGI script) running at the Enrollment/Installation server. An example (skeleton) CGI script will be provided soon in gagare.maemo.org that corresponds to the examples given for the [[Enterprise_Device_Configuration|device side configuration]].
-=== Firewall rules ===
+== Firewall rules ==
-{| class="wikitable"
+{| border="1"
-|+ Firewall rules: Simple and direct strategy
-|-
 ! Source !! Target !! Protocol !! Direction !! Notes
 |-
@@ Line 32: / Line 30: @@
 |-
 | Admin server || Installation server || HTTPS (443)||Outbound || Optional
 |}
-=== Security considerations ===
+== Security considerations ==
 * The Enterprise User Database must be accessible. This needs a hole on its inbound firewall. This is a concern in case the Enrollment Server is compromized.
 * The user password travels (in encrypted form) in an insecure network outside the corporate firewalls.
-=== Pros and cons ===
+== Pros and cons ==
 * + Simple and straightforward to implement.
 * - Potentially tedious to the user, at worst case they have to authenticate themselves '''twice''' using the device keyboad (first for Access Gateway, then for Enrollment Server).
-== Strategy 2: SMS based ==
+= Strategy 2: SMS based =
-Although the device does not currently support OTA configuration messages, there is a way to utilize SMS messages in provisioning. The idea is to deliver the configuration data from Enrollment Server to Installation Server behind the scenes, and simultaneously deliver to the device via SMS a one-time time-limited URL which enables access to the configuration data.
+Although the device does not currently support OTA configuration messages, there is a way to utilize SMS messages in provisioning.
+The idea is to deliver the configuration data from Enrollment Server to Installation Server behind the scenes, and simultaneously deliver to the device via SMS a one-time time-limited URL which enables access to the configuration data.
 This strategy is more complicated to implement but easier to use. It uses indirect enrollment.
-[[Image:Separate_Enrollment_and_Installation_servers.png|thumb|900px|alt=Diagram of separate enrollment and installation servers|Figure 2: Separate Enrollment and Installation servers]]
+[[Image:Separate_Enrollment_and_Installation_servers.png|900px]]
+<div style="margin-left:200px;">Figure 2: Separate Enrollment and Installation servers</div>
-=== The process ===
+== The process ==
 # Since repositories at the public Internet are usually not accessible, to avoid Application Manager halting problem, the user needs to disable all repositories from the device. Alternatively, the user may authenticate him/herself to pass through the Access Gateway.
@@ Line 59: / Line 60: @@
 # Enrollment Server generates a random pin code.
 # Enrollment Server generates the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> and transfers it, along with the pin code, to Installation Server.
-# Enrollment Server generates a URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code><nowiki>https://server.example.com/indirect.cgi?pincode=aa913a5b-6558-44a5-a501-bbf5c81078d3</nowiki></code>.
+# Enrollment Server generates a URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code>https://server.example.com/indirect.cgi?pincode=aa913a5b-6558-44a5-a501-bbf5c81078d3</code>.
 # Enrollment Server generates an SMS message which contains the URL and sends it to the device using SMS gateway.
 # When the user opens the SMS message at the device, Conversations application displays the URL as a clickable link. When the user clicks the link, the Web Browser application is invoked and the URL is opened.
@@ Line 69: / Line 70: @@
 To clean up, Installation server runs a cron job at every few minutes, removing all generated temporary files which are older than predefined time limit
-=== Components ===
+== Components ==
 * Web application (CGI script) running at Enrollment Server
@@ Line 75: / Line 76: @@
 * SMS gateway
-=== Firewall rules ===
+== Firewall rules ==
-{| class="wikitable"
+{| border="1"
-|+ Firewall rules: SMS-based strategy
 |-
-! Source !! Target !! Protocol !! Direction !! Notes
+| <b>Source</b> || <b>Target</b> || <b>Protocol</b> || <b>Direction</b> || <b>Notes</b>
 |-
 |Admin server || Installation server || SSH (22)||Outbound ||
@@ Line 87: / Line 87: @@
 |-
 |Admin server || Installation server || HTTPS (443)||Outbound ||Optional
 |}
-=== Security considerations ===
+== Security considerations ==
-* PIN code can and should be fairly long, longer than a typical username and password together.
+* Pin code can and should be fairly long, longer than a typical username and password together.
 * No need for inbound firewall holes.
 * User password does not travel outside corporate intranet.
-=== Pros and cons ===
+== Pros and cons ==
 * + The obvious advantage of indirect enrollment combined with SMS-URL based bootstrapping is the minimization of user interaction performed from the device keyboard and display. Writing the provisioning URL, username and password from the device keyboard are all avoided. Most of the user interaction can be performed using full size keyboard and display, only couple of touchscreen clicks is left to be to done at the device.
@@ Line 101: / Line 103: @@
 * - Requires more servers (not necessarily if Admin server can host as Enrollment server as well)
-== Strategy 3: Offline installation ==
+= Strategy 3: Offline installation =
 This strategy is probably used as a complement to previous strategies. The server topology may be similar to either of the descried ones.
@@ Line 107: / Line 109: @@
 The most important use case for this strategy is to enable provisioning for users located at remote sites and unable to access corporate WLAN.
-=== The process ===
+== The process ==
 # To avoid Application Manager halting problem, user needs to disable all repositories from the device. Or alternatively, connect to a 3G network.
@@ Line 114: / Line 116: @@
 # Enrollment Server generates a random pin code.
 # Enrollment Server generates <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span>, transfers it and the pin code to Installation server.
-# Enrollment Server generates an URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code><nowiki>https://server.example.com/offline.cgi?pincode=a913a5bXTgd</nowiki></code>.
+# Enrollment Server generates an URL which points to a CGI script at the Installation Server and contains the pin code. For example, <code>https://server.example.com/offline.cgi?pincode=a913a5bXTgd</code>.
 # Enrollment Server redirects the web browser to that URL, or presents a clickable link.
 # When the CGI script at the Installation Server is called, it checks if there is an <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span> matching the pincode. If yes, the script checks the age of the <span style="color:#0000ff" title="Enterprise User Configuration File: A container for user-specific and enterprise-specific configuration values collected from various sources. ">EUF</span>. If the file is older than a predefined time limit (e.g., 5 minutes), an error message is generated and processing stops.
@@ Line 131: / Line 133: @@
 # User taps the install file to invoke the Application Manager, which installs the User Info package and all the packages in the dependency chain.
-=== Components ===
+== Components ==
 * Web application (CGI script) running at Enrollment server
 * Web application (CGI script) running at Installation server
-=== Firewall rules ===
+== Firewall rules ==
 Same as in previous two strategies, depending on which server topology is used
-=== Security considerations ===
+== Security considerations ==
 * None
-=== Pros and cons ===
+== Pros and cons ==
 * + Enables provisioning at remote locations
@@ Line 151: / Line 153: @@
 * - Presumably slow and storage space consuming
-== Summary ==
+= Summary =
-Here we looked at the tried out solutions for provisioning but some readers might be interested to read our [[Enterprise Provisioning - Strategy Variations|alternative solution considerations]] or about [[Enterprise Provisioning - Future_Prospects|future prospects for provisioning]]. If on the other hand these solutions suited already your needs you can move onward to [[Enterprise Provisioning Summary|provisioning summary]].
+Here we looked at the tried out solutions for provisioning but some readers might be interested to read our [[Enterprise_Provisioning_-_Strategy_Variations|alternative solution considerations]] or about [[Enterprise_Provisioning_-_Future_Prospects|future prospects for provisioning]]. If on the other hand these solutions suited already your needs you can move onward to [[Enterprise_Provisioning_Summary|provisioning summary]].
 [[Category:Enterprise]]