Authentication Types
No Authentication
If the No Authentication type is configured by the administrator, device authentication will not be required during enrollment. As a result, devices can be easily enrolled directly into the SureMDM Web Console.
To configure the devices without authentication, follow these steps:
On the SureMDM Web Console, navigate to Settings > Account Settings > Device Enrollment Settings > Device Enrollment Rules.
Choose No Authentication from the Device Authentication Type drop-down list and click Apply.
Prompt for User Name and Email ID on Device - Enable this option to prompt users to provide their name during the device enrollment process. This name will be displayed under the Device User Name and E-mail column in the Device Grid.
Basic Authentication
With the Basic Authentication type, administrators configure a password that devices must present for authentication before they can enroll in the SureMDM Web Console.
To configure credentials to enroll the devices in the SureMDM Console, follow these steps:
On the SureMDM Web Console, navigate to Settings > Account Settings > Device Enrollment Settings > Device Enrollment Rules.
Configure the following settings:
- Device Authentication Type: Choose Require Password from the Device Authentication Type drop-down list.
- Enter Password: Enter the desired password.
- Show Password: Select this option to show the password (alphanumeric characters) entered in the Enter Password field.
- Prompt for User Name and Email ID on Device - Enable this option to prompt users to provide their name during the device enrollment process. This name will be displayed under the Device User Name and E-mail column in the Device Grid.
- Bypass Password Authentication During QR Enrollment - Enable this option to bypass the password prompt when devices are enrolled using the QR code method.
This requires devices enrolled with SureMDM agent version 27.22.16 or later for Android, 4.74 or later for iOS, 5.6.4 or later for macOS and 6.07.0 or later for Windows.
- For Windows, Password Authentication will be bypassed for both QR Code Enrollment and the Customized (wrapped) SureMDM Agent.
- Bypass Enrollment Authentication for Apple User Enrollment - When enabled, devices will bypass the enrollment authentication configured in SureMDM and instead authenticate using Managed Apple ID credentials. For federated Apple accounts, authentication will follow the identity management settings configured in Apple Business Manager (ABM). Applies for iOS and macOS devices only.
OAuth Authentication
SureMDM allows Active Directory authentication for enterprises with an Active Directory domain account. It is a convenient way for administrators to manage a large number of enrolled devices.
This feature is supported only on Android, Windows, macOS, and iOS.
To set up OAuth authentication with ADFS on SureMDM, follow these steps:
On the SureMDM Web Console, navigate to Settings > Account Settings > Device Enrollment Settings > Device Enrollment Rules.
Configure the OAuth Authentication (ADFS) settings described below and click Apply.
| Settings | Description |
|---|---|
| Advanced Device Authentication | |
| Device Authentication Type | Choose OAuth Authentication from the Device Authentication Type drop-down list. |
| Auth Endpoint & Token Endpoint | Enter the Auth Endpoint and Token Endpoint. |
| Client ID | Click Generate to get the Client ID. Note: a Client ID has to be generated only for an ADFS server. For Azure AD, GSuite, and others there are pre-generated Client IDs. |
| Client Secret (EMM Only) | Copy the Client Secret from the server machine. |
- Bypass Enrollment Authentication for Apple User Enrollment - When enabled, devices will bypass the enrollment authentication configured in SureMDM and instead authenticate using Managed Apple ID credentials. For federated Apple accounts, authentication will follow the identity management settings configured in Apple Business Manager (ABM). Applies for iOS and macOS devices only.
SAML (Security Assertion Markup Language)
SureMDM supports device enrollment using SAML authentication. This section describes how to configure SureMDM using SAML-based authentication for device enrollment with ADFS as an identity provider.
This feature is supported only on Android, Windows, macOS, and iOS.
The following steps are involved in SAML authentication:
Install OpenSSL Tool and Generate Certificate
Obtain ADFS Service URL
Obtain Federation Service Identifier
Configure SAML
Add SureMDM as a SAML Service Provider
Enroll SureMDM Agent
- Bypass Enrollment Authentication for Apple User Enrollment - When enabled, devices will bypass the enrollment authentication configured in SureMDM and instead authenticate using Managed Apple ID credentials. For federated Apple accounts, authentication will follow the identity management settings configured in Apple Business Manager (ABM). Applies for iOS and macOS devices only.
Install OpenSSL Tool and Generate Certificate
SAML setup requires generating a certificate with a public and private key pair. Use the OpenSSL tool for this.
To install the OpenSSL tool on a Windows machine, follow these steps:
Admins can skip this section if the OpenSSL tool is already installed.
Go to the link below and download Win64 OpenSSL v1.1.1a Light by clicking the EXE link.
Double-click the downloaded OpenSSL installer and accept the default settings to complete the installation.
Go to the Location where OpenSSL is installed.
Example: C:\Program Files\OpenSSL-Win64
Press CTRL+Right Mouse button to launch the command prompt.
Type the following command in the prompt and press Enter:
```
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
```
- Restart the computer.
This step is mandatory.
- Go to the location where OpenSSL is installed, open the bin folder, and launch the OpenSSL application.
Generate Certificate
To generate a certificate, follow these steps:
- Run the following commands in the OpenSSL prompt opened in the previous step (they omit the leading openssl because they are typed into the OpenSSL application rather than a plain command prompt):
```
req -x509 -nodes -sha256 -days 2048 -subj "/CN=suremdm.42gears.com" -newkey rsa:2048 -keyout "ssocert.key" -out "ssocert.crt"
pkcs12 -export -in "ssocert.crt" -inkey ssocert.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out "ssocert.pfx" -password pass:{{YOURPASSWORD WITHOUT BRACES}}
x509 -inform pem -in "ssocert.crt" -outform der -out "ssocert.cer"
```
A certificate will be generated and saved at C:\Program Files\OpenSSL-Win64\bin. Ensure the following files are present there:
- ssocert.pfx
- ssocert.crt
- ssocert.cer
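As an added check that is not part of the SureMDM documentation or the 42Gears tooling, the POSIX shell script below runs the page's three OpenSSL commands (prefixed with openssl, since it runs in an ordinary shell rather than the OpenSSL application prompt) and then verifies that ssocert.crt, ssocert.cer and ssocert.pfx carry the same certificate and a matching private key, and that the certificate is unexpired with the expected CN. It assumes the openssl CLI is on PATH; the output directory, password and CN are placeholder arguments you supply.

```shell
#!/bin/sh
# Added example (not from the SureMDM documentation): regenerate the SAML signing
# artifacts the page describes and check they are consistent before uploading
# ssocert.pfx to SureMDM and ssocert.cer to ADFS. Assumes the openssl CLI is on
# PATH; the output directory, password and CN are placeholders passed as arguments.

# Same three commands as the page, prefixed with "openssl" because they are typed
# into an ordinary shell here instead of the OpenSSL application prompt.
gen_sso_cert() {
  dir=$1; pass=$2; cn=$3
  mkdir -p "$dir" || return 1
  openssl req -x509 -nodes -sha256 -days 2048 -subj "/CN=$cn" -newkey rsa:2048 \
    -keyout "$dir/ssocert.key" -out "$dir/ssocert.crt" 2>/dev/null || return 1
  openssl pkcs12 -export -in "$dir/ssocert.crt" -inkey "$dir/ssocert.key" \
    -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" \
    -out "$dir/ssocert.pfx" -password "pass:$pass" || return 1
  openssl x509 -inform pem -in "$dir/ssocert.crt" -outform der -out "$dir/ssocert.cer"
}

# SHA-256 fingerprint of a PEM or DER certificate read from stdin.
fp() { openssl x509 -inform "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# Verify that (1) ssocert.crt, ssocert.cer and the certificate inside ssocert.pfx
# are one and the same, (2) the private key in the .pfx matches that certificate,
# and (3) the certificate has not expired and carries the expected CN. A mismatch
# means ADFS would verify signatures against a key other than the one SureMDM signs with.
check_sso_cert() {
  dir=$1; pass=$2; cn=$3
  crt=$(fp pem < "$dir/ssocert.crt")
  cer=$(fp der < "$dir/ssocert.cer")
  pfx=$(openssl pkcs12 -in "$dir/ssocert.pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null | fp pem)
  if [ -z "$crt" ] || [ "$crt" != "$cer" ] || [ "$crt" != "$pfx" ]; then
    echo "certificate mismatch between .crt, .cer and .pfx (or wrong .pfx password)"; return 1
  fi
  pfx_pub=$(openssl pkcs12 -in "$dir/ssocert.pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$dir/ssocert.crt" -noout -pubkey 2>/dev/null)
  if [ -z "$pfx_pub" ] || [ "$pfx_pub" != "$crt_pub" ]; then
    echo "private key in .pfx does not match the certificate"; return 1
  fi
  openssl x509 -in "$dir/ssocert.crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate has expired"; return 1; }
  openssl x509 -in "$dir/ssocert.crt" -noout -subject 2>/dev/null | grep -q "CN *= *$cn\$" \
    || { echo "unexpected subject, expected CN=$cn"; return 1; }
  echo "ok: SHA-256 fingerprint $crt"
}
# Usage: gen_sso_cert ./out 'YOURPASSWORD' suremdm.42gears.com && check_sso_cert ./out 'YOURPASSWORD' suremdm.42gears.com
```

The fingerprint printed on success is the one to compare against what ADFS shows under the relying party's Signature tab after the upload.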
Obtain ADFS Service URL
To obtain the ADFS Service URL, follow these steps:
Log in to the Windows Server machine hosting Active Directory and ADFS.
In the AD FS Console (Server Manager > ADFS > Tools > AD FS Management), expand Service and click Endpoints.
Make a note of the URL Path for SAML 2.0.
- Prefix the path with the machine name and save it.
The saved path will be required in later steps.
Obtain Federation Service Identifier
To obtain the Federation Service Identifier, follow these steps:
- In the AD FS Console, right-click Service and select Edit Federation Service Properties.
Note down the URL shown in the Federation Service Identifier field.
Configure SAML
To enable SAML-based enrollment in SureMDM, follow these steps:
On the SureMDM Web Console, navigate to Settings > Account Settings > Device Enrollment Settings > Device Enrollment Rules.
Configure the SAML Authentication settings described below and click Save.
| Settings | Description |
|---|---|
| Advanced Device Authentication | |
| Device Authentication Type | Choose OAuth Authentication from the Device Authentication Type drop-down list. |
| SSO Type | Choose the SSO Type from the following: |
| Service Identifier | Enter the Service Identifier noted under Obtain Federation Service Identifier. |
| Sign On Service Url | Enter the Sign On Service Url noted under Obtain ADFS Service URL. |
| Logout Service Url | Enter the Logout Service Url noted under Obtain ADFS Service URL. |
| Upload Certificate | Browse to the generated ssocert.pfx file and provide the password used at the time of certificate generation. Refer to the steps in Generate Certificate. |
Add SureMDM as a SAML Service Provider in ADFS
To add SureMDM as a SAML service provider in ADFS, follow these steps:
Log in to the ADFS server, directly or through a Remote Desktop Connection.
Launch the AD FS Console from Server Manager, then click Tools and select AD FS Management.
Click Relying Party Trusts and then click Add Relying Party Trust.
Select Claims aware and click Start.
Select Enter data about relying party manually and click Next.
Enter the Display Name as SureMDM and click Next.
In the Configure Certificate section, browse to the certificate (ssocert.cer); refer to Generate Certificate.
Check Enable support for the SAML 2.0 WebSSO protocol and enter the URL.
Enter urn:42gears:suremdm:SAML2ServiceProvider in Relying party trust identifiers field.
Select Permit everyone or select a specific group based on your requirements.
Click Next > Close.
In the main AD FS Console, right-click SureMDM and select Properties.
Select the Signature Tab and click Add.
Select the certificate (ssocert.cer; refer to Generate Certificate) and click Apply.
Select the Endpoints tab and click Add SAML.
Select SAML Assertion Consumer as the Endpoint type and enter the Trusted URL.
Click OK.
In the Edit Claim Issuance Policy prompt, click Add Rule.
Click Next.
In the Claim rule name field, enter SureMDM, select Active Directory as the Attribute store, add the following mappings, and click Finish.
Click OK.
Enroll SureMDM Agent
Refer to the steps under Scan QR Code to enroll the SureMDM Agent.
Once the user has scanned the QR code, the user will be redirected to the ADFS, Azure AD, GSuite, or other identity provider login page. Enter the appropriate login credentials. On successful configuration, the SureMDM Agent home screen will show the status as Online, and in the SureMDM Web Console the device will be listed under the Unapproved option.