Push Notification with iOS In House Agent
At the time of writing, the current version of the Symantec MDM solution does not allow you to send push notification messages to your users via the agent.
This article has been written to bridge that gap and get you 90% of the way to a working push installation with your MDM In-House agent and the Management Platform.
What you are going to need:
- A built version of the in-house agent signed and exported (ipa enterprise distro) ready to be installed on iOS Devices
- The certificate that was requested when the "App" was created in the provisioning portal @ developer.apple.com - this will need to be downloaded and then re-exported with its private key as a p12 file.
- An account with a push provider - There are a lot, but for the sake of this article I am going to use http://www.parse.com (for no other reason than I think that it is a good solution) - If you choose another provider then you need to make sure that they let you send push messages and add devices via an API. Parse.com is free up to a certain number of pushes and then costs thereafter - for medium installations the free limit will be perfectly acceptable.
- A read-only user for the Symantec_CMDB database, so that the VBScript that looks up the token and matches it against a user can run.
- A good deal of time and patience as there are a number of steps and it never works first time!
Gotchas to watch out for before we start:
- That you have at least version 1.0.4716 - although I have not tested this completely, I believe that it was only since this version that Symantec have incorporated the request for a token, so that the user sees a pop-up asking them if they want to accept push from the agent. You CANNOT at the moment use the App Store agent, as that would require Symantec to make the app's APNS cert public and also to modify the agent to ask for a push token.
- Make sure that you have enabled the "Client Push" on Parse.com under "Push Notification Settings"
Still with me! Then let's begin!
The first thing is to make sure that you have built the MDM in-house agent and have it deployed on an iOS client - this is reasonably well documented in the Symantec guides so I am not going to go through this here - if you have problems then post a comment or open a discussion and I am sure you will find someone to help you.
As stated in the gotchas you need to make sure that you have enabled the "Apple Push Notification" section @ parse.com - there is a great video on how to do this from parse.com @ https://parse.com/tutorials/ios-push-notifications - ignore the end of it as we won't be using this.
Next you will need to open the MDM in-house agent on an iOS device and it should pop up and ask you whether you would like to enable "Push Notifications" for this app - choose YES! and then enroll the device in the normal fashion with your MMS.
Once the device is enrolled we need to check that it has actually registered its token with the MDM. You can find this token by navigating to the devices and then entering the "Resource Manager" for that device - choose "Inventory" from the "View" menu and then choose "Mobile_Device" from the "Mobile Inventory" folder. You are looking for an entry called "Agent Token" and there should be a long alphanumeric code. Don't confuse it with the Auth Token or the MDM Device Token as they aren't the same!!!
NB: Currently I have had problems where the AgentToken seems to be set to "(null)" after the device has not checked in for a little while - I have this case open with Symantec - my workaround is now to reference the History table rather than the base table. But this does mean that you have to wait a little while after enrollment for a change to happen to the Agent Token before you can send a push - when I have a response from Symantec I will post an update.
If you successfully see the token then that's great - we are now just about ready to send a push to that device!
On the parse.com site you will need to import the cert that you got from the Apple developer site (with private key). This is what Parse will send, along with the deviceToken from the MDM, to Apple's APNS servers to send the push to the device. Once again there is a guide for this @ https://parse.com/tutorials/ios-push-notifications that explains how to export the cert as p12 and where to import it.
The final part of the install is a couple of ASP pages that reference the VBS and send a push. You can then reference this in a User Defined right click action.
Step by Step setup on the MMS:
Unzip the folder called mdmPush into "C:\Program Files" or "C:\Program Files (x86)" (if 64bit) on the MMS server.
There are 4 files in the root:
- postUserPush.asp - A post form that references the VBS
- pushUserForm.asp - A form that asks for Username and Message and posts to the aforementioned form
- readFileIn.asp - This reads in the log file that is made by the system to show you what happens
- style.css - This is the associated stylesheet for all of the asp files - I have not edited it but you can if you want
Editing the VBS
I have created a little VBScript (it is attached inside the zip under the folder called VBS) that takes a number of command line arguments (to see what arguments it takes, run "cscript PushToThisOne.vbs /?"). It adds the device into the list of devices on your parse.com account and then either sends a push to a single device using its token or to all the devices that a user has using their email address. Finally, another routine scans an AD for members of an AD group and then emails each of them (although I have tried to make this as generic as possible it would probably require some modifications to work with each specific environment - please post if you want some help!).
In order to get it working please edit the file with your favourite editor ("Notepad++" or something will do fine) - There are a number of variables that appear at the top of the script that you will need to correct for your environment, these are:
parseApplicationID = "PARSE APP ID HERE"
parseRestAPIKey = "PARSE API KEY HERE"
symantecCMDBServer = "DNS NAME OF SQL SERVER"
symantecCMDBNAme = "Symantec_CMDB"
sqlUser = "RO USER FOR THE DB"
sqlPASS = "RO USERS PASS FOR THE DB"
domainSuffix = ""
NB: Although this VBS is referenced by the ASP files you can use it completely stand-alone and reference it from other services to send push notifications to devices.
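The two Parse REST calls described above (add the device, then push to its token), as an added PowerShell example that is not the attached VBS. The endpoint paths, header names and "where" targeting follow Parse's hosted REST API; the environment variable names, the 64-hex-character token rule and the sample rows are assumptions made for the example.

```powershell
# Added example, not PushToThisOne.vbs. Keys are read from environment
# variables (assumed names) so they do not sit in the script body.
$ParseApi = 'https://api.parse.com/1'

function Test-AgentToken {
    param([string]$Token)
    # The inventory can show "(null)" once a device stops checking in; never send that.
    # Assumption: a usable Agent Token is a hex string of 64 or more characters.
    return ($Token -match '^[0-9a-fA-F]{64,}$')
}

function New-ParseRequest {
    param(
        [Parameter(Mandatory)][ValidateSet('installations', 'push')][string]$Endpoint,
        [Parameter(Mandatory)][string]$Token,
        [string]$Message
    )
    if (-not (Test-AgentToken $Token)) { throw "Unusable Agent Token: '$Token'" }
    $body = if ($Endpoint -eq 'installations') {
        @{ deviceType = 'ios'; deviceToken = $Token }           # add device to the app
    } else {
        @{ where = @{ deviceType = 'ios'; deviceToken = $Token }  # target one device
           data  = @{ alert = $Message } }
    }
    # Returned as a hashtable so it can be splatted onto Invoke-RestMethod.
    @{
        Uri         = "$ParseApi/$Endpoint"
        Method      = 'Post'
        ContentType = 'application/json'
        Headers     = @{
            'X-Parse-Application-Id' = $env:PARSE_APP_ID
            'X-Parse-REST-API-Key'   = $env:PARSE_REST_KEY
        }
        Body        = ($body | ConvertTo-Json -Depth 4 -Compress)
    }
}

# Constructed sample rows standing in for the (user, Agent Token) query result.
$rows = @(
    @{ User = 'alice'; Token = ('a1b2c3d4' * 8) },
    @{ User = 'bob';   Token = '(null)' }
)
foreach ($r in $rows) {
    if (-not (Test-AgentToken $r.Token)) { Write-Warning "Skipping $($r.User): no usable token"; continue }
    $register = New-ParseRequest -Endpoint installations -Token $r.Token
    $push     = New-ParseRequest -Endpoint push -Token $r.Token -Message 'Test from MMS'
    # Invoke-RestMethod @register; Invoke-RestMethod @push    # uncomment to send
    $push.Body
}
```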
- You then need to create a new application pool for the asp files to run under.
- Open IIS manager and choose "Application Pools" and then right click in a white space and choose "Add Application Pool"
- Give it a name (mdmPush) and then choose OK
- We then need to change the Identity that is used for this pool else the pool will not have permissions to launch the script!
- Right click on the pool and choose "Advanced Settings" and then under the line "Identity" double click and choose "LocalSystem"
Now we need to create a new application under the web site used by the MMS
- Right-click the web site where you would like to add the application and choose "Add Application"
- Under Alias type "mdmPush"
- Change the Application Pool to the one that we created earlier
- In the Physical path place the path to the directory where you unzipped the ASP files (c:\program files (x86)\mdmPush)
- Choose "OK"
Sending the Push
You should now be able to send a push to a user that is in your MDM by visiting http(s)://yourmmserver.yourdomain.com/mdmPush/pushUserForm.asp
I have modified the permissions on the mdmPush folder on the file system and added an AD user group that is allowed to send pushes with READ and removed anybody else - then enabled "Windows Authentication" on the application, meaning that if you are not a member of that group you cannot visit the page and send a push!
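The application pool, application and access restrictions above, scripted as an added PowerShell example (not part of the mdmPush zip). The site name and AD group are placeholders, and turning Anonymous Authentication off and keeping SYSTEM and Administrators on the folder ACL are assumptions; the checks at the end matter because the pool runs as LocalSystem.

```powershell
# Added example: run in an elevated PowerShell session on the MMS server.
Import-Module WebAdministration

$site  = 'Default Web Site'                   # placeholder: the web site used by the MMS
$app   = 'mdmPush'
$path  = 'C:\Program Files (x86)\mdmPush'     # where the ASP files were unzipped
$group = 'YOURDOMAIN\MDM-Push-Senders'        # placeholder: AD group allowed to send pushes

# Application pool with the identity the article selects (0 = LocalSystem).
New-WebAppPool -Name $app
Set-ItemProperty "IIS:\AppPools\$app" -Name processModel.identityType -Value 0

# Application under the MMS site, bound to that pool.
New-WebApplication -Site $site -Name $app -PhysicalPath $path -ApplicationPool $app

# Windows Authentication on; Anonymous off (assumption) so every request has an identity.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$app" `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$app" `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false

# NTFS: drop inherited entries, give the sender group READ,
# keep SYSTEM and Administrators (assumption) so the pool and admins still work.
icacls $path /inheritance:r /grant:r "${group}:(OI)(CI)R" `
    'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'

# Checks: confirm what is actually in effect.
Get-ItemProperty "IIS:\AppPools\$app" -Name processModel.identityType
foreach ($kind in 'windowsAuthentication', 'anonymousAuthentication') {
    $on = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$app" `
        -Filter "$auth/$kind" -Name enabled).Value
    "{0,-26} enabled = {1}" -f $kind, $on
}
(Get-Acl $path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```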
Gotchas and others
Make sure that the paths that are in the ASP are correct; you might have to modify these if you are in a 32 bit environment etc. (post if you have problems).
What is missing from this solution:
Logging - I haven't had a chance yet to add any logging - I don't do anything with the response (positive or negative) that comes back from PARSE.com.
As ever, use this all at your own risk… It works well in my environment and there is no reason that it shouldn't in yours! But make sure that you understand the procedure.
Still have questions!?
Please feel free to post in the comments section and I will try and get back to you with a response.