Hardware reference guide
GlobalProtect Administrator’s Guide 69
Set Up the GlobalProtect Mobile Security Manager Set Up the Mobile Security Manager for Device Management
Step 2 (Optional) Modify the device check-in
settings.
By default, the Mobile Security Manager
listens on port 443 for both enrollment
requests and check-in requests. As a best
practice, you should keep the enrollment
port set to 443 and use a different port
number for device check-in. The device
check-in process requires a client
certificate to establish the SSL session
whereas enrollment does not. If both
services are running on the same port, the
mobile device will erroneously pop-up
certificate prompts during the enrollment
process, which may be confusing to the
end users.
1. Select
Setup > Settings > Server and then click the Edit icon
in the Device Check-in Settings section.
2. Set the
Check-in Port the Mobile Security Manager will listen
on for device check-in requests. By default, the port is set to 443.
However, as a best practice, you should change the device
check-in port to 7443 or 8443 and enrollment to prevent users
from sometimes being prompted for a client certificate when
enrolling.
3. By default, the Mobile Security Manager will send push
notifications to the devices it manages every 60 minutes to
request check-in. To change this interval, enter a new
Device
Check-in Notification Interval
(range: 30 minutes to 1440
minutes).
4. Click
OK to save the settings.
Step 3 (Optional) If the MGT port on the
Mobile Security Manager does not have
access to the Internet, configure service
routes to enable access from the device
check-in interface to the required external
resources, such as the Apple Push
Notification Service (APNs) and the
Google Cloud Messaging (GCM) service
for sending push notifications.
1. Select
Setup > Settings > Services > Service Route
Configuration
.
2. Click the
Select radio button.
3. Click in the
Interface column that corresponds to the service
for which you want to change the service route and then select
the ethernet1 interface.
4. Repeat these steps for each service you want to modify. For the
purposes of setting up the ethernet1 interface for device
check-in, you will want to change the service route for
Push
Notification
. If you do not have Internet access from the MGT
interface, you must change all service routes to this interface.
5. Click
OK to save the settings.
Set Up the Mobile Security Manager for Device Check-In (Continued)