GlobalProtect Administrator’s Guide
Set Up the GlobalProtect Mobile Security Manager
Set Up the Mobile Security Manager for Device Management
Step 4 (Optional) Configure the Mobile Security Manager to integrate with an existing enterprise SCEP server for issuing identity certificates to iOS devices.

The benefit of SCEP is that the private key never leaves the mobile device.

If you plan to use SCEP to issue identity certificates, make sure that the iOS devices that will be enrolling have the proper CA root certificates to enable them to establish a connection with your SCEP server.

1. Configure the Mobile Security Manager to access the SCEP server and define the certificate properties to use when issuing identity certificates as described in Set Up a SCEP Configuration.
2. Enable SCEP on the Mobile Security Manager:
   a. Select Setup > Settings > Server and then click the Edit icon in the SCEP Settings section.
   b. Select the SCEP check box to enable SCEP.
   c. Select the SCEP configuration you just created from the Enrollment drop-down.
   d. (Optional) If you want the Mobile Security Manager to verify the client certificate the SCEP server issued to the device before completing the enrollment process, you must import the SCEP server’s root CA certificate and create a corresponding Certificate Profile.
   e. Click OK to save the settings.

Step 5 Configure the enrollment settings.

1. Select Setup > Settings > Server and then click the Edit icon in the Enrollment Settings section.
2. Enter the Host Name of the device check-in interface (FQDN or IP address; it must match what is in the CN field of the Mobile Security Manager certificate associated with the device check-in interface).
3. (Optional) Set the Enrollment Port the Mobile Security Manager will listen on for enrollment requests. By default, it is set to 443 and it is recommended that you leave it set to this value and use a different port number for the device check-in port.
4. Enter the Organization Identifier and optionally an Organization Name to be displayed on the configuration profiles that the Mobile Security Manager pushes to the devices.
5. (Optional) Enter a Consent Message that lets users know that they are enrolling in your device management service. Note that this message will not be displayed on devices running iOS 5.1.
6. Select the CA certificate the Mobile Security Manager should use to issue the certificates from the Certificate Authority drop-down and optionally modify the Identity Certificate Expiration value (default 365 days; range 60 to 3650 days).
7. Click OK to save the settings.
Set Up the Mobile Security Manager for Enrollment (Continued)
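
The constraints in Step 5 (Host Name matching the certificate CN, a check-in port different from the enrollment port, expiration between 60 and 3650 days) can be checked before the values are entered. The following is an added example, not part of the guide or the product: the settings keys and sample values are hypothetical, and the certificate is assumed to be a dict in the layout that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

# Identity Certificate Expiration range stated in Step 5 of the guide.
MIN_EXPIRY_DAYS, MAX_EXPIRY_DAYS = 60, 3650


def subject_cn(cert):
    """Return the commonName from a dict shaped like getpeercert() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def same_host(a, b):
    """Compare IP literals numerically and FQDNs case-insensitively."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.rstrip(".").lower() == b.rstrip(".").lower()


def preflight(settings, checkin_cert):
    """Return a list of problems with the planned enrollment settings."""
    problems = []
    cn = subject_cn(checkin_cert)
    if cn is None:
        problems.append("check-in certificate has no CN")
    elif not same_host(settings["host_name"], cn):
        problems.append(f"Host Name {settings['host_name']!r} does not match CN {cn!r}")
    if settings["enrollment_port"] == settings["checkin_port"]:
        problems.append("enrollment and device check-in ports should differ")
    if not MIN_EXPIRY_DAYS <= settings["identity_cert_days"] <= MAX_EXPIRY_DAYS:
        problems.append("Identity Certificate Expiration outside 60 to 3650 days")
    return problems


# Constructed sample data (hypothetical names, ports and certificate subject).
SAMPLE_CERT = {"subject": ((("organizationName", "Example Corp"),),
                           (("commonName", "mdm.example.com"),))}
SAMPLE_SETTINGS = {"host_name": "MDM.example.com", "enrollment_port": 443,
                   "checkin_port": 8443, "identity_cert_days": 365}

if __name__ == "__main__":
    for line in preflight(SAMPLE_SETTINGS, SAMPLE_CERT) or ["settings are consistent"]:
        print(line)
```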