Multitenancy Setup for Enrollment and Apple iOS Management Extender

This page has not been liked. Updated 1/16/14, 7:22 AM by Dan_IBMTags: None


The main goal for multitenancy support for MDM is to provide tools to drive multitenancy using the BigFix platform as much as possible. This means making the various components themselves multi-tenant aware, as well as providing a property to serve as the basis for Console management rights. This property is called an "enrollment tag".

Due to the single-tenant nature of Exchange and Lotus Traveler, these plugins themselves have not been made multi-tenant. An option has been added to the Setup and Configuration Wizard that allows configuring a per-extender enrollment tag. All devices reported by this plugin will be marked with this tag. It is strongly recommended to install one instance of the Exchange Plugin per Exchange Extender machine in multi-tenant mode. Similarly, it is strongly recommended to install one instance of the Traveler Plugin per Traveler Extender machine.

The Enrollment and Apple iOS Management Extender, however, has undergone more extensive improvement. Multitenancy support in the iOS extender allows management of multiple, distinct groups of devices from one iOS extender. This feature provides unique APNS connections between groups, customizable configuration and enrollment, and sensitive data share prevention. Android devices enroll through the enrollment server and are thus marked with an enrollment tag in a similar way as iOS devices. Due to the complications regarding configuration of the iOS extender and enrollment server, its configuration is not supported via content in this initial release. This document will help describe how to configure the iOS extender and enrollment server in an multi-tenant environment.



The multitenancy installation process is the same as with a regular iOS extender using the deployment Fixlet. From this point on, the rest of the configuration steps are completed outside of content. This configuration is completed using a command-line utility located in “<program files>\BigFix Enterprise\Management Extender\MDM Provider\utils\mdmios.bat”. Open a command prompt with administrator privileges to the “MDM Provider\utils” folder to perform any of the following configuration steps.

Note: Any text in monospace font indicates a command to run on this command line. The iOS extender should not have to be restarted before/after these commands.


Turning on multi-tenant mode

You must set your MDM deployment to “multi-tenant” mode. To do this, use the following steps:
  1. Launch the Tivoli Endpoint Manage Administration Tool.
  2. Click Advanced Options.
  3. Add an advanced option mdmAppsUsePrivate with a value of “1”.
  4. Set the server to “multi-tenant mode” for the rest of multitenancy to work:

    mdmios.bat config multitenant true


Configuring SSL certificates and hostname

When using an external alias, the Fixlet might provide an incorrect default hostname / DNS name. To change the hostname of the iOS extender and create new SSL certs to match this hostname, run the following command (replacing with the actual hostname you want to use):

mdmios.bat recreate_certs

If you are using officially signed SSL certificates, then you will need to place the files manually into the "MDM Provider/private" folder yourself. You should name the SSL private key as "ssl_key.pem", the certificate should be named "ssl_cert.pem", and if you have an intermediate certificate bundle, it should be named "ssl_bundle.pem". After putting these files in place, you must run the following command:

mdmios.bat recreate_keystore

Note: You must stop the service to run these commands.


Configuring MDM authentication

An important step to configure after deploying the iOS Extender and before enrolling any devices is to enable MDM authentication. This configuration setting is normally configured in the setup wizard, and is important to enable.

mdmios.bat config mdm_sign_messages true


Configuring Android Relay

To enroll Android devices through a multi-tenant enrollment server, configure an "android_relay" value that points to the TEM relay the device will register after successfully passing through the enrollment server. This process is similar to the hostname used above, as the iOS Extender always resides on a relay.


mdmios.bat config android_relay


Adding an enrollment tag

Adding an enrollment tag is equivalent to adding a customer / tenant to this extender. This process requires specifying three values: the tag ID, the URL tag, and the tag display name / organization name.

mdmios.bat tag_init <tag id> <url tag> <organization name>

The tag ID value is the value that is meaningful to your organization, and is the value that the device will later report as its “enrollment tag”. The URL tag corresponds to enrollment URL that maps to this tag.
mdmios.bat tag_init 12 foo Foo, Inc
mdmios.bat tag_init 24 blah Blah Corporation
This creates two tags with IDs "12" and "24", which are mapped to by external URLs "/c/foo" and "/c/blah". These tags perform the following actions:
  • Creates a directory "MDM Provider\tags\<tag id>" to store tag-specific files
  • Configures the main config.yaml to be aware of the new enrollment tag
  • Generate an APNS CSR in order to obtain an APNS push certificate for this tag (obtainable at:<url tag>/csr)
After downloading this CSR file, send an email to and attach the push.csr file. Please use the email subject of: "MDM APNS CSR <organization name>". After you get your signed file from IBM, go to and create a new certificate with this CSR. When you get successfully download the certificate from Apple's website, rename it to "push.cer" and place it manually into the "tags\<tag id>\private" folder. Then, devices can be enrolled in basic mode at the URL:<url tag>


Various enrollment tag specific URLs

The URL tag is the means by which the enrollment server decides which configuration to Assume your management extender is at URL "".

  • Enrollment:
  • CSR:
  • Diagnostics:


Removing an enrollment tag

To remove an enrollment tag, run the following command:

mdmios.bat tag_remove <tag id>

Note: This will delete this tag's folder under the "tags" directory and removes its configuration and APNS certificate. This requires that there are no devices currently enrolled under this enrollment tag. If you run tag_remove and there are still devices enrolled under this tag, it will warn you with a list of device ids that are still enrolled. Use Fixlet #116 to remove the MDM profile from these devices. If the devices are unresponsive or did not notify the server of their unenrollment, you may forcibly mark these devices as unenrolled by running the following command:

mdmios.bat unenroll <device id>


Configuring authenticated enrollment

There are two different options when configuring authenticated enrollment as a step up from basic mode: LDAP or SAML. LDAP authentication is identical to what has been supported by the TSP since MDM 1.1 and can be run in either "password" or "pin" mode. LDAP authentication requires some configuration steps on the iOS extender, and some configuration on the TSP.


Install Trusted Services Provider

Run Fixlet 143: “Deploy Trusted Service Provider”, which is found under Setup and Configuration>Manage Components>Deploy MDM Components.
You can install the TSP on the iOS Extender for testing, but as a best practice install the TSP on a separate computer within your corporate intranet.
Note: The following examples assume that there is a tag with the ID "12" and a URL tag of "foo", which are configured on iOS management extender "". If your ID and URL tags are different, then make sure to use your tag ID in the commands below.

Use the below process to configure a tag-specific value:
mdmios.bat tag_config <tag id> <key> <value>

Configuring iOS extender for LDAP / TSP authentication:

You must first configure the iOS extender to put it in an enrollment mode to require authentication, and then point it to the TSP to authenticate with.
mdmios.bat tag_config 12 enrollment_mode "password"
mdmios.bat tag_config 12 auth_type LDAP
mdmios.bat tag_config 12 tsp_host
If the TSP is not unique per customer, there does not need to be a specific TSP configuration for this tag. It will inherit it from the master config.yaml setting.
mdmios.bat tag_config 12 auth_header_text "Enter your email address and your password"
mdmios.bat tag_config 12 auth_user_label "Email"
mdmios.bat tag_config 12 auth_pass_label "Password"

Configuring the TSP for LDAP authentication:

The next step is to configure the TSP itself to know how to authenticate with LDAP.
tsp.bat config ldap_host
tsp.bat config ldap_port 389
tsp.bat config ldap_admin_user "CN=Adminstrator,CN=Users,DC=company,DC=com"
tsp.bat config ldap_admin_pass "secret1234"
tsp.bat config ldap_base_dn "CN=Users,DC=company,DC=com"
tsp.bat config ldap_person_query "(&(objectclass=person)(mail=%s))"
tsp.bat config ldap_use_ssl true
tsp.bat config ldap_group_filter "(objectclass=groupOfNames)"
tsp.bat config ldap_allowed_groups "['one','two','three']"

SAML Authentication

See the SAML Authentication page for more details about configuring the iOS Extender for SAML authentication. Note that SAML Authentication may be used in single tenant environments and any config commands used during SAML Authentication will, by default, apply to the entire enrollment server. This may not be the desired behavior in a multitenancy environment.

When configuring the iOS Extender for SAML authentication in a multitenancy environment change any config commands into tag_config commands so they apply to specific enrollment tags only and do not apply to the entire enrollment server. The Tag ID must be included after the tag_config command, for example:

mdmios.bat config auth_type SAML

would become:

mdmios.bat tag_config foo auth_type SAML

where foo is the Tag ID.

In addition, when setting up SAML Authentication in a multi-tenant environment, note the use of the auth_enrollment_tag_attribute. This attribute is discussed in greater detail within the SAML Authentication documentation.


Custom Enrollment Questions

To generate custom enrollment questions, manually enter the commands listed below. The questions are in a JSON format. It is best to generate an action in the dashboard, and then copy the "createfile" portion of the action and manually import it:

mdmios.bat tag_config foo enrollment_mode "pin"

mdmios.bat import enrollment_question_set "c:\your-qs.json" "foo"

Note: After manually copying the createfile from the action, replace all double open curly braces "{{" to a single brace "{". The double-brace is an escaping method used in actionscript.

Note: After importing these enrollment questions, the enrollment tag you configured it for will be configured again for LDAP authentication. This is due to the "auth_type" field (set to LDAP by default) in the questions JSON file. If you are using SAML, you will need to reconfigure the auth_type to be SAML just as above (repeated here for clarity):

mdmios.bat tag_config foo auth_type "SAML"