Core Configuration files
MDM Core has multiple configuration files. The main configuration file, /etc/mdmcore/core.config, contains settings that are applicable to the core as a whole. Individual services may have their own app.config or web.config files as well.
Core.config file
This file contains settings that affect all core services. It contains the database connection string, the database encryption key, and log settings for individual services.
DBConnectionString
This is the connection string used to connect to the database. It has three fields:
PrivateKey
This is the key that is used to encrypt sensitive fields in the database.
Caution: Changing this field prevents the MDM Core services from accessing fields that have been encrypted with a previous key, including any devices that have been registered previously.
Logging configuration
MDM Core uses NLog as its log engine. NLog is highly configurable in its retention policy, message granularity, and log locations. The Core is set to log each service's log messages to its own file. By default, these files are located in /usr/local/mdmcore/log. Log granularity is set to Debug and log files are set to rotate when their size reaches 10MB. For more information on how NLog can be configured, see this link: https://github.com/nlog/NLog/wiki/Configuration-file.
App.config files
App.config files are configuration files used for the Core's system services. These files do not need to be modified.
Web.config files
Web.config files are similar to App.config files, but exist for web services. These files do not need to be modified.
Core monitoring
The MDM Core system services are monitored by monit. Services are checked every 30 seconds. If a service is not running, its init script is called. These scripts can be found in /etc/init.d and start with "Mdm*". By default, monit tries 3 times to restart a service. If it fails to start it during these attempts, it times out and no further effort is made to start it. For more information on monit, see this link: http://mmonit.com/monit/documentation/monit.html.
The MDM Core web services are hosted and monitored by Apache. Some of that behavior is configurable (see the following section); independently of that, you can confirm that a web service is available by running the curl command locally against its Alive endpoint. For example:
CertInstall: curl http://localhost/certinstall/CertificateInstallerService.asmx/Alive
Challenge: curl http://localhost/challenge/ChallengeService.asmx/Alive
DemandCommand: curl http://localhost/iosws/DemandCommandService.asmx/Alive
OTA Enrollment: curl http://localhost/iosone/Enroll.aspx
OTA Configuration: curl http://localhost/iosone/Config.aspx
MDM: curl http://localhost/iosone/MDM.aspx
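A small health-check script that polls the endpoints listed above and reports which services answer, added here as an example and not part of the MDM Core distribution. It assumes curl is installed, as the documentation does; FETCH_CMD and PROBE_TIMEOUT are assumed override variables so the loop can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the MDM Core documentation): poll the "Alive"
# endpoints of the core web services and report which ones respond.

# name=url pairs, exactly the endpoints the documentation lists.
MDM_ENDPOINTS='
CertInstall=http://localhost/certinstall/CertificateInstallerService.asmx/Alive
Challenge=http://localhost/challenge/ChallengeService.asmx/Alive
DemandCommand=http://localhost/iosws/DemandCommandService.asmx/Alive
OTAEnrollment=http://localhost/iosone/Enroll.aspx
OTAConfiguration=http://localhost/iosone/Config.aspx
MDM=http://localhost/iosone/MDM.aspx
'

# Probe one URL. -f makes curl exit non-zero on HTTP 4xx/5xx, -s keeps it
# quiet, and --max-time bounds a hung service so the check never stalls.
# FETCH_CMD (assumed hook) defaults to curl; PROBE_TIMEOUT defaults to 5s.
probe_url() {
    "${FETCH_CMD:-curl}" -sf --max-time "${PROBE_TIMEOUT:-5}" -o /dev/null "$1"
}

# Probe every endpoint, print one status line each, and return the number
# of services that did not answer (0 means all six are healthy).
check_core_services() {
    failed=0
    for entry in $MDM_ENDPOINTS; do
        name=${entry%%=*}
        url=${entry#*=}
        if probe_url "$url"; then
            printf '%-17s OK   %s\n' "$name" "$url"
        else
            printf '%-17s DOWN %s\n' "$name" "$url" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run the check only when MDM_HEALTH_RUN is set, so the file can also be
# sourced by other scripts (for example from cron or a monit check program).
[ -n "$MDM_HEALTH_RUN" ] && check_core_services
```

Run it as `MDM_HEALTH_RUN=1 sh mdm_health.sh`; the exit status is the number of services that did not respond.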
Apache Config File
Apache configuration specific to the MDM Core is located at /etc/httpd/conf.d/core/mdm_core.conf
. The contents of this file control security, scalability, reliability, and behavior for its web services. Under normal circumstances there should be no need to edit this file, but if necessary it can be modified to suit your environment.
Table: Apache config file settings

| Setting | Default | Description |
| --- | --- | --- |
| MonoMaxActiveRequests | 1000 | How many web requests will be served concurrently before requests are put in waiting. |
| MonoMaxWaitingRequests | 100 | How many web requests can be placed in waiting before incoming requests are dropped. |
| MonoAutoRestartMode | Requests | Restart based on the number of web requests served. We do not recommend changing this setting. |
| MonoAutoRestartRequests | 1100 | How many web requests to serve before cleaning house and restarting mod_mono. This occurs quietly and does not affect ongoing operation. |
| MonoSetEnv | MONO_STRICT_MS_COMPLIANT=yes | Enforce strict Microsoft interpretation of XML. Do not change this setting. |
| MonoDebug | true | Provides additional information in stack traces. We recommend keeping this on as it will make it easier for you to communicate any errors that occur. |
| MonoServerPath | /opt/mono/bin/mod-mono-server4 | Location of the mod_mono server. Unless you have moved this prerequisite on your system, do not change this setting. |
| MonoAutoApplication | Disabled | Controls auto discovery and hosting of Mono applications. We do not recommend changing this setting as it may result in a less secure system. |
More information on the above settings can be found here: http://www.mono-project.com/Mod_mono
The following table describes the SSL configuration file (/etc/httpd/conf.d/ssl.conf).
Table: SSL configuration file

| Setting | Default | Description |
| --- | --- | --- |
| SSLEngine | ON | Turns on Apache's SSL Engine. We do not recommend changing this setting. |
| SSLProtocol | all -SSLv2 | What SSL protocols are acceptable. We do not recommend changing this setting. |
| SSLCipherSuite | ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW | Cipher specifications permitted for use in SSL handshakes. We do not recommend changing this setting as it may have security implications. |
| SSLCertificateFile | /usr/local/mdmcore/certs/sign.crt | Location of the SSL certificate (public key). PEM format. |
| SSLCertificateKeyFile | /usr/local/mdmcore/certs/sign.key | Location of the SSL certificate's matching private key. PEM format. |
| SSLCertificateChainFile | /usr/local/mdmcore/certs/gd_bundle.crt | Chain containing the certificates necessary for trust. PEM format. |
| RewriteEngine | ON | Turns on the rewrite engine. We do not recommend changing this setting as it may have security implications. |
| RewriteLog | /var/log/httpd/rewrite.log | Location to log rewrite activity. |
| RewriteCond | %{HTTPS} off %{REMOTE_HOST} !localhost %{REMOTE_HOST} !127.0.0.1 | Establishes a rewrite condition that excludes HTTPS traffic and traffic from localhost. We do not recommend changing this setting as it may have security implications. |
| RewriteRule | (.*) https://%{HTTP_HOST}%{REQUEST_URI} | Establishes a rewrite rule that moves all outside HTTP traffic over to HTTPS. We do not recommend changing this setting as it may have security implications. |
| SSLOptions | +ExportCertData +StdEnvVars | Instructs Apache to pass certificate information to mod_mono and create environment variables for CGI/SSI that relate to handling SSL traffic. We do not recommend changing these settings as it may result in unexpected behavior and can compromise security. |
More information on the above settings can be found here: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
Core Database Settings
The settings for the MDM Core's web and system services are located in the AppConfigurations table, and listed below.
Table: Core Database Settings

| AppKey | Property | Type | Description |
| --- | --- | --- | --- |
| CertificateInstallerService | IsMono | bool | Set to true if running on Mono, false if running on .NET. |
| OSIMDMHandler | LogEvent | bool | Deprecated. Do not use. |
| OSIMDMHandler | LogStatus | bool | Deprecated. Do not use. |
| OSIMDMHandler | EmailNotify | string | Deprecated. Do not use. |
| OSIMDMHandler | SmtpServer | string | Deprecated. Do not use. |
| OSIMDMHandler | InventoryMSMQName | string | Location of the message queue for inventory. |
| OSIMDMHandler | IsMono | bool | Set to true if running on Mono, false if running on .NET. |
| OSIMDMHandler | RejectDevicesWithNoMDMSignature | bool | Reject devices that do not provide an MDM Signature. Set to false. |
| OSIMDMHandler | DisableCertificateCheckForCommands | bool | Do not validate a device's client certificate when it contacts the server to retrieve commands. Set to false. |
| OSIMDMHandler | DisableCertificateCheckForCheckIn | bool | Do not validate a device's client certificate when it contacts the server with check-in information. Set to True. |
| OSIMDMHandler | CertificateCheckExpiration | int | After a device's client certificate has been validated, do not validate it again for the specified number of seconds. |
| OSIMDMHandler | CertificateRevocationCheckMode | string | If "NoCheck", the certificate revocation list is not used. If "Offline", only the local certificate revocation list is used. If "Online", the certificate revocation list specified in the certificate is used. Also in the configuration service. |
| OSIDemandCommandDemandCommandServiceService | DemandCommandMSMQName | string | Location of the message queue for iOS demand commands. |
| APNSService | APNSHost | string | Set this to "gateway.push.apple.com". |
| APNSService | APNSConnectionHoldMinutes | double | Defaults to 1. Number of minutes to hold the APNS connection open. This is to avoid spamming APNS. |
| APNSService | APNSPort | int | Set this to 2195. |
| APNSService | APNSReconnectInterval | int | The connection to APNS (per tenant) will be torn down and rebuilt after the specified number of minutes. |
| APNSService | APNSFeedbackPort | int | Set this to 2196. |
| APNSService | FeedbackPath | string | File location to place feedback. |
| APNSService | APNSFeedbackHost | string | Set this to "feedback.push.apple.com". |
| APNSService | APNSPath | string | The base location of the push notification message queue. By default, .\\Private$. |
| APNSService | FeedbackInterval | int | How often to collect feedback from APNS, in minutes. |
| APNSService | IsMono | bool | Set to true if running on Mono, false if running on .NET. |
| APNSService | MainLoopPauseSeconds | int | Amount of time in seconds that the APNS Service will wait between checks for requests. |
| APNSService | MaxMessagesPerPoll | int | Number of messages that the service will process every time it checks for requests. |
| APNSService | MaxThreadPoolThreads | int | Maximum number of threads the APNS service is allowed to generate. |
| APNSService | MDMPushCollapseSeconds | double | Amount of time in seconds that the service will wait before sending APNS Push requests. Setting this to 0 sends right away. |
| APNSService | PushCertRefreshIntervalSeconds | int | Amount of time in seconds that the service will wait between refreshes of an in-memory dictionary of push certificates. Defaults to 300 seconds (5 min). |
| InventoryProcessingService | InventoryMaxThreadCount | int | Maximum number of threads that can be running at the same time. |
| InventoryProcessingService | InventoryQueueTimeout | int | How many seconds to wait when pulling from the inventory queue before timing out. Only used if IsMono is set to true. |
| InventoryProcessingService | InventoryMSMQName | string | The location of the iOS inventory queue. By default, .\\Private$\\Inventory. |
| InventoryProcessingService | IsMono | bool | Set to true if running on Mono, false if running on .NET. |
| InventoryProcessingService | InventoryTimeout | TimeSpan | The amount of time an InventoryThread can run before being terminated. Default is "00:01:30". |
| CommandService | DemandMaxThreadCount | string | Maximum number of threads that can be running at the same time. |
| CommandService | DemandThreadTimeout | TimeSpan | The amount of time a DemandThread can run before being terminated. Default is "00:01:30". |
| CommandService | DemandCommandMSMQName | string | The location of the iOS demand queue. By default, .\\Private$\DemandCommand. |
| CommandService | APNSPath | string | The base location of the push notification message queue. By default, .\\Private$. This should match the APNSPath property in the APNSService. |
| CommandService | CheckForDuplicates | bool | If true, a message will only be placed on the push notification message queue if one is not already there. |
| CommandService | IsMono | bool | Set to true if running on Mono, false if running on .NET. |
| CommandService | DemandCommandQueueTimeout | int | How many seconds to wait when pulling from the demand queue before timing out. Only used if IsMono is set to true. |
| InventoryProcessingService | DemandCommandService | string | URL of the DemandCommand web service in this environment. Must be reachable from wherever the InventoryProcessing service is located. |
| Configuration and Command services | Verisign_mPKI_URL | string | Not currently in use. |
| Configuration, Inventory, MDM Handler, and Enrollment services | JsonProcessingService | string | |
| ConfigurationService | DisableCertificateCheck | bool | Set to true to disable all certificate checks in the configuration service. Set to false. |
Other Important Tables:
DeviceIos - Contains information about all known (to MDM Core) iOS devices. UDID can be found here along with the password reset code, push token, magic, encryption certificate, and other information necessary to manage devices.
Certificates - Any certificates (including private keys) that were installed via the CertificateInstallerService can be found here. All relevant information for the certificate is located in this table. (Thumbprint, Subject, Type). You can look in this table to determine if the APNS certificate got installed correctly.
ChallengeTimeStamp - All challenges get stored here until they are used, or expire.
Setting the logging level (mdmcore.log)
The logging level is defined within /etc/mdmcore/Core.config. At the bottom of the file, there is a rules section where the minLevel can be set for the level of tracing that should be done for each of the services. By default this is set to "Debug", but it is helpful to have this set to "Trace" for debugging issues. There are about 10 lines to update (e.g., MDMHandler, CommandService, InventoryProcessingService, iOS rules, and so on).
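The following NLog fragment illustrates both logging settings the documentation describes, one file per service under /usr/local/mdmcore/log rolled at 10MB, and the rules block where minlevel is raised from the default Debug to Trace for one service. It is an added example, not the shipped Core.config; the target names, logger name patterns and archive count are assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <targets>
    <!-- One file per service under /usr/local/mdmcore/log. archiveAboveSize is
         in bytes, so 10485760 rolls the file at 10MB as the documentation states.
         Target names (mdmhandler, commandservice) and maxArchiveFiles are assumed. -->
    <target xsi:type="File" name="mdmhandler"
            fileName="/usr/local/mdmcore/log/MDMHandler.log"
            archiveFileName="/usr/local/mdmcore/log/MDMHandler.{#}.log"
            archiveNumbering="Rolling" archiveAboveSize="10485760"
            maxArchiveFiles="10"
            layout="${longdate} ${level:uppercase=true} ${logger} ${message} ${exception:format=tostring}" />
    <target xsi:type="File" name="commandservice"
            fileName="/usr/local/mdmcore/log/CommandService.log"
            archiveFileName="/usr/local/mdmcore/log/CommandService.{#}.log"
            archiveNumbering="Rolling" archiveAboveSize="10485760"
            maxArchiveFiles="10"
            layout="${longdate} ${level:uppercase=true} ${logger} ${message} ${exception:format=tostring}" />
  </targets>
  <rules>
    <!-- minlevel is the value the text refers to. Debug is the shipped default;
         while troubleshooting, change it to Trace on the rule for the service
         in question (there is one rule per service). Trace output is far more
         verbose, so revert it once the issue is resolved. -->
    <logger name="MDMHandler*"     minlevel="Debug" writeTo="mdmhandler" />
    <logger name="CommandService*" minlevel="Trace" writeTo="commandservice" />
  </rules>
</nlog>
```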