15.8.4 Specifying settings to link with an MDM system
To obtain smart device information from an MDM system and manage it in JP1/IT Desktop Management 2, you must specify information for connecting to the MDM system and the schedule for obtaining the smart device information.
Important: Only a single MDM linkage setting can be specified for each MDM server. If more than one setting is specified for a single MDM server, JP1/IT Desktop Management 2 might fail to control smart devices.

To set information for linking with JP1/IT Desktop Management 2 - Smart Device Manager:

1. Display the Settings module of JP1/IT Desktop Management 2.
2. In the menu area, select General and then MDM Linkage Settings.
3. In the information area, click the Add button in MDM Linkage Settings.
4. In the displayed dialog box, specify the following information:
   - MDM system: Select JP1/ITDM2 - SD Manager.
   - Hostname and port number of MDM Server: Specify the same hostname as the host on which you installed JP1/IT Desktop Management 2 - Smart Device Manager. Do not specify its IP address. Specify the linkage SSL port number of JP1/IT Desktop Management 2. The default port number is 26055.
   - URL: Specify the URL in the following form:
       https://hostname:port-number/jp1itdm2sdm/jp1itdm2sdm-login.htm
     hostname is the same hostname as the host on which you installed JP1/IT Desktop Management 2 - Smart Device Manager. port-number is the port number of the Management Console of JP1/IT Desktop Management 2 - Smart Device Manager. The default port number is 26080.
     Example: https://SDMServer:26080/jp1itdm2sdm/jp1itdm2sdm-login.htm
   - User ID and Password: Specify the user ID and password you set on the Management Console of JP1/IT Desktop Management 2 - Smart Device Manager. The user ID must be defined as follows:
       User ID: JP1MDMYYYXX@server01.jp1mdm.hitachi.jp
       YYY: a decimal number (range 001 to 999), XX: a decimal number (range 01 to 05)
       Rights: Administrator
5. Click the Test button to check whether a connection to JP1/IT Desktop Management 2 - Smart Device Manager can be established.
6. Edit Collection Schedule. Specify the schedule if you want to update the smart device information regularly according to a fixed schedule.
7. Click OK.
8. In the information area, click the Edit button in Edit Discovery Option.
9. In the displayed dialog box, specify whether discovered smart devices are to be managed automatically.
To set information for linking with an MDM system:

When using Microsoft Intune as your MDM system, steps 1 to 3 are not necessary. Instead, follow the procedure for registering the root CA certificate in the Java keystore in "Additional settings for using Microsoft Intune as MDM system" below.

1. Obtain a server certificate for the MDM product.
   a. In the Web browser, access the portal of the MDM product.
   b. Export the server certificate to a file.
      For Internet Explorer:
      (i) Right-click the window, and select Properties, Certificates, Details, and then Copy to File.
      (ii) Use the certificate export wizard to export the certificate in the DER encoded binary X.509 format.
      For Firefox:
      (i) Right-click the window, and select View Page Info, Security, View Certificate, Details, and then Export.
      (ii) In the dialog box for saving certificates, save the certificate in the X.509 Certificate (DER) format.
2. Copy the server certificate obtained in step 1 to the management server.
3. Import the server certificate into the management server. Execute the following command at the command prompt of the management server:
   <JP1/IT Desktop Management 2 - Manager installation folder>\mgr\uCPSB\jdk\jre\bin\keytool.exe -import -keystore <JP1/IT Desktop Management 2 - Manager installation folder>\mgr\uCPSB\jdk\jre\lib\security\cacerts -file <server certificate path> -alias <server certificate alias>#
   #: server certificate path is the path of the server certificate copied in step 2. server certificate alias is the name under which the imported server certificate is stored in the keystore; you can specify any name for the alias.
   When the command is executed, you are asked to type a password to import the server certificate. Type the password. The default password is changeit.
4. Display the Settings module of JP1/IT Desktop Management 2.
5. In the menu area, select General and then MDM Linkage Settings.
6. In the information area, click the Add button in MDM Linkage Settings.
7. In the displayed dialog box, specify information about the MDM system to be connected to.
8. Click the Test button to check whether a connection to the specified MDM system can be established.
9. Edit Collection Schedule. Specify the schedule if you want to update the smart device information regularly according to a fixed schedule.
10. Click OK.
11. In the information area, click the Edit button in Edit Discovery Option.
12. In the displayed dialog box, specify whether discovered smart devices are to be managed automatically.

The smart device information is obtained from the MDM system according to the schedule specified in MDM Linkage Settings.

To link with MobileIron, you must assign API permission in MobileIron to the user ID specified in MDM Linkage Settings.
Additional settings for using Microsoft Intune as MDM system:

When working with Microsoft Intune, you must register the following root CA certificate in the Java keystore of the PC where JP1/IT Desktop Management 2 - Manager is installed. After registering the certificate in the Java keystore, restart the JP1/IT Desktop Management 2 service.
- DigiCert Global Root CA

If this root CA certificate is not registered in the Java keystore, download the root CA certificate file from DigiCert's Web site and run the following command at the command prompt:
<JP1/IT Desktop Management 2 - Manager installation folder>\mgr\uCPSB\jdk\jre\bin\keytool.exe -import -file <path of DigiCertGlobalRootCA.crt> -alias DigiCertGlobalRootCA -keystore <JP1/IT Desktop Management 2 - Manager installation folder>\mgr\uCPSB\jdk\jre\lib\security\cacerts
When you run the command, you are prompted for a password to import the root certificate. Type the password. The default password is changeit.

Also, register in Microsoft Entra ID the app that enables JP1/IT Desktop Management 2 - Manager to communicate with Microsoft Intune. Set the following items; settings that are not listed can be left at their default values. Then set the application (client) ID and directory (tenant) ID of the registered app in the MDM server information.
- Authentication - Allow public client flows: Yes
- Certificates & secrets: Select either "Certificates" or "Client secrets".
  For "Certificates", upload the public key certificate file of the client certificate obtained from the certification authority to Microsoft Entra ID, and store the private key certificate file in the following folder on the management server. Name the file IntuneCert.pem.
    <JP1/IT Desktop Management 2 - Manager installation folder>\mgr\temps
  For multi-tenant management servers:
    <JP1/IT Desktop Management 2 - Manager installation folder>\mgr\tenant\<tenant name>\mgr\temp
  For "Client secrets", set the generated client secret value in the MDM server information.
- API permissions: Specify "Microsoft Graph" as the API to be accessed. Also set the following items:
  - What type of permissions does your application require?: Application permissions
  - Permission:
    - DeviceManagementManagedDevices.Read.All
    - DeviceManagementManagedDevices.PrivilegedOperations.All
Additional settings for using Google Workspace as MDM system:

When working with Google Workspace, you must register the following root CA certificate in the Java keystore of the PC where JP1/IT Desktop Management 2 - Manager is installed. After registering the certificate in the Java keystore, restart the JP1/IT Desktop Management 2 service.
- DigiCert Global Root CA

If this root CA certificate is not registered in the Java keystore, download the root CA certificate file from the DigiCert website and run the following command at the command prompt:
<JP1/IT Desktop Management 2 - Manager installation folder>\mgr\uCPSB\jdk\jre\bin\keytool.exe -import -file <path of DigiCertGlobalRootCA.crt> -alias DigiCertGlobalRootCA -keystore <JP1/IT Desktop Management 2 - Manager installation folder>\mgr\uCPSB\jdk\jre\lib\security\cacerts
When the command is executed, you are asked to type a password to import the root certificate. Type the password. The default password is changeit.
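Every keytool import on this page (the MDM server certificate in step 3 of the MDM linkage procedure, DigiCert Global Root CA for Microsoft Intune and Google Workspace, and GTS Root R1 in the Google Workspace steps) adds a trust anchor to the cacerts keystore of the JRE bundled with JP1/IT Desktop Management 2 - Manager, so a wrong or tampered file would make the manager trust a server it should not. The following PowerShell script is an added example, not part of the JP1/IT Desktop Management 2 manual or product: it checks the subject, validity period and SHA-256 fingerprint of a DER certificate file before importing it with the same keytool command the manual gives, and skips the import when the alias is already present. The parameter names, the script file name and the fingerprint placeholder are assumptions; the keytool and cacerts paths and the default password changeit are the ones stated on this page.

```powershell
# Added example (not from the JP1/IT Desktop Management 2 manual or product).
# Verifies a DER-encoded certificate before importing it into the bundled JRE's cacerts
# keystore with keytool. Parameter names and the fingerprint placeholder are assumptions;
# the keytool and cacerts paths and the default password are the ones given in the manual.
#
# Usage (hypothetical file name Import-TrustedCert.ps1, run at an elevated prompt):
#   .\Import-TrustedCert.ps1 -InstallDir '<JP1/IT Desktop Management 2 - Manager installation folder>' `
#       -CertFile .\r1.crt -Alias GTSRootR1 -ExpectedSubjectCN 'GTS Root R1' `
#       -ExpectedSha256 '<SHA-256 fingerprint published at https://pki.goog/repository/>'
param(
    [Parameter(Mandatory)] [string] $InstallDir,
    [Parameter(Mandatory)] [string] $CertFile,           # DER file, e.g. DigiCertGlobalRootCA.crt or r1.crt
    [Parameter(Mandatory)] [string] $Alias,              # e.g. DigiCertGlobalRootCA or GTSRootR1
    [Parameter(Mandatory)] [string] $ExpectedSubjectCN,  # CN the file must carry, e.g. 'DigiCert Global Root CA'
    [Parameter(Mandatory)] [string] $ExpectedSha256,     # fingerprint copied from the CA's own repository page
    [string] $StorePass = 'changeit'                     # cacerts default password, as stated in the manual
)

$keytool  = Join-Path $InstallDir 'mgr\uCPSB\jdk\jre\bin\keytool.exe'
$keystore = Join-Path $InstallDir 'mgr\uCPSB\jdk\jre\lib\security\cacerts'
foreach ($p in @($keytool, $keystore, $CertFile)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}
$certPath = (Resolve-Path -LiteralPath $CertFile).Path

# 1. Parse the file as X.509 and confirm it is the certificate the manual names.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $certPath -ErrorAction Stop
$cnPattern = 'CN=' + [regex]::Escape($ExpectedSubjectCN) + '(,|$)'
if ($cert.Subject -notmatch $cnPattern) { throw "Subject mismatch: $($cert.Subject)" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. A certificate's SHA-256 fingerprint is the hash of its DER bytes, so hashing the file
#    is enough; compare it with the value published by the CA, ignoring separators and case.
$actual   = (Get-FileHash -LiteralPath $certPath -Algorithm SHA256).Hash.ToUpperInvariant()
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) { throw "Fingerprint mismatch: file has $actual, expected $expected" }

# 3. Skip the import if the alias is already in cacerts (keytool -list exits non-zero when it is not).
$null = & $keytool -list -keystore $keystore -storepass $StorePass -alias $Alias 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Output "Alias '$Alias' is already registered in cacerts; nothing to import."
    return
}

# 4. Import with the manual's command. -noprompt is acceptable only because the checks
#    above have already accepted the file.
& $keytool -import -noprompt -keystore $keystore -storepass $StorePass -alias $Alias -file $certPath
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 5. Show the new entry; the manual requires a service restart for the change to take effect.
& $keytool -list -keystore $keystore -storepass $StorePass -alias $Alias
Write-Output "Imported '$Alias'. Restart the JP1/IT Desktop Management 2 service."
```

For the root certificates, pass the fingerprint shown on the CA's own repository page (the DigiCert site, or https://pki.goog/repository/ for GTS Root R1). For the MDM server certificate exported in step 1 of the linkage procedure, pass the fingerprint displayed in the browser's certificate viewer at the time of export; the same check then catches a file that was replaced between export and import.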
Then set up the linkage with the following steps:

1. Make sure your domain ownership has been verified by Google Workspace. If your domain ownership has not been verified, follow the Google Workspace procedure to verify it.
2. Register the following root CA certificate in the Java keystore of the PC where JP1/IT Desktop Management 2 - Manager is installed. After registering the certificate in the Java keystore, restart the JP1/IT Desktop Management 2 service.
   - GTS Root R1
   If this root CA certificate is not registered in the Java keystore, download the root CA certificate file as follows:
   - Download Website: Google Trust Services, https://pki.goog/repository/
   - Certification authority: GTS Root R1
   - Certificate Type: Certificate (DER)
   - File name: r1.crt
   Execute the following command at the command prompt:
   <JP1/IT Desktop Management 2 - Manager installation folder>\mgr\uCPSB\jdk\jre\bin\keytool.exe -import -file <path of r1.crt> -alias GTSRootR1 -keystore <JP1/IT Desktop Management 2 - Manager installation folder>\mgr\uCPSB\jdk\jre\lib\security\cacerts
   When the command is executed, you are asked to type a password to import the root certificate. Type the password. The default password is changeit.
3. Make the following settings in Google Workspace:
   - Create a Google Cloud project and enable the API
   - Enable the Admin SDK API
   - OAuth consent window settings
   - Change the organizational policy to allow the private key file to be created
   - Create a service account, create a key, and obtain the private key file
   - Delegate domain-wide permissions to the service account

   Google Workspace setting items and setting values are listed in the following table:

   Function | Setting items | Setting values | Default
   --- | --- | --- | ---
   Creating a Google Cloud Project | Project name | Enter any value | --
   Creating a Google Cloud Project | Organization | Select any organization | No organization
   Creating a Google Cloud Project | Location | Select anywhere | --
   Enabling the Admin SDK API | Admin SDK API | Enable (click Enable) | --
   OAuth consent window settings | User type | Select "External" | --
   OAuth consent window settings | App name | Enter any value | --
   OAuth consent window settings | User support e-mail | Enter any value | --
   OAuth consent window settings | Developer contact information | Enter any value | --
   OAuth consent window settings | Highly sensitive scopes | Set the following value: https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly | --
   Create for Service Account | Service Account Name | Enter any value | --
   Create for Service Account | Service Account ID | Enter any value | --
   Create for Service Account | Private key file | Select "JSON format" in create private key and download the private key file# | --
   Create for Service Account | Enable domain-wide delegation | No setting required | On
   Delegate domain-wide permissions to service account | Client ID | Enter the client ID obtained from the service account's secret key | --
   Delegate domain-wide permissions to service account | OAuth scope | Set the following value: https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly | --

   Legend: --: Not applicable
   #: Specify the downloaded private key file in Secret key file on the Add MDM server information (GWS integration) window or the Edit MDM server information (GWS integration) window.
   Important: Creating service account keys is disabled by default by organizational policy. For this reason, modify your organization policy in the following steps to enable service account key creation.

   1. As a Google Workspace user who has been assigned the privileged administrator role, log in to Google Cloud and assign the role for managing organizational policies to the user who creates the private key file, as shown in the following table.

      Function | Item | Setting contents
      --- | --- | ---
      Select a resource | Name | Created Google Cloud project name
      [IAM and Administration] - [IAM] - [Access allowed] | Principal | Google Cloud user who creates the private key file
      Edit privilege | Role | Assign the following roles: Organization Administrator; Organization Policy Administrator

   2. Log in to Google Cloud as the user to whom the role was assigned in step 1, and set the organizational policy as shown in the following table.

      Function | Item | Setting contents
      --- | --- | ---
      Select a resource | Name | A project of an organization type with the same name as the domain
      [IAM and Administration] - [IAM] - [Organizational Policy] | Policy name | constraints/iam.disableServiceAccountKeyCreation
      [IAM and Administration] - [IAM] - [Organizational Policy] | Policy source | Override the parent's policy
      [IAM and Administration] - [IAM] - [Organizational Policy] | Rules | Off

   Note that it may take as long as 15 minutes before the policy is applied. If the private key file of the service account cannot be created, wait for a while before you retry creating the private key file.
Important: When upgrading from JP1/IT Desktop Management 2 - Manager 11-01 to JP1/IT Desktop Management 2 - Manager 12-50 or later, re-import the root certificate after the upgrade to JP1/IT Desktop Management 2 - Manager 12-50 or later.

Tip: Discovered smart devices are managed according to the settings specified in Edit Discovery Option. If the discovered devices are not specified as devices to be managed automatically, you must specify the smart devices as management targets in the Discovered Nodes view of the Settings module in order to manage them.

Tip: After you import the server certificate obtained from the MDM system into the management server, if the server certificate is changed, you need to obtain the changed server certificate and re-import it into the management server.