Introduction to the AirWatch Remote Management Service

Introduction

The AirWatch Remote Management Service is a Java-based service that will relay communication between the AirWatch Admin Console and supported devices. In particular, it will relay communication between a Remote Management Agent installed on each device and the Remote Management Web Console, which is a Java Applet initiated from the AirWatch Admin Console. Through this service, administrators will be able to remotely perform actions such as Remote Control, File Manager, Registry Manager, etc.

The legacy remote management model used a proprietary, TCP-based protocol that was not based on standard application level protocols, and had limitations when used in a SaaS deployment model.  This updated service utilizes HTTP WebSockets, and supports the use of SSL for security.  RMS will be introduced with AirWatch 8.2.

Components

  • Remote Management Service (RMS) - This service brokers the remote management connection between the AirWatch Console and the Tunnel Agent client on the device.
  • Tunnel Agent - This client is installed on each device that will connect to the RMS.  In most devices it is contained within the Remote Management Agent.  In Windows Rugged it is a separate binary (exe) file.
  • Remote Management Agent - This agent is installed on the device to provide core remote management features such as Remote UI, File Manager, Registry Manager, etc.  The specific functionality available depends on the device platform.  Part of the Remote Management Agent is the Tunnel Agent, which handles the actual connection between the Remote Management Agent and RMS.
  • Web Console - The Web Console is a Java Applet launched from the AirWatch Admin Console.  An administrator can perform remote management functions through this Java Applet.
  • MDM Agent - The MDM Agent is installed on devices for enrollment.  The Remote Management Agent has a binary dependency on the MDM Agent, and cannot function unless the MDM Agent is installed.
  • Command Channel - The Command Channel is a WebSocket connection to RMS to register a particular device to RMS.  This channel will stay alive and wait for a data channel request.  There is one Command Channel per device remote management session.
  • Data Channel - The Data Channel is a WebSocket connection to RMS formed in response to a connection request from the Web Console.  The Data Channel will relay information between the device and Web Console.  There can be more than one Data Channel per device remote management session.

RMS Process Flow

An RMS connection is initiated between the AirWatch Admin Console and a device through the following process:

  1. An administrator opens the Java-based Remote Management Web Console applet for a particular device from the AirWatch Admin Console.  Upon opening the Web Console, a Connect command will be issued from the AirWatch Admin Console to AWCM.
  2. The AWCM server will send the Connect command directly to the device through the MDM Agent installed on the device.
  3. The Remote Management Agent on the device will initiate the Connect Channel with the RMS server.  At the same time, the Web Console will connect to the RMS server.
  4. The RMS will connect to the Device Services server to confirm that the device is enrolled and was able to properly authenticate its connection request.
  5. When the connection is established, data will be sent between the Web Console and Remote Management Agent on the device through RMS.  Any command issued to the device, and any data transmitted back, will follow this connection path.

[Image: RMS-ProcessFlow.png]

Tunnel Agent Process Flow

When transmitting data to and from a device, the following process flow will take place:

  1. The AWCM server will issue a Connect command to the MDM Agent on the device.
  2. The MDM Agent will invoke the Remote Management Agent to connect to RMS.
  3. The Remote Management Agent will initiate a Command Channel with RMS.
  4. Numerous Data Channels will be opened and transmit data to and from the Tunnel Agent as the administrator performs actions through the Web Console.

[Image: TunnelAgent-ProcessFlow.png]

Installation

RMS is installed with the standard AirWatch Admin Console installer.  When selecting the AirWatch Features to install, make sure Remote Management Server is selected under the AirWatch Device Services section.  If not already installed, the AirWatch installer will automatically install the Java Runtime Environment (JRE).  If installed separately, make sure to download the latest x64 build of the 1.8 version of the JRE, minimum version JRE 1.8 Update 51.  If you run into any issues after installing the JRE, you may need to update the TS_JAVA_HOME variable under System Environment variables to point to a newer version of the JRE and then restart the service.

Server Configuration

After the initial install, RMS must be configured in the AirWatch Admin Console by navigating to Settings > System > Enterprise Integration > Remote Management.  Specify the TCP port on which RMS listens for connections from the Web Console and whether these connections should be secured through SSL.  If SSL is enabled, you must upload a .PFX file containing the private key of a certificate used to encrypt the traffic.

If you have already configured RMS and are simply renewing the certificate used, select the Renew Cert option.  This will allow you to update the configuration without re-specifying the rest of the settings.

After selecting the appropriate configurations, select Download Remote Management Config Setup.  You will be asked to specify a password for the included certificates.  Copy the .ZIP file to the RMS server, extract the contents, and run RemoteManagementConfigSetup.exe.  Enter the certificate password and specify the target path of the Remote Management Installation Directory (by default {Directory}\RemoteControl\TunnelServer).  Select Configure and the settings will be applied to the environment.

[Image: RMS-TargetPath.png]

Client Configuration

Additionally, you must configure the client-side settings for RMS.  In the AirWatch Admin Console, navigate to Settings > Advanced > Site URLs.  Select Enable Tunnel Server and specify both the Web Tunnel Server Url and Web Tunnel Server Port.  These settings are what a device will use to connect to RMS.

Additionally, Agent Settings for the appropriate device platform must be configured under Settings > Devices & Users > {Platform} > Agent Settings.  Currently the QNX, Windows Rugged, Android, and OSX platforms are supported.  Under the Remote Management section, change the Mode to Web Socket.  Save the Agent Settings to push the update to devices.

Load Balancer Configuration

If using a high availability setup behind a load balancer, make sure the load balancer is configured for persistence, as both the Web Console and Remote Management Agent require connections that always terminate at the same RMS node.  The initial HTTP request from both components includes a header named AW-Device-UDID that contains the device UDID.  If your load balancer does not support persistence based on HTTP headers, then a high availability configuration for RMS cannot be supported.

If an HA setup is used, make sure the configuration under Site URLs actually points to the load balancer.  Load balancers can check if an RMS server is active by pinging {RMS_URL}/health.  The expected response is simply 200.
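
One way to meet the persistence and health-check requirements above, shown with HAProxy as an added example (not AirWatch's own configuration). The addresses, ports, certificate paths and server names are placeholders, and the backend lines assume SSL is enabled on RMS; because persistence keys on an HTTP header, TLS has to terminate at the load balancer for the header to be readable.

```haproxy
# Added example. All addresses, ports, file paths and server names are placeholders.
defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # Command and Data Channels are long-lived WebSockets; once the
    # connection is upgraded, this timeout replaces client/server timeouts.
    timeout tunnel  1h

frontend rms_in
    # TLS ends here so HAProxy can read AW-Device-UDID on the initial request.
    # This is the address the Site URLs tunnel settings should point to.
    bind :8443 ssl crt /etc/haproxy/certs/rms.example.com.pem
    default_backend rms_nodes

backend rms_nodes
    # Hash on the device UDID header so the Web Console and the Remote
    # Management Agent for the same device land on the same RMS node.
    # Requests without the header fall back to round robin.
    balance hdr(AW-Device-UDID)
    # Consistent hashing: if a node drops out, only its UDIDs are remapped.
    hash-type consistent

    # A node stays in rotation only while /health answers 200.
    option httpchk GET /health
    http-check expect status 200

    # Re-encrypt to the RMS nodes and verify their certificates
    # (assumes SSL is enabled in the RMS server configuration).
    server rms1 10.0.0.11:8443 check ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem
    server rms2 10.0.0.12:8443 check ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem
```

A layer-4 (TCP passthrough) listener cannot see the header, so it cannot provide this kind of persistence for SSL-secured RMS traffic.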
