
Aerohive and JAMF Software

MDM Configuration Guide


Aerohive and JAMF Software MDM Deployment Guide

Deployment Guide Supplement

About This Guide


This guide explains how to configure Aerohive APs for use with the JAMF Software Casper Suite in order to enforce
enrollment of Apple Mac OS X-based computers and iOS-based mobile devices with the JAMF Software mobile
device management platform, and how to configure Aerohive to apply and enforce network access policies
based on the client device operating system. The guide also introduces some helpful HiveManager tools and
provides a few troubleshooting tips to help identify and resolve common configuration issues that could
occur during deployment.

This guide is intended as a resource for all Aerohive administrators to aid in the deployment of their Aerohive
products. If you would like to see an explanation for anything that is not covered in this guide—or anywhere else in
Aerohive product documentation—please contact techpubs@aerohive.com. We welcome your suggestions and
will strive to provide the documentation you need to use Aerohive products more effectively.

To register, get product documentation, and download software updates, visit www.aerohive.com/support.

Copyright © 2012 Aerohive Networks, Inc. All rights reserved

Aerohive Networks, Inc.

330 Gibraltar Drive

Sunnyvale, CA 94089

P/N 330083-02, Rev. A

To learn more about Aerohive products visit www.aerohive.com/techdocs

Aerohive Networks, Inc.



Contents
Aerohive Networks and JAMF Software MDM
    How the Integration Works
Configure Basic Aerohive and JAMF Software Integration with HiveManager Express Mode
    Configure SSID
    Deploy a Configuration to an Aerohive AP
Configure Integration with Advanced Policies in HiveManager Enterprise Mode
    Configure SSID
    Configure User Profiles and Firewall Settings
    Configure OS Detection
    Deploy a Configuration to an Aerohive AP
Network Design and Configuration Tips
Useful Troubleshooting Tips




Aerohive Networks and JAMF Software MDM


Aerohive Networks and JAMF Software together deliver a comprehensive connectivity and management solution
for Apple mobile devices and computers. Through the Aerohive HiveOS operating system and the Aerohive
Cooperative Control protocols, you can use Aerohive APs and routers to control network access and performance
with no need for agents or on-device software, basing access decisions on device type, user identity, time of day,
location, or applications. Meanwhile, JAMF Software delivers agent-based capabilities, delivering device policy
controls, application and content delivery, inventory insight, and remote controls for Apple devices.

Through the integration of Aerohive and JAMF Software, administrators will be able to accomplish the following:
• Automatically enroll and re-enroll Apple iOS- and Mac OS X-based devices to the JAMF Software server
• Control user and device access to the network and network resources
• Distribute Apple App Store apps, custom apps and eBooks to iOS devices
• Configure and deploy security and configuration profiles to devices running iOS and Mac OS X (10.7 or higher)
• Add printers, run scripts, manage preferences, and restrict software usage for computers running Mac OS X
• Manage iOS and Mac OS X inventory

How the Integration Works


When a client joins an Aerohive wireless network protected by JAMF Software, the AP immediately quarantines the
new device in a walled garden, limiting the client’s access to the network until Aerohive can determine the device
operating system and enrollment status with the JAMF Software Server (JSS).




As the client device obtains an IP address from the DHCP server, the Aerohive AP examines the DHCP exchange to
identify the client operating system. Devices determined to be running an operating system other than Mac OS X or
Apple iOS are released from the walled garden and will receive access to the network as defined by the relevant
Aerohive user profile.

The user profile can be used to define Layer 3/4 firewall policies, service level agreements, quality of service
settings, and time of day access controls. The user profile may be dynamically applied to client devices based on
user identity, location, device type, and other criteria.

Meanwhile, devices detected to be running Mac OS X or Apple iOS remain in the walled garden while the
Aerohive AP contacts the JSS to determine the MDM enrollment status of the Apple device. The JSS queries its
database to determine whether the Apple device is managed, then returns a response to the Aerohive AP.

If the JSS returns that the client device is managed, the device is released from the walled garden, receiving
network access as defined by the relevant Aerohive user profile.

On the other hand, unmanaged Apple devices will remain in the walled garden until the device becomes
managed. To aid in the enrollment of the unmanaged device to the JSS, the Aerohive AP will redirect all HTTP
requests by the client device to the JSS enrollment web page, easily enabling the user to self-enroll to the JSS. Users
need only to log in using their corporate credentials, then click through a simple process on the device to bring the
device under management. At this point, the device will be released from the walled garden and permitted
access to the network as defined by the relevant Aerohive user profile.
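The flow just described, as an added example (editor's illustration in Python, not Aerohive or JAMF code): it fingerprints the client from its DHCP Option 55 parameter request list, refined by the HTTP User-Agent where one has been seen, keeps Apple devices in the walled garden until a JSS lookup reports them managed, and answers HTTP from a quarantined client with a redirect to the enrollment page. The Option 55 fingerprints, the enrollment URL and the is_managed callback are assumptions; the user profile names All_Devices and Apple_Devices are the ones configured in the Enterprise-mode section of this guide, and the classification labels (iPad, iPhone, iPod, Mac OS X Lion) are the ones the Useful Troubleshooting Tips section says are all subject to the enrollment check.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative DHCP Option 55 (parameter request list) fingerprints, keyed by
# the option's byte values in order. ASSUMED sample values of the kind public
# fingerprint databases publish, not Aerohive's detection table.
OPTION55_FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "Apple iOS",
    (1, 3, 6, 15, 119, 95, 252): "Mac OS X",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43, 252): "Windows 7",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux",
}

# Every classification label the guide says is subject to the JSS check
# (the Troubleshooting section lists the per-model and "Lion" variants).
APPLE_CLASSES = {"Apple iOS", "iPad", "iPhone", "iPod",
                 "Mac OS X", "Mac OS X Lion"}

# User profiles from the Enterprise-mode example in this guide: guests get
# Internet only, enrolled Apple devices get the corporate network.
GUEST_PROFILE = "All_Devices"
APPLE_PROFILE = "Apple_Devices"
JSS_ENROLL_URL = "https://jss.example.com:8443/enroll"   # assumed placeholder


def classify_os(option55: bytes, user_agent: Optional[str] = None) -> str:
    """Classify a client from its DHCP Option 55 bytes, refined by the HTTP
    User-Agent once the client has sent one (the second detection method)."""
    if user_agent:
        for model in ("iPad", "iPhone", "iPod"):   # test before "Mac OS X":
            if model in user_agent:                # iOS UAs say "like Mac OS X"
                return model
        if "Mac OS X 10_7" in user_agent or "Mac OS X 10.7" in user_agent:
            return "Mac OS X Lion"
        if "Mac OS X" in user_agent:
            return "Mac OS X"
    return OPTION55_FINGERPRINTS.get(tuple(option55), "Unknown")


@dataclass
class Decision:
    state: str                      # "released" or "walled-garden"
    user_profile: str               # Aerohive user profile applied
    redirect: Optional[str] = None  # where quarantined HTTP requests are sent


def decide(mac: str, option55: bytes,
           is_managed: Callable[[str], Optional[bool]],
           user_agent: Optional[str] = None) -> Decision:
    """The flow the guide describes. is_managed(mac) stands in for the AP's
    JSS query and returns True, False, or None when the JSS gave no answer.
    ASSUMPTION: a failed query keeps the device quarantined (fail closed);
    the guide does not state how HiveOS behaves in that case."""
    os_label = classify_os(option55, user_agent)
    if os_label not in APPLE_CLASSES:
        return Decision("released", GUEST_PROFILE)
    if is_managed(mac) is True:
        return Decision("released", APPLE_PROFILE)
    return Decision("walled-garden", GUEST_PROFILE, JSS_ENROLL_URL)


def handle_http(decision: Decision, request_line: str) -> Optional[str]:
    """While quarantined, every HTTP request (whatever its target) gets a
    redirect to the JSS enrollment page; released clients are not touched."""
    if decision.state != "walled-garden":
        return None
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {decision.redirect}\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    # Constructed JSS inventory: one enrolled device, one unenrolled device.
    inventory = {"aa:bb:cc:dd:ee:01": True, "aa:bb:cc:dd:ee:02": False}
    ios = bytes([1, 3, 6, 15, 119, 252])
    for mac in inventory:
        d = decide(mac, ios, inventory.get)   # .get returns None for unknown MACs
        print(mac, d.state, d.user_profile, d.redirect)
```

The model fails closed: when the JSS cannot answer, the Apple device stays in the walled garden. The guide does not say which way HiveOS behaves, so confirm it on your own deployment before relying on it.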




Configure Basic Aerohive and JAMF Software Integration with HiveManager Express Mode

Aerohive HiveManager Express mode allows administrators to quickly set up a uniform, company-wide wireless
policy. Optimized for ease of use, Express mode applies the same user profile -- including firewall policies, access
schedules, and QoS settings -- to all devices connected to an SSID. In the following example, you integrate an
Aerohive wireless network with JAMF Software using Express mode. The example shows how to quickly configure the
JSS-integrated wireless network and deploy the configuration to an Aerohive AP.

MDM Enrollment enforcement was added to HiveManager Express Mode in 5.1r2.

By default, Express mode utilizes DHCP Option 55 to provide device OS detection.

Configure SSID
1. Click Configuration, ensure your AP is shown, then click Continue.
2. Enter the following in the New SSID dialog box, leave the other settings as they are, then click Save:

Profile Name: Employees (The SSID field will automatically update to reflect the same value.)

WPA/WPA2 PSK (Personal): (select)

PSK Key Value: Aerohive! (example value; use a strong passphrase of your own)

In the Optional Settings section, expand Advanced, and then enter the following in the Mobile Device
Management subsection:

Enable MDM Enrollment: (select)

MDM Type: Casper Suite

OS Object: (select) iPod/iPhone/iPad and MacOS

For Mac OS X support, ensure APs are running 5.1r2 or above. For Apple iOS support, ensure APs are running
5.1r1 or above.




JSS Root URL: Enter the root URL of JSS.

Use the format of https://server:port. If the JSS is hosted on TCP 443, you do not need to enter a TCP port.
However, an on-premise JSS instance uses TCP port 8443 by default.

JSS User Name: Enter the user name of the JSS account the APs will use to query the JSS.

JSS Password: Enter and confirm that account's password.

Use a dedicated, limited-rights JSS account here rather than a full JSS administrator. The account only requires
READ API privileges for the Computers and Mobile Devices categories within the JSS; these credentials are held in
the SSID configuration on every AP that serves it, so scope them no wider than that. Please consult JAMF Software
Casper Suite documentation for further information.

Deploy a Configuration to an Aerohive AP


1. Click Continue to save the configuration and move to the Upload My Configuration panel.

2. Select the APs to which the SSID will be deployed.

3. Click Upload and then click Yes in the confirmation dialog box that appears.

4. After the configuration upload completes, click Reboot then click Yes in the confirmation dialog.




Configure Integration with Advanced Policies in HiveManager Enterprise Mode

Delivering enterprise-class sophistication and features, HiveManager Enterprise mode can assign differing user
profiles to devices based on device OS, user identity, location, and other criteria, providing administrators with
granular controls over access to the network.

In the following example, you integrate an Aerohive wireless network with JAMF Software using Enterprise mode.
The example shows how to configure the JSS-integrated wireless network, define multiple Aerohive user profiles to
assign different firewall rules based on device operating system, and then deploy the policies to an Aerohive AP.

Configure SSID
1. Click Configuration, highlight QuickStart-Wireless-Only, click the icon beside it, and then click Clone.

2. In the Clone Network Policy dialog box, enter the following, and then click Clone:
Name: MDM_Policy

Description: Enter a useful note about the policy for future reference.

Hive: Retain the default selection.

The Configure Interfaces & User Access panel appears.

3. For SSIDs, click Choose, highlight QS-SSID in the Choose SSIDs dialog box that appears, and then click >
Clone.

4. Enter the following in the Clone SSID dialog box, leave the other settings as they are, and then click Save:
Profile Name: Employees (The SSID field will automatically update to reflect the same value.)

WPA/WPA2 PSK (Personal): (select)

PSK Key Value: Aerohive! (example value; use a strong passphrase of your own)

To view the default password, clear Obscure Password.

In the Optional Settings section, expand Advanced, and then enter the following in the Mobile Device
Management subsection:

Enable MDM Enrollment: (select)

MDM Type: Casper Suite

OS Object: (select) iPod/iPhone/iPad and MacOS

For Mac OS X support, ensure Aerohive HiveManager and APs are running 5.1r2 or above. Apple iOS support
requires 5.1r1 or above.

JSS Root URL: Enter the root URL of JSS.

Use the format of https://server:port. If the JSS is hosted on TCP 443, you do not need to enter a TCP port.
However, an on-premise JSS instance uses TCP port 8443 by default.




JSS User Name: Enter the user name of the JSS account the APs will use to query the JSS.

JSS Password: Enter and confirm that account's password.

Use a dedicated, limited-rights JSS account in this step rather than a full JSS administrator. The account only
requires READ API privileges for the Computers and Mobile Devices categories within the JSS; the credentials are
held in the SSID configuration on every AP that serves it, so scope them no wider than that. Please consult
JAMF Software Casper Suite documentation for further information.

5. The Choose SSIDs dialog box reappears. Ensure the Employees SSID is highlighted in yellow then click OK.

Configure User Profiles and Firewall Settings


In this example, we will configure two user profiles. The default user profile will be applied to all wireless clients
except Mac OS X and iOS devices and will assign firewall rules designed for guests, blocking access to internal
resources while permitting access to the Internet. The second user profile will only be applied to Mac OS X and iOS
devices, and will allow access to all network resources on the corporate network and to the Internet.

1. In the User Profile column, click Add/Remove, highlight default-profile(0), click the icon beside it, and then click Clone.

2. In the Clone User Profile panel, enter the following information, then click Save:
Name: Apple_Devices
Description: Enter a useful note about the policy for future reference.
Attribute Number: 101
VLAN-only Assignment: 1

3. To create a second new user profile, again highlight default-profile(0), click the icon beside it, and then click Clone.

4. In the Clone User Profile panel, enter the following information, and then click Save:
Name: All_Devices
Description: Enter a useful note about the policy for future reference.
Attribute Number: 100
VLAN-only Assignment: 1




Still in the Clone User Profile panel for All_Devices, expand User Firewalls. In the IP Firewall Policy section,
enter the following information:

From Access: Guest-Internet-Access-Only

Default Action: Deny

Expand Client Classification Policy, and select Enable user profile reassignment based on client
classification rules. Click New, enter the first rule, then click Apply.

OS Object: iPod/iPhone/iPad
Reassigned User Profile: Apple_Devices

Click New again, enter the second rule, click Apply and then click Save:

OS Object: MacOS
Reassigned User Profile: Apple_Devices

5. The Choose User Profiles dialog box reappears. Ensure All_Devices(100) is highlighted, select Enable user
profile reassignment based on client classification rules, and then click Save.

Configure OS Detection
1. Click Modify next to Additional Settings.

2. Expand Service Settings. For Management Options, ensure the policy that matches your Hive name is selected,
and then click the icon beside it.

3. The Management Options > Edit panel appears. In the Service Control subsection, enter the following
information, and then click Save:

Enable OS Detection: (select)

Client OS Detection Methods: Use DHCP option 55 contents: (select)

For new instances of HiveManager, both Enable OS Detection and Use DHCP option 55 contents will be
checked by default. However, HiveManager instances upgraded from a previous version may have different
settings that are migrated from the old version. Please ensure the above values are selected.

4. Click Save to close the Additional Settings panel.

Deploy a Configuration to an Aerohive AP


1. Click Continue to save the network policy and move to the AP provisioning panel.

2. Select the APs to which the policy will be deployed.

In this view, HiveManager will by default show unconfigured APs and APs already configured with the current
network policy. To deploy the current network policy to an AP already using a different network policy, select
None from the Filter drop-down list, then select the desired AP.

3. Click Upload and then click Yes in the confirmation dialog box that appears.

4. After the configuration upload completes, click Reboot then click Yes in the confirmation dialog.




Network Design and Configuration Tips


Using the JAMF Software Casper Suite, administrators can create and deploy configuration policies to managed
Apple devices connected to the managed Aerohive Wi-Fi network or to any Internet-accessible network
connection in the world. JAMF Software leverages Apple’s Push Notification service to maintain connectivity
between JSS and Apple devices in the field, allowing administrators to maintain policy on the device, collect
inventory data, and to make software and other content available to users.

The two figures below show the workflow on how JSS administrators can keep Apple devices up to date, regardless
of the network to which the device connects.




To keep Apple iOS devices up to date, administrators must ensure proper communications between the various
Aerohive, JAMF Software, and Apple network components. To ensure proper network connectivity, please ensure
network firewalls are configured to permit TCP traffic as shown below.

Source           Destination                   Port
APs              JSS                           TCP 8443 (or TCP 443)
Apple Devices    JSS                           TCP 8443 (or TCP 443)
Apple Devices    APNs                          TCP 5223
JSS              APNs                          TCP 2195, TCP 2196
JSS              LDAP Server (if necessary)    TCP 389

The Apple Devices to JSS row must also hold inside the walled garden itself: a quarantined device that cannot reach
the JSS cannot load the enrollment page the AP redirects it to. TCP 389 is the plain LDAP port (cleartext unless
the JSS negotiates STARTTLS); if the JSS is configured to use LDAPS, permit TCP 636 to the LDAP server instead.




Useful Troubleshooting Tips


The effective quarantine of un-enrolled Apple devices and the application of user profiles (including network
firewall policies) relies on the accurate detection of client operating system at the edge of the network.

1. Administrators can view the operating system of connected client devices from HiveManager from the Monitor
> Clients > Active Clients page.

(Screenshot in the original guide: the Active Clients page, HiveManager Enterprise shown.) Client OS is not currently
shown for Active Clients in HiveManager Express.

When MDM integration with JAMF Software is enabled, Aerohive will perform the enrollment check on all
devices classified with the operating system Mac OS X or Apple iOS.

If using both DHCP Option 55 and HTTP User Agent-based OS detection, iOS devices may be classified
individually as an iPad, an iPhone, or an iPod. Devices classified as such will also be subject to the
enrollment check. Apple computers may show up as Mac OS X or Mac OS X Lion. Both classifications
will be subject to the enrollment check.

2. From the Active Clients page, administrators can also perform a manual enrollment check of any Apple device
currently connected to the wireless network. To perform the enrollment check, select one or more clients on
which to perform the operation, then click Operation > Show MDM Enrollment.

This HiveManager tool runs the following command on the AP (in the HiveOS CLI):


exec jss-check mobile-device <mac-address> enroll-status




3. If the MDM Enrollment check returns an error, make sure the following conditions are met:

• The AP can connect to the JSS on the defined management port (TCP 8443 or TCP 443).
• The correct JSS user name and password are configured for use on the SSID.
• The JSS user name has the correct privilege level within the JSS (API Privilege, Computers = READ, Mobile
Devices = READ).
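The enrollment lookup described under How the Integration Works, and the three checks above, as an added example (editor's code, not Aerohive's or JAMF's): a stand-alone script that does from a workstation what the AP does for one client MAC, so that an AP-to-JSS connectivity problem can be told apart from a bad account or a missing privilege. Assumptions not taken from this guide: the JSS Classic API paths /JSSResource/mobiledevices/macaddress/<mac> and /JSSResource/computers/macaddress/<mac>, HTTP Basic authentication, the shape of the XML records (a managed element under general, or under general/remote_management for computers), the mapping of HTTP status codes to the checklist items, and the placeholder host name and credentials. The two sample records are constructed for offline testing.

```python
import base64
import socket
import ssl
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import urlsplit

# ASSUMED JSS Classic API paths for a lookup by Wi-Fi MAC address.
MOBILE_PATH = "/JSSResource/mobiledevices/macaddress/{mac}"
COMPUTER_PATH = "/JSSResource/computers/macaddress/{mac}"

# Constructed sample responses shaped like Classic API records (offline tests).
SAMPLE_MOBILE_DEVICE_XML = (
    "<mobile_device><general><id>12</id><name>iPad-Lab-01</name>"
    "<managed>true</managed></general></mobile_device>")
SAMPLE_COMPUTER_XML = (
    "<computer><general><id>7</id><name>mbp-01</name><remote_management>"
    "<managed>false</managed></remote_management></general></computer>")


def jss_api_url(root_url: str, path: str) -> str:
    """Build an API URL from the 'JSS Root URL' configured on the SSID. The
    guide's format is https://server:port; the port may be left out only
    when the JSS listens on 443 (an on-premise JSS defaults to 8443)."""
    parts = urlsplit(root_url.strip().rstrip("/"))
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("JSS Root URL must look like https://server:port")
    return f"https://{parts.hostname}:{parts.port or 443}{path}"


def parse_managed(xml_text: str) -> bool:
    """Read the managed flag from a Classic API record. Computers carry it
    under general/remote_management; mobile devices directly under general."""
    root = ET.fromstring(xml_text)
    node = root.find("./general/remote_management/managed")
    if node is None:
        node = root.find("./general/managed")
    if node is None or not node.text:
        raise ValueError("JSS response has no <managed> element")
    return node.text.strip().lower() == "true"


def diagnose(http_status: int) -> str:
    """Map the JSS reply to the guide's troubleshooting checklist (assumed
    mapping: 401 = credentials, 403 = privileges, 404 = not in inventory)."""
    return {
        200: "OK: JSS reachable, credentials and API privileges accepted",
        401: "JSS user name or password configured on the SSID is wrong",
        403: "JSS account lacks READ API privilege for Computers/Mobile Devices",
        404: "MAC not found in this JSS inventory (device not enrolled)",
    }.get(http_status, f"unexpected HTTP status {http_status} from JSS")


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Checklist item 1: can this host open the JSS management port at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def enroll_status(root_url: str, user: str, password: str,
                  mac: str) -> Tuple[str, Optional[bool]]:
    """Look the MAC up in both inventories, as the AP does, over TLS with
    certificate verification on. Returns (diagnosis, managed); managed is
    None when the lookup itself failed rather than the device being absent."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": "application/xml", "Authorization": f"Basic {token}"}
    ctx = ssl.create_default_context()   # do not disable verification in production
    for path in (MOBILE_PATH, COMPUTER_PATH):
        url = jss_api_url(root_url, path.format(mac=mac))
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
                return diagnose(resp.status), parse_managed(resp.read().decode())
        except urllib.error.HTTPError as err:
            if err.code == 404:
                continue                 # not in this inventory; try the other
            return diagnose(err.code), None
        except (urllib.error.URLError, OSError) as err:
            return f"cannot reach JSS at {url}: {err}", None
    return diagnose(404), False          # in neither inventory: unmanaged


if __name__ == "__main__":
    # usage: jss_check.py https://jss.example.com:8443 apiuser 'secret' aa:bb:cc:dd:ee:01
    root, user, pw, mac = sys.argv[1:5]
    host, port = urlsplit(root).hostname, urlsplit(root).port or 443
    print("tcp", host, port, "reachable:", tcp_reachable(host, port))
    print(*enroll_status(root, user, pw, mac))
```

Run it with the same account and root URL you entered on the SSID: a failed TCP check points at the firewall table in Network Design and Configuration Tips, a 401 at the credentials, a 403 at the account's API privileges, and a 404 from both inventories simply means the device has not enrolled yet. The script verifies the JSS certificate; if your JSS uses a self-signed certificate, import it into the trust store of the machine running the check rather than turning verification off.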

For further information about Aerohive features and functionality, you can access all Aerohive technical
documentation and training materials from www.aerohive.com/techdocs.

