This guide is intended as a resource for all Aerohive administrators to aid in the deployment of their Aerohive
products. If you would like to see an explanation for anything that is not covered in this guide—or anywhere else in
Aerohive product documentation—please contact techpubs@aerohive.com. We welcome your suggestions and
will strive to provide the documentation you need to use Aerohive products more effectively.
To register, get product documentation, and download software updates, visit www.aerohive.com/support.
Sunnyvale, CA 94089
Contents
Aerohive Networks and JAMF Software MDM
Configure Basic Aerohive and JAMF Software Integration with HiveManager Express Mode
Through the integration of Aerohive and JAMF Software, administrators will be able to accomplish the following:
- Automatically enroll and re-enroll Apple iOS- and Mac OS X-based devices to the JAMF Software server
- Control user and device access to the network and network resources
- Distribute Apple App Store apps, custom apps and eBooks to iOS devices
- Configure and deploy security and configuration profiles to devices running iOS and Mac OS X (10.7 or higher)
- Add printers, run scripts, manage preferences, and restrict software usage for computers running Mac OS X
- Manage iOS and Mac OS X inventory
As the client device obtains an IP address from the DHCP server, the Aerohive AP examines the DHCP exchange to
identify the client operating system. Devices determined to be running an operating system other than Mac OS X or
Apple iOS are released from the walled garden and will receive access to the network as defined by the relevant
Aerohive user profile.
The user profile can be used to define Layer 3/4 firewall policies, service level agreements, quality of service
settings, and time of day access controls. The user profile may be dynamically applied to client devices based on
user identity, location, device type, and other criteria.
Meanwhile, devices detected to be running Mac OS X or Apple iOS remain in the walled garden while the
Aerohive AP contacts the JSS to determine the MDM enrollment status of the Apple device. The JSS queries its
database to determine whether the Apple device is managed, then returns a response to the Aerohive AP.
If the JSS returns that the client device is managed, the device is released from the walled garden, receiving
network access as defined by the relevant Aerohive user profile.
On the other hand, unmanaged Apple devices will remain in the walled garden until the device becomes
managed. To aid in the enrollment of the unmanaged device to the JSS, the Aerohive AP will redirect all HTTP
requests by the client device to the JSS enrollment web page, easily enabling the user to self-enroll to the JSS. Users
need only to log in using their corporate credentials, then click through a simple process on the device to bring the
device under management. At this point, the device will be released from the walled garden and permitted
access to the network as defined by the relevant Aerohive user profile.
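The decision flow described above, as an added example that is not part of the Aerohive guide or Aerohive's own code: it parses option 55 from a constructed DHCP options field and applies the walled-garden rules. The fingerprint table, the function names, and the `jss_is_managed` callable are assumptions made for illustration.

```python
from enum import Enum

# Illustrative option 55 fingerprints (assumed sample values, not Aerohive's table).
FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "Apple iOS",
    (1, 3, 6, 15, 119, 95, 252, 44, 46): "Mac OS X",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Windows",
}
APPLE_OS = {"Apple iOS", "Mac OS X"}

class Access(Enum):
    RELEASED = "released to user profile"
    WALLED_GARDEN = "walled garden, HTTP redirected to JSS enrollment"

def option55(options: bytes) -> tuple:
    """Walk the DHCP options (code, length, value) and return the parameter request list."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 55:
            return tuple(value)
        i += 2 + length
    return ()                        # client sent no option 55

def classify(options: bytes) -> str:
    return FINGERPRINTS.get(option55(options), "unknown")

def decide(options: bytes, jss_is_managed) -> Access:
    """jss_is_managed: hypothetical callable standing in for the AP's query to the JSS."""
    if classify(options) not in APPLE_OS:
        return Access.RELEASED       # non-Apple devices skip the enrollment check
    return Access.RELEASED if jss_is_managed() else Access.WALLED_GARDEN

# Constructed DHCP options: message type (53), option 55, then End (255).
IOS_OPTS = bytes([53, 1, 3, 55, 6, 1, 3, 6, 15, 119, 252, 255])
WIN_OPTS = bytes([53, 1, 3, 55, 12, 1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43, 255])
```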
Configure SSID
1. Click Configuration, ensure your AP is shown, then click Continue.
2. Enter the following in the New SSID dialog box, leave the other settings as they are, then click Save:
Profile Name: Employees (The SSID field will automatically update to reflect the same value.)
In the Optional Settings section, expand Advanced, and then enter the following in the Mobile Device
Management subsection:
For Mac OS X support, ensure APs are running 5.1r2 or above. For Apple iOS support, ensure APs are running
5.1r1 or above.
Use the format https://server:port. If the JSS is hosted on TCP 443, you do not need to enter a TCP port.
However, an on-premises JSS instance uses TCP port 8443 by default.
JSS User Name: Enter administrator credentials for the JSS Server.
Administrators may use a limited-rights JSS account. The JSS Administrator account requires only READ
API privileges for the Computers and Mobile Devices categories within the JSS. Please consult JAMF Software
Casper Suite documentation for further information.
3. Click Upload and then click Yes in the confirmation dialog box that appears.
4. After the configuration upload completes, click Reboot then click Yes in the confirmation dialog.
In the following example, you integrate an Aerohive wireless network with JAMF Software using Enterprise mode.
The example shows how to configure the JSS-integrated wireless network, define multiple Aerohive user profiles to
assign different firewall rules based on device operating system, and then deploy the policies to an Aerohive AP.
Configure SSID
1. Click Configuration, highlight QuickStart-Wireless-Only, click , and then click Clone.
2. In the Clone Network Policy dialog box, enter the following, and then click Clone:
Name: MDM_Policy
Description: Enter a useful note about the policy for future reference.
3. For SSIDs, click Choose, highlight QS-SSID in the Choose SSIDs dialog box that appears, and then click >
Clone.
4. Enter the following in the Clone SSID dialog box, leave the other settings as they are, and then click Save:
Profile Name: Employees (The SSID field will automatically update to reflect the same value.)
In the Optional Settings section, expand Advanced, and then enter the following in the Mobile Device
Management subsection:
For Mac OS X support, ensure Aerohive HiveManager and APs are running 5.1r2 or above. Apple iOS support
requires 5.1r1 or above.
Use the format https://server:port. If the JSS is hosted on TCP 443, you do not need to enter a TCP port.
However, an on-premises JSS instance uses TCP port 8443 by default.
JSS User Name: Enter administrator credentials for the JSS Server.
Administrators may use a limited-rights JSS account in this step. The JSS Administrator account requires
only READ API privileges for the Computers and Mobile Devices categories within the JSS. Please consult
JAMF Software Casper Suite documentation for further information.
5. The Choose SSIDs dialog box reappears. Ensure the Employees SSID is highlighted in yellow then click OK.
1. In the User Profile column, click Add/Remove, highlight default-profile(0), click , and then click Clone.
2. In the Clone User Profile panel, enter the following information, then click Save:
Name: Apple_Devices
Description: Enter a useful note about the policy for future reference.
Attribute Number: 101
VLAN-only Assignment: 1
3. To create a second new user profile, again highlight default-profile(0), click , and then click Clone.
4. In the Clone User Profile panel, enter the following information, and then click Save:
Name: All_Devices
Description: Enter a useful note about the policy for future reference.
Attribute Number: 100
VLAN-only Assignment: 1
Expand User Firewalls. In the IP Firewall Policy section, enter the following information:
Expand Client Classification Policy, and select Enable user profile reassignment based on client
classification rules. Click New, enter the first rule, then click Apply.
OS Object: iPod/iPhone/iPad
Reassigned User Profile: Apple_Devices
Click New again, enter the second rule, click Apply and then click Save:
OS Object: MacOS
Reassigned User Profile: Apple_Devices
5. The Choose User Profiles dialog box reappears. Ensure All_Devices(100) is highlighted, select Enable user
profile reassignment based on client classification rules, and then click Save.
Configure OS Detection
1. Click Modify next to Additional Settings.
2. Expand Service Settings. For Management Options, ensure the policy that matches your Hive name is selected,
and then click .
3. The Management Options > Edit panel appears. In the Service Control subsection, enter the following
information, and then click Save:
For new instances of HiveManager, both Enable OS Detection and Use DHCP option 55 contents will be
checked by default. However, HiveManager instances upgraded from a previous version may have different
settings that are migrated from the old version. Please ensure the above values are selected.
8. Click Upload and then click Yes in the confirmation dialog box that appears.
9. After the configuration upload completes, click Reboot then click Yes in the confirmation dialog.
The two figures below show how JSS administrators can keep Apple devices up to date, regardless
of the network to which the device connects.
To keep Apple iOS devices up to date, administrators must ensure proper communication among the
Aerohive, JAMF Software, and Apple network components. Configure network firewalls to permit TCP
traffic as shown below.
1. Administrators can view the operating system of connected client devices in HiveManager on the Monitor
> Clients > Active Clients page.
HiveManager Enterprise shown. Client OS is not currently shown for Active Clients in HiveManager Express.
When MDM integration with JAMF Software is enabled, Aerohive will perform the enrollment check on all
devices classified with the operating system Mac OS X or Apple iOS.
If using both DHCP Option 55 and HTTP User Agent-based OS detection, iOS devices may be classified
individually as an iPad, an iPhone, or an iPod. Devices classified as such will also be subject to the
enrollment check. Apple computers may show up as Mac OS X or Mac OS X Lion. Both classifications
will be subject to the enrollment check.
2. From the Active Clients page, administrators can also perform a manual enrollment check of any Apple device
currently connected to the wireless network. To perform the enrollment check, select one or more clients on
which to perform the operation, then click Operation > Show MDM Enrollment.
3. If the MDM Enrollment check returns this error, make sure the following conditions are met:
- The AP can connect to the JSS on the defined management port (TCP 8443 or TCP 443).
- The correct JSS username and password are configured for use on the SSID.
- The JSS username has the correct privilege level within the JSS (API Privilege, Computers = READ, Mobile Devices = READ).
For further information about Aerohive features and functionality, you can access all Aerohive technical
documentation and training materials from www.aerohive.com/techdocs.