01. Introduction
General documentation is available for the EBF Onboarder, where you can find information about its prerequisites and the whole migration project. It describes how to set up a migration project and how to set up invitation emails and reminders that guide your users through the migration. It also tells you how to initiate the migration process and how to track the migration status.
This documentation complements the general EBF Onboarder documentation and provides more detailed information for the source systems Ivanti EPMM, Neurons / MobileIron Core and Cloud and Ivanti EPM (Landesk).
ATTENTION:
This documentation does not replace any Ivanti/MobileIron documentation. It only describes the prerequisites for the EBF Onboarder. Please consult the Ivanti/MobileIron documentation and support if necessary.
02. Prerequisites for the source system Ivanti EPMM / MobileIron Core
02.1. Service Account
You need to create an Admin Account in your source system which is dedicated to the EBF Onboarder. It must be assigned to Global Space and you must ensure that it has the API User role and all roles listed below in order to be able to migrate the devices.
Admin roles can be changed in your Ivanti/MobileIron Admin Portal by selecting the account in the tab ‘Admin’. Here click on ‘Actions’ >> ‘Edit Roles’.
Role category | Selection in the roles | Selected permissions show
Device Management | View device page, device details; View device dashboard; Manage devices; Manage devices, restricted; Wipe device; Add device; Manage device enrollment (iOS only); Delete retired device; Apply and remove device label; Send message to device; Change device ownership; Export to CSV; Retire device | View device; View device details; View device dashboard; Other device actions; Push profiles in device details; Edit comments in device details; Wipe device; Add device; Device enrollment (iOS only); Delete retired device; Apply and remove device label; Send message to device; Change device ownership; Export to CSV; Retire device
Privacy Control | View apps and ibooks in device details | View device; View device details; View apps and ibooks in device details
Label Management | View label; Manage label | View label; View device; View device details; Edit label
User Management | View User | View user
App Management (To Create A Web Clip) | View app; View app inventory; View app dashboard; Manage app; Distribute app; Import and edit app | View App Catalog; View Installed Apps; View app dashboard; Manage app related settings; Apply and remove application label and send message to an app; Import app and edit app configurations. Please read chapter 02.2.2 regarding the required Admin Portal access.
Configuration Management | View configuration; Manage configuration; Apply and remove configuration label | View configuration; Add and edit configuration; Apply and remove configuration label
Settings and Services Management | View settings and services; Manage settings and services | View settings and services; Edit settings and services
Other Roles | View device feature usage data; API; Mobile App | View device feature usage data; Access V1 API; Mobile App Access
Please also pay attention to chapter 02.2.2 regarding the /mifs access.
ATTENTION:
Make sure that ‘Enforce single sessions’ is NOT selected for the EBF Onboarder account in ‘Other roles’, so that the Ivanti/MobileIron environment accepts several communication attempts with the same Admin Account coming from different migrations at the exact same time.
02.2. Network configurations
02.2.1. HTTPS port or redirected port
All API command connections from the Ivanti/MobileIron-Onboarder server are made on port 443. If you don’t use port 443, you have to make sure that the firewall rules at your site allow the Onboarder server to access the port you have chosen for access to your Ivanti/MobileIron server environment. Please also make sure that the “Portal ACLs” on the EPMM/Core allow the API access.
NOTE:
Please read the general documentation to learn more about the IP whitelisting.
02.2.2. Portal access
The Service Account for the EBF Onboarder needs to have access to the Admin Portal, User Portal and API commands and must be able to log in via HTTPS on port 443 by default. The Service Account with API user role also needs to be able to search users on the target MDM system.
ATTENTION:
If you have disabled port 443 for security reasons and are using a different port, please make sure that your firewall rules allow the EBF Onboarder servers and gate systems to access your login portal (/mifs).
NOTE:
Please read the general documentation to get the IP addresses which are associated with the MobileIron EBF Onboarder server and gate.ebf.de.
02.2.3. Ivanti EPMM/MobileIron Core 11.7 Support: Force Retire
If EPMM/Core version 11.6 or higher is running on your source system, a device can remain in the status “Retire Pending” if the retire command was not confirmed by the device. This will cause the migration to stop, as the EBF Onboarder will only continue the migration if the retirement was confirmed at the source MDM system.
The status “Retire Pending” was introduced to the Admin Portal with EPMM/Core version 11.6. With EPMM/Core version 11.7, the “Force Retire” command was added to allow these devices to be removed without the confirmation of the device.
If you are running EPMM/Core version 11.6 or higher and want the EBF Onboarder to send out “Force Retire” commands to the devices right away, please take the following steps in the EBF Onboarder portal:
- Go to ‘Settings’ >> ‘Tenant Settings’.
- Set “Timeout (seconds) after unenrollment” to 46.
- Click on ‘Save Settings’. From now on the EBF Onboarder will send “Force Retire” commands to the devices.
02.2.4. Connected Cloud
If your source MDM system is an Ivanti/MobileIron Connected Cloud (an EPMM/Core with domain mobileiron.net) and you find that devices are only retired after opening the Mobile@Work app on the device, you should add two other permissions to the API user:
- Device Management > Force device check-in
- Other Roles > Migration
02.3. User role
Make sure that the EBF Onboarder Service Account and all users that will be part of the migration project have access to the ‘User Portal’ by assigning the role ‘User Portal’.
02.4. Webclips
A webclip is sent to the device when the invitation is sent to the user.
If you want to turn this off, you can do so in the Tenant Settings:
- Go to ‘Settings’ >> ‘Tenant Settings’.
- Check ‘Disable web clips from ivanti’.
- Click on ‘Save Settings’.
From now on the EBF Onboarder will no longer create Webclips.
NOTE:
In the next main release, we will turn the Webclip creation off by default. A client needs to enable it if required.
03. Prerequisites for the source system Ivanti Neurons / MobileIron Cloud
03.1. Service Account
You need to create a Service Account in your source system which is dedicated to the EBF Onboarder. It must have the API User role and all roles listed below in order to be able to migrate the devices.
Admin roles can be changed in your Ivanti/MobileIron Admin Portal by selecting the account in the tab ‘Users’. Here click on ‘Actions’ >> ‘Append Roles’.
Role requirements for your Service Account | Applying to Space |
User Read Only | Cross-space |
Send/Cancel Wipe | Cross-space |
Device Management | Space-specific |
App & Content Read Only | Space-specific |
Device Actions | Space-specific |
Please apply All Spaces to the user.
03.2. Device selection
You should create new manual or filter labels and add the users/devices chosen for migration to them. The labels should be created before setting up the project in the EBF Onboarder portal.
If you are migrating a lot of devices, it is recommended to create waves of 500 to 1000 devices.
04. Prerequisites for the source system Ivanti EPM (Landesk)
04.1. Connection information
To connect to the source system the following data is required:
- The externally reachable hostname/IP of the system on port 443.
- The username and password of an administrator user of the Ivanti E.
04.2. Devices
04.2.1. Device Selection
The device selection will show you “All Devices” and lists for the operating systems we found and identified. We create our own OS list by reading the operating systems of the available devices on the source.
04.2.2. Column Set
If the devices do not show the proper information in the EBF Onboarder project, such as missing names and serial numbers, you need to apply another column set to your Ivanti EPM. We created a custom column set that the Onboarder will use to fetch the required information.
The .ldms import file is included in the steps below.
The following steps are required to import the column set:
- You need to make the file available for the Ivanti EPM Server: Create a new file onboarder.ldms on the Ivanti EPM Server or network drive and paste the code:

```xml
<?xml version="1.0"?>
<ExportableContainer xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" LastSavedBy="SWAPP100\Administrator" Revision="0" SourceCore="SWAPP100" Guid="fake" SaveType="Inherit">
  <DuplicateReferences />
  <SyncEnabled>No</SyncEnabled>
  <RemoteConsole>SWAPP100</RemoteConsole>
  <LastSavedDate>0001-01-01T00:00:00+01:00</LastSavedDate>
  <Name>Onboarder</Name>
  <AssemblyVer>11.0.0.0</AssemblyVer>
  <Items>
    <Exportable xsi:type="EQuery" LastSavedBy="SWAPP100\Administrator" Revision="11" SourceCore="SWAPP100.support.hosting.ebf.de" Owner="1" Guid="SWAPP100.support.hosting.ebf.de_v914" SaveType="Inherit">
      <DuplicateReferences />
      <SyncEnabled>Yes</SyncEnabled>
      <RemoteConsole>SWAPP100</RemoteConsole>
      <LastSavedDate>2024-06-28T15:19:15.467+02:00</LastSavedDate>
      <Notes />
      <Name>Onboarder</Name>
      <Groups>
        <string>1</string>
      </Groups>
      <AssemblyVer>11.0.0.0</AssemblyVer>
      <QueryType>2</QueryType>
      <Filter />
      <QuerySQL>SELECT DISTINCT A0.DISPLAYNAME, A0.TYPE, A1.OSTYPE, A2.GROUPNAME, A0.DEVICEID, A0.DOMAINNAME, A0.HARDWAREID, A0.SERIALNUMBER, A3.DISPLAYNAME, A3.DOMAINEMAIL, A3.EMAILADDR, A3.FIRSTNAME, A3.FULLNAME, A3.COMPUTER_IDN, A3.MDMEMAILADDR, A4.DISPLAYNAME, A4.NAME, A0.COMPUTER_IDN, A0.MDMID FROM Computer A0 (nolock) LEFT OUTER JOIN Operating_System A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN MP_MemberOfGroup A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn LEFT OUTER JOIN LDAPUserAttrV A3 (nolock) ON A0.Computer_Idn = A3.Computer_Idn LEFT OUTER JOIN LDAPMachineGroups A4 (nolock) ON A0.Computer_Idn = A4.Computer_Idn ORDER BY A0.DISPLAYNAME</QuerySQL>
      <QueryFields>
        <QueryField> <Alias>Device Name</Alias> <BNF>"Computer"."Display Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Type</Alias> <BNF>"Computer"."Type"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>OS Name</Alias> <BNF>"Computer"."OS"."Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Name</Alias> <BNF>"Computer"."Groups"."Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Device ID</Alias> <BNF>"Computer"."Device ID"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Domain Name</Alias> <BNF>"Computer"."Domain Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Hardware ID</Alias> <BNF>"Computer"."Hardware ID"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Serial Number</Alias> <BNF>"Computer"."Serial Number"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Display Name</Alias> <BNF>"Computer"."LDAP User"."Primary Owner"."Display Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Domain Email</Alias> <BNF>"Computer"."LDAP User"."Primary Owner"."Domain Email"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Email</Alias> <BNF>"Computer"."LDAP User"."Primary Owner"."Email"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>First Name</Alias> <BNF>"Computer"."LDAP User"."Primary Owner"."First Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Full Name</Alias> <BNF>"Computer"."LDAP User"."Primary Owner"."Full Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>UserID</Alias> <BNF>"Computer"."LDAP User"."Primary Owner"."ID"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>MDM Email</Alias> <BNF>"Computer"."LDAP User"."Primary Owner"."MDM Email"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>Display NameLDAP</Alias> <BNF>"Computer"."LDAP Groups"."Machine"."Display Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>MachineName</Alias> <BNF>"Computer"."LDAP Groups"."Machine"."Name"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>ID</Alias> <BNF>"Computer"."ID"</BNF> <Qualifier /> </QueryField>
        <QueryField> <Alias>MDM ID</Alias> <BNF>"Computer"."MDM ID"</BNF> <Qualifier /> </QueryField>
      </QueryFields>
      <QuerySorts>
        <QuerySort> <BNF>"Computer"."Display Name"</BNF> </QuerySort>
      </QuerySorts>
    </Exportable>
  </Items>
</ExportableContainer>
```

- To import the file, open the Ivanti Management Console and open Administration > Column set configuration. Column Sets will open.
- Right click Public column sets and select Import.
- Select the onboarder.ldms file.
- You will be prompted for the Import options. Select Insert items into selected group or owner and press Import.
- Afterwards delete the old project (to also get back the licenses) and create a new one.
All required data will now show up in the EBF Onboarder and can be used.
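
A pre-import review of the column-set file, as an added example that is not part of the EBF or Ivanti documentation: it parses an .ldms export, confirms that the embedded QuerySQL is a single read-only SELECT, and checks that the number of selected columns matches the QueryField entries. The sample file is a constructed, shortened version of the layout shown above; `review_ldms` and `FORBIDDEN` are names chosen for this example, and the deny-list is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, shortened sample in the layout of onboarder.ldms (two fields only).
SAMPLE_LDMS = """<?xml version="1.0"?>
<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Name>Onboarder</Name>
  <Items>
    <Exportable xsi:type="EQuery">
      <QuerySQL>SELECT DISTINCT A0.DISPLAYNAME, A0.SERIALNUMBER FROM Computer A0 (nolock) ORDER BY A0.DISPLAYNAME</QuerySQL>
      <QueryFields>
        <QueryField><Alias>Device Name</Alias><BNF>"Computer"."Display Name"</BNF><Qualifier /></QueryField>
        <QueryField><Alias>Serial Number</Alias><BNF>"Computer"."Serial Number"</BNF><Qualifier /></QueryField>
      </QueryFields>
    </Exportable>
  </Items>
</ExportableContainer>"""

# Tokens that have no place in a read-only column-set query (assumed deny-list).
FORBIDDEN = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE|GRANT|INTO)\b"
    r"|;|--|/\*", re.IGNORECASE)

def review_ldms(xml_text):
    """Return (aliases, findings) for all queries in an .ldms export."""
    root = ET.fromstring(xml_text)
    aliases, findings = [], []
    for exp in root.iter("Exportable"):
        sql = (exp.findtext("QuerySQL") or "").strip()
        if not re.match(r"SELECT\b", sql, re.IGNORECASE):
            findings.append("query does not start with SELECT")
        hit = FORBIDDEN.search(sql)
        if hit:
            findings.append(f"unexpected SQL token: {hit.group(0)!r}")
        # Plain column list between SELECT [DISTINCT] and the first FROM;
        # a naive comma split is enough for queries shaped like the page's.
        m = re.match(r"SELECT\s+(?:DISTINCT\s+)?(.*?)\s+FROM\b", sql, re.I | re.S)
        columns = [c.strip() for c in m.group(1).split(",")] if m else []
        fields = [f.findtext("Alias") for f in exp.iter("QueryField")]
        if len(columns) != len(fields):
            findings.append(f"{len(columns)} SQL columns, {len(fields)} QueryFields")
        aliases.extend(fields)
    return aliases, findings

if __name__ == "__main__":
    print(review_ldms(SAMPLE_LDMS))
```

To review the file you created, pass its contents to `review_ldms`; an empty findings list means the query is a plain SELECT whose columns line up with the listed aliases.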