- 03.1. Service Account for API commands
- 03.2. Network configurations
- 03.3. Tenant settings
- 03.4. Admin settings
Before you can use the EBF Onboarder, you first need to make some preparations:
- You have to create a Service Account dedicated to the EBF Onboarder which has the roles for API commands required on the source and target UEM server (see chapter 03.1).
- You need to prepare your network and your UEM servers to allow the EBF network/servers to communicate with your environment (see chapter 03.2).
- You can change several settings which have an impact on various aspects of the device migration – including settings for the sending of emails (see chapter 03.3).
- You can create several admin accounts with customized rights so that the migration can be done by several admins (see chapter 03.4).
03.1. Service Account for API commands
EBF Onboarder requires a Service Account which has the roles for API commands on each source and target UEM system to allow the software to find the devices and migrate them from one system to another.
EBF Onboarder can take advantage of your LDAP if you are using one. The EBF Onboarder will use the users’ email addresses to trace their devices and by default, registers the devices with the same email addresses on the target system.
NOTE: LDAP is not connected to the EBF Onboarder. The EBF Onboarder is only using the user attributes from the source system (which can be connected to LDAP).
EBF Onboarder will not create any user on the target system, but expects the user to be already existing with the same email address. If the email address is different, you can customize the target email address with the ‘Transformation Tool’ (see chapter 06).
03.1.1. Prerequisites for the source system
Depending on your source system, the Service Account that sets up the migration project must fulfill specific prerequisites:
Source system | Service Account Requirements |
BlackBerry UEM | The user must be a BAS user with the right to read groups and devices. The port is normally 18084 (e.g. uem.acme.org:18084). |
MobileIron | |
Workspace ONE / AirWatch | The user must have API access and must know his API Key and optional PIN. |
MaaS360 | The user must have the Administrator role. For API access, billingId, platformId, appId, appVersion and appAccessKey as well as host name and user/password are required. Further information can be found here. |
Jamf Pro | The user must have the Administrator role. |
Microsoft Intune | You have to use a Local User (e.g.: serviceonboarder@yourprefix.onmicrosoft.com) and make this account a ‘Limited Administrator’ with the roles: ‘Intune Administrator’ and ‘User Administrator’. During the first access, you will see a dialog to give consent to the EBF Onboarder app. Consent should be granted by a ‘Global Administrator’. |
XenMobile | The user must have the Administrator role. |
Good for Enterprise | The user must have the Administrator role and must know the Domain Key. |
SAP Afaria | The user must be a Customer Admin on a T-Systems hosted Afaria instance. |
Sophos Mobile Control | The user must have the Administrator role and must know the Customer. |
Meraki (Cisco) | You need to enter host, API Key, username and password. |
SOTI | You need to enter host, admin username and password. |
Xinca | You need to enter host, network ID and API Key. |
03.1.2. Prerequisites for the target system
ATTENTION for Microsoft Intune, MobileIron and Workspace ONE as a target system: Please read the separate documentation in addition to this one to learn more about the prerequisites. You can find them here.
03.1.3. Prerequisites for the Apple Volume Purchase Program (VPP)
The EBF Onboarder is able to migrate Windows, Android, iOS and macOS devices, but it does not migrate your VPP licenses. This needs to be done with the Apple Business Manager or Apple School Manager. You must configure the VPP connection on the target UEM system prior to the migration process with the EBF Onboarder. The licenses will be detected as released on the source UEM system and will be available to use on the target UEM system (please see the Apple documentation, as the synchronization can take time).
03.2. Network configurations
This section will describe how you must prepare your network configurations to use the EBF Onboarder.
03.2.1. UEM Server configuration settings
Your firewall rules or any network control appliance settings should allow your EBF Onboarder server to access your UEM servers through APIs.
Please add the following addresses to your network appliances to authorize the communication with the EBF Onboarder server:
Hostname | TCP IP Address |
gate.ebf.de | 176.28.60.179 |
app-out.ebf.com | 62.138.245.79 |
NOTE: If you are using other redirections to protect your server and are using specific ports (different from 443), please verify that the EBF Onboarder servers are allowed to reach the specific port as well.
ATTENTION for MobileIron as a source or target system: Please read the separate documentation in addition to this one to learn more about the server communication settings. You can find it here.
03.2.2. SMTP server communication settings
If you want to customize the sender email address and adapt it to your enterprise email address, you can do that either using the EBF SMTP server or your own SMTP server. Please read chapter 03.3.6.1.3 if you want to use the EBF SMTP server and chapter 03.3.6.2 if you want to use your own SMTP server to learn more about the necessary adjustments.
03.2.3. Device network configurations
Devices need to connect to HTTPS port 443 to your EBF Onboarder server (see chapter 03.2.1). Moreover, please make sure that all relevant ports for your UEM system are accessible for your devices.
03.3. Tenant settings
You can change several settings which refer to all migration projects and have an impact on various aspects of the device migration – including settings for the sending of emails.
To do that go to ‘Settings’ > ‘Tenant Settings’:
03.3.1. Password request customization
During the migration process the user might need to enter a password that is linked to his account on the target system. The password can belong to one of the following:
- LDAP account
- Active Directory account
- Specific UserID
- User’s email address
To give users an indication of which password to enter, you have the possibility to customize the text which is displayed to your users and helps them choose the correct password.
To do that go to ‘Settings’ >> ‘Tenant Settings’ >> ‘General Settings’, enter a text which indicates which password the user needs to enter in the field ‘Migration: Password Field Caption’ and save your changes:
03.3.2. Language enforcement
You can define the language of the EBF Onboarder portal.
To do that go to ‘Settings’ >> ‘Tenant Settings’ >> ‘General Settings’, select a language in the dropdown for ‘Enforce Language’ and save your changes:
03.3.3. Timeout after unenrollment customization
At one point of the migration process the devices will be retired from the source system. The time which a device is allowed to take for retiring from the source system is limited by default to 30 seconds, for Apple DEP to 60 seconds.
The duration of the retiring process depends, for example, on the network capacities. If one or several test users receive an error in the test phase, this indicates that it takes too long to get the retiring acknowledgement from the source system.
As long as the retiring acknowledgement is not confirmed by the source system, the EBF Onboarder will not proceed to the next step which is the registration at the target system. Thus, you need to increase the timeout parameter in order to allow the communication between the source system and the device to take place.
To do that go to ‘Settings’ >> ‘Tenant Settings’ >> ‘General Settings’, increase the number for ‘Timeout (seconds) after unenrollment’ and save your changes:
03.3.4. Activate Debug console
It can happen that the retiring process takes too long or fails. This is usually the case if a user has insufficient rights or if he has lost network connection (e.g. because the Wi-Fi configuration was removed during the retiring process).
You are able to read the messages that have been exchanged between the device and the source UEM system during the migration process in order to analyze why the migration has failed. It might be useful to share these messages with the EBF support team.
To read those messages go to ‘Settings’ >> ‘Tenant Settings’ >> ‘General Settings’, select ‘Show debug console while migration’ and save your changes:
03.3.5. Android Enterprise device migration
If you need to migrate Android Enterprise devices, an app is required for the migration process. The Android companion app is available at the Google Play Store and is called ‘EBF Onboarder Helper’.
The app can be downloaded manually by the user, but it can also be pushed to the device automatically during the migration process in order to save time, be more user-friendly and to make the app available in case that users are not allowed to download apps from the public App Store.
To allow the EBF Onboarder to side load the app during the migration process, go to ‘Settings’ >> ‘Tenant Settings’ >> ‘General Settings’, select ‘Enable side load for Android companion app’ and save your changes:
NOTE:
- Please read chapter 05.1.2 to learn how to prepare an Android Enterprise device migration.
- This does not apply for Android Legacy devices. Android Legacy devices, by default, can migrate with the link which is automatically generated by the EBF Onboarder.
03.3.6. Email settings
By default, invitations are sent from the EBF SMTP server – with several options for customization (see chapter 03.3.6.1). But you can also use your own SMTP server to do this (see chapter 03.3.6.2).
03.3.6.1. Email sending using the EBF SMTP server
By default, the EBF Onboarder sends invitations, reminders and/or welcome messages to your users from the EBF SMTP server and uses a ‘noreply.onboarder@ebf.com’ address. But you can change the sender name, the ‘reply to’ email address and the sender email address.
03.3.6.1.1. Sender name customization
You can change the visible name of the sender so that your users can easily identify the sender.
ATTENTION: It is just the name that is replaced. The sender email address will remain the same (noreply.onboarder@ebf.com). See chapter 03.3.6.1.3 to learn how to change the sender email address.
To change the sender name, go to ‘Settings’ >> ‘Tenant Settings’ >> ‘General Settings’, enter the name that users should see as sender name in the field ‘Notification: From Name’ and save your changes:
NOTE: It’s recommended to send a test message to the admin’s email address afterwards to check if all settings are correct (see chapter 05.4).
03.3.6.1.2. ‘Reply to’ email address customization
You can replace the ‘Reply to’ email address so that your users can directly contact your IT help desk, for example, if they need more information regarding their device migration.
To do that go to ‘Settings’ >> ‘Tenant Settings’ >> ‘General Settings’, enter the email address that users should reply to in the field ‘Notification: ReplyTo (optional)’ and save your changes:
NOTE: It’s recommended to send a test message to the admin’s email address afterwards to check if all settings are correct (see chapter 05.4).
03.3.6.1.3. Sender email address customization
You can customize the sender email address to adapt it to your company email address.
ATTENTION:
- As you are using the EBF SMTP server, you have to make sure that your mail system accepts EBF messages which appear to be sent by your own SMTP domain, but are sent by the EBF SMTP server. You may need to change the whitelisting rules for this and you need to add the following IP addresses to your SPF record:
SMTP Port | Hostname | IP Address |
Port 25 | smtp-out.ebf.com | 176.28.60.183, 62.138.245.88 |
- You also have to verify that the server will not block the email address after a certain number of emails, which might happen for SPAM protection reasons.
- After making all necessary changes you have to contact the EBF support (support@ebf.com) as the EBF team needs to put the spoofing in place for you and help you test your network and SMTP configurations. Please provide your sender email address and details of the SPF record to the EBF team.
To change the sender email address, go to ‘Settings’ >> ‘Tenant Settings’ >> ‘SMTP Settings’ and
- enter the EBF SMTP server (smtp.ebf.de) in the field ‘SMTP host’,
- enter ‘25’ in the field ‘SMTP Port’,
- enter the email address your-address@yourdomain.com that users should see as sender email address in the field ‘From Email’,
- leave the other fields empty:
NOTE:
- Save your settings only if you are sure that EBF has prepared the spoofing for you for this new ‘From Email’ address.
- If you want to go back to the SMTP default settings, just clear all the fields and save this.
- It’s recommended to send a test message to the admin’s email address to check if all settings are correct (see chapter 05.4).
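An offline check of the SPF change described above, as an added example that is not part of the EBF documentation: it evaluates only the static ip4/ip6/all terms of a record for the two smtp-out.ebf.com addresses, lists terms that would need DNS, and flags a record that also passes an unrelated address. The sample records, `_spf.example.com` and all function names are constructed for illustration.

```python
import ipaddress

# Addresses the page lists for smtp-out.ebf.com.
EBF_SMTP_IPS = ["176.28.60.183", "62.138.245.88"]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, ip):
    """Return (result, unresolved) for one sending IP, without DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    addr = ipaddress.ip_address(ip)
    unresolved, redirect = [], None  # terms that would need DNS to decide
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            if term.lower().startswith("redirect="):
                redirect = term
            continue
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier], unresolved
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], unresolved
        else:  # include, a, mx, exists, ptr: cannot be decided offline
            unresolved.append(term)
    if redirect:  # only consulted when no mechanism matched
        unresolved.append(redirect)
    return "neutral", unresolved


def missing_ebf_ips(record, ips=EBF_SMTP_IPS):
    """IPs from `ips` that the record's static terms do not pass."""
    return [ip for ip in ips if evaluate_spf(record, ip)[0] != "pass"]


def too_permissive(record, canary="192.0.2.1"):
    """True if an unrelated documentation-range IP also passes (e.g. +all)."""
    return evaluate_spf(record, canary)[0] == "pass"


# Constructed sample records (the include target is a placeholder).
BEFORE = "v=spf1 include:_spf.example.com -all"
AFTER = "v=spf1 include:_spf.example.com ip4:176.28.60.183 ip4:62.138.245.88 -all"
```

A non-empty `unresolved` list means the result holds only if those DNS-dependent terms do not match first; run `missing_ebf_ips` on your published TXT record before asking EBF to enable the custom sender address.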
03.3.6.2. Email sending using your own SMTP server
If you want to use your own SMTP server to send the emails generated by the EBF Onboarder, you need to get an account from your SMTP team to configure the SMTP server on your EBF Onboarder tenant.
You need to add the following IP addresses to your firewall settings:
Hostnames | IP address |
gate.ebf.de | 176.28.60.179 |
app-out.ebf.com | 62.138.245.79 |
To configure the SMTP server on your EBF Onboarder tenant, go to ‘Settings’ >> ‘Tenant Settings’ >> ‘SMTP Settings’ and
- enter the name or IP address of your SMTP server,
- enter the SMTP Port your server is using,
- enter the name of the SMTP Service Account and its password,
- enter the email address your-address@yourdomain.com that users should see as sender email address in the field ‘From Email’:
NOTE:
- EBF default encryption for SMTP is TLS 1.2.
- If you want to go back to the SMTP default settings, just clear all the fields and save this.
- It’s recommended to send a test message to the admin’s email address to check if all settings are correct (see chapter 05.4).
03.4. Admin settings
The EBF Onboarder has multi-admin capacity. It provides the opportunity to create several admin accounts that are able to access and use the EBF Onboarder portal with customized rights. The advantage of this multi-admin capacity is that different admins (e.g. from different sites around the world) can conduct the migration of the devices for which they are responsible.
All admins and rights are managed by one super admin or top admin of the tenant. By default, the first administrator who has registered the tenant for his company is the super admin.
- The super admin can create the other admins for the tenant and is the only admin who is able to change the tenant settings (e.g. SMTP settings of the tenant, see chapter 03.3).
- Admins can, by default, manage and monitor all existing migrations without being allowed to change the tenant settings. They are able to change the settings of invitations and reminders and to launch a migration.
There are two additional roles/rights you can add to an admin:
- ‘Create migrations’: This admin can create new migrations.
- ‘Manage administrators’: This admin can create new admin accounts.
03.4.1. Admin accounts overview
To get an overview of all admin accounts you can go to ‘Settings’ >> ‘Admin Settings’:
A list of all admin accounts that have already been created for the tenant will be displayed. The first one in the list is the super admin. The column ‘Administrative rights’ provides information about the rights of the account:
03.4.2. Admin accounts setup
To create a new admin account the super admin or an admin with the right ‘Manage administrators’ needs to know the name and email address of the admin he wants to add. This is necessary since an invitation will be sent to the person as soon as he has been added as an admin. The invitation will ask him to choose his own password which is needed to access the EBF Onboarder tenant as an administrator.
The invitation will be sent by ‘<target> Onboarder’ from the email address ‘noreply.onboarder@ebf.com’ with the subject ‘New Account’.
NOTE: The invitation will be sent to the person as soon as you click on ‘Save Admin’. Thus, it is recommended that you inform the person in advance so that he is not surprised to receive the invitation from the EBF Onboarder. Also make sure that he understands that he has only 30 minutes to choose his password and activate his account.
The super admin or an admin with the right ‘Manage administrators’ needs to take the following steps to add another admin:
- Go to ‘Settings’ >> ‘Admin Settings’.
- Click on ‘New Admin’.
- Enter the name and email address of the new admin and select the rights which he should receive:
NOTE: If you don’t select any of these rights, the admin account will, by default, be able to manage and monitor all existing migrations. He will be able to change the settings of invitations and reminders and to launch a migration.
- Click on ‘Save Admin’. An invitation will now be sent to the person’s email address.