VMware Workspace ONE Community
gmanjohal
Enthusiast

Product Provisioning / Android FTPS

Hi all, 

I'm in the middle of setting up an FTPS Relay server to provision and manage our rugged Android estate (we're a Zebra house), however I'm wondering if the following is true, and if possible any workarounds:

Essentially, in order for the device to connect to the relay server, it requires a cert (FTPS). I'm told that if we go down the self-signed certificate route, I would need to first enable the Android keystore and then transfer the certificate prior to enrolment, then begin provisioning. To me this seems surreal, as to secure the device for provisioning I'd need to transfer the cert from a 'non-secure' FTP server.

Second option would be to use a public cert, as the Trusted keystore on the device should automatically trust the cert due to having its root CA already installed; however, Zebra wouldn't confirm this would be 100% possible.

I don't really want to buy a certificate to be in the same situation if I had just used a self-signed cert, any advice?

Kjaspreet
VMware Employee

Hello! 

Information on how to configure a Relay Server in the Airwatch Console for product provisioning is available in this KB article. 

Additional information is also available in this article. 

Thank you. 

Jaspreet
gmanjohal
Enthusiast

Thanks Jaspreet, 

It's more to do with the StageNow product. Zebra have advised to use SN to transfer the internal cert to the scanner first, as that will allow connection to the relay server, which is using an internal cert. The problem is the security around using SN in passive mode to transfer the cert initially; I was wondering if anyone had come across a secure way of doing this and not using FTPS.

KrisHornsleth
Enthusiast

Hopefully you have already figured this out, but for others that stumble across this later.

The whole point of the certificate is to establish a trust relationship with the server. If you have an internal PKI, you can do this without purchasing a third-party certificate. Create a StageNow profile using the "config" payload that does not require any network access. From there use the FileMgr and CertMgr to copy the file to the device and install the certificate (root only).

The result is a bunch of barcodes. I think in my case it was 5 PDF barcodes. On any device you're planning to stage, scan these barcodes before you scan your barcodes published from Workspace ONE.

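Added example, not part of any post in this thread and not VMware or Zebra tooling: a check to run on the workstation before building the staging profile, confirming that the file to be installed is the root only (one self-signed CA certificate, no private key) and that the relay server's certificate validates against it. It assumes PEM files and OpenSSL 1.1.0 or later; the function names, file names and the throwaway demo PKI are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names, file names and subjects are constructed.
# Assumes PEM files and OpenSSL 1.1.0+ (for -no-CApath).

# stageable_root FILE: succeeds only if FILE holds exactly one certificate,
# no private key, and that certificate is a self-signed CA (a root).
stageable_root() {
    local f=$1
    ! grep -q 'PRIVATE KEY' "$f" || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" -eq 1 ] || return 1
    [ "$(openssl x509 -in "$f" -noout -subject_hash)" = \
      "$(openssl x509 -in "$f" -noout -issuer_hash)" ] || return 1
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl verify -no-CApath -CAfile "$f" "$f" >/dev/null 2>&1
}

# chains_to_root ROOT LEAF: succeeds if LEAF validates with ROOT as the only
# trust anchor. Assumes the root issued LEAF directly (no intermediates).
chains_to_root() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR NAME: throwaway root (NAME.pem) plus a server certificate
# it issues (NAME-leaf.pem), standing in for the relay server's certificate.
make_demo_pki() {
    local d=$1 n=$2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' "CN=Demo Root $n" '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$d/$n.cnf"
    openssl req -x509 -config "$d/$n.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null &&
    openssl req -new -config "$d/$n.cnf" -subj "/CN=relay.example.internal" \
        -newkey rsa:2048 -nodes -keyout "$d/$n-leaf.key" \
        -out "$d/$n-leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$n-leaf.csr" -CA "$d/$n.pem" -CAkey "$d/$n.key" \
        -CAcreateserial -days 2 -out "$d/$n-leaf.pem" 2>/dev/null
}

demo() {
    local d; d=$(mktemp -d) || return 1
    make_demo_pki "$d" a && make_demo_pki "$d" b || { rm -rf "$d"; return 1; }
    stageable_root "$d/a.pem"      && echo "a.pem: root only, ok to stage"
    stageable_root "$d/a-leaf.pem" || echo "a-leaf.pem: not a root, do not stage"
    chains_to_root "$d/a.pem" "$d/a-leaf.pem" && echo "relay cert chains to a.pem"
    chains_to_root "$d/b.pem" "$d/a-leaf.pem" || echo "relay cert rejected under b.pem"
    rm -rf "$d"
}
demo
```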