What Permissions are needed for MobiControl to run as a Service Account?
- 01 September 2017
- SOTI MobiControl
The service account must be given full access to the following MobiControl folders:
- C:\Program Files\SOTI\MobiControl
- C:\ProgramData\SOTI
As some MobiControl configurations are encrypted using machine keys, the service account must also be granted access to the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Deployment Server hosts multiple services. The service account must have rights to listen on certain ports and addresses.
By default, MobiControl uses port 443 for HTTPS services and port 80 for HTTP services. These ports are configurable; the service account must have rights to host services on the configured ports.
Deployment Server hosts services like these:
- Enrollment services for iOS and Windows Modern devices as well for Printers
- Self-service portal
- Application Catalogue
- Profile Catalogue
To grant rights to host these services on their default addresses, run the following script (assuming the services are hosted on ports 80 and 443):
netsh http add urlacl url=https://+:443/CertificateEnrollment/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/Enroll/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/Enrollment/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/EnrollmentServer/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/FederatedEnrollment/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/IdentityServices/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/mc/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/mdmServiceConfig/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/MobiControl/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/ssp/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/MyDevice/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/MyDevices/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/DeviceManagement.svc user=%ACCOUNT%
netsh http add urlacl url=https://+:443/WP8Management/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/ApplicationProvider.svc user=%ACCOUNT%
netsh http add urlacl url=http://+:80/mc/pas/ user=%ACCOUNT%
netsh http add urlacl url=http://+:5495/mc/admin user=%ACCOUNT%
netsh http add urlacl url=http://+:5495/mc/cache user=%ACCOUNT%
The Deployment Service also hosts the Device Administration service and the Caching service, both of which use the net.tcp binding and port 5495.
For this to work:
- The Net.TCP Port Sharing Service must be enabled (https://msdn.microsoft.com/en-us/library/ms733925(v=vs.110).aspx)
- The service account must be granted TCP port sharing rights (https://msdn.microsoft.com/en-us/library/aa702669)
To grant these rights, the service account's security identifier (SID) must be added to the SMSvcHost.exe.config configuration file. To determine the service account SID, run the following command in CMD:
wmic useraccount get name,sid
To start Management Services, the service account must be granted additional rights.
Rights to start HTTP/HTTPS endpoints
Management Services hosts multiple services. The service account must have rights to listen on certain ports and addresses.
By default, MobiControl uses port 443 for HTTPS services and port 80 for HTTP services. These ports are configurable; the service account must have rights to host services on the configured ports.
Management Services hosts services like these:
- Management Services (both legacy and API)
- HTTP redirection service
- HTML5 remote control service
- Exchange Active Sync Policy service
- Enterprise Resource Gateway Policy service
- Cisco ISE services
To grant rights to host these services on their default addresses, run the following script (assuming the services are hosted on ports 80 and 443):
netsh http add urlacl url=https://+:443/MobiControl/ user=%ACCOUNT%
netsh http add urlacl url=http://+:80/MobiControl/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/mc/xas/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/mc/proxy/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/ciscoise/ user=%ACCOUNT%
netsh http add urlacl url=https://+:443/rc/ user=%ACCOUNT%
Please note: previous versions of MobiControl (prior to the recent 13.3 MR release) hosted the APIs on https://*:443/MobiControl/, and the service account instructions included a command granting rights to that URI. As the API services are no longer hosted on * (they are hosted on +), it is necessary to remove that right, i.e. if the right is present, please execute:
netsh http delete urlacl url=https://*:443/MobiControl/
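As an added example that is not part of the original answer and is not SOTI's own tooling, the following PowerShell script applies the whole procedure from the answer above in one pass: full control on the two MobiControl folders, access to MachineKeys, the HTTP.sys URL reservations for both the Deployment Server and Management Services endpoints (including removal of the pre-13.3 https://* reservation), enabling the Net.TCP Port Sharing Service, and inserting the account SID into the <allowAccounts> section of SMSvcHost.exe.config as described on the linked MSDN page. The account name CONTOSO\svc-mobicontrol, the default install and data paths, ports 80/443/5495, the .NET 4.x Framework64 location of SMSvcHost.exe.config, and Modify rights on MachineKeys (the answer says only "access" and gives no level) are all assumptions to adjust for your environment.

```powershell
# Added example (not from the original post or SOTI): grant a MobiControl service
# account the rights listed in the answer. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator
$Account = 'CONTOSO\svc-mobicontrol'   # assumption: replace with your service account

# 1. Full control on the MobiControl program and data folders, inherited by all children.
foreach ($dir in 'C:\Program Files\SOTI\MobiControl', 'C:\ProgramData\SOTI') {
    icacls $dir /grant "$($Account):(OI)(CI)F" /T
}

# 2. Encrypted configuration relies on the machine key store. The post only says
#    "access"; Modify (M) is an assumption, tighten it if your environment allows.
icacls 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' /grant "$($Account):(OI)(CI)M"

# 3. HTTP.sys URL reservations for the Deployment Server and Management Services
#    endpoints from the answer (default ports). '+' is the strong wildcard. Adding a
#    reservation that already exists makes netsh print an error rather than a duplicate.
$urls = @(
    # Deployment Server
    'https://+:443/CertificateEnrollment/', 'https://+:443/Enroll/', 'https://+:443/Enrollment/',
    'https://+:443/EnrollmentServer/', 'https://+:443/FederatedEnrollment/',
    'https://+:443/IdentityServices/', 'https://+:443/mc/', 'https://+:443/mdmServiceConfig/',
    'https://+:443/MobiControl/', 'https://+:443/ssp/', 'https://+:443/MyDevice/',
    'https://+:443/MyDevices/', 'https://+:443/DeviceManagement.svc', 'https://+:443/WP8Management/',
    'https://+:443/ApplicationProvider.svc', 'http://+:80/mc/pas/',
    'http://+:5495/mc/admin', 'http://+:5495/mc/cache',
    # Management Services
    'http://+:80/MobiControl/', 'https://+:443/mc/xas/', 'https://+:443/mc/proxy/',
    'https://+:443/ciscoise/', 'https://+:443/rc/'
)
# Pre-13.3 releases reserved the weak wildcard; remove it (netsh reports an error if absent).
netsh http delete urlacl "url=https://*:443/MobiControl/"
foreach ($url in $urls) {
    netsh http add urlacl "url=$url" "user=$Account"
}

# 4. Net.TCP Port Sharing: Device Administration and Caching services share port 5495.
Set-Service -Name NetTcpPortSharing -StartupType Automatic
Start-Service -Name NetTcpPortSharing

# 5. Resolve the account SID (same value as 'wmic useraccount get name,sid' shows) and
#    add it to <allowAccounts> in SMSvcHost.exe.config so SMSvcHost lets this account
#    register net.tcp endpoints. Config path is an assumption for .NET 4.x, 64-bit.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfgPath = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe.config'
[xml]$cfg = Get-Content -Path $cfgPath -Raw

# Return the named child element of $Parent, creating it when missing.
function Get-OrAddElement([System.Xml.XmlNode]$Parent, [string]$Name) {
    $node = $Parent.SelectSingleNode($Name)
    if (-not $node) { $node = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name)) }
    return $node
}
$activation = Get-OrAddElement $cfg.DocumentElement 'system.serviceModel.activation'
$netTcp     = Get-OrAddElement $activation 'net.tcp'
$allow      = Get-OrAddElement $netTcp 'allowAccounts'
if (-not $allow.SelectSingleNode("add[@securityIdentifier='$sid']")) {
    $add = $allow.AppendChild($cfg.CreateElement('add'))
    $add.SetAttribute('securityIdentifier', $sid)
    $cfg.Save($cfgPath)
    Restart-Service -Name NetTcpPortSharing   # SMSvcHost re-reads the config on start
}

# 6. Verify: each reservation should list the account, and the SID should be in the config.
netsh http show urlacl | Select-String -SimpleMatch $Account
Select-String -Path $cfgPath -SimpleMatch $sid
```

Back up SMSvcHost.exe.config before running step 5; the file is shared by every WCF net.tcp host on the machine, so a malformed edit breaks port sharing for all of them, not just MobiControl.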