What Permissions are needed for MobiControl to run as a Service Account?

Not everyone can run MobiControl server components as Local System. Some may wish to run MobiControl Server components as a Service Account that is registered in a domain.

  • 01 September 2017
  • SOTI MobiControl

2 Answers

TJ Bukoski | posted this 01 September 2017

The service account must be given full access to the following MobiControl folders:

  • C:\Program Files\SOTI\MobiControl
  • C:\ProgramData\SOTI

As some MobiControl configurations are encrypted using machine keys, the service account must be granted access to the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.

Deployment Server is a host for multiple services. The service account must have rights to listen on certain ports and addresses.

By default, MobiControl uses port 443 for HTTPS services and port 80 for HTTP services. These ports are configurable. The service account must have rights to host services on the configured ports.

Deployment Server hosts services like these:

  • Enrollment services for iOS and Windows Modern devices as well for Printers
  • Self-service portal
  • Application Catalogue
  • Profile Catalogue

To grant rights to host these services on their default addresses, run the following script (assuming the services are hosted on ports 80 and 443):

 netsh http add urlacl url=https://+:443/CertificateEnrollment/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/Enroll/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/Enrollment/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/EnrollmentServer/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/FederatedEnrollment/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/IdentityServices/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/mc/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/mdmServiceConfig/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/MobiControl/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/ssp/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/MyDevice/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/MyDevices/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/DeviceManagement.svc  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/WP8Management/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/ApplicationProvider.svc  user=%ACCOUNT%
 netsh http add urlacl url=http://+:80/mc/pas/  user=%ACCOUNT%
 netsh http add urlacl url=http://+:5495/mc/admin user=%ACCOUNT%
 netsh http add urlacl url=http://+:5495/mc/cache user=%ACCOUNT%
Deployment Service also hosts the Device Administration service and the Caching service, which both use net.tcp binding and port 5495.

For this to work,

  1. The Net.TCP Port Sharing Service must be enabled (https://msdn.microsoft.com/en-us/library/ms733925(v=vs.110).aspx)
  2. The service account must be granted TCP port sharing rights (https://msdn.microsoft.com/en-us/library/aa702669)

To grant the rights, the service account's security ID (SID) must be added to the SMSvcHost.exe.config configuration file. To determine the service account SID, run the following command in CMD:

   wmic useraccount get name,sid

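The SID step above can be scripted end to end. The following PowerShell is an added example, not SOTI's code: it resolves the account's SID, adds it to the allowAccounts list of SMSvcHost.exe.config (the element documented for the Net.TCP Port Sharing Service), and makes sure the service is enabled. The account name and the .NET Framework 4 (64-bit) config path are assumptions; adjust them to the host.

```powershell
# Added example (not SOTI's code): grant a domain service account net.tcp
# port-sharing rights by listing its SID in SMSvcHost.exe.config, then make
# sure the Net.TCP Port Sharing Service is enabled and running.
# $Account and the .NET path are assumptions; adjust to the framework MobiControl uses.
param([string]$Account = 'CONTOSO\svc-mobicontrol')   # placeholder account

# Resolve the account name to its SID (same value "wmic useraccount get name,sid" prints).
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

$config = Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe.config'
[xml]$xml = Get-Content -Path $config -Raw

# Walk (or create) configuration/system.serviceModel.activation/net.tcp/allowAccounts.
$node = $xml.configuration
foreach ($name in 'system.serviceModel.activation', 'net.tcp', 'allowAccounts') {
    $child = $node.SelectSingleNode($name)
    if (-not $child) { $child = $node.AppendChild($xml.CreateElement($name)) }
    $node = $child
}

# Add the SID only if it is not already listed, so the script can be re-run safely.
$existing = $node.SelectNodes('add') | ForEach-Object { $_.GetAttribute('securityIdentifier') }
if ($existing -notcontains $sid) {
    Copy-Item -Path $config -Destination "$config.bak"   # keep a backup of the original
    $add = $xml.CreateElement('add')
    $add.SetAttribute('securityIdentifier', $sid)
    [void]$node.AppendChild($add)
    $xml.Save($config)
    "Added $Account ($sid) to $config"
} else {
    "$Account ($sid) is already listed in $config"
}

# The port-sharing service must be enabled; restarting it makes SMSvcHost re-read the config.
Set-Service -Name NetTcpPortSharing -StartupType Automatic
Restart-Service -Name NetTcpPortSharing
```

Existing entries are preserved. If the allowAccounts element had to be created, the explicit list replaces the built-in defaults, so also add the SIDs of LocalSystem (S-1-5-18), LocalService (S-1-5-19), NetworkService (S-1-5-20) and Administrators (S-1-5-32-544) if other services on the host rely on port sharing.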
TJ Bukoski | posted this 01 September 2017

To start Management Services, the service account must be granted additional rights.

Rights to start HTTP/HTTPS endpoints

Management Services is a host for multiple services. The service account must have rights to listen on certain ports and addresses.

By default, MobiControl uses port 443 for HTTPS services and port 80 for HTTP services. These ports are configurable. The service account must have rights to host services on the configured ports.

Management Services hosts services like these:

  • Management Services (both legacy and API)
  • HTTP redirection service
  • HTML5 remote control service
  • Exchange Active Sync Policy service
  • Enterprise Resource Gateway Policy service
  • Cisco ISE services

To grant rights to host these services on their default addresses, run the following script (assuming the services are hosted on ports 80 and 443):

 netsh http add urlacl url=https://+:443/MobiControl/ user=%ACCOUNT%
 netsh http add urlacl url=http://+:80/MobiControl/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/mc/xas/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/mc/proxy/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/ciscoise/  user=%ACCOUNT%
 netsh http add urlacl url=https://+:443/rc/ user=%ACCOUNT%

Please note: previous versions of MobiControl (prior to the recent 13.3 MR release) hosted the APIs on https://*:443/MobiControl/, and the service account instructions included a command to grant rights to this URI. As the API services are no longer hosted on * (they are hosted on +), that right must be removed, i.e. if the right is present, execute:

 netsh http delete urlacl url=https://*:443/MobiControl/
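Rather than re-running the reservation script blindly, the current state of the HTTP.sys reservations can be checked first. The PowerShell below is an added example, not SOTI's code: it parses the output of netsh http show urlacl, reports which of the Management Services reservations listed above are missing for the account, and flags the stale https://*:443/MobiControl/ wildcard reservation. The account name is a placeholder.

```powershell
# Added example (not SOTI's code): audit the URL reservations the MobiControl
# Management Services account needs. The prefix list and ports 80/443 are the
# defaults from the answer above; $Account is a placeholder assumption.
param([string]$Account = 'CONTOSO\svc-mobicontrol')

$required = @(
    'https://+:443/MobiControl/', 'http://+:80/MobiControl/',
    'https://+:443/mc/xas/',      'https://+:443/mc/proxy/',
    'https://+:443/ciscoise/',    'https://+:443/rc/'
)
$stale = 'https://*:443/MobiControl/'   # wildcard reservation used before the 13.3 MR release

# Parse "netsh http show urlacl" into a map of reserved URL -> list of principals.
function Get-UrlAclMap {
    $map = @{}; $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $current = $Matches[1]; $map[$current] = @()
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $map[$current] += $Matches[1]
        }
    }
    return $map
}

$acls = Get-UrlAclMap
$missing = @()
foreach ($url in $required) {
    $principals = $acls[$url]
    if (-not $principals -or -not ($principals -contains $Account)) { $missing += $url }
}

if ($missing) {
    Write-Warning "Missing reservations for ${Account}; add them with:"
    $missing | ForEach-Object { "  netsh http add urlacl url=$_ user=`"$Account`"" }
} else {
    "All required URL reservations are present for $Account."
}

if ($acls.ContainsKey($stale)) {
    Write-Warning "Stale wildcard reservation still present; remove it with:"
    "  netsh http delete urlacl url=$stale"
}
```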