Enterprise Mobile Manager

Unable to connect the device to EMM Server


When a device is connected to Wi-Fi and has no cellular data connection, push notifications are not received.


Devices using APNs need a direct connection to Apple’s server. If a device is unable to connect using cellular data, it will attempt to use Wi-Fi where available. If there is a proxy server on the Wi-Fi network, the device will not be able to use APNs, because APNs require a direct and persistent connection from device to server.
For APNs traffic to pass through a firewall, the following ports need to be open:
TCP port 5223 (used by devices to communicate to the APNs servers)
TCP port 2195 (used to send notifications to the APNs)
TCP port 2196 (used by the APNs feedback service)
TCP port 443 (used as a fallback on Wi-Fi only, when devices are unable to communicate to APNs on port 5223)
The APNs servers use load balancing. iOS devices will not always connect to the same public IP address for notifications. The entire address block is assigned to Apple, so the best way is to allow this range in the firewall settings.

Google Android
The ports to open are: 5228, 5229, and 5230. Generally Google Cloud Messaging uses port 5228 only, but sometimes it uses 5229 and 5230, too. GCM doesn’t provide specific IPs, so you have to allow connections to all IP addresses contained in the IP blocks listed in Google’s ASN of 15169.

AppTec EMM
The ports to open are: 443, 8080 and 8081. Port 80 is optional and is used to redirect HTTP traffic for the console to HTTPS.

Unable to import AD into EMM Server in the Cloud


The import of Active Directory into the EMM Server works only in the Virtual Appliance within the local environment. Generally, security settings don't allow a connection to Active Directory from outside of a firewall.

How to extract the Intermediate Certificate from Firefox

  1. Open the Web-interface of your EMM in Firefox.
  2. Click on the little Lock on the left side of the URL bar.
  3. In the Popup click on “More Information“.
  4. In the window that opens up choose the Security tab and click on “View Certificate“.
  5. In the next window switch to the “Details” tab.
  6. In the section “Certificate Hierarchy“, select the certificate between the certificate of the appliance and the Root CA.
  7. Click on “Export” on the bottom left and save the file.

How to copy the device log from Android devices

Note: Some menus on your device might look different from the screenshots (Google Nexus 5).

  1. Extract the folders “platform-tools” and “usb_driver” from the zip file
    (e.g. drag and drop to the desktop).
  2. Enable USB debugging.
    a. Enable “Developer options”.
    a.I. Go to “Settings” > “About phone“.
    a.II. Scroll down to “Build number“.
    a.III. Press the entry multiple times, until you get a message telling you that you are a developer now.
    b. Go to “Settings” > “Developer options“.
    c. Enable “USB debugging“.
  3. Make sure the device is unlocked during each of the following steps.
  4. Connect the device to a computer.
  5. Open the device manager.
  6. If it is not already installed, install the USB driver for your device.
    a. In the device manager right click the device and select “Update driver Software“.
    b. Press “Browse my computer for driver software“.
    c. Select the folder with the device driver and press “Next“.
    d. If a “Windows Security” window pops up, check the name and publisher and, if they are valid, press “Install“.
    e. If everything went fine you should see this window:
  7. Open a command prompt (press Windows key+R to open Run, type in cmd and press Enter) and navigate into the “platform-tools” folder.
  8. Run “adb devices -l” to get a list of connected devices.
  9. When the device asks if you want to allow USB debugging, confirm with “OK”.
  10. Rerun “adb devices -l“. Now the device should show up in the list together with some information about it.
  11. Run “adb logcat -v long > Device.log“. Wait 10 seconds, and then stop the command by pressing CTRL+C.
  12. The log file should be in the “platform-tools” folder.
  13. (Optional) Disable “USB debugging” and “Developer options” in the Settings.

General Questions

How to create an APNS Certificate?

To create an APNS Certificate you need an Apple-ID. It’s recommended not to use a personalized Apple-ID; please use an Apple-ID that belongs to your corporation.

If you own an Apple-ID, press “General Settings” and follow the steps in “Apple Configuration“.

How to renew an APNS Certificate?

  1. Go to “General Settings” and select “Apple Configuration”. If you’ve already uploaded an APNS certificate, the window should look like this:
  2. Download the “signedPushCertificate.txt”, open the Apple Push Certificate Portal and sign in with the same Apple ID you used to create the APNS Certificate currently installed in the EMM.
  3. You should see a list of your Push Certificates. You can determine the right one by comparing the validity dates or the Topic (click on the little information button next to the certificate in the Apple Push Certificate Portal to see the Topic).
  4. Press “Renew” under actions for the right certificate.
  5. You should see a new dialog. Here you select the “signedPushCertificate.txt” that you have downloaded in step 2. and press “Upload”.
  6. After pressing “Upload” you will get a confirmation window, where you’ll see the new expiration date of the certificate. Press “Download” to save the file to your computer.
  7. In the console go back to “General Settings” – “Apple Configuration” as seen in the screenshot for step 1. Click “Browse”, select the newly created and downloaded certificate and press “Upload”.
  8. Check the validity date. The certificate should be valid for another year.

What happens if I change my APNS Certificate or don't renew it annually?

The devices don’t get any configuration from the AppTec MDM Server anymore and have to be enrolled again.

How do I move users between groups?

You have two options:

  1. You just drag and drop a user from one group to another.
  2. While you have selected a user, press the gear icon, choose “Edit User” and select the new group in “Usergroup“.

How do I move devices between users?

Drag and drop the device from one user to another.

Is it possible to change settings per device?

In the Enterprise Mobile Manager you can change settings per group and/or device.

Settings made on device level have a higher priority than settings on group level. If group settings get overwritten in the device settings, a blue square shows up on the left side of that setting. You can reset the setting back to the group setting by pressing this blue area.

Is it possible to buy new SMS-Credits?

Yes, please contact our sales department for further requests.

Is it possible to switch between black- and whitelisting on group level or is this reserved to global settings?

At the moment this is only available as a global setting, so you have to choose between the two methods globally. It is possible, however, to black- or whitelist apps on group level.

While enrolling a device I get an error saying "Network Connection Failure"

Please make sure that you’ve opened the necessary ports in your firewall configuration. For further information see the architectural diagram.

What kind of certificate is needed to run the virtual appliance?

You need an official certificate signed by a trusted certificate authority. It’s possible to use wildcard certificates. You cannot use a self-signed certificate because they are not accepted by Apple and Android devices.

While enrolling an iOS device the certificate in the certificate installation shows up as "Not Verified".

Please check if the certificate uploaded in step 2 of the appliance configuration is correct. Also check if you have uploaded the right intermediate certificate. If you upload new certificates don’t forget to save the changes by pressing “Configure Appliance” in step 5.

What do you use the username and password for that show up in step 3 of the configuration?

This is the account for the license manager. You can use it as login for the console to manage the licenses on multi-client appliances and to export the configuration for backup and maintenance purposes.

While enrolling an Android device I get an error in the app that says "Exception:java.security.cert.CertPathValidatorException: Trust anchor for certification path not found"

Please check if the certificate uploaded in step 2 of the appliance configuration is correct. Also check if you have uploaded the right intermediate certificate. If you upload new certificates don’t forget to save the changes by pressing “Configure Appliance” in step 5.

I can't login as root user

You can’t login to the appliance as root user. To work with root permissions you need to use the “sudo” command line utility.

If I install GooglePlayStore apps via the Console but the GooglePlayStore is disabled in the SysApp Restrictions settings, will the apps still be updated automatically?

The updates will be installed automatically if the automatic updates were activated prior to restricting the GooglePlayStore. There is no interface available to us to get the apps to automatically update.

Troubleshooting Certificate Errors using XCA and OpenSSL

What is XCA?
“X Certificate and Key management is an interface for managing asymmetric keys like RSA or DSA. It is intended as a small CA for creation and signing certificates. It uses the OpenSSL library for the cryptographic operations”

Getting XCA
Download and install XCA from http://sourceforge.net/projects/xca/ (on some Linux Distributions it can also be installed via the package manager)

Setting up XCA
Create a new Management Database:

After creating the file you will be asked to add a password protection. You can also leave the password blank and press “OK”

Check if private key is password protected with XCA
Drag and drop the key file into XCA. If it’s protected, you’ll be asked for the password. After importing you can remove the password from the file by exporting the key and leaving “Encrypt the Key with a password” unchecked.

Check if private key matches the certificate with XCA
Drag and Drop the Server Private Key and the Server Certificate into XCA. Go to the Certificates Tab and double click the server certificate. The entry for “Key” should show the name of the private key in green, if the right private key was imported into XCA.

If the key can’t be found, it will show up as “Not available”.

Check the intermediate certificate file for the correct certificate chain with XCA
Drag and drop the intermediate certificate and server certificate into XCA. Go to the “Certificates” tab. The server certificate should show up below the whole certificate chain.

Check if the correct certificate chain gets delivered by the server using openssl
You can see the certificate chain delivered by the server to the clients by issuing the following command:

openssl s_client -connect <your EMM VA Domain>:<Port>

Please check the Ports for the Webinterface (default: 443) and the Device Server (default: 8080).

The first lines show the certificate chain. In the screenshot you see the result of google.com on port 443

As you can see, we have three entries. Depending on your certificate provider, your appliance may show more. Entry number 0 is the server certificate.
The “i:/C=…” line of every entry should match the “s:/C=…” line of the next entry; otherwise the certificate chain is broken.
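
The issuer/subject comparison described above can be scripted. The following is an added example, not part of the AppTec documentation or tooling; the function name check_chain, the host name emm.example.com and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that each chain entry's issuer (i:) equals the next
# entry's subject (s:) in `openssl s_client` output read from stdin.
# Exit status: 0 = chain links up, 1 = broken link, 2 = no chain in input.
check_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }      # "---" ends the chain listing
    !in_chain            { next }
    /^ *[0-9]+ s:/ {                           # subject line of entry n
      subj = $0; sub(/^ *[0-9]+ s:/, "", subj)
      if (n > 0 && subj != issuer) {
        printf "BROKEN: issuer of entry %d (%s) is not subject of entry %d (%s)\n", n - 1, issuer, n, subj
        broken = 1
      }
      n++; next
    }
    /^ *i:/ { issuer = $0; sub(/^ *i:/, "", issuer) }   # issuer of entry n-1
    END {
      if (n == 0) { print "no certificate chain found"; exit 2 }
      if (broken) exit 1
      printf "OK: %d entries, each issuer matches the next subject\n", n
    }'
}

# Constructed sample outputs (hypothetical names, not captured from a server).
good_sample() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=Example Corp/CN=emm.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
Server certificate
EOF
}

broken_sample() {   # wrong intermediate uploaded: entry 1 is an unrelated CA
  good_sample | sed 's|^ 1 s:.*| 1 s:/C=US/O=Other CA/CN=Other Intermediate CA|'
}

good_sample   | check_chain
broken_sample | check_chain || echo "exit status $? (chain broken)"
# Live use: openssl s_client -connect <your EMM VA Domain>:<Port> </dev/null 2>/dev/null | check_chain
```

The script compares the name strings only, as the manual check does; it does not verify signatures or validity dates.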




© 2016 AppTec GmbH
The information provided in this document does not warrant or assume any legal liability or responsibility for the accuracy and completeness. This document is meant to provide a general structure on the discussed issue. Thus it is not meant to document specific licensing terms. Please refer to your license agreements, available product licensing information and other sources provided by respective software vendor to review valid terms and conditions for license compliance reconciliation.

This documentation is protected by copyright. All rights reserved by AppTec GmbH. Any other usage, in particular, dissemination to third parties, storage within a data system, distribution, editing, speech, presentation, and performance are prohibited. This applies for the document in parts and as a whole. This document is subject to changes.

Reprints, even of excerpts, are only permitted after written consent of AppTec GmbH. The software described in this documentation is continuously developed, which may result in differences between the documentation and the actual software. This documentation is not exhaustive and does not claim to cover the complete functionality of the software.