Web Settings Guide II: Web Settings Overview
Settings
General
The General section contains mainly settings that are used to define endpoints for the Management Console, the Self Service Portal, and for device enrollments and communications. In addition, you can define several security settings Administrators and Users and you can define the Default Time Zone for System Users.
Sites
This section defines endpoint for your Silverback environment. In the majority of deployments, these settings should remain default unless extra configuration has occurred on the server.
| Setting | Description |
|---|---|
| Admin URL | URL for the admin console. This shouldn’t be changed unless the website on the server itself has been changed first. |
| STS URL | URL for the Secure Token Service. This shouldn’t be changed unless the website on the server itself has been changed first. |
| SSP URL | URL for the Self Service Portal. This shouldn’t be changed unless the website on the server itself has been changed first. |
| Companion URL | URL for Companion clients to checkin. This shouldn’t be changed unless the website on the server itself has been changed first. |
| Activation URL | URL for activations. This shouldn’t be changed unless the website on the server itself has been changed first. |
| SharePoint URL | URL for Companion clients to access Sharepoint details. This shouldn’t be changed unless the website on the server itself has been changed first. |
| Windows Enrollment Server | URL for Windows 10/11 enrollments. This shouldn’t be changed unless the website on the server itself has been changed first. |
Security
In the security section you can define rights for administrators to clear passcodes and to provision devices o behalf of users. In addition, you can define the maximum failed login attempts value for the Silverback Management Console and the Self-Service Portal.
| Setting | Description |
|---|---|
| Allow Admins to Clear Passcodes | This determines if administrators will have the ability to reset passcodes on devices. |
| Allow Admins to provision devices on behalf of users | This determines if administrators will have the ability to provision devices on behalf of users. |
| Maximum Failed Login Attempts for Console Users | The number of failed attempts before console user’s accounts are locked out. Once locked out, another administrator will need to unlock the account. |
Default Time Zone
In this are you can define the set Default Time Zone for System Users. This will define the preselected Time Zone when creating a new System User in the Management Console and will be used as the Default Time Zone for System Users that were created based on administrative logins with Active Directory users. Please refer to Create a new System User for additional information.
| Setting | Description |
|---|---|
| Default Time Zone | Change the Default Time Zone for System Users by choosing your desired Time Zone from the drop down list. |
Android
Android Cloud Messaging Settings
This determines the company information used to push to users. In most installations, the generic Silverback settings are used. If you require your own internal push settings for any reason, this is where you configure them.
| Setting | Description |
|---|---|
| Send URL | The endpoint to send FCM push notifications to devices. This should not be changed. |
| Project ID | The Project ID used for push notifications. This should not be changed. |
| Companion MDM Poll Interval | Defines the periodic task interval for Companion to check for pending commands. This interval will be set during the enrollment and a change will only affect new enrollments. |
Samsung License Keys
This area is dedicated for Samsung License Keys. You can enter here your corporate owned Samsung Knox Premium Licenses Key to use additional premium features for Samsung Knox devices.
| Setting | Description |
|---|---|
| Samsung ELM License | The ELM license key was used to call APIs from the Knox Standard and Knox Premium SDKs which has been replaced with the Samsung KPE License key. |
| Samsung KPE License | The KPE license key is used to activate specific Knox Platform for Enterprise features by the MDM vendor during the enrollment. Do not change this key. If available, add your individual KPE Premium license key in the Knox Service Plugin configuration |
| Samsung KNOX License | The KNOX Premium License key was used to activate Knox Workspace containers. Knox Workspace containers are deprecated and replaced by Android Enterprise Work Profiles with Knox 3.4 |
Google Play Settings
This setting should not be modified. This tells Silverback which Google Play app to use for the deprecated Android legacy device enrollment.
| Setting | Description |
|---|---|
| Google Play Enabled | Determines if Silverback should use the Google Play Companion Client. This should not be changed. |
| Google Play App URL | The Google Play link for the Companion App. This should not be changed. |
Activation URLs
This setting should not be modified.
| Setting | Description |
|---|---|
| Matrix42 API automatic activation URL | Related settings for the Matrix42 Mobile Portal, which is used for the automatic activation of Android Enterprise. |
| Matrix42 API manual activation URL | Related settings for the Matrix42 Mobile Portal, which is used for the manual activation of Android Enterprise. |
APNS
This section should generally not be modified. These settings control how Apple Push Notification Service certificates are requested and how the server should connect to Apple endpoint to send push messages. In addition, it contains an option to enable a Push Notification Message Logging for deep dive troubleshooting scenarios, which should only be enabled on the advice of our support organization.
| Setting | Description |
|---|---|
| Matrix42 Accounts URL | Used when generating an Apple Push Notification Service certificate. |
| Matrix42 Signing API URL | Used when generating an Apple Push Notification Service certificate. |
| APNS Port | The port to communicate with Apple for push messages. |
| APNS Gateway | The Apple server to send push message requests to. |
| Enable Push Notification Message Logging | This option should only be temporary enabled on the advice of our support organization. If enabled, Silverback will log Push Notification Messages in the Management Console Log section with an additional option to generate log files on your server for reviewing the internal communication between Silverback and the responsible project that is transforming Push Messages into a HTTP2 request to the Apple Push Notification Service. |
App Portal and SMS
App Portal
These settings control the behavior of the App Portal for devices, and also how application information is retrieved from Apple.
| Setting | Description |
|---|---|
| URL | The URL for devices to access the App Portal – This shouldn’t be changed unless the website on the server itself has been changed first. |
| Device App Portal Refresh Interval | While the user has the App Portal open on their device, the page will automatically refresh for them at this interval. This ensures the user’s available application list is up to date. |
| Device App Portal Managed App List Interval | While the user has the App Portal open on their device, the server will request a managed app list from the device at this interval. This ensures that the status for managed apps (Install, Uninstall, Upgrade etc.) is current. |
| iOS AppInfo URL Template | This is the URL used to retrieve app information from Apple. This should not be changed. |
SMS Server
Silverback integrates with SMS Providers so that user’s can receive SMS messages when they create enrollments. Currently, Silverback by Matrix42 supports the RedCoal SMS Provider for Australian customers, AerialLink v4 and MessageBird for the rest of the world.
| Setting | Description |
|---|---|
| Send Provisioning SMS to Users | Determines if the server should send SMSs to users. |
| SMS Sender Label | If supported by the SMS Provider, this will appear as the “From:” label for the users. |
| SMS Provider | Selects the SMS Provider. |
| RedCoal Serial Number | The serial number for the RedCoal account. This should not be changed. |
| RedCoal SMS Keys | Authentication key for the RedCoal account. This should not be changed. |
| RedCoal Endpoint URL | The RedCoal API endpoint. This should not be changed. |
| AerialLink v4 URL | The SMS Endpoint. This should not be changed. |
| AeriaLink V4 API Code | The API Code for access to sending SMS. This should not be changed. |
| AeriaLink V4 API Key | The API Key for access to sending SMS. This should not be changed. |
| AeriaLink V4 API Secret | The API Secret for access to sending SMS. This should not be changed. |
| AreiaLink Use international number format | Determines if the endpoint should expect international SMS in + format. Generally this should be left to the default settings. |
| Message Bird API URL | The URL for the MessageBird API. This should not be changed. |
| Message Bird Authorization Token | The access token for connecting and sending messages. This should not be changed. In case you are as well a Message Bird customer you can change the default token to your own by Set. With restore default, the default Silverback authorization Token will be used again. |
| Message Bird Country Code for Local Numbers | If you want to use a local number format to send messages, enter the default country code here. |
Certificates
Silverback Root Certification Authority
Silverback deploys device identity certificates to devices that will be managed. For security reasons, an individual certificate is generated for each device and Silverback contains an internal Root Certification Authority that issues certificates to the devices. The settings that are set with the certificates are configured in this section.
| Setting | Description |
|---|---|
| Certificate | Silverback Root CA certificate. This certificate must be located in the Local Computer Certificate Store. |
| Country | The country that will be placed in the certificate information for devices. |
| Organization | The organization that will be placed in the certificate information for devices. |
| Location | The location that will be placed in the certificate information for devices. |
| Expiry Length (years) | How long the device issued certificates should last before expiring |
Certificate Deployment Method
The Certificate Deployment option relates to certificates deployed for services like Exchange ActiveSync, Wi-Fi, and VPN.
| Setting | Description |
|---|---|
| Certificate Deployment |
Enterprise Certificate – Administrators will provide a single certificate to be issued to all users for services like Exchange ActiveSync, Wi-Fi, and VPN. Individual Client - If this is selected, a Microsoft Enterprise Certification Authority will be utilized to request, issue, and distribute individual certificates to devices that can be used for services like Exchange ActiveSync, Wi-Fi, and VPN. |
Corporate Certification Authority
| Setting | Description |
|---|---|
| Certification Authority |
Enter here your Corporate Certification Authority for Certificate Based Authentication in the following format: ca.imagoverum.com\domain-server-CA Open a command prompt on your Certification Authority and type certutil, press enter and take the value displayed in config. By default, the Certificate Authority Address is set to DEFAULT, which will tell the computer to automatically find the Certificate Authority. |
Templates
| Setting | Description |
|---|---|
| Template Name | Defines the template used for individual ActiveSync, Wi-Fi and VPN certificates. Please refer to Certification Authority Integration Guides for additional information. |
Certificate Renewal
This section is only enabled if Individual Client certificates are enabled. This section determines certificate renewal settings.
| Setting | Description |
|---|---|
| Renew certificates when expiry is within (days) | When Silverback detects that a certificate it issued will expire this many days from today’s date, it will renew the certificate. For example if this setting is set to 180, and the certificate expiry is 1 year, it will automatically renew half-way through the year. |
| Exchange Certificate Template Validity (years) | Silverback will use this provided validity to automatically renew the certificate if it can’t get the expiry information from the certificate itself. |
Windows Certificate Settings
| Setting | Description |
|---|---|
| Enrollment Issuing CA | The CA that will issue certificates to Windows 10/11 devices. This should be in the Local Computer store, and the Network Service account should have permissions to manage the private key. Please refer to our Certification Authority Integration Guides for additional information. |
| CEP Encryption Agent | CEP Encryption Agent Certificate for certificate enrollment. |
| Exchange Enrollment Agent | Exchange Enrollment Agent Certificate for certificate enrollment. |
S/MIME Settings
| Setting | Description |
|---|---|
| Encryption Template | Specify here the Template for encryption purpose. Please refer to our Certification Authority Integration Guides. |
| Encryption Certificate Subject Name | Specify here your Certificate Subject Name. Please refer to our Certification Authority Integration Guides. |
| Signing Template Name | Specify here your Template for signing purpose. Please refer to our Certification Authority Integration Guides. |
| Signing Certificate Subject Name | Specify here your Certificate Subject Name. Please refer to our Certification Authority Integration Guides. |
| Agent Certificate | Select here your Agent Certificate for requesting certificates on behalf of a user. Please refer to our Certification Authority Integration Guides. |
Cloud Connector
The Cloud Connector allows Silverback servers outside of your LAN to communicate with your local resources. The Cloud Connector is an outbound only session and is mutually authenticated and encrypted. This means that the Cloud Connector client must be configured to use the Silverback server’s public key, so that the server can decrypt the client traffic.
Cloud Connector Settings
| Setting | Description |
|---|---|
| Tunnel URL | The URL for cloud connector connectivity – This shouldn’t be changed unless the website on the server itself has been changed first. |
| Send LDAP Requests through Tunnel | Whether or not LDAP Requests should be sent down the cloud connector tunnel. |
| Request Client Certificates through Tunnel | Whether or not Client Certificate Generation should be sent down the cloud connector tunnel. |
| Enable Traffic Log | Whether traffic information from the Cloud Connector should be logged. This should only be enabled for troubleshooting. |
| Tunnel Security Principal | The local account that is running the cloud connector tunnel on the server. |
| Client Certificate Thumbprint (public key) | The public key thumbprint of the cloud connector client certificate. Used to encrypt traffic sent to the cloud connector client. |
| Silverback Server Tunnel Certificate (private key) | The private key thumbprint of the server’s client certificate, Used to decrypt traffic sent to the server from the client. |
Exchange Protection
This settings defines if the Exchange Protection will be used with the Cloud Connector. Only enable the exchange protection here if you have a Cloud Connector present.
| Setting | Description |
|---|---|
| Enable Exchange Protection Service | Enables the Exchange Protection Service with the usage of the Cloud Connector services instead of the Silverback Maintenance Services. |
| Exchange Task Interval | This is the interval at which exchange protection will be executed. Note that by default this setting is quite large. This is due to the fact that if exchange protection is enabled, but not configured correctly, large amount of traffic can be generated against the Exchange Environment. If Exchange protection is configured then this setting should be reduced to the desired frequency. Ideally 1 minute. |
| Max Exchange Concurrency | Maximum number of concurrent Exchange Protection Requests to send at one time. |
| Exchange Protection Max Try | Maximum number of times Silverback tries to protect the server. |
Companion
| Setting | Description |
|---|---|
| Queue Device Inventory on Companion Check-in | Whether the Silverback server should perform a full device inventory when the Companion Client checks in. This is useful if you allow automated unblocked, as the user will be able to rectify the problem, then scan Companion to get unblocked. |
| Companion Blocked Message | The push message sent to the user’s Companion client when they are blocked. |
| Companion Unlocked Message | The push message sent to the user’s Companion client when they are unblocked. |
| Companion Grade Period Push Message | The message to send to the user to remind them to check in. |
Connection String
These settings are representing the connection information for the database. The information presented in this section is taken from your current Silverback Connection string in the Registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\MATRIX42\SILVERBACK. Changes made in this section will not be adopted. To change the database connection string, you will need to delete the Silverback Connection string from the Registry, restart the IIS and reopen localhost/admin to enter your new connection string. Please refer to our Migration Guide for additional information.
| Setting | Description |
|---|---|
| Use Azure SQL | Defines if the Database is hosted on Azure SQL. |
| Database Server Address | The network address or DNS name of the SQL server that holds the Silverback database. |
| Failover Database Server Address | If needed, you can also specify a separate server to fail-over to in the event the database server is un-reachable. |
| Database Name | The name of the Silverback database. |
| Use SQL Authentication | Whether Silverback should use a defined username and password for SQL, or assume permissions for itself (e.g. if the Silverback server is granted permissions on the database, then it will authenticate as itself). |
| Username | If using SQL authentication, it defines the username which will be used for the SQL authentication. |
| Password | If using SQL authentication, it defines the password which will be used for the SQL authentication. |
| Web Settings Certificate | The web settings encryption certificate. This is used to encrypt the web settings in this page. If you migrate to another server you must move the certificate so this thumbprint matches a certificate that is available on the local machine for Silverback. Please refer to the Migration Guide for additional information. |
Device Types
In this section, you can define which device types you want to manage in your system. For example, if you only want to manage iPhone devices, you can disable all other platforms. As a result, your Silverback Management Console will hide some options for other platforms and only the enabled platforms will be available in Tags, for example. Please note that enrollment of not activated platforms can only be prevented if no Simple Enrollment method is configured for the Self Service Portal. Disabling the Simple Enrollment will result in users being prompted to enter their generated or received OTP on the Activate page, and only allowed platforms will be allowed when visiting this page. If the Simple Enrollment is desired, another way to prevent active management of unwanted platforms is to use the Enforce Hardware Authentication Lockdown Policy set to Block in the System Tag for the specific device type while leaving the device type enabled. In general, the following Device Types can be defined:
| Vendor | Device Types |
|---|---|
| Apple | iPad, iPhone, iPod, macOS, AppleTV |
| Android, Samsung Knox | |
| Microsoft | Windows |
Export and Import
This section allows you to export the Settings Administration settings so that you can keep a backup of these settings or move these to another server. The export and import will retain all settings, but it’s critical that the web settings encryption certificate is the same, or when uploaded, the import will not be able to be read by the server.
| Setting | Description |
|---|---|
| Download Export | Clicking the link will download a full export of all the settings. Note that this is encrypted with the servers web settings encryption certificate. |
| Import | Upload a previously exported configuration file. This will only be readable by the server if the same web settings encryption certificate is used. |
LDAP
These settings govern how the system connects to LDAP sources, and also what information should be captures for users. Please refer to Installation Guide IV: LDAP Connection for additional examples.
| Setting | Description |
|---|---|
| LDAP Connection | |
| LDAP Type | The type of LDAP Source. Supported types are AD, Domino, and Novell. |
| LDAP Server | The network address of the LDAP server. |
| LDAP Port | The network port to use for LDAP server connections. |
| LDAP SSL | Determines if LDAP/S is used or not. Ensure when activating that your Silverback server is able to communicate proper to your Active Directory on an encrypted level. |
| LDAP Lookup Username | Binds a username for LDAP Lookups and anonymous binds will be used if this is not specified but checking the LDAP connection requires a provided LDAP Lookup Username. |
| LDAP Lookup Password | Binds a corresponding password for the LDAP Lookup username. Checking the LDAP connection requires a provided LDAP Lookup Password. |
| LDAP Filter | |
| Base DN | The Base DN is used as the starting point for all LDAP users and administrators lookups and as a fall back if the item in the LDAP Mapping section does not work. |
| User Filter | Users must match this filter when using the SSP or they cannot create enrolments. This filter acts also as a fall back if the item in the LDAP Mapping section does not work. |
| LDAP Attributes | |
| Username Field | The LDAP property of users username field. |
| Device Email Field | The LDAP property used for the user’s email address. |
| User Email Field | The LDAP property used for the user’s Email username. |
| Certificate Username Field | The LDAP property used for the user’s certificate username. |
| VPN Username Field | The LDAP property used for the user’s VPN username. |
| Wi-Fi Username Field | The LDAP property used for the user’s Wi-Fi username. |
| Wi-Fi Proxy Username Field | The LDAP property used for the user’s WiFi Proxy username. |
| SMIME Username Field | The LDAP property used for the user’s SMIME Certificate username. (*deprecated) |
| Global HTTP Proxy User Field | The LDAP property used for the user’s Proxy settings if enabled by profiles. |
| First Name Field | The LDAP property used for the user’s First Name. |
| Surname Field | The LDAP property used for the user’s Last Name. |
| Custom LDAP Variables | |
| Custom LDAP Var0 | First custom variable to be returned for the user. This variable can be used for System Variables when generating profiles and is useful if you need to populate a miscellaneous value into a profile for a user that isn’t covered by the standard values above. |
| Custom LDAP Var1 | Second custom variable to be returned for the user. This variable can be used for System Variables when generating profiles and is useful if you need to populate a miscellaneous value into a profile for a user that isn’t covered by the standard values above. |
| Custom LDAP Var2 | Third custom variable to be returned for the user. This variable can be used for System Variables when generating profiles and is useful if you need to populate a miscellaneous value into a profile for a user that isn’t covered by the standard values above. |
| Additional Settings | |
| LDAP Request Page Size | How many items should return per page in LDAP request. For large LDAP Results, this can reduce issues with missing users for Tag Population. |
| LDAP Referral Chasing Option | Determines if the server should “chase” referrals to other LDAP Sources. |
| Number of LDAP Request Retries | How many attempts should be made for an LDAP request before the system will fail. |
| Sleep Seconds Between Filter Tasks | Setting to specify static delay between LDAP filter tasks. We recommend to keep the empty specified value. |
LDAP Mapping
In this section you can configure how user’s UPNs should map to LDAP. If your environment has multiple UPN suffixes, then these can be specified in each row. When a user enrolls and enters their username, the UPN suffix is used and matched to this list and if a match is found, the Base DN and Filter will be used to ensure the user can enroll. Please refer to Multiple Domain Connection with LDAP Mappings for additional information.
A two-way transitive trust relationship between the domain configured in the LDAP section and the domains entered in the LDAP Mapping settings is required.
| Setting | Description |
|---|---|
| UPN Suffix | UPN Suffix to match when the user enrolls. |
| Base DN | Base DN to use for lookups for this UPN Suffix. |
| LDAP Filter | LDAP Filter to use for lookups for this UPN Suffix. |
Payload
Profile Signing Certificate
For Apple devices enrollments, the installed MDM will be signed with the certificate selected in the section and should reflect your SSL certificate bound in the Internet Information Service for your Silverback Website. When the certificate is expired, you will need to replace it at your IIS and in this section to ensure new devices can be provisioned successfully. After replacing the certificate, the signing status for already managed devices will move to Not verified for the MDM profile, but it won't affect the device management. New enrollments made with the new certificate will be indicated as signed on the devices. Please refer to Replace SSL Certificate for additional information.
| Setting Name | Description |
|---|---|
| Certificate | Defines the certificate that will be used for signing the MDM profiles. The drop down list displays certificates installed in the Local Computer Certificate Store on your server. |
Payload Settings
This section contains settings that are sent to the device as part of MDM Enrolment. The URLs for Checkin and MDM should not be reconfigured unless the Silverback Websites have been reconfigured first. The VPP Service Endpoint is specific to Apple and should not be reconfigured.
| Setting Name | Description |
|---|---|
| Checkin URL | URL for enrolling devices to checkin for MDM functions. This shouldn’t be changed unless the website on the server itself has been changed. |
| MDM URL | URL for devices to establish MDM sessions. This shouldn’t be changed unless the website on the server itself has been changed. |
| VPP Service Endpoint | URL used to communicate with Apple for VPP App Licensing. This should not be changed. |
Block App Store
To allow you to block access to the Apple iTunes store and still allow users to install App Store Applications, a special mechanism will enable the App Store momentarily and then disable it again. While the App Store is Unblocked, Silverback will attempt to install the application according to the Max Attempts setting, sleeping for the Sleep Time in between events, until the user has installed or canceled the app installation.
During this window, the user may be able to install another application, however the Application Whitelist policy will detect this, and perform the appropriate action on the user’s device.
| Setting Name | Description |
|---|---|
| Max Attempts | Number of times Silverback will attempt app installation when the App Store is blocked. |
| Sleep Time (seconds) | Amount of time in seconds between attempts that the Silverback server will wait before sending another request. |
iOS Single App Mode Re-enablement Automation Workflow
For devices that are locked into Single Application Mode, these applications cannot be updated while the device is locked. This can cause issues because sometimes these apps need to be updated and it’s not viable to manually update the devices apps. The workflow is designed to remove the device from Single App Mode, update the application and then lock the device again. The device does not tell the server when it’s done upgrading, so the server needs to check constantly to ensure the device is locked as soon as the app is done updating. This setting determines how many times the server will check the device to see if the app is updated before stopping. If the applications are large or your users are in poor coverage, it’s recommended to increase this value to allow the devices adequate time to update before we attempt to lock again.
| Setting Name | Description |
|---|---|
| Maximum number of times to check if application is installed before attempting to re-enable SAM. | The number of times Silverback will attempt app installation when the App Store is blocked. |
Exchange User Passwords
| Setting Name | Description |
|---|---|
| Include User Password in Exchange Profile |
Determines if the Exchange ActiveSync profile should include the user’s password. Passwords are only captured if devices are enrolled from the Self-Service Portal on iOS and iPadOS devices and if Password Caching is turned on prior to the device enrollment. |
Concurrency Settings
Limit the number of devices that can communicate with the server at any given time. These settings control the system behavior for this.
| Setting | Description |
|---|---|
| Minimum number of devices in the system before concurrency limit is enabled | Once the number of devices that exist in the console reaches this limit the concurrency settings will be enabled. The graph in Pending Commands will not show until this number is reached. |
| Period in minutes between limit flush to db | The amount of time in minutes before the device limit (defined in the Admin tab > Pending Commands section) will be saved to the database. It’s recommended to set this value to be large if you don’t intend to change the limit. |
| Minutes before device count cache is cleared | The number of devices in the system is cached. This means that potentially the above limit could be exceeded before the concurrency settings are enabled. This setting defines how long until the number of devices in the system is refreshed. |
| Seconds before statistics SQL query will timeout | The graph in the admin page may timeout if the request is large or the system is under load. This setting determines how long the SQL query will execute before timing out. |
| Interval for getting statistics data in minutes | How often the system should get updated statistics data. |
| Limit of rows for statistics request | How much data should be sampled for the statistics. The sytem will query the executed commands, sort by how long the commands took (descending) and then take this number of items for it’s statistics. |
| Percentage of request limit before statistics check | The system will recalculate how many devices should be checking in, this is the percentage of the current limit that the system should wait for, before checking statistics. |
Password Caching
Silverback has the option to cache passwords when the users perform the device enrollment through the Self-Service Portal and password caching has been set to Cache User Passwords prior to the authentication in the Self-Service Portal. Cached passwords are stored encrypted in the database and can be embedded into several profiles sent to the user’s devices. If a password is captured for a device, it's presented as ****** for {UserPassword} in the System Variables in the Device Information. In case your company policy dictates that passwords are not allowed to be cached, then keep the default value Don't cache user passwords. Otherwise, by selecting Cache for number of uses, the passwords can be cached for a defined number of uses before being destroyed.
If you have no concerns for the amount of time a password is cached, enter a large number and this will ensure the users shouldn’t need to ever enter a password.
| Setting | Description |
|---|---|
| Cache User Passwords | Whether user passwords should be cached from enrollment (encrypted) and used to inject into profiles, like Exchange ActiveSync, so the user doesn’t have to enter the password. |
| Cache user passwords for number of uses | If you allow caching, you nominate how many times this password can be used before being cleared. While the passwords are encrypted, it’s still never good to leave these in the database. After this number of uses, the password will be cleared. It’s suggested you set this to the number of settings you want to push that need a password. For example, if the user only needs the password for Exchange ActiveSync and your Wi-Fi settings, enter “2”, this will ensure that after the user has all their needed profiles, the password will be cleared. |
Pending Commands
This section displays a count for all pending commands in the system. In certain troubleshooting scenarios it might be necessary to clear these commands. This should generally be avoided because primarily it can cause a large amount of load on the system while the commands are cleared, but also that devices may lose important commands that were previously queued for them. If devices lose these commands, it might be necessary to block and unblock the device, or re-enroll the device to rectify.
| Setting | Description |
|---|---|
| Clear Pending Commands | Clicking this will clear all of the pending commands in the system. |
Service Bus
A Service Bus is a fully managed enterprise integration message broker and acts as a reliable and secure platform for asynchronous transfer of data and state. This technology is used to send and update information from Silverback to the Unified User Experience and is dedicated to replace the Silverback Data Provider inside the Software Asset and Service Management in te future. Microsoft Azure Service Bus as a cloud solution as well as RabbitMQ as an open-source software for on-premises scenarios are supported.
Please refer to the Service Bus Integration Guide.
| Setting | Options | Description |
|---|---|---|
| Service Bus Type |
|
Choose here either Azure or RabbitMQ as Service Bus provider |
| Connection string | e.g. Endpoint=sb://imagoverum.servicebus.windows.n...erum.uem.topic | Enter here the connection string which includes the authentication settings to send messages over the Service Bus |
| Topic/Exchange | e.g. matrux42.uem.topic |
Enter here your Topic for Azure Service Bus or the Exchange for RabbitMQ. Messages are sent to a topic and delivered to one or more associated subscriptions |
| Subscription/Queue | e.g. matrix42.uux.subscription | Add here your create Subscription for Azure Service Bus or the Queue for RabbitMQ. |
| Instance Identifier | e.g. Silverback/2C7A7EAF-91BC-4ECB-981C-2231E5A00DF7 | The identifier will be automatically created during the first installation and can't be changed. |
| Instance Display Name | e.g. Silverback | The instance display name will be shown in the Digital Workspace Platform as your friendly name for your Silverback node. |
| Sync All Data | Allows you to start a full sync between Silverback and the Unified User Experience. |
Services
These settings mainly govern the timing of backend events in the system. The Silverback service runs on the server constantly in the background and follows these settings. While in most cases these settings can be tuned to be as “live” as possible. If performance degradation is experienced, these settings can be tuned to even out the load on the server.
Silverback Windows Services
| Setting | Description |
|---|---|
| Daily Inventory Start Time | Clicking this will clear all of the pending commands in the system. |
| Send Daily Inventory Every (hours) | The number of hours since the last inventory task before another will be started. E.g. if the Poll Time is 6:00, and the Poll Interval is set to 1, then every hour after 6:00 a full inventory will be performed. |
| Data Retention Poll Time | The time of day that the system should commence the data retention clean up. Data retention is the period in which things like Logs are kept. The clean up task can be SQL intensive, so its recommend this Poll Time is set to a quiet period for user activity. |
| Clear Pending Records (minutes) | How often the system should clean up expired pending enrollments. Pending enrollments may no longer be valid, but they still exist in the system and should be cleaned up regularly. |
| Check for pending emails to send every (minutes) | Emails sent by Silverback are first queued in the database. This task determines when the system will check for pending emails and send them. |
| Send Inventory Requests in batches of | The daily inventory will send this many requests in a group, before waiting for the Delayed Interval (below). |
| Send Inventory Request Batches every (minutes) | The number of minutes before sending the next group of device inventory tasks. This should be configured particularly for large deployments. For example, if the Total Messages to Send is “20” and this setting is “10”, then 20 devices will be told to check in for inventory every 10 minutes at the Poll Interval. |
| Refresh LDAP User Info every (minutes) | How many minutes should pass before the system refreshes user data from LDAP. This lookup refreshes user information, for example if a user married and changed the surname in LDAP, then this task would detect the change and update the user information in the console. |
| Attempt pushes to removed devices for (days) | Removed devices in some scenarios may still have an MDM profile installed, for example if the device is deleted, but the MDM Profile fails to be removed. Silverback will continue to push to removed devices, to ensure that the MDM Profile is removed. It will continue for the number of days configured in this setting. |
| Attempt pushes to removed devices every (minutes) | How long the system should wait before sending pushes to removed devices. |
| LDAP Info Update Service Task | Whether the system should update user information from LDAP. |
| Bulk Import Processing Task Interval (minutes) | Bulk import jobs (e.g. for Bulk Pending Enrollments) are queued in the database. This task will start processing the bulk jobs and this interval is how often the system will look for jobs to start. |
| Data Retention Task Timeout (minutes) | The data retention task, as mentioned above can be SQL intensive, and depending on the number of users, may take a long time to execute. This timeout can be increased if the data retention job is not completing. |
| Compliance Dashboard Task Timeout (minutes) | The Compliance Dashboard, harvests data from the database to display, this can be quite SQL intensive, so in the event that this job is failing, the timeout can be increased to allow appropriate time to execute. |
Epic Windows Services
| Setting | Description |
|---|---|
| Message Companion Users to checkin every (minutes) | For Companion clients, how often the users should be told to check in via push notification. This is currently a global setting that overrides the notification settings in the Companion setting of the admin console. |
| Check for grace period violations every (minutes) | The amount of time that the system will check for grace period violations. That is, the system will check, at this interval for devices that haven’t checked in within the grace period defined in the Companion settings in the admin console. |
| Apns Port | Port for the Apple Push Notification Service. |
| Apns Gateway | Server for the Apple Push Notification Service. |
Batch Application Install Requests
| Setting | Description |
|---|---|
| Send app installations in batches of | When pushing an application to a large number of devices, the system can be slowed by too many devices downloading the app at once. This setting allows you to send app installations in batches to ensure smooth load. |
| Send batches every (minutes) | Defines how long the system should wait before sending the next batch of app installation pushes. |
Queuing Service
The queuing service is an underlying service that creates an efficient way for Silverback to manage command execution. This is used by the Device Enrollment program, Samsung UMC and also for handling LDAP information processing. There are two key components for the Queue Service, the Command Queue and the Schedule Queue.
Queuing Service Settings
Command Queue is for item that should execute at a device interval and are not typically time sensitive, items are added to a queue and are checked at the defined interval.
| Setting | Description |
|---|---|
| Service Polling Interval (seconds) | The time in seconds that the Command Queue should be checked. Only Device Enrollment Program, and Samsung UMC Commands are used by this feature. If you do not utilize either of these, then this value can be safely set to a large value. |
Scheduled Process Settings
Schedule Queue is for items that need to be processed regularly and within an expected time frame, such as LDAP information processing. For the settings, the choice between Daily and Continuous will depend on how ‘live’ the LDAP data needs to be and the Time Interval settings will depend on the load. One scenario would be a large amount of LDAP information that takes a long time to process, for this you would ideally select Daily, and specify the time window to be early morning or late night so the server can process this when the server is not too busy. Another scenario would be the need to have the LDAP data as live as possible. For this you would select continuous, and then adjust the “Process Task Over” time to allow for the amount of data you need to process.
| Setting | Description | |
|---|---|---|
| Process Type |
|
Determines which items settings you are editing. LDAP Filter is for processing LDAP Filters for Tag population, whereas LDAP Device Update is for fetching LDAP information for current users and devices. |
| Scheduled Type |
|
Either Continuous or Daily. Continuous will process everything within the defined time frame, and then repeat when that time period has expired, continuously. Daily will execute the LDAP requests once daily, and execute over the defined start and end time. |
| Process Task Over | e.g. 240 Minutes | For the Continuous cycle, this is the time that LDAP requests will be processed within. |
| Start / End Time |
e.g. Start Time 0:00 - 23:59 e.g. End Time 0:00 - 23:59 |
For the Daily cycle. This is the time window that the items should be processed each day. |
Silversync
Silversync is the Mobile Content Solution in Matrix42 Silverback. Within this section, you can define alternative settings for the remote communication endpoint for Silversync, the Silversync Security Principal, and the M42 Push Notification Host URL but in general, all of these settings should not be changed.
| Setting | Description |
|---|---|
| Silversync Remote Configuration Endpoint URL | The URL for the system to communicate with Silversync. This shouldn’t be changed unless the website on the server itself has been changed first. |
| Silversync Security Principal | The account that Silversync should run as. Generally, this shouldn’t be changed. |
| M42 Push Notification Host URL | The endpoint for push notifications for Silversync clients. Generally, this shouldn’t be changed. |
SMTP
SMTP Server
Emails are sent for various functions in Silverback. This may be informing a user of an enrollment, or email administrators about users violating policy. Generally an SMTP Relay that supports anonymous relaying internally would be used. If you require authentication on the proxy, please specify the username and password.
| Setting | Description |
|---|---|
| SMTP Server | The network address oft he SMTP Server or Relay. |
| SMTP Port | The SMTP Port to use. |
| Username | If the SMTP server requires authentication, specify the username. If no username is provided it is assumed to be anonymous. |
| Password | If the SMTP server requires authentication, specify the password. If no password is provided it is assumed to be anonymous. |
| SSL/TLS | Whether or not the system uses SSL/TLS with SMTP. |
Email Template
This section governs settings surrounding the email template. At this point in time, this is essentially useful for users and administrators to see where the email came from.
| Setting | Description |
|---|---|
| Sent From |
The address that should appear as the “From“ address when the user receives the email. Some services may require the same username in the SMTP Server Settings and in Sent From field when using SSL/TLS. |
Windows
Windows Push Notification Services
| Setting Name | Description |
|---|---|
| WNS App ID | The App ID generated when creating the fake push application for 8.1 devices. |
| WNS Package Family Name (PFN) | The PFN token generated when creating the fake push application for 8.1 devices. |
| WNS App Store URI | The URI generated when creating the fake push application for 8.1 devices. |
| WNS App Secret | The authentication token generated when creating the fake push application for 8.1 devices. |
Device Management Client
This section covers settings relating specifically to enrollments. In general these settings shouldn’t be changed.
| Setting Name | Description |
|---|---|
| Use Indentation | Internal WP setting, do not change. |
| WPMDM_OmaDmRetry NumRetries | The number of initial polls after enrollment. |
| WPMDM_OmaDmRetry RetryInterval | The time in between polls after enrollment. |
| WPMDM_OmaDmRetry AuxNumRetries | The number of polls to attempt after the first series of polls have been used. |
| WPMDM_OmaDmRetry AuxRetryInterval | The time in between polls after the first retry interval has been used. |
| WPMDM_OmaDmRetry Aux2NumRetries | After the above settings have been exhausted, this number of retries will be followed. Note that this should be set to 0, and never changed. This ensures the device will continue to check in. If this is changed to another number, the device will check in that many times, and then stop. |
| WPMDM_OmaDmRetry Aux2RetryInterval | The interval between check-ins for the above setting. |
| Exchange Profile Includes Random Password When Empty | In some scenarios, the exchange profile will fail to install if there is no password specified. This setting tells the server to insert a random password if it doesn’t have the users password. This will ensure that the profile is installed, and the user will be prompted for their password. |
Windows devices inventory intervals
For Windows devices, because the checkin interval can be driven by the client, to reduce load the tasks that are performed each checkin can be limited. The settings in this table determine how often these should be queried on a device when it checks in – not how often a push will be sent to query these. For example, for Certificate List, these settings mean that if a device checks in, and it has been X minutes since the last certificate list was gathered from the device, a certificate list query will be executed.
| Setting Name | Description |
|---|---|
| Queue Certificate List after | Number of minutes since the last certificate list, before it will be queued again. |
| Queue Push Token Info after | Number of minutes since the last push token information query, before it will be queued again. |
| Queue Device Info after | Number of minutes since the last device information query, before it will be queued again. |
| Queue Security Info after | Number of minutes since the last security info check, before it will be queued again. |
| Queue Installed App List after | Number of minutes since the last installed application list, before it will be queued again. |
| Queue Managed App List after | Number of minutes since the last managed application list, before it will be queued again. |
WP Settings
This section covers settings for Windows Phones, which are largely deprecated.
The EAS settings however, govern some basic settings for Exchange Protection features. In general these settings should not be changed.
| Setting Name | Description |
|---|---|
| EAS Datetime Format | The date format to use for EAS Display items for Exchange ActiveSync Quarantine. |
| EAS Schema URL | The schema location for EAS. This should not be changed. |