Using SHA-1 and SHA-2 Certificates on the Same Deployment Server

About this task

Different devices use different Signature Hash Algorithms (SHA) for communications with the server:

  • Some Windows Mobile/CE devices support only SHA-1 (and not SHA-2)
  • Android 10+ and iOS 13+ devices support only SHA-2 or higher

You can manage SHA-1 and SHA-2 devices on the same Deployment server (DS) using two different ports to receive incoming connections from the corresponding devices.

Note:
  • Only Windows Mobile/CE devices support the second port. You must upgrade Windows Mobile/CE agents to the 15.4.x version that is compatible with the mixed SHA mode.
  • For assistance when changing the DS and DSE binding used by the already enrolled devices, contact SOTI Support.

To configure a single DS to manage SHA-1 and SHA-2 devices:

Procedure

  1. Open SOTI MobiControl Administration Utility (see SOTI MobiControl Administration Utility).
  2. On the Deployment Server tab, select the Enable Additional Port check box and click OK in the info box that opens (see Deployment Server).
    Port 1 and Port 2 fields appear next to the DS address fields.
  3. Enter a new Port 2 listener port for the Primary Agent Address and Device Management Address. By default, these are set to "5497" and "444," respectively.
    Note: It is important to choose a listener port that is not already in use by a different application running on the same server.
  4. On the Ports tab, enter the port numbers for Port 1 and Port 2 (see Ports).
  5. On the Certificates tab (see Certificates), generate a new SHA-1 or SHA-2 SOTI MobiControl Root CA.
  6. On the Certificates tab, generate new DS and DS Extensions (DSE) certificates and bind them to Port 1 (SHA-2) and Port 2 (SHA-1).
    Note: The algorithm selection (SHA-1/SHA-2) must match the SOTI MobiControl Root CA from which you are generating the certificate.
  7. In the SOTI MobiControl console, right-click the device group where all the SHA-1 Windows devices reside and select Advanced Configurations to open the Advanced Configuration dialog box (see Advanced Configurations).
  8. From the drop-down list in the top right corner, select "Windows Mobile/CE."
  9. Click the Deployment Server Priority List link on the list to open the Deployment Server Priority List dialog box (see Deployment Server Priority List).
  10. Click the relevant server name on the list to open the Server Priority List tab.
  11. From the Port drop-down list, select "Port 2."
  12. Click OK to save the change and close the dialog box.
  13. In the Advanced Configuration dialog box, click Save.
  14. Restart SOTI MobiControl services.

Results

From now on, all SHA-1 Windows Mobile/CE devices will try connecting only to Port 2, which is bound to SHA-1-generated certificates.