Using SHA-1 and SHA-2 Certificates on the Same Deployment Server
About this task
Different devices use different Signature Hash Algorithms (SHA) for communications with the server:
- Some Windows Mobile/CE devices support only SHA-1 (and not SHA-2)
- Android 10+ and iOS 13+ devices support only SHA-2 or higher
You can manage SHA-1 and SHA-2 devices on the same Deployment Server (DS) by using two different ports to receive incoming connections from the corresponding devices.
Note:
- Only Windows Mobile/CE devices support the second port. You must upgrade Windows Mobile/CE agents to the 15.4.x version that is compatible with the mixed SHA mode.
- For help when changing the DS and DSE binding used by the already enrolled devices, contact SOTI Support.
To configure a single DS to manage SHA-1 and SHA-2 devices:
Procedure
- Open SOTI MobiControl Administration Utility (see SOTI MobiControl Administration Utility).
- On the Deployment Server tab, select the Enable Additional Port checkbox and select OK in the info box that opens (see Deployment Server).
  Port 1 and Port 2 fields appear next to the DS address fields.
- Enter a new Port 2 listener port for the Primary Agent Address and Device Management Address. By default, these are set to "5497" and "444", respectively.
  Note: It is important to choose a listener port that is not already in use by a different application running on the same server.
- On the Ports tab, enter the port numbers for Port 1 and Port 2 (see Ports).
- On the Certificates tab (see Certificates), generate a new SHA-1 or SHA-2 SOTI MobiControl Root CA.
- On the Certificates tab, generate new DS and DS Extensions (DSE) certificates and bind them to Port 1 (SHA-2) and Port 2 (SHA-1).
  Note: The algorithm selection (SHA-1/SHA-2) must match the SOTI MobiControl Root CA from which you are generating the certificate.
- In the SOTI MobiControl console, right-click the device group where all the SHA-1 Windows devices reside and select Advanced Configurations to open the Advanced Configuration dialog box (see Advanced Configurations).
- From the drop-down list in the top right corner, select "Windows Mobile/CE."
- Select the Deployment Server Priority List link on the list to open the Deployment Server Priority List dialog box (see Deployment Server Priority List).
- Select the relevant server name on the list to open the Server Priority List tab.
- From the Port drop-down list, select "Port 2."
- Select OK to save the change and close the dialog box.
- In the Advanced Configuration dialog box, select Save.
- Restart SOTI MobiControl services.
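
To confirm the result of the procedure, the check below reads the signature algorithm from the certificate bound to each port and compares it with the Port 1 (SHA-2) and Port 2 (SHA-1) binding. It is an added example, not SOTI code: it assumes you already have each port's certificate as PEM or DER bytes, and the function names and the `sample_cert` skeleton are constructed for illustration.

```python
import ssl

# DER-encoded signature-algorithm OIDs mapped to the hash family they use.
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "SHA-1",  # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "SHA-2",  # sha256WithRSAEncryption
    bytes.fromhex("2a864886f70d01010c"): "SHA-2",  # sha384WithRSAEncryption
    bytes.fromhex("2a864886f70d01010d"): "SHA-2",  # sha512WithRSAEncryption
    bytes.fromhex("2a8648ce3d0401"): "SHA-1",      # ecdsa-with-SHA1
    bytes.fromhex("2a8648ce3d040302"): "SHA-2",    # ecdsa-with-SHA256
}
EXPECTED = {"Port 1": "SHA-2", "Port 2": "SHA-1"}  # binding from the procedure

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_hash_family(cert):
    """Hash family of a certificate's outer signatureAlgorithm (PEM or DER bytes)."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = ssl.PEM_cert_to_DER_cert(cert.strip().decode("ascii"))
    tag, start, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(cert, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)  # signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm OID not found")
    return SIG_OIDS.get(cert[oid_start:oid_end], "unknown")

def check_bindings(certs):
    """certs maps "Port 1"/"Port 2" to certificate bytes; returns mismatches."""
    found = {port: cert_hash_family(certs[port]) for port in EXPECTED}
    return [f"{p}: expected {EXPECTED[p]}, found {found[p]}"
            for p in EXPECTED if found[p] != EXPECTED[p]]

def sample_cert(oid):
    """Constructed skeleton, not a real certificate: empty tbsCertificate,
    AlgorithmIdentifier {oid, NULL}, empty BIT STRING as the signature."""
    alg = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

An empty list from `check_bindings` means both ports present a certificate from the expected hash family; a swapped binding shows up as one mismatch line per port.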