Frequently Asked Questions (FAQs) about Virtual Mobile Infrastructure (VMI)

    • Updated:
    • 25 May 2016
    • Product/Version:
    • Virtual Mobile Infrastructure 3.0
    • Virtual Mobile Infrastructure 5.0
    • Platform:
    • Citrix XenServer 5.5
    • Virtual Appliance 5.1
    • VMware ESX - 5.0
Summary

This article answers common questions about Virtual Mobile Infrastructure (VMI). The product was previously called Safe Mobile Workforce (TMSMW).

Details
  • The Virtual Mobile Infrastructure solution hosts mobile operating systems on centralized servers, making them accessible over a network using an efficient remote display protocol and rendering technology.
  • It enables clear separation of corporate and personal data and workspaces.

For users, this means they can access the same mobile environment with their applications and data from any location, without being tied to a single device.

For IT administrators, this means a more centralized, efficient workspace that is easier to manage and maintain.

  • Using a Web-based management console, administrators can create secure mobile workspaces with applications, data and a customized mobile system, and provision them to end users.
  • Using an Android/iOS/Windows device, an employee can log on over the air to access the mobile workspace remotely.
  • Enterprises can continue to manage and update the workspaces.
  • If necessary, they can remotely remove a user’s entire workspace, including all corporate applications and data.

System requirements for Client

Virtual Mobile Infrastructure client supports both phones and tablets that run iOS, Android or Windows. Below are the compatible OS versions:

  • iOS 6.0 or later
  • Android 2.3 or later
  • Windows 8.1/Windows Phone 8.1

System requirements for TMVMI Server

Virtual Mobile Infrastructure Server is delivered as a Linux-based appliance and is packaged as an ISO file. Below are the requirements:

  • Processor: 64-bit x86 four-core
  • Memory: 4 GB
  • Hard disk: 30 GB available for installation
  • Network Cards (NIC): One 1-GB NIC

System requirements for TMVMI Secure Access

Secure Access is delivered as a Linux-based appliance and is packaged as an ISO file. Below are the requirements:

  • Processor: 64-bit x86 four-core
  • Memory: 4 GB
  • Hard disk: 30 GB available for installation
  • Network Cards (NIC): One 1-GB NIC

System requirements for bare metal machines

Virtual Mobile Infrastructure Server can be installed on bare metal machines or virtual machines. The following machines are supported:

  • Dell R510
  • Dell R520
  • Dell R710
  • Dell R720
  • Dell R810
  • IBM X3550
  • HP DL380G6

Virtual Mobile Infrastructure Server can be installed on the following virtual machine versions:

  • VMware ESX 4.1
  • VMware ESXi 4.1/5.1/5.5
  • VMware Workstation 9/10
  • VMware Fusion 5/6
  • Windows 2012 Hyper-V
  • Citrix XenServer 6

It supports the following CPU type:

  • Intel processors that support SSSE3
 
Virtual Mobile Infrastructure is supported on the indicated platform versions. All other earlier platform versions may work in conjunction with Virtual Mobile Infrastructure. However, these versions are not officially tested by Virtual Mobile Infrastructure.

TMVMI supports the following two (2) kinds of load balancing:

  • TMVMI Secure Access load balancing. IT can put multiple Secure Access appliances in the intranet and expose them through an L4 switch device. The client accesses an FQDN (VMI.company.com), and the L4 switch device relays the request to one of the Secure Access appliances. Secure Access then relays the request to the TMVMI Server.
  • TMVMI Server load balancing. IT can deploy multiple TMVMI servers (one is the master server and the others are slave servers). TMVMI allocates a new user to the server that has the largest available seat number.
    • Available Seat Number = (Server Capacity) – (Active User number).
  • Secure Access provides Internet access for mobile clients. It receives mobile client enrollment requests and relays them to the TMVMI server. The IT admin only needs to open one IP address and one port number for mobile client access.
  • Secure Access can be deployed in the DMZ or in the intranet. It only needs one network card if there is a separation between Internet mobile devices and Secure Access. It needs two network cards if it is deployed in bridge mode (one NIC for mobile clients to access from the Internet, the other NIC to connect to the internal TMVMI servers).
  • Internet mobile clients use HTTPS to connect to Secure Access. Secure Access then relays the client requests to the TMVMI server.
  • Secure Access restricts its exposed ports with iptables. The TMVMI server also restricts its exposed ports with iptables.
  • If you want to deploy Secure Access in bridge mode, you need two network cards for Secure Access: one for Internet access, the other for Secure Access to connect to the TMVMI server.
  • If you want to deploy Secure Access in the intranet, you only need to configure one network card for it. You need to use an L4 switch or another network device that can relay the Internet traffic to Secure Access.
  • You need to make sure that Secure Access can connect to the TMVMI server’s eth0 (for mobile client access).

During secure access installation, you can configure the eth0 network card. If you want to configure eth1 network card for secure access, do the following:

  1. Log in to the command console with the admin account.
  2. Type “enable” to enable privileged mode.
  3. Type “configure network interface ipv4 eth1 <ipaddress> <submask>” command to configure eth1 IP address. For example, <ipaddress> could be “10.64.88.30”, <submask> could be “255.255.252.0”.

One user can use multiple devices to log on with his unique user account and remotely access his virtual mobile workspace.

Virtual Mobile Infrastructure only hosts one session for one user, so one user can only log on from one device at a time.
  • TMVMI makes sure all data and apps run on the hosted servers, not on local devices.
  • TMVMI only supports online mode.

Each user has one virtual mobile workspace and it is hosted in the Virtual Mobile Infrastructure server. It has the following types of status:

  • Active: User logged on; user’s virtual mobile instance is alive; user is using the virtual mobile instance.
  • Idle: User logged on; user’s virtual mobile instance is alive; user is not using the virtual mobile instance.
  • Offline: User logged out; user’s virtual mobile instance is not alive.
 
An IT administrator can manually disable a user from the web console. After being disabled, the user can no longer log on to access his virtual mobile instance.

Users cannot install or remove applications by themselves in the workspace. Applications can only be distributed to users by the IT administrator through a profile.

  • TMVMI workspace has no phone module embedded.
  • User can trigger a phone call from the workspace, but the call will be done using the real device’s call function module.
  • Since TMVMI does not have a phone module, users cannot send SMS messages.
  • Camera – supported
  • Bluetooth – Bluetooth depends on wireless module and wireless connections which are not included in workspace (hosted on enterprise servers)
  • GPS – supported
  • Audio – supported in TMVMI 5.0
  • Video – supported in TMVMI 5.0

In the current version, copying or pasting any data between the real device and the virtual workspace is not allowed.

In future versions, copy or paste from the real device to the virtual workspace can be configured. By default, however, the copy/paste function from the virtual workspace to the real device will always be disallowed to assure security.

Below are the options for you to connect back:

  • Use VPN to connect to the server
  • Directly connect to secure access of TMVMI

SSL is used for the connection between mobile clients and secure access.

If the mobile client is disconnected from the network, it will try to reconnect once. If it fails to reconnect, it will give a message “Can’t connect to server”. Click the message to reconnect.

Workspace supports two kinds of input method. One is Sample Soft Keyboard (inside input method) in the workspace, the other is My Soft Keyboard.

Workspace uses My Soft Keyboard by default. My Soft Keyboard uses device input method to input inside workspace. It can sync your device language and locale.

You can switch between My Soft Keyboard and Sample Soft Keyboard.

Eth0 is the Network interface for accessing management web console and for mobile devices to access server. To change the network configuration, do the following:

  1. Log in to the command console with the admin account.
  2. Type the “enable” command to enable privileged mode.
  3. To change the eth0 IP address, enter:

    configure network interface ipv4 eth0 <ipaddress> <submask>

    (For example, <ipaddress> could be “10.64.88.10”, <submask> could be “255.255.252.0”.)

  4. To change the default gateway of your TMVMI server, enter:

    configure network route default ipv4 <ipaddress>

    Where <ipaddress> could be “10.64.88.1”.

  5. To change DNS server address, enter:

    configure network dns ipv4 <ipaddress>

    Where <ipaddress> could be “8.8.8.8”.

  • TMVMI sends an invitation email to invite local users, which contains the password. If you do not have an SMTP server, you cannot receive it.
  • TMVMI provides a way to get a local user’s password without email. Select the user and click the Reset button to reset the user’s password; the new password is then shown in a dialog window.
  • Optimized remote access protocol – RMX (Remote Mobile eXperience) protocol for iOS/Android/Windows.
  • RMX can intelligently switch between different encoding algorithms according to network conditions and hardware profile of client device.
  • RMX (Remote Mobile eXperience) chooses different protocols for different devices.
  • CSR (client side rendering) protocol: All Android devices with available memory >=100M and physical memory >=500M that support OpenGL 2.0.
  • H.264 encoding with VNC protocol: Windows 8.1/Windows phone 8.1 devices.
  • OpenGL CSR protocol: All iOS devices.

External storage is a feature used to save user data in an external server that supports NAS. When an administrator enables this feature, all the user data will be stored into an external server instead of a local server. Follow the steps below to configure external storage:

  1. For multiple servers support, you must enable external storage.
    1. Configure a new folder in the external storage server and set the related privilege.
    2. Create a new folder in the external storage server (e.g. mkdir test01).
    3. Set the privilege (e.g. chmod 777 test01).
    4. Configure exports (e.g. vim /etc/exports).
    5. Add the newly created path and set the shared privilege (e.g. /root/test01 10.64.67.*(rw,sync,no_root_squash) 10.64.66.*(rw,sync,no_root_squash) 10.64.90.*(rw,sync,no_root_squash)). Do not put a space between a client pattern and its option list: in /etc/exports, an option list that stands alone applies to every host.
    6. Restart the NFS service (e.g. service nfs restart).
  2. Configure the external storage information in the TMVMI server.
    Test the connection and save the settings. You can now start to use external storage (e.g. IP address: 10.64.66.231, Path: /root/test01).
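
The export line in step 5 is whitespace-sensitive, so it is worth checking mechanically before restarting NFS. The following Python audit is an added example, not part of the original article or of TMVMI; the function names and finding texts are assumptions made for illustration, and the two sample lines are constructed from the addresses used above.

```python
import re

# An entry is "client(opt,opt)" or a bare "client". An entry with an empty
# client, "(opts)", is what exports(5) applies to every host.
ENTRY = re.compile(r"([^\s()]*)\(([^)]*)\)|([^\s()]+)")

# Constructed sample lines, built from the addresses in the article.
SPACED = ("/root/test01 10.64.67.*(rw,sync,no_root_squash) "
          "10.64.66.* (rw,sync,no_root_squash) 10.64.90.* (rw, sync,no_root_squash)")
TIGHT = ("/root/test01 10.64.67.*(rw,sync,no_root_squash) "
         "10.64.66.*(rw,sync,no_root_squash) 10.64.90.*(rw,sync,no_root_squash)")


def parse_export_line(line):
    """Return (path, [(client, options, raw_option_text)]) or None for a blank line."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    path, rest = parts[0], parts[1] if len(parts) > 1 else ""
    entries = []
    for m in ENTRY.finditer(rest):
        if m.group(3) is not None:
            # Bare client pattern: no option list is attached to it.
            entries.append((m.group(3), set(), ""))
        else:
            raw = m.group(2)
            opts = {o.strip() for o in raw.split(",") if o.strip()}
            entries.append((m.group(1), opts, raw))
    return path, entries


def audit_exports(text):
    """Return a list of (path, client, finding) tuples for an exports file body."""
    findings = []
    for line in text.splitlines():
        parsed = parse_export_line(line)
        if parsed is None:
            continue
        path, entries = parsed
        for client, opts, raw in entries:
            who = client or "<every host>"
            if client == "":
                findings.append((path, who, "detached option list: applies to every host"))
            # This parser is deliberately lenient about spaces inside the
            # parentheses so that it can report them; exportfs is not.
            if any(ch.isspace() for ch in raw):
                findings.append((path, who, "whitespace inside option list: malformed"))
            if "no_root_squash" in opts:
                findings.append((path, who, "no_root_squash: remote root keeps uid 0"))
            if not opts:
                findings.append((path, who, "no option list: defaults apply to this client"))
    return findings


if __name__ == "__main__":
    for label, sample in (("spaced", SPACED), ("tight", TIGHT)):
        print(label)
        for path, who, finding in audit_exports(sample):
            print(f"  {path} {who}: {finding}")
```

The tight form still reports no_root_squash for each subnet, which is the setting the procedure itself asks for; the audit only makes that exposure visible so the client patterns can be kept as narrow as the deployment allows.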

You can use system recovery to do any of the following:

  • Rescue your operating system
  • Change password
  • Repair grub
  • Install or repair the system software
  • Fix the Linux kernel
  • Export data when the system crashes

Using the system recovery

  1. Modify the BIOS to let system boot from CD-ROM drives, then insert installation disc and restart the server.
  2. Select System Recovery from the installation UI.
  3. Select your language and keyboard type.
  4. Select Local CD/DVD contains rescue image.
  5. In the Setup Networking page, you can select No if you don’t want to change network card IP address.
  6. In the Rescue page, select Continue to mount CD under “/mnt/sysimage”.
  7. Click OK to mount CD as “/mnt/sysimage”.
  8. Select Shell Start shell to open the command line. You can now use the bash command line to rescue your system in this mode.

Changing the root password

  1. Input “chroot /mnt/sysimage”.
  2. Under the shell, input “passwd root” to set new password for root.
  3. Type “exit” to exit current shell.

Repairing the grub

  1. Type “chroot /mnt/sysimage”.
  2. Enter “fdisk -l” to check current device. It will show “/dev/sda” in our system.
  3. Type “grub-install /dev/sda” to repair grub.
  4. Check the result to see whether the repair was successful.
  5. Type “exit” to exit current shell.

Installing or repairing the software

  1. Input “chroot /mnt/sysimage”.
  2. Enter “mkdir /mnt/source” to create a folder and set it as the mount directory.
  3. Type “mount /dev/dvd /mnt/source”.
  4. Type “rpm -ivh /mnt/source/TMVMI/****.rpm” to install the rpm package.
  5. Reboot the system to check whether the rpm was installed.

Fixing the Linux kernel

  1. Input “mount /dev/dvd /mnt/source”.
  2. Type “rpm -ivh /mnt/source/TMVMI/kernel-3.4.0+-1.x86_64.rpm --root=/mnt/sysimage/ --force”.

Your kernel will be installed.

Exporting data when system crashes

  1. Input “chroot /mnt/sysimage”.
  2. Configure the IP address for the network card.
  3. Copy the file to another device to export the data, using the command:

    scp [options] source dest

    For example: “scp -r /home/account/ root@10.64.90.125:/home/”

  • Each user must set a lock screen of Pattern/PIN/Password for his workspace. If forgotten, users could ask the administrator for help.
  • Administrators can do the following to clear the lock screen:
      1. Logon to the web console.
      2. Go to Users tab, and select the user.
      3. Find the Clear workspace screen lock option, click Clear.

    Now, the user has returned to default lock screen settings. The lock screen can be set again by choosing from the lock screen options (e.g. None, Pattern, PIN or Password).

  1. Upload certificate and private key to TMVMI server (using winscp tool or scp tool), then do the following:
    • Place the private key in /etc/pki/tls/private/
    • Place the certificate file in /etc/pki/tls/certs/
  2. After uploading, modify the configuration file /etc/httpd/conf.d/wsgi-vmi.conf, and change the lines to correspond with their file name. Look for the following:
    • For the certificate file: SSLCertificateFile /etc/pki/tls/certs/xxxx.crt
    • For the private key file: SSLCertificateKeyFile /etc/pki/tls/private/xxxx.key
  3. Restart the Apache service, using the following command:

    service httpd restart

The new certificate will take effect.

  1. Upload the certificate (p12 format) to Secure Access (using winscp tool or scp tool), then place the certificate in /vmi/gateway/.
  2. If you have password for your certificate, use the command to generate the key:

    /vmi/gateway/cs -e xxxx

    Where xxxx is your password.

  3. After uploading, modify the configuration file “/vmi/gateway/configuration.json”, and change the lines to correspond with their file name. Look for the following:
    • For the certificate files:
      • ssl_cert_file: xxxx.p12
      • ssl_key_password: xxxx (Keep this empty if you don’t have a password)
  4. Restart Secure Access, using the following command:

    service vmigateway restart

The new certificate will take effect.

Exporting user data from TMVMI server

  1. Stop TMVMI server from the Servers tab of the web console.
  2. Login to TMVMI server command line console, and using the scp tool, copy the following folders to your computer:
    • /gluster
    • /vmi/data/
  3. Start TMVMI server from the Servers tab of the web console.

Importing user data to TMVMI server

  1. Stop TMVMI server from the Servers tab of the web console.
  2. Login to TMVMI server command line console, copy the previously exported folders to the TMVMI server’s same folder:
    • /gluster
    • /vmi/data/
  3. Start TMVMI server from the Servers tab of the web console.

Exporting user data from External Storage

  1. Keep external storage connected to the server.
  2. Stop TMVMI server from the web console Servers tab.
  3. Login to TMVMI server command line console, and then use the scp tool to copy the folder /gluster.
  4. Place a copy of the /gluster folder to the external storage.
  5. Start TMVMI server from web console Servers tab.

Importing user data to External Storage

  1. Login to the web console and go to Administration > System Settings tab.
  2. Enable the external storage. 
  3. Stop TMVMI server from web console Servers tab.
  4. Log in to the TMVMI server command line console, and copy the previously exported “/gluster” folder to the External Storage’s /gluster folder.
  5. Start TMVMI server from web console Servers tab.

Exporting the database from TMVMI server:

  1. Log in to the TMVMI server command line console.
  2. Enter the following command:

    mysqldump -uvmi -pvmi4trend vmi > vmi.sql

  3. Use the scp tools to copy the vmi.sql to your computer.

Importing the database to TMVMI server:

  1. Use the scp tools to copy the database file “vmi.sql” to the TMVMI server.
  2. Login to TMVMI server command line console.
  3. Enter the following command:

    mysql -uvmi -pvmi4trend vmi < vmi.sql

  • If a problem is encountered only on the first screen and no other screen follows, try to press the TAB button.
  • Bring the cursor to the line after “initrd=initrd.img”, and then add “xdriver=vesa nomodeset”, then press ENTER to continue. The installation will now be successful.

Workspace supports two kinds of input method. One is Sample Soft Keyboard (inside input method) in the workspace, and the other is My Soft Keyboard. The “My Soft Keyboard” can be turned off from the IT admin side. Do the following:

  1. Modify /vmi/manager/web_console/settings.py and set ‘VIME_ENABLE = False’.
  2. Remove the following files located in the same folder:
    • setting.pyc
    • setting.pyo
  3. Restart the TMVMI and Apache services using the following commands:
    • service vmiengine restart
    • service httpd restart
  4. Change all profiles which have been deployed to users (e.g. change a wallpaper).

Now users’ workspace will only have one input method left inside.

  • UNIA instances can share server’s storage/memory/CPU, but with some limitations.
  • Server storage is shared for every instance, administrators can limit this by going to Profile > Storage Limit settings.
  • Memory is also shared for every instance, but with a limitation of at most 1G for each instance.
  • CPU is also shared for each instance, but has a limitation of at most 2 cores for each instance.

You can check the log files on Secure Access under “/var/log/vmi/gateway”, and select the log files with the latest time stamp. You can check the following:

  • If Secure Access is disconnected from the server, you can find the following log:
    [2014-Mar-18 23:36:57.432070] ERROR [HttpTunnelHandler::handleConnectServer] Fail to connect: 10.64.90.242:443 Error: system:32 - Broken pipe
    
  • If Secure Access is connected to the server, you can find the following log:
    [2014-Feb-08 19:05:25.838492] DEBUG [CcsProcess::Run]
    
    [2014-Feb-08 19:05:26.790625] WARN udpate ip ranges: 10.64.90.105 port ranges: 5900-6155
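
The two log signatures above can be turned into a per-server link check. This Python parser is an added example, not part of the original article or of TMVMI: it treats the "udpate ip ranges" line as the sign of a working link, as described above, and assumes the address in that line identifies the TMVMI server. The sample log is constructed from the three lines shown above plus invented timestamps.

```python
import re
from datetime import datetime

# "[timestamp] LEVEL [component] message"; the component is optional.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?:\[(?P<src>[^\]]+)\]\s*)?(?P<msg>.*)$")
FAIL = re.compile(r"Fail to connect: (?P<ip>[\d.]+):(?P<port>\d+) Error: (?P<err>.*)")
# "udpate" is spelled this way in the gateway's own log output.
SYNC = re.compile(r"udpate ip ranges: (?P<ip>[\d.]+) port ranges: (?P<lo>\d+)-(?P<hi>\d+)")

# Constructed sample: the article's log lines with additional invented entries.
SAMPLE_LOG = """\
[2014-Mar-18 23:36:57.432070] ERROR [HttpTunnelHandler::handleConnectServer] Fail to connect: 10.64.90.242:443 Error: system:32 - Broken pipe
[2014-Mar-18 23:37:02.118200] ERROR [HttpTunnelHandler::handleConnectServer] Fail to connect: 10.64.90.242:443 Error: system:32 - Broken pipe
[2014-Mar-18 23:40:10.000100] DEBUG [CcsProcess::Run]
[2014-Mar-18 23:40:11.790625] WARN udpate ip ranges: 10.64.90.105 port ranges: 5900-6155
[2014-Mar-18 23:41:00.500000] ERROR [HttpTunnelHandler::handleConnectServer] Fail to connect: 10.64.90.105:443 Error: system:32 - Broken pipe
[2014-Mar-18 23:45:30.250000] WARN udpate ip ranges: 10.64.90.105 port ranges: 5900-6155
this line does not follow the log format
"""


def parse_line(line):
    """Parse one gateway log line into a dict, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%b-%d %H:%M:%S.%f")
    except ValueError:
        return None
    return {"ts": ts, "level": m["level"], "src": m["src"], "msg": m["msg"]}


def backend_status(lines):
    """Summarise, per server address, connect failures and the latest link state."""
    status = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the gateway format
        fail = FAIL.search(rec["msg"])
        sync = SYNC.search(rec["msg"])
        hit = fail or sync
        if not hit:
            continue
        entry = status.setdefault(
            hit["ip"], {"failures": 0, "last_failure": None, "last_ok": None})
        key = "last_failure" if fail else "last_ok"
        if fail:
            entry["failures"] += 1
        # Keep the newest timestamp even if the lines arrive out of order.
        if entry[key] is None or rec["ts"] > entry[key]:
            entry[key] = rec["ts"]
    for entry in status.values():
        ok, bad = entry["last_ok"], entry["last_failure"]
        entry["state"] = "connected" if ok and (bad is None or ok > bad) else "disconnected"
    return status


if __name__ == "__main__":
    for ip, entry in sorted(backend_status(SAMPLE_LOG.splitlines()).items()):
        print(ip, entry["state"], "failures:", entry["failures"])
```
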
  • You can download mobile applications from Google Play, Apple App Store, and Windows Store.
  • If your device does not have Google Play, you can download from the server side and from Secure Access.
  • For the server side, use the IP address: http://eth0 (for Android only)
  • If you want to download the mobile agent from Secure Access, you must enable HTTP in the configuration file. Do the following:
    1. Log in to the Secure Access command console, edit the line “http_port” to “http_port:80” in the file /vmi/gateway/configuration.json, and then save the file.
    2. Restart the service using the command “service vmigateway restart”.
    3. Use the IP address: http://<secureAccess> (for Android only)
  • If you downloaded third-party apps from an app store and distributed them from the TMVMI application center, you may contact the third-party app vendor to ask whether you can use them for more licenses.
  • TMVMI assumes that the customer already has the apps ready and uploaded to the TMVMI server.
  • You can configure the anti-capture screen from your device and PC connect software. The feature only supports Android client.
  • By default, the feature is turned off. If you want to enable the anti-capture screen, follow these steps:
    1. Log in to the web console, go to the Servers tab, and then click Stop Server.
    2. Open the terminal of the server, and modify the “/vmi/manager/web_portal/settings.py” file. Edit the value of the following entry:
      ANTI_SCREEN="False" to ANTI_SCREEN="True"
    3. Remove setting.pyc and setting.pyo located in the same folder.
    4. Restart the services using the following commands:

      service vmiengine restart

      service httpd restart

    5. Start server on the web console.

We use app wrapper technology so that SSO takes effect immediately, with no need for the company to re-develop its apps. We implement the app wrapper by:

  1. Decompiling the APK uploaded by the user.
  2. Analyzing the APK to find which input boxes need to be filled and where they are. The keywords being searched are:
    • "user", "usr" or "email" for username fields
    • "password", "pswd" or "pwd" for password fields
  3. Finding important UI widgets and Activity/Fragment classes.
  4. Integrating SSO Info Provider into the APK.
  5. Repacking the APK.

App wrapper has the following limitations:

  • APK signature checking: If the APK has signature checking, the wrapped APK may not run correctly.
  • Code obfuscation: If the APK developer uses code obfuscation, the wrapper may not be able to find important functions for wrapping.
  • Function: Even if wrapping succeeds, the code we injected into the APK may still not work well.

If you use Internet Explorer, and you find that apps fail to upload, there may be a permission issue. To solve this issue, follow the instructions from this Microsoft article: You may receive an "Access Denied" or a "Permission Denied" scripting error message when you browse a secure Web site that contains multiple frames.

  • TMVMI versions 3.0 and earlier are based on Android 4.0.4, and TMVMI 5.0 is based on Android 5.1. This means that any APK that can run on Android 4.0.4/5.1 will have no problems running in the VMI workspace.
  • Some third-party applications display strangely in UNIA. After some tests, it was found that the apps also have the same issue on the real device.
  • TMVMI only supports what the Android version provides (Android 4.0.4/5.1). This means that we cannot add OS features.
  1. Download the upgrade package, and rename it to “upgrade.tar.bz2”.
  2. Copy the file to the server path /gluster/upload.
  3. Open the command line and log in with the admin account.
  4. Type “enable”, then type “upgrade”.
  5. After the upgrade is done, manually restart the machine.

The server will be upgraded after the restart.

 
You can only upgrade from TMVMI 1.5 GM server and above. This upgrade process only supports TMVMI versions 1.0/1.5/2.0/2.1 to TMVMI 3.0. For TMVMI 5.0, you need to migrate from TMVMI 3.0 to TMVMI 5.0.

You may get the “Unable to Continue, Trend Micro Virtual Mobile Infrastructure does not support your current hardware” error during TMVMI server installation on Microsoft Hyper-V. To solve the error, you can try the following:

  • Your bare metal CPU may not support Intel SSSE3. You may need to change to another bare metal machine before installing again.
  • If you confirm that your bare metal CPU supports Intel SSSE3, check the Hyper-V Processor Compatibility configuration. Make sure you uncheck the item “Migrate to a physical computer with a different processor version” and then try again.
  • The reason is that you are using an account with AD administrator privilege as the authentication user. Windows security policy may forbid querying administrator account information from AD, and this may cause “Test Connection failed”.
  • The solution is to use an account with user privilege as the authentication user. You can then connect to AD successfully.
  • When you try to change external storage, you may get an error saying that you cannot disable the previous external storage. The reason is that TMVMI cannot unmount the old external storage, because it is not in the same subnet.
  • The solution is to put TMVMI and the old external storage in the same subnet, and disable it. You can then connect to your new external storage successfully.
  • The traffic from the Internet mobile device to the TMVMI Server consists of two parts: the first part is the login authentication packets, and the second part is the RMX packets that come after the authentication. (RMX is a Trend optimized remote access protocol for iOS/Android/Windows to display the image of the workspace.)
  • Between the Internet mobile device and TMVMI Secure Access, there is only HTTPS. Login authentication and RMX are both encrypted as HTTPS.
  • Between TMVMI Secure Access and the TMVMI Server, there are HTTPS and RMX. Below are the ports that are used:
    • HTTPS port: 443
    • RMX port: 5901-6923

A common server SSL certificate is acceptable.

We have a feature called v-Notification. It can send a notification to the real mobile phone if there is any notification from the virtual workspace (e.g. email, calendar, etc.). This means that the virtual phone’s notifications can be displayed on the real phone’s notification bar. Below is the workflow:
  • The user logs in to the virtual phone and runs an app, then switches the virtual phone to the background. If the v-app has a v-notification in the virtual phone, the user will receive a notification on the real phone.
  • If the user clicks the received notification on the real phone, it will launch the virtual phone to the foreground.

Because some users may keep entering the wrong password and cause the AD account to be locked, we provide the “Restriction Settings for Unsuccessful Signin” configuration. This configuration can be enabled or disabled. You can configure it based on your company’s AD account lockout policy.

You can configure it by following the steps below:

  1. Log in to the web console.
  2. Go to Administration > System Settings > Mobile Client > Restriction Settings for Unsuccessful Signin.
  3. You can enable it, and set a condition that the mobile client cannot login within x seconds after x times of failed login.
  • Yes, each virtual phone receives an IP when it is created. TMVMI server assigns the IP address, not the DHCP server.
  • TMVMI uses NAT. This means that all virtual phones share the TMVMI eth0 IP address and use NAT port forwarding for traffic. There is no need to allocate an IP for each virtual phone.
Currently we do not support this. If a new device wants to log in to the virtual phone, the previous one will be kicked off.

Secure Access does not check the AD credentials; it just forwards the AD information to the TMVMI server, and the TMVMI server does the authentication with the AD server. Secure Access just works as a transparent proxy server that forwards the mobile client request to the TMVMI server.

You need to follow these firewall port rules:

  • SA to TMVMI TCP 443 accept
  • SA to TMVMI TCP 5900-TCP 6923 accept
  • Internal client to TMVMI TCP 443 accept
  • Internal client to TMVMI TCP 5900-TCP 6923 accept
  • Internet client to SA TCP 443 accept
  • Admin to TMVMI Management IP TCP 443 accept
  • TMVMI to AD TCP 389 accept (for AD sync)
  • TMVMI to SMTP TCP 25 accept (for Exchange ActiveSync)

TMVMI enhances security across communication, storage and all components. It also applies the following security measures:

  • Zero enterprise data resides on employees’ devices
  • All traffic is encrypted with SSL
  • Multi-factor authentication
  • Managed virtual workspace
  • Security hardened client app
  • Single sign-on

This can happen if you installed the SC TMVMI server, then re-installed the EN TMVMI server. The web console may still show the SC language because of your browser’s cache. To avoid this, clear the browser’s cache and then log in again to the web console.

TMVMI is a customized Android system based on an x86 processor, so there are some application compatibility issues.

You can refer to the table below for the reason why the apps cannot run on TMVMI:

| App that does not run on TMVMI | Reason |
|---|---|
| WeChat | The app contains native code (not Java code), and TMVMI has some compatibility issues with native code. |
| Quick Office | Google Framework is not included in TMVMI. |
| Firefox | The ARM version of Firefox cannot run in TMVMI, because TMVMI is based on an x86 processor. You can use the x86 version of Firefox. |
| Lollipop Screen Recorder | This is an Android 5.0 feature. TMVMI is based on Android 4.0.4. |

All external mobile clients connect to the TMVMI Secure Access server over an HTTPS connection. The supported ciphers are listed below:

    DHE-RSA-AES256-SHA    SSLv3  Kx=DH   Au=RSA  Enc=AES(256)   Mac=SHA1
    AES256-SHA            SSLv3  Kx=RSA  Au=RSA  Enc=AES(256)   Mac=SHA1
    EDH-RSA-DES-CBC3-SHA  SSLv3  Kx=DH   Au=RSA  Enc=3DES(168)  Mac=SHA1
    DES-CBC3-SHA          SSLv3  Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=SHA1
    DES-CBC3-MD5          SSLv2  Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=MD5
    DHE-RSA-SEED-SHA      SSLv3  Kx=DH   Au=RSA  Enc=SEED(128)  Mac=SHA1
    SEED-SHA              SSLv3  Kx=RSA  Au=RSA  Enc=SEED(128)  Mac=SHA1
    RC4-SHA               SSLv3  Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=SHA1
    RC4-MD5               SSLv3  Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
    RC2-CBC-MD5           SSLv2  Kx=RSA  Au=RSA  Enc=RC2(128)   Mac=MD5
    RC4-MD5               SSLv2  Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
    DHE-RSA-AES128-SHA    SSLv3  Kx=DH   Au=RSA  Enc=AES(128)   Mac=SHA1
    AES128-SHA            SSLv3  Kx=RSA  Au=RSA  Enc=AES(128)   Mac=SHA1

The mobile client negotiates with TMVMI server to choose the cipher that will be used to encrypt the connection during enrollment.
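
Because the client and server negotiate from this list, it helps to know which entries a current TLS baseline would reject. The following Python audit is an added example, not part of the original article or of TMVMI; the rule set and function names are assumptions made for illustration, and the parser accepts both the column layout of `openssl ciphers -v` and rows whose columns have run together.

```python
import re

# The cipher list from the article, one suite per line.
CIPHER_LIST = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

# Whitespace between columns is optional so that glued rows also parse.
ROW = re.compile(
    r"^(?P<name>\S+?)\s*(?P<proto>SSLv[23]|TLSv1(?:\.[0-3])?)\s*"
    r"Kx=(?P<kx>\S+?)\s*Au=(?P<au>\S+?)\s*"
    r"Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s*Mac=(?P<mac>\S+)$")

WEAK_ENC = {
    "RC4": "RC4 stream cipher (prohibited by RFC 7465)",
    "RC2": "RC2: obsolete 64-bit block cipher",
    "3DES": "3DES: 64-bit block cipher (Sweet32)",
}


def parse_suite(line):
    """Parse one cipher row into a dict, or return None if it is not a cipher row."""
    m = ROW.match(line.strip())
    if not m:
        return None
    suite = m.groupdict()
    suite["bits"] = int(suite["bits"])
    return suite


def weaknesses(suite):
    """List the findings for one suite under the rule set assumed here."""
    found = []
    # The protocol column is the version that introduced the suite; "SSLv3"
    # suites are also negotiable under TLS 1.0 to 1.2, "SSLv2" ones are not.
    if suite["proto"] == "SSLv2":
        found.append("SSLv2 protocol (prohibited by RFC 6176)")
    if suite["enc"] in WEAK_ENC:
        found.append(WEAK_ENC[suite["enc"]])
    if suite["mac"] == "MD5":
        found.append("MD5 MAC")
    if suite["kx"] == "RSA":
        found.append("RSA key exchange: no forward secrecy")
    return found


def audit(text):
    """Map (name, protocol) to its findings; RC4-MD5 appears under two protocols."""
    report = {}
    for line in text.splitlines():
        suite = parse_suite(line)
        if suite:
            report[(suite["name"], suite["proto"])] = weaknesses(suite)
    return report


def unflagged(text):
    """Names of suites with no finding. None of them is an AEAD suite."""
    return [name for (name, _), found in audit(text).items() if not found]


if __name__ == "__main__":
    for (name, proto), found in audit(CIPHER_LIST).items():
        print(f"{name:22} {proto:6} {'; '.join(found) or 'no finding'}")
```
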

To find what network cards are supported, you can use the command below:

modprobe -l | grep drivers/net

Below is the list of supported network cards:

  • kernel/drivers/net/ethernet/broadcom/bnx2.ko
  • kernel/drivers/net/ethernet/broadcom/cnic.ko
  • kernel/drivers/net/ethernet/broadcom/bnx2x/bnx2x.ko
  • kernel/drivers/net/ethernet/broadcom/tg3.ko
  • kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
  • kernel/drivers/net/ethernet/intel/igb/igb.ko
  • kernel/drivers/net/ethernet/intel/igbvf/igbvf.ko
  • kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
  • kernel/drivers/net/ethernet/intel/ixgbevf/ixgbevf.ko
  • kernel/drivers/net/ethernet/intel/ixgb/ixgb.ko
  • kernel/drivers/net/macvlan.ko
  • kernel/drivers/net/mdio.ko
  • kernel/drivers/net/tun.ko
  • kernel/drivers/net/veth.ko
  • kernel/drivers/net/ppp/ppp_generic.ko
  • kernel/drivers/net/ppp/pppox.ko
  • kernel/drivers/net/ppp/pppoe.ko
  • kernel/drivers/net/slip/slhc.ko
  • kernel/drivers/net/vmxnet3/vmxnet3.ko
  • kernel/drivers/net/hyperv/hv_netvsc.ko

During the installation of VMI Server and Secure Access, it is not recommended to use IP addresses within 192.168.248.0/21 (Range: 192.168.248.0 to 192.168.255.255). The reason is that VMI distributes IP addresses to each virtual phone user. VMI uses NAT to share the server IP address with workspaces. This means that the admin assigns an IP address for eth0, and VMI then creates an internal subnet to allocate to the virtual phones.

The eth0 IP address and the Secure Access address must not fall within the VMI subnet. Otherwise your mobile device will not connect to the virtual phone because of an IP conflict. If this happens, you can use a tool to configure the network, but it can only stay as a Class-C network range. Do the following:

  1. Use ssh to connect to your TMVMI server, then use the following commands:

    cd /vmi/manager

    python nat_config.pyc

    Parameter error:

    nat_config <gateway> <netmask> <ip_start> <ip_end>

  2. Check if the configuration took effect. You can use either of these methods:
    • Use ifconfig command, and check if the address changed to the new gateway.
    • Open the file /etc/libvirt/qemu/networks/default.xml, and check if you can see your new configured gateway, netmask, and IP start and end.
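
Before running nat_config, the planned values can be checked against the addresses that must stay outside the workspace subnet. This Python check is an added example, not part of the original article or of TMVMI; the function names, the checks chosen and the sample addresses are assumptions made for illustration, and only the 192.168.248.0/21 range and the four parameter names come from the text above.

```python
import ipaddress

# Range the article says VMI uses for virtual phones.
DEFAULT_VMI_NET = ipaddress.ip_network("192.168.248.0/21")


def conflicts(addresses, vmi_net=DEFAULT_VMI_NET):
    """Return the names of addresses that fall inside the workspace subnet."""
    return sorted(name for name, ip in addresses.items()
                  if ipaddress.ip_address(ip) in vmi_net)


def validate_nat_plan(gateway, netmask, ip_start, ip_end, addresses):
    """Check nat_config parameters; return (network, list of problems)."""
    # strict=False lets the gateway address itself define the network.
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    gw, lo, hi = (ipaddress.ip_address(a) for a in (gateway, ip_start, ip_end))
    problems = []
    if lo > hi:
        problems.append(f"ip_start {lo} is above ip_end {hi}")
    for label, ip in (("ip_start", lo), ("ip_end", hi)):
        if ip not in net:
            problems.append(f"{label} {ip} is outside {net}")
    if lo <= gw <= hi:
        problems.append(f"gateway {gw} is inside the pool {lo}-{hi}")
    if gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address")
    # eth0, Secure Access and similar hosts must stay outside the new subnet.
    for name in conflicts(addresses, net):
        problems.append(f"{name} ({addresses[name]}) is inside {net}")
    return net, problems


if __name__ == "__main__":
    # Constructed sample addresses, not taken from a real deployment.
    hosts = {"eth0": "192.168.250.10", "secure_access": "10.64.88.30"}
    print("inside default VMI subnet:", conflicts(hosts))
    net, problems = validate_nat_plan(
        "172.16.200.1", "255.255.255.0", "172.16.200.2", "172.16.200.254", hosts)
    print(net, problems or "plan is consistent")
```
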

VMI provides an app named TMVMI App Push, which enables secure and easy provisioning of applications to the VMI server.

If you have a paid Google Play app on your mobile device, we do not suggest uploading the app to the VMI console. You may encounter an error, and sharing the paid app will violate some of Google's policies.

  1. Login to the secure access command console.
  2. Look for the following lines in the /vmi/gateway/configuration.json file, then change the IP address to the eth0 address of the management server:
    "parameters":
    {
    "server": "192.168.10.111"
    },
    
  3. Save the file.
  4. Restart the service using the command: “service vmigateway restart”.

If you want to play video through secure access, you need to do one of the following:

  • Deploy a public HTTPS certificate on secure access (Recommended).
  • Open an HTTP port on secure access.

To open an HTTP port, follow the steps below:

  1. Stop the VMI Server(s).
  2. Login to the secure access command console.
  3. In the /vmi/gateway/configuration.json file, look for "http_port" and change it to "http_port:[NEW PORT NUMBER]".
     
    [NEW PORT NUMBER] indicates the new value that should be entered.
  4. Restart the VMI gateway service by using the command "service vmigateway restart".
  5. Login to the TMVMI management server command console.
  6. In the /vmi/manager/web_portal/settings.py file, change the line "SA_HTTP_PORT=80" to "SA_HTTP_PORT=[NEW PORT NUMBER]", and then save the file.
  7. Restart the httpd and vmiengine services by using the following commands:

    "service httpd restart"

    "service vmiengine restart"

Enable syslog in VMI server

  1. Open Terminal on VMI server, and log on with the user account: root.
  2. Enter the following commands:
    • cd /vmi/manager
    • python rsyslog-config.pyc [server IP]
       
      The [server IP] is the IP of syslog Collector.

To check syslog in syslog collector, make sure that the TCP Port 514 is opened in the syslog collector.

For example, if the syslog collector runs CentOS, do the following steps to check syslog:

  1. Open the Terminal on the syslog collector.
  2. Copy the configuration file from the VMI server to the syslog collector. The configuration file is located in /vmi/manager/etc/rsyslog/rsyslog-remote.conf.
  3. Copy the rsyslog-remote.conf file to /etc/rsyslog.d of the syslog collector.
  4. Enter the following commands in the Terminal:

    service iptables stop

    service rsyslog restart

    tail -f /tmp/vmi.log

The SSO fails when using the company's Exchange Server, and the error "You don’t have permission to sync with this server." appears.

The issue can happen if you have exceeded the maximum number of mobile devices bound to the Exchange server.

To fix the issue, follow the steps below:

  1. Login to the Outlook Web App.
  2. Go to Option > Telephone > Mobile.
  3. Delete the unused mobile devices.
  4. Tap NEXT to try SSO again.

TMVMI only supports the video player that uses the Android system MediaPlayer API to play videos.

TMVMI allows the administrator to change the QR code scan quality. To change the quality, follow the steps below:

  1. Open Terminal on the VMI server, and log on with the user account: root.
  2. Enter the command "vim /vmi/unia/gm/system/etc/video.conf" to change the settings.
  3. Change the value of Quality, from 0 to 1, then save the settings.
  4. Enter the command "vim /var/unia/gm/system/etc/video.conf" to change the settings.
  5. Change the value of Quality, from 0 to 1, then save the settings. The changes will take effect after the next user login.

Category: Configure; SPEC
Solution Id: 1113339