Ways to Activate LINK

When a new user is first added to LINK, that user’s device(s) must be provisioned in LINK. This process is known as “activation”, and it involves sending the requisite data to the new device to:

 

  1. Tell the device how to find the LINK gateway

  2. Store a controller-signed certificate on the device, which is required to access the gateway

 

Activation data can be transmitted to a user via an MDM “App Configuration Policy.” This policy is used to send the gateway location and an activation certificate to each MDM-enrolled mobile device. MDM-enrolled devices can then activate Link with a 6-character activation code.

 

Configuring Code-Based Activation in the Link Controller

 

Code-based activation is configured in the Link Controller on the “Settings” tab. The first step is to change the launch link type to be “Activation Code” in the “Controller Settings” pane on the “Settings” tab. To do so, change the link type using the dropdown pictured here:

 

 

 

Please make sure that the “Attach a QR code …” and “Attach an hxl file …” options are both toggled off.

 

Configuring Code-Based Activation in MDM

 

The next step is to create the required “App Configuration Policy” in your MDM solution. The instructions provided here are generic, and may be adapted to any MDM solution.

 

Link must be distributed via MDM, so the first step is to add the Link app to your MDM configuration and to distribute Link from the iOS App Store or the Google Play store. Define the group of users who should receive the Link app and ensure that this user group matches the group that you have configured as users in the Link Controller.

 

Next, create an app configuration profile for the Link app. The profile parameters are generally specified in XML (on iOS) or in JSON (on Android) as name/value pairs.

 

For example, the following configuration structure is used for iOS devices:

 

<dict>
    <!-- Must match "Launch Link ID Encryption Passphrase" in the Link Controller -->
    <key>LaunchLinkPassword</key>
    <string>ENTER PASSWORD</string>
    <key>LaunchLinkGateway</key>
    <string>10.0.0.32</string>
    <key>LaunchLinkProxy</key>
    <string>demo.mobilehelix.com</string>
    <key>LaunchLinkPort</key>
    <string>443</string>
    <!-- Paste the PEM body between each BEGIN/END pair below -->
    <key>LaunchLinkKey</key>
    <string>-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----</string>
    <key>LaunchLinkCert</key>
    <string>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</string>
    <key>LaunchLinkCACert</key>
    <string>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</string>
</dict>

 

And the following configuration structure is used on Android devices:

 

{
    "kind": "androidenterprise#managedConfiguration",
    "productId": "app:com.mobilehelix.link",
    "managedProperty": [
        {
            "key": "LaunchLinkPassword",
            "valueString": "ENTER PASSWORD"
        },
        {
            "key": "LaunchLinkGateway",
            "valueString": "10.0.0.32"
        },
        {
            "key": "LaunchLinkProxy",
            "valueString": "demo.mobilehelix.com"
        },
        {
            "key": "LaunchLinkPort",
            "valueString": "443"
        },
        {
            "key": "LaunchLinkKey",
            "valueString": "-----BEGIN RSA PRIVATE KEY-----\n-----END RSA PRIVATE KEY-----"
        },
        {
            "key": "LaunchLinkCert",
            "valueString": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"
        },
        {
            "key": "LaunchLinkCACert",
            "valueString": "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"
        }
    ]
}

 

For Android, many MDM providers (such as Intune) also provide a user interface for entering individual key/value pairs and generating the JSON configuration. You may use the GUI method for creating the configuration JSON as well.

 

The parameters to be supplied here are as follows:

 

  1. “LaunchLinkPassword” – Generate a unique password. This should be a long, complex password. Enter the same value in this MDM configuration that you enter on the Settings tab in the Link Controller, in the box titled “Launch Link ID Encryption Passphrase”.

  2. “LaunchLinkGateway” – Enter the public IP address or DNS name of your gateway.

  3. “LaunchLinkProxy” – If you are using a DMZ proxy, enter the public DNS name that is routed to the DMZ proxy here.

  4. “LaunchLinkPort” – Enter the public port of the proxy here. This will generally be port 443.

  5. “LaunchLinkKey” – On the Settings tab in the Controller, scroll down to the Downloads pane. Click on the hyperlink titled “Download a PEM text file with a private key and certificate pair to use as MDM settings for provisioning”. Open this file in a text editor. Copy the RSA private key portion into the XML configuration.

  6. “LaunchLinkCert” – Using the same file downloaded in step 5, copy the certificate here.

  7. “LaunchLinkCACert” – On the Settings tab, in the Downloads pane, click on the hyperlink titled “Download a PEM text file with the Root CA Cert for this Link Controller”. Open this file in a text editor, and copy the encoded certificate here.

 

This configuration profile should be pushed to all users of the Link app.
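
The profile carries a passphrase and a private key, so it is worth checking locally before it is pushed. The following Python lint is an added example, not Mobile Helix code: it reads either format described above and flags missing keys, an unreplaced “ENTER PASSWORD” placeholder, stray whitespace, and PEM values that are not framed by the expected BEGIN/END lines. The 20-character minimum and the treatment of “LaunchLinkProxy” and “LaunchLinkPort” as optional are assumptions; the sample input is constructed.

```python
import json
import plistlib
import re

REQUIRED = ("LaunchLinkPassword", "LaunchLinkGateway", "LaunchLinkKey",
            "LaunchLinkCert", "LaunchLinkCACert")  # proxy/port treated as optional (assumption)
PEM_LABEL = {"LaunchLinkKey": "RSA PRIVATE KEY", "LaunchLinkCert": "CERTIFICATE",
             "LaunchLinkCACert": "CERTIFICATE"}
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def load_profile(text):
    """Parse Android managed-configuration JSON or an iOS <dict> fragment."""
    text = text.strip()
    if text.startswith("{"):
        return {p["key"]: p["valueString"] for p in json.loads(text)["managedProperty"]}
    if not text.startswith(("<?xml", "<plist")):
        text = '<plist version="1.0">' + text + "</plist>"  # plistlib needs a root
    return {k: str(v) for k, v in plistlib.loads(text.encode()).items()}

def lint(profile, min_password_len=20):  # 20 is an assumed policy value
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"{k}: missing" for k in REQUIRED if k not in profile]
    for key, value in profile.items():
        if value != value.strip():
            findings.append(f"{key}: leading or trailing whitespace")
        if label := PEM_LABEL.get(key):
            lines = value.strip().splitlines()
            ok = (len(lines) >= 3 and lines[0] == f"-----BEGIN {label}-----"
                  and lines[-1] == f"-----END {label}-----"
                  and all(B64_LINE.fullmatch(ln) for ln in lines[1:-1]))
            if not ok:
                findings.append(f"{key}: not a well-formed PEM {label} block")
    pw = profile.get("LaunchLinkPassword")
    if pw is not None and (pw == "ENTER PASSWORD" or len(pw) < min_password_len):
        findings.append("LaunchLinkPassword: placeholder or too short")
    port = profile.get("LaunchLinkPort")
    if port is not None and not (port.isdecimal() and 0 < int(port) < 65536):
        findings.append("LaunchLinkPort: not a valid TCP port")
    return findings

# Constructed sample with deliberate defects; the PEM body is dummy base64.
SAMPLE = json.dumps({"managedProperty": [{"key": k, "valueString": v} for k, v in {
    "LaunchLinkPassword": "ENTER PASSWORD",
    "LaunchLinkGateway": "10.0.0.32",
    "LaunchLinkProxy": " demo.mobilehelix.com ",
    "LaunchLinkKey": ">-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----",
}.items()]})

if __name__ == "__main__":
    print("\n".join(lint(load_profile(SAMPLE))))
```

The lint checks structure only; it does not verify that the private key matches the certificate or that the certificate was issued by the Root CA.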

 

Activation by Email

 

The most common way to activate the LINK app is with an email. This email can be sent to any email account that the user can access, including a webmail (Outlook Web Application) email client. This email contains a 6-character activation code.

 

To customize the contents of the email, edit the email template on the Settings tab of the Controller in the pane titled “Provisioning Email”. The “Any Device, Delegated Login” email template is the correct one to edit. The activation code will replace “{0}” in the template email that you write. This template must be modified, as the default template is designed for hyperlinks, not activation codes.

 

After making any changes to the launch email template, click the “Save” button to ensure that your changes are saved.

 

Sending Activation Emails to a Personal Address

 

In general, activation emails are sent to the email address configured in a User’s record on the Users tab in LINK. Selecting “Resend Activation Email” from the “Actions” menu will do exactly this.

 

However, an activation email can be sent to an alternative address. To do so, simply edit the user record with the pencil icon, then use the “Send Device Welcome” button at the top-right of the screen. This will present a dialog box that allows you to enter an email address. This email address will not be stored permanently in the user’s record – it is intended as a one-time opportunity to change where an activation email is sent.

 

Launch LINK Policies

 

Launch Link policies are configured as part of a user’s login policies on the Policies tab in the LINK Controller (see first screen shot below). The main policies governing launch links are:

 

  1. Number of permitted usages (i.e., how many times can the user tap on the launch link to activate a device). A launch link that permits multiple usages can be used on multiple devices. If this is not desired, the usage count should be limited to 1. This usage count limit can be combined with a day limit by setting the expiration of the embedded certificate in a launch link (see second screen shot below).

  2. Length of time before the launch link expires. Expired launch links are no longer valid.

 

Configuring launch link policies on the Policies tab in the Controller:

 

 

Limiting usages (first text box) and days (second text box):

Mobile Helix, Inc.