Integration of Headwind MDM into a corporate network

External service

The most common way to deploy Headwind MDM is to set up an external server (outside of the corporate network) and assign a subdomain of your company’s domain to it.

Headwind MDM as an external service

All entities (administrators, external mobile devices using SIM cards, internal mobile devices using corporate WiFi) are communicating with Headwind MDM server through Internet by connecting to the MDM server’s domain name.

Despite this deployment is very easy to set up (here is the instruction), it may not be compliant with the corporate IT security rules.

Service deployed on a corporate resource

MDM service can be deployed on a host belonging to a corporate network. A corporate server usually has an internal IP address. Access to this server from the Internet is provided by a corporate firewall.

Headwind MDM in the corporate network

The company’s IT admin is responsible to set up the traffic forwarding on a firewall for all required ports.

Note that the MDM server must be available locally (Headwind MDM creates a HTTPS connection to itself to download the mobile agent and calculate its checksum). Also, internal users like mobile devices using a corporate WiFi must be able to communicate with the MDM server. Therefore, the IT admin is responsible for proper DNS configuration (at least locally, using /etc/hosts).

Here is the manual how to set up port forwarding when Headwind MDM is behind a firewall.

Service deployed in LAN

Since Headwind MDM doesn’t require any cloud services to work with, it can be installed in the local or private network.

Headwind MDM in LAN

If Headwind MDM is installed in LAN, the mobile devices must use either VPN or a private APN to become a part of the corporate network.

When installing Headwind MDM in a private network, the IT admin must take care of the following issues:

  • Use a real domain (available on the Internet), because you must issue an SSL certificate for it;
  • LetsEncrypt cannot renew certificates in a private network, so you need to purchase a commercial SSL certificate (the longer is its validity, the better);
  • Device enrollment in local network may fail. We recommend using a separate WAN having access to the Internet for the device enrollment.

Read more about the Headwind MDM installation in a local network here.

Remote control module

The remote control module (aPuppet) is powered by a different web server (nginx) and uses ports different from the Headwind MDM ports. The list of ports used by aPuppet is here. The IT admin must take care for opening these ports.

It is recommended to deploy aPuppet on a different host.

APuppet Remote Control, standalone

Even if the aPuppet web interface will have another domain name, the remote control module is seamlessly integrated into the web panel, so the admin shouldn’t bother about the domain name.

APuppet can also be configured to run on the same host where Headwind MDM is installed. This option is available in the Premium version only.

APuppet Remote Control, embedded

When running aPuppet behind a firewall, take care for opening UDP ports (aPuppet uses UDP to make the remote control faster and more responsive). Default UDP port range is 10000 – 10500.