An MDM Server is a ZENworks Primary Server with an MDM role that acts as a gateway server and is the sole access point for managing mobile devices. To ensure that the ZENworks Server and the enrolled mobile devices can communicate with each other at all times, an MDM role must be assigned to at least one Primary Server in the zone. Apart from allowing devices to contact ZENworks, MDM Servers allow ZENworks to establish outbound connections for activities such as contacting the push notification server to send relevant notifications to devices and managing VPP subscriptions. If an outbound connection is initiated from a ZENworks Control Center (ZCC) whose ZENworks Server does not have outbound access, that server routes the requests through one of the MDM Servers.
IMPORTANT: If the MDM Server is in the DMZ, ensure that the MDM Server can access the ZooKeeper service on port 6789. If the MDM Server is unable to access the ZooKeeper service, some mobile management features might not work as expected. For more information on the ZooKeeper service, see ZENworks Primary Server and Satellite Reference.
If you plan to use a Primary Server as an MDM Server, ensure that the issued certificate meets the following criteria so that the server can communicate with iOS, iPadOS, and Mac devices:
Validity of the certificate does not exceed 2 years.
Alternate DNS name is specified in the certificate.
EKU (Extended Key Usage) value is specified as Server Authentication.
Key Size should be at least 2048 bits.
Signature hash algorithm should be from the SHA-2 family.
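The following added example (not part of the ZENworks documentation or product) checks the five criteria above against the text printed by `openssl x509 -in <certificate> -noout -text`. The sample certificate text, the host name `mdm.example.com`, and the function names are constructed for illustration, and the key-size check assumes an RSA key.

```python
import re
from datetime import datetime

# Constructed sample: trimmed `openssl x509 -noout -text` output for a
# hypothetical MDM Server certificate (mdm.example.com is a placeholder).
SAMPLE = """\
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Jan 10 00:00:00 2024 GMT
            Not After : Jan  9 23:59:59 2026 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:mdm.example.com
"""

def _date(text, label):
    # openssl pads single-digit days with an extra space; normalise before parsing.
    m = re.search(rf"{label}\s*:\s*(.+?) GMT", text)
    return datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y") if m else None

def _two_years_after(d):
    # Assumption: "2 years" means the same calendar date two years later (29 Feb -> 28 Feb).
    day = 28 if (d.month, d.day) == (2, 29) else d.day
    return d.replace(year=d.year + 2, day=day)

def audit(text):
    """Return the criteria the certificate fails; an empty list means all five are met."""
    failures = []
    nb, na = _date(text, "Not Before"), _date(text, "Not After")
    if not nb or not na or na > _two_years_after(nb):
        failures.append("validity exceeds 2 years")
    if not re.search(r"Subject Alternative Name:[^\n]*\n[^\n]*DNS:\S", text):
        failures.append("no alternate DNS name")
    if "TLS Web Server Authentication" not in text:  # openssl's label for serverAuth
        failures.append("EKU lacks Server Authentication")
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if not bits or int(bits.group(1)) < 2048:
        failures.append("key size below 2048 bits")
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if not sig or not re.search(r"sha(224|256|384|512)", sig.group(1), re.I):
        failures.append("signature hash not SHA-2")
    return failures
```

An empty list from `audit()` means the certificate text satisfies every criterion; any returned entry names the criterion to correct before the certificate is used on the MDM Server.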
NOTE: If there are multiple MDM Servers in the zone, all of them are used for outbound connections, but inbound connections are limited to the servers to which devices have enrolled.
For more information on reminting the MDM Server Certificate, see ZENworks SSL Management Reference.