Mobile Device Management (MDM)

What is it?

MDM is a system that allows for centralised control of all your Clevertouch screens no matter where you are in the world. MDM saves time for every IT department, as there’s no need to attend each screen to run diagnostics, complete setting changes, or upload new files or apps. You can also push key message notifications to each screen.

Why is it important?

As more technology is introduced into all environments, there is a need to be able to monitor all tech, update settings and assess any situation before going to the screen. The demand on the IT department's time will become ever more important, and MDM is an important update to help reduce time at the screen.

Unlike other off-the-shelf systems, our MDM manufacturer Radix (a recognised world leader in MDM for Android devices) has designed a system that will not only shut down and wipe the screen but will also shut down the on-board Android system. This is a world first, exclusive to us, and helps with securing the touchscreen.

Key facts:

  • Control hundreds of Clevertouch devices remotely
  • Create groups to make sure each screen has the most suitable apps and files for where it is used, such as C-Suite, Design Studios, Maths Class, Reception Class, corporate boardroom, huddle room, etc.
  • Install APKs (Android apps), policies and files
  • Push messages directly to the Clevertouch display, ideal for security announcements
  • Anti-theft module – Lock, unlock and reset displays
  • Restart or shut down multiple screens remotely with a single click
  • Shut down the onboard Android system
  • Wipe the screen

For more information on using your Clevertouch - please visit: gettingstarted.clevertouch.com

Frequently Asked Questions


Software

Navigate to the domain settings menu option

Set: Require users permission for remote control Yes/No

Now any time you start a remote control session, users will be prompted to confirm the remote session.

A comprehensive step-by-step guide is available to download in the Drivers & Downloads tab.

This document describes the security aspects of the Viso MDM system and covers its architecture, security and connectivity.

Architecture Overview

The Viso MDM System includes the following server software components:

  • A Linux (Ubuntu Server) operating system, 16.04 Long Term Support
  • MongoDB database
  • Tomcat7 Java Servlet Container
  • RabbitMQ Message Broker
  • Nginx reverse proxy

Ubuntu Server is certified as a guest on AWS, Microsoft Azure, IBM and HP Cloud; automatic security updates are provided by Canonical Software.

The software components are installed and maintained using the Ubuntu package management system. Security updates for the OS, including the software components listed above, are provided by Canonical Software and applied automatically.

In an on-premise configuration, communication between MongoDB, RabbitMQ, Tomcat and Nginx takes place internally, inside the machine.

Each software component runs under a separate OS-level user, with its own filesystem permissions.

Mobile devices connectivity

The mobile device MDM agent communicates with the following components:

  • Server over HTTPS / WebSocket + SSL
  • RabbitMQ over TCP/SSL (optional)
  • Google GMS/GCM (TCP+SSL/HTTPS) on Android platforms
  • Apple APNS on iOS platforms

Web browser connectivity

Viso MDM uses both the HTTP and WebSocket web protocols to communicate with the server. The web architecture is based on REST APIs and browser rendering; no UI rendering is done in the backend. The web server is placed behind an Nginx reverse proxy, and SSL encryption is done by Nginx.

Attack Surface Analysis

The web application architecture is based on an MVC software infrastructure provided by Spring, a VMware company. Spring MVC provides methods for securing user interface (UI) forms and fields in the backend, a single configuration setting for HTTP headers and cookies, and fine-grained role-based access control for the exposed web APIs and REST endpoints. An attacker targeting those APIs will have to overcome Nginx HTTP validation, Spring Security HTTP authorization, and the Viso RBAC implementation.

Users and login

Viso MDM includes a user management implementation.

Users are forced to choose a password according to a configurable password strength policy; MFA methods are optional. A grace period of failed login attempts is possible.

Database and file storage

Viso MDM uses the MongoDB document-oriented database to save information about devices, users and configuration. In an on-premise configuration, the database is only accessible to applications running on the same machine as the database.
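One way to check the on-premise claims above (internal-only communication between the components, database reachable only from the same machine) is to audit the server's listening sockets. This is an added example, not part of the vendor's documentation: it parses `ss -H -tln` output and flags MongoDB, RabbitMQ or Tomcat listeners bound to anything other than loopback. The port numbers are the components' usual defaults and are assumptions, since the page lists none; the sample output is constructed.

```python
import ipaddress

# Assumed default ports (the page does not list any); adjust to the real install.
INTERNAL_ONLY = {27017: "MongoDB", 5672: "RabbitMQ (AMQP)", 8080: "Tomcat"}
EXPECTED_PUBLIC = {443: "Nginx (HTTPS)", 5671: "RabbitMQ over TLS (optional)"}

# Constructed sample of `ss -H -tln` output, not captured from a real server.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:5672 [::]:*
LISTEN 0 100 [::ffff:127.0.0.1]:8080 *:*
LISTEN 0 128 *:5671 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def parse_listener(line):
    """Return (address, port) for one `ss -H -tln` line, or None if not a listener."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    # Drop a %iface scope suffix first, then the IPv6 brackets.
    return host.split("%")[0].strip("[]"), int(port)

def is_loopback(host):
    if host == "*":                      # wildcard bind: every interface
        return False
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)   # e.g. ::ffff:127.0.0.1
    return (mapped or addr).is_loopback

def audit(ss_output):
    """Return sorted (port, address, verdict) tuples, one per listening socket."""
    findings = []
    for host, port in filter(None, map(parse_listener, ss_output.splitlines())):
        if is_loopback(host):
            verdict = "ok: loopback only"
        elif port in INTERNAL_ONLY:
            verdict = f"FAIL: {INTERNAL_ONLY[port]} reachable off-host"
        elif port in EXPECTED_PUBLIC:
            verdict = f"ok: expected public listener, {EXPECTED_PUBLIC[port]}"
        else:
            verdict = "review: listener outside the documented architecture"
        findings.append((port, host, verdict))
    return sorted(findings)

def failures(ss_output):
    return [f for f in audit(ss_output) if f[2].startswith("FAIL")]
```

On a real server, pass the captured output of `ss -H -tln` to `audit()`; a host firewall may still block a listener that this check flags, so treat a FAIL as a binding to fix rather than proof of exposure.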

Software installation uses file storage on the server.

By default, the storage is not accessible externally and files can only be downloaded from the web API. An

Push notifications, Email or other kinds of messages

Viso MDM can use different types of push notification solutions. By default it will try to use the platform's native push notification solution (GCM/FCM for Android, APNS for iOS).

The push notification is used as a method of alerting the device, and no sensitive data is transferred on it by default. Those systems use HTTP or TCP+SSL for communication, and a 256-bit user identifier.

Streaming and remote display

The Remote Desktop feature uses a WebRTC implementation. The underlying transport protocols are SecureRTP and DTLS. The implementations are built into modern web browsers and encrypt data using SSL over UDP.

The streaming servers may use additional software components in case of special network conditions.

With new installations of the Clevertouch, we have been finding that the "Unknown DeviceID" (sometimes "12345678") issue appears a lot when setting up the MDM. It usually presents itself at the end of setup, where the MDM cannot find the authentication token, and below this it will mention that the DeviceID is Unknown.

This usually occurs because the wireless USB is not connected to the screen: the wireless MAC address is created by that unit, and the DeviceID is then generated from it. The MDM will not generate a DeviceID from the Ethernet MAC address unless the option for this is turned on (this is shown in a separate FAQ).

To resolve this, first complete an OTA update with the wireless USB connected, using the instructions below.

  1. Go to the "Settings" app
  2. Find the "System" tab
  3. Then press the "Check Updates" button.

If this does not work, you can then clear the app data from the device after connecting your wireless USB using the following instructions:

  1. Go to the "Settings" app
  2. Then press "Apps"
  3. Now scroll until you see the MDM Application and press this
  4. Select storage and then press clear data.

The reason this occurs is that the MDM uses the wireless unit to generate a DeviceID from the wireless MAC address. If the wireless unit is not installed before the screen is booted for the first time, the MDM loads without a DeviceID generated. Following the instructions above allows the MDM to clear its previous data and then re-initialise with the wireless USB installed, so that a DeviceID is generated.

We recommend that you install the wireless units before the initial boot of the Clevertouch screen, so that the MAC address is created and the MDM can generate a DeviceID from it.

  1. Open the MDM application on the Clevertouch screen
  2. Press the top right three dots to open up the menu
  3. Select the "Settings" option
  4. Scroll down to the option which says "Use Ethernet for mac address" and enable this

Drivers & Downloads


  1. Network requirements document, useful for IT administrators

    Clevertouch%20Network%20Requirements%20April%202023.pdf

  2. Apply commands and operations on devices

    Apply-commands.pdf

  3. Install package directly from Google Play Store

    Play-Store-Install.pdf