Post-installation checklist

After you’ve completed the installation here’s a list of things to verify to make sure your installation is working as expected.

Sign in

System Administrator

The system administrator can be used to create additional organizations.

You can sign in to BlueRange as system administrator using the credentials configured in the application.yml or environment variables.

application.yml
relution:
  system:
    admin:
      password: ''
      email: ''
Environment
SYSTEM_ADMIN_PASSWORD=""
SYSTEM_ADMIN_EMAIL=""

For security reasons it is required to change the password after first login.

Organization Administrator

You can sign in to BlueRange as an organization administrator. If you’re using LDAP make sure you can sign in with at least one LDAP user account.

Check Result

Sign in with a local account is possible

Sign in with an LDAP account is possible

For security reasons we strongly recommend to change the password after first login.

Certificates

Make sure you can connect to BlueRange using its external hostname. Mobile devices can be more strict when it comes to SSL certificate validation. Even if your desktop browser shows a valid HTTPS connection devices may reject the connection if some things are not configured correctly. We highly recommend the use of SSL Labs to verify that everything is set up correctly.

Check Result

You can open https://${hostname} in a browser

Browsers show a secure connection (Chrome, Edge, Firefox, Safari)

SSL Labs reports no errors or warnings

Common issues:

  • Incomplete certificate chain (missing intermediate certificates). Chrome, Firefox, etc. may ignore this but mobile devices may refuse to sign in

  • The reverse proxy uses Server Name Indication (SNI). This is not supported by some older Android versions. As a workaround, make sure the MDM server’s certificate is the first one that is returned.

Mobile devices refuse the certificate

Possible cause

  • The certificate chain may be incomplete. An incomplete chain is ignored by most desktop browsers but can lead to errors on mobile devices.

Corrective actions

  • Use https://www.ssllabs.com/ to verify whether your SSL certificate is set up correctly. It takes about 5 minutes for the test to complete. Fix any issues that are reported.

Mobile devices receive a different certificate

Possible cause

  • The server may be using Server Name Indication (SNI), which is not supported by all mobile devices.

Corrective actions

  • Reconfigure the webserver so that the first certificate that is returned is the one required by the mobile devices. The devices are unable to request a specific certificate and will always use the first one that is sent by the server.

Database backups

Make sure you have a working database backup. This is essential in case of a hardware failure or when an update goes wrong.

Check Result

BlueRange’s database is included in automated backups

You can restore the database (to another machine)

Knox Mobile Enrollment

Make sure you do not change your SSL certificate after you’ve created a profile on Samsung’s portal. The profile sent to the mobile device includes the certificate that Samsung found at the time the profile was created. The mobile device will refuse connection if the server returns a different certificate other than the expected one.

After you’ve changed your certificate (i.e. expiration) make sure to recreate the profile(s) before you attempt to enroll new devices.

Missing enrollment code during enrollment

Possible cause

  • The KME profile was created with an older certificate; The SSL certificate of the server was renewed after the KME profile was created.

Corrective actions

  • Create a new KME profile on Samsung’s KNOX portal and assign it to all devices. Delete the old profile.

Latest BlueRange Client Apps

We always recommend to use the BlueRange apps for iOS and Android from the public app stores which can be found here:

If you want to use the enterprise version of our Android app directly in BlueRange, you can find it at Android.

Support

For support purposes you may want to allow remote access to your BlueRange server. Consider enabling or installing remote access software like Remote Desktop, SSH or TeamViewer. For the best possible security we recommend the use of SSH with key-based authentication. Consider using a separate user account for support personnel (i.e. for security audit purposes). Support typically requires read and write access to BlueRange’s installation directory and the ability to restart the BlueRange service.