Understanding OpenManage Mobile (OMM) and Quick Sync Security (PowerEdge 14th Gen servers and MX Chassis)

Abstract

This technical white paper helps you understand mobile management security features and optimize your environment for maximum security on Dell EMC PowerEdge servers.

September 2018

Dell EMC
Revisions

Date         Description
March 2016   Initial release
June 2017    Revised for Quick Sync 2, OMM 2.0
Aug 2018     Added security for MX Chassis

Acknowledgements

This paper was produced by the following members of the Dell EMC storage engineering team:

Authors:
Manoj Malhotra, Product Consultant
Saurabh Kishore, Software Principal Engineer

The information in this publication is provided “as is.” Dell Inc.
Table of contents

Revisions
Acknowledgements
Executive summary
Executive summary

Dell OpenManage Mobile (OMM) enables monitoring, provisioning, and troubleshooting of Dell PowerEdge servers as well as the MX7000 chassis and its associated sleds. In 2014, Dell EMC pioneered wireless at-the-server management with the NFC-based Quick Sync bezel. With the introduction of 14th generation servers, the Quick Sync 2 module enables higher-bandwidth Bluetooth Low Energy (BLE) and Wi-Fi connections. OpenManage Mobile also supports remote management.
1 OpenManage Mobile at-the-server and at-the-chassis security

OpenManage Mobile (OMM) can:

• Communicate directly with an iDRAC while at-the-server by using the Quick Sync 2 module and Quick Sync bezel technology, and communicate with the MX7000 chassis by using the Quick Sync 2 module.
• Read server or MX chassis health, inventory, and configuration information, including the Lifecycle Controller logs.
By default, Quick Sync 2 module users are authenticated to iDRAC by using the iDRAC credentials; the same applies to the MX chassis. The 14th generation PowerEdge servers generally ship with a randomized secure default password. If a legacy default password (root/calvin) is specifically requested, Quick Sync 2 requires that the unique iDRAC MAC address be supplied. Therefore, each out-of-the-box Quick Sync 2 connection is authenticated with system-specific information.
1.3 Best practices for at-the-server security

To help maximize security, Dell EMC recommends the following:

• Protect your servers and chassis by limiting physical access to authorized personnel only.
• Always change the default credentials when provisioning a new server.
• If personal devices are not permitted in the data center, consider using a dedicated mobile device that is always kept physically in the data center.
2 OpenManage Mobile remote connection security

OpenManage Mobile retrieves data remotely from the Dell OpenManage Enterprise or OpenManage Essentials one-to-many systems management console and from iDRAC server management controllers. The information retrieved includes device inventory, health status information, alerts, log entries, and configuration information. OMM can configure servers by using an iDRAC connection.
2.2 Alert Push notification security

Alerts sent by using push notifications pass through several systems before reaching a mobile device. However, each step is secured as shown in Figure 1.

[Figure 1: Alert Push Notification Security. Labels in the figure: OpenManage Essentials Server, OpenManage Mobile Cloud Services, Google Cloud Messaging, Apple Push Notification Service, OpenManage Mobile, OpenManage Mobile (iOS).]

1.
2.3 Remote console security

OMM can start third-party remote console (VNC) applications based on the RFB protocol. OMM Android integrates with bVNC, while OMM iOS integrates with RealVNC and Remoter Pro. When connecting to the 14th generation PowerEdge servers, these connections can be channeled over SSH by using standard iDRAC credentials. On iOS, this requires the paid Remoter Pro app.
3 OpenManage Mobile on-device security

OMM stores a variety of information on the mobile device, such as credentials, host address information, and settings. When used with iDRAC Quick Sync, server health, inventory, and configuration information are also cached. To protect this information, data is encrypted with a device-specific key, such as an optional password.
A Technical support and resources

Dell.com/support is focused on meeting customer needs with proven services and support.

A.1 Related resources

Dell OpenManage Mobile v3.0 User's Guide (Android and iOS): https://www.dell.com/support/home/us/en/04/product-support/product/openmanage-mobile-v3.