
How to Install and Configure WSO2 EMM Server

Today, employees increasingly use COPE (Company-Owned Personally Enabled) and BYOD (Bring Your Own Device) smart devices in their workplaces. These devices have introduced many advantages which include increased productivity and greater flexibility and efficiency. However, this has created many mobility challenges for enterprises in terms of security and the management of such devices. Organisations now have a growing need to monitor and manage corporate and personal (employee-owned) mobile devices that have access to corporate data. With the WSO2 Enterprise Mobility Manager (WSO2 EMM), organisations are able to secure, manage and monitor Android, iOS and Windows powered devices.

At Mitra Innovation we like to share our knowledge about technology and we thought it would be helpful to provide a step by step guide on the installation and configuration of the WSO2 EMM platform to assist those who are just getting started.

What is WSO2 EMM Server?

WSO2 EMM is an open source comprehensive platform that provides a complete solution that surpasses ordinary device management. It aims to equip organisations with the ability to execute/attain a connected business strategy through its ability to integrate with enterprise wide entities. These include governance, analytics and identity provisioning, helping IT administrators deal with OS fragmentation for the Android, iOS and Windows platforms, easy customisability by providing a highly extensible platform to support diverse needs of the enterprise, manage corporate sanctioned apps, rich analytics, and security and compliance monitoring through policies.

Architecture

WSO2 EMM comprises two main components:

1. Mobile Device Management (MDM)
2. Mobile Application Management (MAM)


With the Mobile Device Management (MDM) module, administrators or organisations can manage and monitor devices that are registered with EMM. By design, WSO2 EMM has a plugin architecture that enables it to implement new device platforms and plug them in easily. Consequently, the Android, iOS, and Windows platforms are plugged into the MDM core. Within this module, policies created by organisations/administrators are applied and managed on registered devices based on the policy enforcement criteria. Operations that take place in the EMM, e.g. device lock, enterprise wipe and clear password, are also managed here, and the user management module helps administrators to manage EMM users. Tenant administrators can customise their general Android, iOS and Windows settings through the configuration management module, and compliance monitoring helps to ensure that devices do not violate any policies. If they do, the necessary actions can be taken.

Organisations can use the Mobile Application Management (MAM) to control the corporate applications on each mobile device that is registered with EMM. The publisher console helps users within the publisher role to manage mobile applications. They can publish, unpublish, diminish or retire their mobile apps. Users in the reviewer role are able to approve or reject mobile apps submitted for approval. Within the store, users can simply locate mobile apps and install them on their devices.

In the following sections, the installation of WSO2 EMM on Windows and as a Linux service will be described in step-by-step detail. Additionally, the necessary configurations within WSO2 EMM are covered.

Installing WSO2 EMM on Windows

For a Windows installation, follow the instructions below to download the binary distribution of WSO2 EMM:

The binary distribution contains the binary files for both MS Windows and Linux-based operating systems, compressed into a single ZIP file. This distribution is recommended for many users.

1. In your web browser, go to http://wso2.com/products/enterprise-mobility-manager/
2. Click the Download button in the upper right-hand corner of the page to download the latest version. To download an older version, click the Previous Releases link and then select the version that you want.
3. Enter the required details in the form, and click Download.

System Requirements

Device OS Prerequisites


Follow the instructions below to install EMM on Windows.

Installing the Required Applications


● Be sure your system meets the prerequisites. The Java Development Kit (JDK) is essential to run the product.
● Be sure that the PATH environment variable includes "C:\Windows\System32", because the findstr Windows executable is stored in this path.

Installing EMM


1. If you have not done so already, download the latest version of the product as described in downloading the product.
2. Extract the archive file to a dedicated directory for the product, which will hereafter be referred to as <EMM_HOME>.

Setting JAVA_HOME


You must set your JAVA_HOME environment variable to point to the directory where the Java Development Kit (JDK) is installed on the computer. Typically, the JDK is installed in the C:\Program Files\Java\ directory, such as C:\Program Files\Java\jdk1.8.0_101 . If you have multiple versions installed, choose the latest one, which you can find by sorting by date.

Installing WSO2 EMM as a Linux Service


Follow the sections below to run a WSO2 product as a Linux service:
● Prerequisites
● Setting up CARBON_HOME
● Running the product as a Linux service

Prerequisites

Install JDK 1.6.24 or later or 1.7.* and set up the JAVA_HOME environment variable.

Setting Up CARBON_HOME


Extract the WSO2 product to a preferred directory in your machine and set the environment variable CARBON_HOME to the extracted directory location.

Running the Product as a Linux Service


1. To run the product as a service, create a startup script and add it to the boot sequence. The basic structure of the startup script has three parts (i.e., start, stop and restart) as follows:

cmd 1


Below is a sample startup script; the product directory can vary depending on the WSO2 product.

cmd 2


In the above script, the server is started as a user by the name user1 rather than the root user. For example: su -c "${startcmd}" user1
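The article's own sample script is the image "cmd 2" above, which is not reproduced here; the following is an added example, written for this page, of an init script with the start/stop/restart structure just described. It assumes the CARBON_HOME directory and the user1 service account from the article's text (the /opt/WSO2/wso2emm default path, the RUN_AS_USER override and the helper function names are this example's own choices), and relies on the vendor's wso2server.sh accepting the start and stop actions shown later in this guide. The LSB header matches the runlevels that update-rc.d's defaults option assigns in step 3.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          prodserver
# Required-Start:    $remote_fs $network
# Required-Stop:     $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: WSO2 EMM server
### END INIT INFO
# Added example init script (not the article's "cmd 2" script). Assumptions:
# CARBON_HOME is the extracted product directory and the service account is
# user1, as in the article; both can be overridden through the environment.
CARBON_HOME="${CARBON_HOME:-/opt/WSO2/wso2emm}"
RUN_AS="${RUN_AS_USER:-user1}"

# Build the vendor command for one action. Returning the string (instead of
# running it here) lets the dispatcher wrap it in su -c and keeps the logic
# testable without a live server.
build_cmd() {
    case "$1" in
        start|stop|restart) echo "sh ${CARBON_HOME}/bin/wso2server.sh $1" ;;
        *) return 1 ;;
    esac
}

# The server must not run as root: with su -c "${cmd}" user1 a compromised
# server process is confined to what the service account can write.
check_not_root() {
    [ -n "$1" ] && [ "$1" != "root" ]
}

# Require the vendor script to exist before trying to execute it.
check_home() {
    [ -x "$1/bin/wso2server.sh" ]
}

dispatch() {
    cmd=$(build_cmd "$1") || { echo "Usage: $0 {start|stop|restart}" >&2; return 2; }
    check_not_root "$RUN_AS" || { echo "Refusing to run the server as root" >&2; return 3; }
    check_home "$CARBON_HOME" || { echo "No wso2server.sh under $CARBON_HOME" >&2; return 4; }
    su -c "$cmd" "$RUN_AS"
}

# Only act when invoked with an argument, so sourcing the file for checks is harmless.
if [ $# -gt 0 ]; then
    dispatch "$1"
fi
```

Install it as described in the steps that follow (make it executable, link it into /etc/init.d/, then register it with update-rc.d); the dispatcher refuses to start the server as root so that a mistake in RUN_AS_USER fails loudly instead of silently widening the blast radius of a server compromise.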


2. Add the script to /etc/init.d/ directory.


If you want to keep the scripts in a location other than the /etc/init.d/ folder, you can add a symbolic link to the script in /etc/init.d/ and keep the actual script in a separate location. Say your script name is prodserver and it is in the /opt/WSO2/ folder; then the commands for adding a link to /etc/init.d/ are as follows:


● Make executable: sudo chmod a+x /opt/WSO2/prodserver
● Add a link to /etc/init.d/: sudo ln -snf /opt/WSO2/prodserver /etc/init.d/prodserver


3. Install the startup script to the respective runlevels using the update-rc.d command. For example, give the following command for the sample script shown in step 1:

sudo update-rc.d prodserver defaults

The defaults option in the above command makes the service start in runlevels 2, 3, 4 and 5 and stop in runlevels 0, 1 and 6.


A runlevel is a mode of operation in Linux (or any Unix-style operating system). There are several runlevels in a Linux server and each of these runlevels is represented by a single digit integer. Each runlevel designates a different system configuration and allows access to a different combination of processes.
4. You can now start, stop and restart the server using the service prodserver {start|stop|restart} command. You will be prompted for the password of the user (or root) used to start the service.

Server Configurations

General Server Configurations

Follow the instructions below to configure general server configurations:

1. Configure the monitoring frequency by setting the MonitorFrequency parameter in the cdm-config.xml file, which is in the <EMM_HOME>/repository/conf directory. Specify this value in milliseconds. The EMM server uses this parameter to determine how often the devices enrolled with EMM need to be monitored. By default, this value is set to 60000 ms (1 min).

Example:

cmd3

2. Configure the following fields that are under the tag in the <EMM_HOME>/repository/conf/api-manager.xml file.

This step is only applicable in the production environment.

● Configure the <serverURL> field by replacing ${carbon.local.ip} with the hostname or public IP of the production environment.
cmd4

● Configure the field by replacing ${carbon.local.ip} with the hostname or public IP of the production environment.

cmd5

3. Enable HTTPS communication.


a. To enable HTTPS redirection for a specific web application, uncomment the following code in the respective web application's web.xml.
Example: Enable HTTPS redirection for the mdm-android-agent web app by navigating to the <EMM_HOME>/repository/deployment/server/webapps/mdm-android-agent/WEB-INF/web.xml file.

cmd 6

b. To enable HTTPS redirection for the entire servlet container, configure the web.xml file, which is in the <EMM_HOME>/repository/conf/tomcat folder, by including the following:

cmd7

WSO2 EMM Email Configurations

Configure the email settings to send out the registration confirmation emails to new users and invite existing users to register their device with WSO2 EMM.

1. Create an email account to send out emails to users that register with EMM (e.g., no-reply@foo.com).

If you are using a Google mail account, you need to note that Google has restricted third party apps or less secure apps from sending emails. Therefore, you need to configure your account to enable this setting as WSO2 EMM acts as a third party application when sending emails to confirm user registrations or inviting existing users to register devices with WSO2 EMM.

2. Open the <EMM_HOME>/repository/conf/axis2/axis2.xml file, uncomment the mailto transportSender section, and configure the EMM email account.

For mail.smtp.from, mail.smtp.user, and mail.smtp.password, use the email address, username, and password (respectively) from the mail account you set up.

cmd 9

3. Configure the email sender thread pool.


Navigate to the email-sender-config.xml file, which is in the <EMM_HOME>/repository/conf/etc directory, and configure the following fields under .

● MinThreads: Defines the minimum number of threads that need to be available in the underlying thread pool when the email sender functionality is initialised.
● MaxThreads: Defines the maximum number of threads that may serve email sending at any given time.
● KeepAliveDuration: Defines how long an idle connection is kept alive. If the thread pool has initialised more connections than the number defined in MinThreads, and they have been idle for longer than the KeepAliveDuration, those idle connections are terminated.
● ThreadQueueCapacity: Defines the maximum number of concurrent email sending tasks that can be queued up.

cmd 10


4. Customise the email templates that are in the <EMM_HOME>/repository/resources/email-templates directory.


The email templating functionality of WSO2 EMM is implemented on top of Apache Velocity, which is a free and open-source template engine.


a. Open the email template that you wish to edit based on the requirement, such as the user-invitation.vm or user-registration.vm file.
b. Edit the template content to suit your requirement.
c. Restart WSO2 EMM.


If you need to access HTTP or HTTPS base URLs of the server within your custom template configs, use the $base-url-http and $base-url-https variables, respectively.

WSO2 EMM Jaggery Apps Configurations to Enroll and Manage Devices


In WSO2 EMM, only the Android and iOS platforms use the agent to enroll devices with the EMM. The Windows platform uses the native workplace application to enroll devices with WSO2 EMM. Therefore, the following configuration steps are required only if you are registering or enrolling Android or iOS devices.

Follow the steps given below:

1. Open the config.json file that is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/config directory.


2. Configure the host attribute that is under generalConfig by providing the entire server address.

You are required to configure this file as it is used to handle device enrollments.

To download the EMM Android agent in a testing environment, configure the host attribute using an HTTP URL, because the Android browser does not trust hosts with self-signed certificates.

To download the EMM Android agent in a production environment, configure the host attribute using an HTTPS URL, as the production server has a valid SSL certificate issued by a Certificate Authority (CA) installed.

cmd 11

3. Open the config.json file that is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory.

4. Configure the host attribute that is under generalConfig by providing the entire server address.


You are required to configure this file as it is used to manage the devices.

In a clustered environment, configure the host attribute by providing the entire server address that was given for the host attribute in the emm-web-agent's config.json file, changing only the protocol to HTTPS and the port to the HTTPS port. This is required because the EMM configurations refer to the emm-web-agent app, which handles device enrollments.

cmd12

WSO2 App Manager Configurations to Manage Applications in WSO2 EMM


Follow the steps given below to configure WSO2 App Manager for the EMM:


1. Open the carbon.xml file that is in the <EMM_HOME>/repository/conf directory.
2. Uncomment the HostName element and provide the server IP.
Default:

<!--HostName>www.wso2.org</HostName-->

An example after the configuration:

cmd 12

3. Uncomment the MgtHostName attribute and provide the server IP.

Default:

<!--MgtHostName>mgt.wso2.org</MgtHostName-->

An example after the configuration:

cmd13

4. Comment out the ServerURL element that is active by default and uncomment the one that is commented out by default, then configure the now-active ServerURL as follows:

a. Provide localhost as the value for ${carbon.local.ip}.
b. Provide the HTTPS port as the value for ${carbon.management.port}. By default, the port is 9443.
c. Remove ${carbon.context}.

By default:

<ServerURL>local:/${carbon.context}/services/</ServerURL>

<!--
<ServerURL>https://${carbon.local.ip}:${carbon.management.port}${carbon.context}/services/</ServerURL>
-->

An example after the configuration:

cmd 14

5. Restart the WSO2 EMM server

6. Log in to the WSO2 App Manager publisher to publish applications, or to the WSO2 App Manager store to install apps on mobile devices.

● Access the WSO2 App Manager publisher:

http://localhost:9763/publisher

https://localhost:9443/publisher

● Access WSO2 App Manager store:

http://localhost:9763/store/

https://localhost:9443/store
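Three of the settings above are the ones most often left at their defaults and most worth verifying before a server is exposed: the HTTPS redirection constraint in web.xml (General Server Configurations, step 3), the HTTPS host in the Jaggery app's config.json (Jaggery Apps Configurations, steps 2 and 4), and the uncommented HostName/MgtHostName in carbon.xml (App Manager Configurations, steps 2 and 3). The script below is an added example for this page, not a WSO2 tool: it checks those three files with sed and grep only. It assumes EMM_HOME is the extracted distribution with the files at the paths the article gives, and the constructed sample tree it builds when run without an argument is an illustration, not a real distribution.

```shell
#!/bin/sh
# Post-configuration check for the hardening settings described above. This is
# an added illustration, not a WSO2 tool. Assumptions: EMM_HOME is the
# extracted distribution, the files sit at the paths the article gives, and
# config.json's host value can be read with sed (so there is no jq dependency).

# Drop XML comments so a constraint that is still commented out does not count.
# Single-line comments go first; the remaining <!-- ... --> line ranges are deleted.
strip_comments() {
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1"
}

# HTTPS redirection: web.xml must declare an active CONFIDENTIAL transport guarantee.
check_https_redirect() {
    strip_comments "$1" | grep -q '<transport-guarantee>[[:space:]]*CONFIDENTIAL'
}

# Jaggery config.json: in production the generalConfig host must be an https://
# URL, otherwise enrolment traffic (and the credentials in it) travels in clear text.
check_https_host() {
    host=$(sed -n 's/.*"host"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    case "$host" in
        https://*) return 0 ;;
        *) echo "host is '$host', expected an https:// URL" >&2; return 1 ;;
    esac
}

# carbon.xml: the named element (HostName or MgtHostName) must be uncommented
# and no longer carry the wso2.org placeholder from the default file.
check_hostname() {
    active=$(strip_comments "$1" | grep "<$2>[^<]*</$2>") || return 1
    ! echo "$active" | grep -q 'wso2\.org'
}

# Run every check against one EMM_HOME; non-zero if any of them fails.
run_checks() {
    home="$1"; rc=0
    webxml="$home/repository/deployment/server/webapps/mdm-android-agent/WEB-INF/web.xml"
    cfg="$home/repository/deployment/server/jaggeryapps/emm/config/config.json"
    carbon="$home/repository/conf/carbon.xml"
    check_https_redirect "$webxml"       || { echo "FAIL: HTTPS redirection not active in $webxml"; rc=1; }
    check_https_host "$cfg"              || { echo "FAIL: host is not https in $cfg"; rc=1; }
    check_hostname "$carbon" HostName    || { echo "FAIL: HostName not set in $carbon"; rc=1; }
    check_hostname "$carbon" MgtHostName || { echo "FAIL: MgtHostName not set in $carbon"; rc=1; }
    return $rc
}

# Constructed sample tree, deliberately left mostly at defaults (only HostName
# is set), so the checks can be exercised offline. It is not a real distribution.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/repository/deployment/server/webapps/mdm-android-agent/WEB-INF" \
             "$root/repository/deployment/server/jaggeryapps/emm/config" "$root/repository/conf"
    printf '%s\n' '<web-app>' '<!--' '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' '-->' '</web-app>' \
        > "$root/repository/deployment/server/webapps/mdm-android-agent/WEB-INF/web.xml"
    printf '%s\n' '{ "generalConfig": { "host": "http://10.0.0.5:9763" } }' \
        > "$root/repository/deployment/server/jaggeryapps/emm/config/config.json"
    printf '%s\n' '<HostName>10.0.0.5</HostName>' '<!--MgtHostName>mgt.wso2.org</MgtHostName-->' \
        > "$root/repository/conf/carbon.xml"
}

# Usage: sh emm-check.sh <EMM_HOME>; with no argument the sample tree is checked,
# which is expected to report three failures.
if [ $# -gt 0 ]; then
    run_checks "$1"
else
    sample=$(mktemp -d)
    make_sample_tree "$sample"
    if run_checks "$sample"; then echo "sample tree: all checks passed"; else echo "sample tree: failures reported (expected)"; fi
    rm -rf "$sample"
fi
```

The comment stripping matters because the shipped web.xml carries the security-constraint inside an XML comment; a plain grep would report HTTPS redirection as enabled when it is not. The sed range heuristic assumes the comment delimiters sit on their own lines or on one line, which is how the WSO2 configuration files are laid out.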

SSO Configurations

Follow the steps given below to configure single sign-on (SSO) for EMM:

1. Enable SSO in the following configuration files, under the ssoConfiguration section:

config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory

store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory

publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory

cmd 15

2. Configure the Identity Provider (IdP) in the following configuration files, under the ssoConfiguration section.

For example, you can use the following steps to configure WSO2 Identity Server (IS) as an Identity Provider (IdP):

config.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config directory

store.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/store/config directory

publisher.json file, which is in the <EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory

cmd 16

By default, an Identity Provider (IdP) has been bundled with the EMM binary pack. If you wish to use this default IdP in EMM, modify the host/ip to the Server IP. If you wish to use your own IdP, modify the host/ip to your own IdP’s host in the following files:

3. Update the SSO-related IdP configurations in the sso-idp-config.xml file, which is in the <EMM_HOME>/repository/conf/identity directory, by changing all the entries that state localhost to your IdP's IP address or domain.

cmd 17
cmd 19

4. If you are running WSO2 EMM on a cluster setup or a virtual machine, you must configure the following fields under <SSOConfiguration> in the app-manager.xml file that is in the <EMM_HOME>/repository/conf directory:

IdentityProviderUrl
ProviderURL

By default, <EMM_HOST> is localhost. However, if you are using a public IP, the respective IP address or domain needs to be specified.

By default, <EMM_HTTPS_PORT> has been set to 9443. However, if the port offset has been incremented by n, the default port value needs to be incremented by n.

cmd 20

5. Enable authentication session persistence by uncommenting the following configuration in the <EMM_HOME>/repository/conf/identity/identity.xml file, under the Server and JDBCPersistenceManager elements.

cmd 21

Starting the Server

When starting WSO2 EMM, it is mandatory to have an active internet connection; otherwise, the devices will not be able to connect to EMM.

Follow the instructions below to start your WSO2 product based on the Operating System you use:

On Windows/Linux/Mac OS

To start the server, you run <EMM_HOME>/bin/wso2server.bat (on Windows) or <EMM_HOME>/bin/wso2server.sh (on Linux/Mac OS) from the command prompt as described below. Alternatively, you can install and run the server as a Windows or Linux service (see the related topics section at the end of this page).

1. Open a command prompt by following the instructions below:
● On Windows: Click Start -> Run, type cmd at the prompt, and then press Enter.
● On Linux/Mac OS: Establish an SSH connection to the server, log on to the text Linux console, or open a terminal window.

2. Navigate to the <EMM_HOME>/bin/ directory using the Command Prompt.

3. Execute one of the following commands:

● To start the server in a typical environment:
  On Windows: wso2server.bat --run
  On Linux/Mac OS: sh wso2server.sh
● To start the server in the background mode of Linux: sh wso2server.sh start
  To stop the server running in this mode, enter: sh wso2server.sh stop
● To provide access to the production environment without allowing any user group (including admin) to log into the Management Console:
  On Windows: wso2server.bat --run -DworkerNode
  On Linux/Mac OS: sh wso2server.sh -DworkerNode
● To check for additional options you can use with the startup commands, type -help after the command, for example: sh wso2server.sh -help (see the related topics section at the end of this page).

4. The operation log appears in the command window. When the product server has successfully started, the log displays the message “WSO2 Carbon started in ‘n’ seconds”.

Accessing the EMM Console

Once the server has started, you can access the EMM Consoles. You can also use the EMM Console on this computer or from any other computer connected to the Internet or LAN.

When these pages appear, the web browser will typically display an “insecure connection” message, which requires your confirmation before you can continue.

The EMM consoles are based on the HTTPS protocol, which is a combination of HTTP and SSL protocols. This protocol is generally used to encrypt the traffic from the client to server for security reasons. The certificate it works with is used for encryption only, and does not prove the server identity, so when you try to access these consoles, a warning of untrusted connection is usually displayed. To continue working with this certificate, some steps should be taken to “accept” the certificate before access to the site is permitted. If you are using the Mozilla Firefox browser, this usually occurs only on the first access to the server, after which the certificate is stored in the browser database and marked as trusted. However, with other browsers, the insecure connection warning might be displayed every time you access the server.

This scenario is suitable for testing purposes, or for running the program on the company’s internal networks. If you want to make these consoles available to external users, your organisation should obtain a certificate signed by a well-known certificate authority, which verifies that the server actually has the name it is accessed by and that this server belongs to the given organisation.

Signing into the EMM

1. Start the server and access the EMM Console.
https://<EMM_HOST>:<EMM_PORT>/emm

By default, <EMM_HOST>  is localhost. However, if you are using a public IP, the respective IP address or domain needs to be specified.

By default, <EMM_PORT> has been set to 9443 for HTTPS. However, if the port offset has been incremented by n, the default port value needs to be incremented by n.


2. Enter the username. The super tenant administrator has to use admin as the username, while an end user has to use the username given in the registration invitation email.

3. Enter the password. The super tenant administrator has to use admin as the password, while an end user has to use the default password given in the registration invitation email.

4. Click LOG IN. The EMM Console that appears depends on the permissions assigned to the user.
Example: The EMM console for an administrator.


Signing Out of the EMM

Click the user icon, and click LOG OUT.

Stopping the Server

To stop the server, press Ctrl+C in the command window.

Conclusion

With WSO2 EMM, device management is no longer a challenging task. When the installation and configuration steps are followed thoroughly, administrators can monitor, manage, audit, and secure corporate data on devices. WSO2 EMM is a single enterprise grade platform that attends to all mobile computing needs whether it is device configuration management, policy enforcement, app-management, device data security or compliance monitoring. With a generic device management framework that can be extended to support multiple device platforms as its backbone, WSO2 EMM’s rich architecture offers better scalability and supports horizontal and vertical scaling of associated components. We recommend the use of WSO2 EMM to all enterprises that want to be empowered in the development, integration, optimisation and protection of the applications and APIs that drive their businesses.

WSO2 IoT Server: A New Version of WSO2 EMM

WSO2 Enterprise Mobility Manager (WSO2 EMM) was created to offer a complete and secure enterprise mobility management solution. As of January 2017, significant updates to the server have made it possible for enterprises to not only carry out mobile device and app management, but to also gain access to IoT solutions. The WSO2 IoT Server builds upon and replaces WSO2 EMM by combining proven technology from WSO2 middleware already used in production IoT and mobile deployments with a new, highly extensible device management functionality. This is an important upgrade because of the increasing rate at which these technologies work together.

WSO2 IoT Server is a complete solution that helps device manufacturers and enterprises to connect and manage their devices, build apps, manage events, secure devices and data, and visualise sensor data in a scalable manner. Furthermore, it offers a complete and secure enterprise mobility management (EMM/MDM) solution that aims to address mobile computing challenges faced by enterprises today. It also widens the span of devices that can be managed out-of-the-box and extends the capability of writing one’s own device plugins. Its support for iOS, Android, and Windows devices helps organisations deal with both corporate owned, personally enabled (COPE) and employee-owned devices with the bring your own device (BYOD) concept.

Prabod Prasanga

About the Author

Prabod Prasanga is an Associate Software Engineer at Mitra Innovation, a technology company that specialises in product and company incubation, systems integration, and digital innovation and transformation. Find out how Prabod and the rest of the Mitra team can help with your WSO2 installation and configuration needs.