We have an app that is normally used with login + password.
But when we want to deploy this app to a customer who has AirWatch (which we can handle things through via their API), what would be the way to push individual credentials to the mobile devices through the AirWatch integration?
Or can I push the app to the iOS devices with pre-configured individual credentials through AirWatch?
The Apple EMM features seem to cover this topic, but they don't have examples of how to do this without the help of an MDM.
You can achieve this by using App Config. Simply put the following lines of code in your iOS application and push the app through MDM, defining the same key and value in the app config section of the app publishing:
Objective-C:
NSString *value = [[[NSUserDefaults standardUserDefaults] dictionaryForKey:@"com.apple.configuration.managed"] objectForKey:@"key"];
Swift:
let value = UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed")?["key"]
Here is what I have done to make it work with AirWatch. This concept uses the "App Configuration" mechanism provided by Apple's MDM protocol.
Log in to the AirWatch Console
Click the "Apps & Books" section
Click "List View" under the "Application" tab
Here we have to add the application which needs the custom info (in your case it is credentials). It allows you to add both App Store apps as well as internal (enterprise-profile-signed) apps.
Click on the application which we just added
Look for the option "Assign"; this is like an app-delivery configuration profile.
If you don't have one already, create one with whatever config details you need
In our context we need to enable the "Application Configuration" tab, which will enable us to enter key-value pairs. Here we can enter any custom key-value pair parameters.
Then click Add, then Save and Publish.
Now the app should receive these custom key-value pairs in the com.apple.configuration.managed dictionary in NSUserDefaults.
AppConfig is definitely the way to go if you want to push individual configuration parameters (like username / password) to an app distributed and managed by AirWatch.
You can also consider certificate-based authentication (CBA) in which case the App would present a client authentication certificate to your backend web service instead of username / password. Pushing a certificate down to an App via EMM requires the integration of your vendor's (AirWatch) SDK. There is something called Application Profile you might want to research about if you decide to go down that route.
Let me know if you want to know more about CBA in mobile Apps and how to manage the certificates.
Mr Gosh, See the ACE program. You may find guidance there. All apps loaded in Airwatch for distribution can send configuration data. To what extent I'm unsure. http://appconfigforenterprise.org/
The program is multi vendor, and meant to be a clearing house for standardizing app config with MDMs. I hope this helps.
I have a custom app on the App Store. I will assign it to a client's Apple Business Manager account. Does that client have the ability to send configuration changes (for instance if they want to change a URL that the app is connecting to) through their existing MDM to my custom app? Would there be any other setup I would have to do in my custom app besides reading the iOS UserDefaults that the MDM server sets? Thanks in advance.
If the client's MDM supports AppConfig then it can supply an XML file that contains specific settings. The contents of this XML file are merged with UserDefaults for your app on the device and your app can access them at runtime.
You need to create the logic in your app so that it uses these values when present and standard values if they are not.
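The following is an added example (not code from either answer above, nor from AirWatch or Apple) showing the app side of both the AirWatch key-value steps and the "use these values when present and standard values if they are not" advice: a small wrapper that reads the com.apple.configuration.managed dictionary, falls back to built-in defaults for missing keys, and reacts when the MDM changes the configuration while the app is running. The key names "serverURL", "username" and "password" are assumptions and must match whatever is entered in the MDM console.

```swift
import Foundation

/// Reads MDM-supplied Managed App Configuration with fallback defaults.
/// Added example; the key names used below are assumptions.
final class ManagedAppConfig {
    /// Key under which iOS exposes the MDM-supplied dictionary in UserDefaults.
    static let managedKey = "com.apple.configuration.managed"

    /// Built-in values used when the MDM supplies nothing for a key.
    private let defaults: [String: Any]
    private let store: UserDefaults
    private var observer: NSObjectProtocol?

    /// Called on the main queue whenever the managed dictionary changes.
    var onChange: (([String: Any]) -> Void)?

    init(defaults: [String: Any], store: UserDefaults = .standard) {
        self.defaults = defaults
        self.store = store
        // UserDefaults.didChangeNotification also fires when the MDM merges a
        // new configuration (this is what Apple's ManagedConfig sample observes).
        // It fires for the app's own writes too, so handlers must be idempotent.
        observer = NotificationCenter.default.addObserver(
            forName: UserDefaults.didChangeNotification,
            object: store, queue: .main) { [weak self] _ in
            guard let self = self else { return }
            self.onChange?(self.current())
        }
    }

    deinit {
        if let observer = observer {
            NotificationCenter.default.removeObserver(observer)
        }
    }

    /// The raw managed dictionary, or an empty one if no MDM has set it.
    func current() -> [String: Any] {
        return store.dictionary(forKey: ManagedAppConfig.managedKey) ?? [:]
    }

    /// Managed value for `key` if present and of type `T`, else the built-in
    /// default, else nil. Type is inferred from the call site.
    func value<T>(_ key: String, as type: T.Type = T.self) -> T? {
        if let managed = current()[key] as? T {
            return managed
        }
        return defaults[key] as? T
    }

    /// Server URL with the default applied and parsed; nil if neither is usable.
    func serverURL() -> URL? {
        guard let raw: String = value("serverURL") else { return nil }
        return URL(string: raw)
    }
}

// Usage (e.g. at launch). Credentials pushed via AppConfig sit in UserDefaults
// in clear text, so use them as bootstrap data: exchange them for a session
// token or move them to the Keychain rather than reading them on every request.
let config = ManagedAppConfig(defaults: [
    "serverURL": "https://api.example.com"   // constructed default for this example
])
config.onChange = { managed in
    print("Managed configuration changed, keys now: \(managed.keys.sorted())")
}
if let url = config.serverURL(),
   let user: String = config.value("username"),
   let password: String = config.value("password") {
    print("Connecting to \(url) as \(user) (password length \(password.count))")
} else {
    print("No MDM credentials present; falling back to the interactive login")
}
```

If the MDM pushes a new dictionary after launch, the observer closure runs and the app can reconnect with the new values instead of requiring a restart.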
I’m creating an App ID for a Notification Service Extension
Do I need to add any capabilities to it?
Its only purpose is to download the image for the notification. I don’t think I need to.
Currently I'm able to build into my device without enabling any capabilities in Xcode. Although when I look into the provisioning profile that Xcode built itself, I see Keychain Sharing enabled.
I also saw this tutorial and the tutorial goes with enabling 'App Groups'.
While this other tutorial goes with enabling App Groups along with Push notification. I don't think I need App groups because I don't need to pass any values, just updating the notification is all I need.
I didn't find anything in the docs that mentions what the correct approach is. A friend told me he got his to work without enabling anything, so I'm very confused.
Basically, you don't need any capability for a notification service extension.
Several of my applications work without any capability.
One of them uses an app group. I need to enable it to share the log files of the main application, then load them from the notification service and push them to the server side when it receives a silent push.
A few of them need keychain sharing, so that I can get the key to communicate securely with the server side from the notification service.
I have a requirement to remove all API keys and app secrets from the source code of the app we are building. Ideally the keys and app secrets should be sent to the app out of band as a configuration file, through an MDM solution.
Is this possible, and if so how? If not, what is the recommended approach to store this kind of information, such that it cannot be viewed in the source or extracted from the binary?
EDIT: Update
It is possible to send NSUserDefaults to the app via the MDM solution using Managed App Configuration. However, NSUserDefaults is not secure; it is easily viewed and modified by a casual user.
My plan is to encrypt the NSUserDefaults to prevent this using the common crypto library included in iOS. Is this the best approach to this problem? Should I also be sending a certificate as part of the MDM config?
Any thoughts, comments, and recommendations appreciated before I go too far down this route.
I know it's been a while, but I recently looked into this (not for an MDM application). I don't have any experience with MDM and that may have another solution. The route I chose to go was using CloudKit. It's a 1st party solution, always available whether the user is logged in to iCloud or not and you communicate securely with Apple's servers and only your App can access these keys.
Also depending how you set it up you can easily rotate out keys.
See more info here
I am trying to implement SSL mutual authentication in an iOS app.
In most of the examples that I have seen, the client certificate is bundled with the application package. But in my case, I need to load the client certificate remotely (i.e, from a link or via email).
If I try to load a certificate from an external source (i.e, mail app), it navigates to settings app and install it to the apple's keychain. So this certificate is not accessible with my app.
So can anyone please suggest an idea for this?
I built a system like this in our internal iPad app.
Forget the Settings app, profiles, etc. All certificates installed in this way are inaccessible to third-party apps and only available to the system apps, probably because they are installed into Apple's keychain.
I have explored these three methods to load the certificate and used the last one:
Bundle it into the app, which, as you have already seen, is impractical
Send a file from another app (e.g. email)
Use a link to download (what I did)
FOREWORD
I think you have built your own PKI-like setup, with a CA, an automatic/manual way to issue/revoke certificates, etc.
So the problem is the delivery to devices.
For all the solutions I suggest saving the private key and cert in PKCS #12 format with a strong password.
Use an MDM to manage the devices, and if your app is internal and will be used with the company's devices, supervise them for added options
(e.g. Meraki, which is free but does not handle ManagedAppConfiguration)
SOLUTIONS
Solution 1)
Impractical because it is very hard (to impossible) to generate different versions of the app with specific certificates. Not to mention that it will be nearly impossible to handle the distribution of a specific version to every single device of the users.
Solution 2)
Save the .p12 file
Change the file extension to a custom one
Register that extension to open with your app, so your app will be listed in "Open in..."
"Open in" for specific document type
The safest way would be that the user can select the password to encrypt the .p12 file, so when the .p12 is opened the user must enter his password, but this leads to more work to make it work.
A less safe but working method is to use a single strong password embedded in the app and use that for all .p12 files
Solution 3)
Similar to 2), but you download the file directly from a specific URI of your web application; this allows some automatic configuration because the app can identify itself.
Basically these are the steps:
the app connects to a specific URL of our application via HTTPS.
checks that the server certificate is correct (trusted origin).
sends something to authenticate.
In our case I use the device name that I set up during device preparation, and I can change it remotely using MDM.
downloads the configuration bundle with the certificate in it
I use a JSON payload to send the PKCS #12 file base64 encoded and other data to configure the app.
If your MDM supports ManagedAppConfiguration you can change these operations a bit to build more flexible behavior:
With ManagedAppConfiguration you can send a specific string into every app's NSUserDefaults remotely, so you can use different or temporary URLs/tokens to download the config bundle and completely ditch the use of device names for authentication.
WWDC 2014 #704 - Building Apps for Enterprise and Education ~13:00
Apple Developer - ManagedConfig Sample App
ADDED PARANOIA
Log everything! Everything that this part of the app does (failed/wrong requests, requests for non-existent device names, etc.)
The configuration URL is activated/deactivated only when we need to configure new devices.
You can do this in a lot of ways; my webapp checks for the presence of a specific file, so I can do something like touch APP_CERTIFICATES_CONFIG_ENABLED to activate the auto-configuration service and disable everything by deleting the file.
Just to be sure that no certificate will go around without my supervision.
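As an added example (not the answer author's code, nor Apple's), here is a client-side sketch of Solution 3 that follows the steps listed above: connect to the configuration URL over HTTPS, verify the server certificate against a pin, identify the device with a token taken from ManagedAppConfiguration, download the JSON bundle with the base64-encoded PKCS #12, import the identity into the app's own keychain (where a profile-installed certificate would not be reachable), and then use that identity to answer client-certificate challenges. The URL, the JSON field names, the "enrollmentToken" managed key, the "X-Device-Token" header, the keychain label and the pinned hash are all assumptions for this example; SecTrustCopyCertificateChain requires iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

// Constructed shape of the JSON bundle the web application returns (field names assumed).
struct ConfigBundle: Decodable {
    let p12: String          // PKCS #12 (private key + cert), base64 encoded
    let p12Password: String  // password protecting the PKCS #12
    let apiBase: String      // base URL the app talks to once configured
}

enum ConfigError: Error { case noIdentity, badBundle(String), http(Int), importFailed(OSStatus) }

// SHA-256 of the DER server certificate of the configuration endpoint.
// PLACEHOLDER: replace with the real pin; an all-zero pin rejects every server.
let pinnedServerCertSHA256 = String(repeating: "0", count: 64)

// Per-device token pushed by the MDM via ManagedAppConfiguration (key name assumed).
// The answer's alternative is the device name set during preparation; with neither, refuse.
func deviceIdentity() -> String? {
    let managed = UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed")
    return managed?["enrollmentToken"] as? String
}

// Full X.509 evaluation first (chain, expiry, hostname), then compare the leaf to the pin.
func serverTrustMatchesPin(_ trust: SecTrust) -> Bool {
    var error: CFError?
    guard SecTrustEvaluateWithError(trust, &error),
          let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
          let leaf = chain.first else { return false }
    let der = SecCertificateCopyData(leaf) as Data
    let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
    return digest == pinnedServerCertSHA256
}

// Decode the PKCS #12 and add the identity to this app's keychain so it survives restarts.
func importIdentity(p12Base64: String, password: String) throws -> SecIdentity {
    guard let p12 = Data(base64Encoded: p12Base64) else { throw ConfigError.badBundle("p12 is not base64") }
    var items: CFArray?
    let status = SecPKCS12Import(p12 as CFData,
                                 [kSecImportExportPassphrase as String: password] as CFDictionary, &items)
    guard status == errSecSuccess,
          let first = (items as? [[String: Any]])?.first,
          let anyIdentity = first[kSecImportItemIdentity as String] else { throw ConfigError.importFailed(status) }
    let identity = anyIdentity as! SecIdentity
    let add: [String: Any] = [kSecValueRef as String: identity,
                              kSecAttrLabel as String: "client-identity"]   // label assumed
    let addStatus = SecItemAdd(add as CFDictionary, nil)
    guard addStatus == errSecSuccess || addStatus == errSecDuplicateItem else { throw ConfigError.importFailed(addStatus) }
    return identity
}

// Handles both halves of mutual TLS: pins the server and presents the client identity.
final class MutualTLSDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity?
    init(identity: SecIdentity?) { self.identity = identity }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        switch space.authenticationMethod {
        case NSURLAuthenticationMethodServerTrust:
            guard let trust = space.serverTrust, serverTrustMatchesPin(trust) else {
                completionHandler(.cancelAuthenticationChallenge, nil); return
            }
            completionHandler(.useCredential, URLCredential(trust: trust))
        case NSURLAuthenticationMethodClientCertificate:
            guard let identity = identity else { completionHandler(.performDefaultHandling, nil); return }
            completionHandler(.useCredential, URLCredential(identity: identity, certificates: nil, persistence: .forSession))
        default:
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// The step flow from the answer: pinned HTTPS fetch, device authentication, bundle
// download, certificate install, then a session that carries the client identity.
func configureDevice(configURL: URL, completion: @escaping (Result<(ConfigBundle, URLSession), Error>) -> Void) {
    guard let token = deviceIdentity() else { return completion(.failure(ConfigError.noIdentity)) }
    var request = URLRequest(url: configURL)
    request.setValue(token, forHTTPHeaderField: "X-Device-Token")   // header name assumed
    let bootstrap = URLSession(configuration: .ephemeral, delegate: MutualTLSDelegate(identity: nil), delegateQueue: nil)
    bootstrap.dataTask(with: request) { data, response, error in
        if let error = error { return completion(.failure(error)) }
        let code = (response as? HTTPURLResponse)?.statusCode ?? -1
        guard code == 200, let data = data else { return completion(.failure(ConfigError.http(code))) }
        do {
            let bundle = try JSONDecoder().decode(ConfigBundle.self, from: data)
            let identity = try importIdentity(p12Base64: bundle.p12, password: bundle.p12Password)
            let session = URLSession(configuration: .default, delegate: MutualTLSDelegate(identity: identity), delegateQueue: nil)
            completion(.success((bundle, session)))
        } catch {
            completion(.failure(error))
        }
    }.resume()
}

// Usage: URL assumed. Server side, the answer keeps this endpoint disabled except while enrolling.
configureDevice(configURL: URL(string: "https://config.example.com/api/device-config")!) { result in
    switch result {
    case .success((let bundle, _)): print("Configured; API base is \(bundle.apiBase)")
    case .failure(let error):       print("Configuration refused: \(error)")
    }
}
```

The bootstrap session deliberately has no client identity yet, so the configuration endpoint must authenticate the device by the token alone; every later request goes through the returned session, which answers the server's client-certificate challenge with the imported identity. Pinning failures and missing tokens are reported as errors rather than silently falling back, which matches the "log everything" advice above.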
I am developing an application which is going to be branded for different clients. For some clients I will release the application myself using my developer account at Apple, but some clients want to release the application using their own developer account.
Of course they can create an account for me which I can build the application with, or I could give them the source code of my application and let them do it themselves.
BUT, what if I want to do neither of those solutions? Is there some way that I could build the application on my computer for the client, maybe with a bundle identifier that doesn't exist yet (e.g. com.somecompany.appName)?
I am skeptical about "giving" away my source code to the client.
How can I share my app with the client without sharing the source code?
If the client has an Intel Mac and an iOS developer account, then one common way to do this is to put your app's code mostly inside a static shared library, with a few pages of wrapper code to start it. Then give the client an Xcode project containing the library object code (of your "secret" ingredients) plus the public wrapper source code. The client can launch Xcode, select their Distribution provision, hit build, then submit the results.
This technique optionally also allows the client to modify icons, appIDs, etc., but still not see the source to your shared library.
Why don't you use the login provided by your client to do it yourself without giving away your source code? Or just request a distribution cert and send a zip back to your client.
It helps to have all your information ready. Appstore Submitting Template I use. http://loughnanedevelopment.blogspot.com/2010/08/app-store-submitting-template.html