Basic MDM Server setup - iOS

I am trying to create an APNS certificate to set up a basic MDM server. I am following this link: http://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf
I have OS X Server 10.8 and an Apple developer account.
I have enabled APN using the Server application in Mac OS X Server. When I edit or try creating a new certificate it takes me to https://identity.apple.com/pweb/?r=1, where it requires a CSR signed by a third-party vendor, which I don't have.
So how can I create an APNS certificate from Mac OS X Server 10.8 without having an Enterprise account?

Not sure what you are trying to do here: are you trying to become a vendor, or are you a customer of a vendor?
If you are a customer, you don't need anything other than an Apple account. You could ask your vendor for instructions, more specifically for a Signed Certificate Signing Request (SCSR) from your vendor. Then upload this file to the URL that you provided to get an APNS push certificate.
But if you are trying to become a vendor or want to create your own MDM server, you will need to have an Enterprise account, and make sure the account has the MDM option selected when you first apply for it.
More information can be found in Apple's Mobile Device Management Protocol document:
http://adcdownload.apple.com//Documents/mobile_device_management_protocol/mobiledevicemanagement_121211.pdf

Related

How can I obtain a code signing certificate for iOS mobile config profiles

I am creating an iOS mobile config profile and I am pushing the mobile config profile via MDM. In my case I am not using a SCEP server for profile management. I simply create the mobile config profile using the "iPhone Configuration Utility" and use it for the mobile settings.
I have created a self-signed code signing certificate. Using my self-signed code signing certificate I signed the mobile config profiles as mentioned here. But for this I have to include my root certificate along with the profile.
I want to obtain a code signing certificate from a trusted vendor. What kind of code signing certificate do I need to purchase? If I purchase an Apple code signing certificate, will this help to sign mobile config profiles? Refer
Several notes:
"In my case I am not using a SCEP server for profile management."
A SCEP server isn't used for profile management. It's used for identity management. You use either a SCEP server or PKCS12 whenever you need to authenticate a device (for example for WiFi or VPN auth, or for MDM bootstrapping, explained here - http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html)
"I want to obtain a code signing certificate from a trusted vendor. What kind of code signing certificate do I need to purchase? If I purchase an Apple code signing certificate, will this help to sign mobile config profiles?"
As I remember, any SSL certificate will do. Quite often you both protect communication with your MDM server using it and sign all profiles using it. So there are no additional requirements for it (on top of the usual requirements for an SSL certificate).
Of course, you need to check whether the certificate authority which issues this certificate is preinstalled on iOS devices.
Take a look here: http://support.apple.com/kb/ht5012
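The signing step the question and answer talk about, as an added example with OpenSSL (this is not code from either post). A constructed private CA stands in for the issuer of a purchased certificate, and a minimal constructed profile stands in for a real one. The second verification, against an unrelated root, is what a device that does not have your root installed sees; that is the "include my root certificate" problem from the question, and it is why the answer's advice to pick an issuer already trusted by iOS matters. Assumes `openssl` is on PATH; all file names and subjects are made up for the example.

```shell
#!/bin/sh
# Added example (not from the post): sign a .mobileconfig with OpenSSL and
# check it the way a device does. Assumes `openssl` is on PATH. The CA, the
# signing certificate and the profile are all constructed here.
set -eu
WORK="$(mktemp -d)"

# Stand-in for the CA that issued your signing certificate, the signing
# certificate it issued, and an unrelated CA (a device that lacks your root
# trusts only roots like this one).
make_ca_and_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Profile Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mdm.example.test" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -CAcreateserial \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -in "$WORK/signer.csr" -out "$WORK/signer.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Constructed minimal profile; a real one carries a PayloadContent array.
write_profile() {
  cat > "$WORK/profile.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Example Profile</string>
  <key>PayloadIdentifier</key><string>test.example.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>3B5C1F2A-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Sign: iOS wants a DER-encoded, non-detached CMS/PKCS#7 signature wrapping
# the plist. -certfile carries the issuing chain (this is where a purchased
# certificate's intermediate goes). Shipping the root inside the profile does
# not make it trusted; the device must already trust that root.
sign_profile() {
  openssl smime -sign -binary -nodetach -outform der \
    -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
    -certfile "$WORK/ca.crt" \
    -in "$WORK/profile.mobileconfig" -out "$WORK/profile.signed.mobileconfig"
}

# Verify against a given trust anchor ($1). Exit status 0 is "Verified",
# which a device shows only when the chain ends at a root it trusts.
verify_profile() {
  openssl smime -verify -binary -inform der -CAfile "$1" \
    -in "$WORK/profile.signed.mobileconfig" \
    -out "$WORK/profile.verified.mobileconfig" >/dev/null 2>&1
}

make_ca_and_signer
write_profile
sign_profile
verify_profile "$WORK/ca.crt"    && echo "our root trusted:   Verified"
verify_profile "$WORK/other.crt" || echo "unrelated root only: Not Verified"
```

With a purchased certificate you drop `make_ca_and_signer`, point `-signer`/`-inkey` at the purchased pair and `-certfile` at the CA's intermediate bundle; the verification against an unrelated root then succeeds or fails depending on whether that CA's root is in the device's trust store, which is the check the answer tells you to do first.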

Certificate stuff in iOS MDM operation

Now I'm trying to make an MDM server which manages iOS devices using APNS push notifications.
So far I have gone over a number of Apple's official documents about configuration profiles, the MDM protocol, APNS push, etc.
But some of the steps necessary for the full MDM flow I can't figure out clearly.
1. The APNS certificate which the MDM server has to use for push notifications
Who (vendor or customer?) creates the CSR, and who (vendor or customer?) generates the APNS certificate by uploading the CSR to the Apple Push portal?
(What the Apple document says and what Google says do not match each other..)
2. The identity certificate which has to be contained in the configuration profile
How do I create the identity certificate, and where?
How do I include it in the configuration profile using iPCU?
Searching the web I could see quite a lot of information about these, but not all of it gives a consistent answer, so I got to feel more dizzy. :-(
Any piece of help/information will be appreciated.
Thanks.. :-)
I have some basic points on how to generate an MDM certificate.
The MDM certificate is used to manage the enrolled device.
The policies will work over the air (APNS).
The server-client communication will happen through APNS.
I am going to answer your questions below.
Q: APNS certificate which the MDM server has to use for push notifications:
A: In order to manage the iOS device you need to install the profile on the server.
First of all you need to create the CSR on your server using IIS Manager.
After generating the CSR file you need to get it signed by a third-party vendor; then you will get the .SCSR file. Here the vendor will sign your CSR using a private key.
Once you have the .SCSR you need to upload the file to the Apple Push Certificates site.
After uploading the SCSR file you will get the .PEM file.
Once you have the .PEM file you need to complete the request using IIS Manager.
Your certificate will be visible in the certificate list. Right-click on the certificate and export it with a password.
Here, customer means whoever is creating the CSR; vendor means whoever is signing the certificate.
Feel free to ask questions if you are not clear.
I have prepared some basic steps for you to configure push notifications as follows:
Go to developer.apple.com
Check with Member Center
Navigate to the iOS Provisioning Portal
Check if the App ID exists
Create a new App ID
Select the created app (Configure)
Enable push notification in the app
Generate a CSR as the Mac user with the Keychain Access app (give account credentials)
Upload the CSR and generate
Download the production certificate
Give this to the Mac user again to generate the p12 file
Under Provisioning go to Distribution
Create a new Distribution profile
Profile name is "APP name (space) Dist"
Hope this will help you.. Please feel free to ask if anything is not clear to you.
You can't find much info regarding this. But I will tell you: use iPCU for creating config profiles. Use a server for sending these config profiles as a response.
Use a separate server for the CA and issuing authority.
You (vendor/customer) have to create an APNS certificate and you have to use it in the server for sending push notifications.
Let me know whether you have found a breakthrough or are still stuck somewhere.

iOS development certificate and provisioning profile, possible without internet on the Mac?

I have enrolled in the iOS Developer Program. I've developed an app which I would like to test on an iPad device. For security reasons, I cannot have a direct internet connection on the Mac I am developing on.
I understand I can generate the certificate signing request and transfer it to another computer (this computer can have an internet connection), then upload it to the Apple website. This is where the tricky part comes: the developer certificate will be pending until I download the WWDR intermediate certificate and install it on the Mac without internet. Then after I refresh the page nothing happens, of course, because the Mac on which I registered the WWDR has no way of communicating with Apple.
Is there another way of obtaining this certificate, or is there a method I could use, other than connecting the Mac to the internet?
To overcome this problem, you need to share certificates between multiple devices. You can easily export certificates from /Applications/Utilities/Keychain Access in .p12 format and install them on the other computer, and after that you can sync all provisioning, Ad Hoc and App Store profiles.
You can follow this tutorial and these links for a step-by-step process.

AppleWWDRCA certificate needed *at all* for OpenSSL signing?

Does the AppleWWDRCA.cer have any bearing on developing certificates using OpenSSL? If so, what? If not, what is its use?
Edit:
I am using Windows. I do not need an answer concerning Mac development.
So far, using OpenSSL, I have created development apps (signed, and with certificates), ad hoc apps for multiple developers (signed, and with certificates), and they all have worked just fine. This is (probably) only a question about whether it is needed to put an app in Apple's App Store.
No, the WWDR certificate is only used to authorize your app for selling/integrating on the Apple App Store.
Public OpenSSL certificates are (generally) given to your application from an outside Certificate Authority and used by your users to authenticate your application (prove that your application is indeed what it claims to be) and encrypt the data they send in an SSL connection. These can be generated entirely independently of your WWDR certificate.

MDM server setup

I am trying to develop an enterprise application which needs to list all the installed applications on an iPhone and to delete some selected applications on the device from my application. I found that this is possible only by using an MDM server. I searched a lot for an exact document regarding this. It would be great if anyone could clarify my following doubts:
1. Steps and configurations to set up an MDM server and make the server communicate with the device
2. Steps to do on the client side
Thanks in advance.
To configure your MDM server you need to follow the steps below:
1. You need to enroll in the iOS Developer Enterprise Program.
2. Get a signed Certificate Signing Request (CSR) from your MDM vendor.
3. Once you have a signed CSR from your vendor, visit identity.apple.com/pushcert and sign in with a verified Apple ID.
4. Click "Create a Certificate" and agree to the Terms of Use.
5. Select your signed CSR and click Upload. After a moment, your certificate will be available for download.
6. This certificate can now be uploaded to your MDM server for use with the Apple Push Notification service.
7. In your MDM server you need to implement your Profile Manager, implement your push server and add the SCEP stack.
Among the MDM capabilities there is a remote wipe feature, so you can wipe the device data remotely.
You can find all the MDM capabilities listed in this PDF; refer to it.
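The CSR-to-signed-CSR handoff that steps 2 and 3 above, the first question's reply (customer vs. vendor) and the "Certificate stuff" answer (CSR, .SCSR, upload, .PEM) all describe, reconstructed as one added example with OpenSSL; it is not code from any of the posts. The vendor key and certificate are constructed self-signed stand-ins for the MDM CSR signing identity Apple issues to a vendor's Enterprise account; the plist key names and the SHA-1/RSA signature follow Apple's vendor CSR signing document as I recall it, and whether the CSR field takes the PEM bytes (as here) or the DER must be confirmed against the current document before using this for real. What the example does show without qualification is the split the questions keep asking about: the customer generates and keeps the push private key and hands over only a CSR; the vendor's private key signs that CSR; the artifact the customer uploads contains the CSR, the vendor chain and the signature, and never the customer's key. Assumes `openssl` on PATH; file names and subjects are made up.

```shell
#!/bin/sh
# Added example (not from any of the posts): the customer/vendor split behind
# a "signed CSR" (.scsr) for an MDM push certificate. Assumes `openssl` on
# PATH. The vendor key/cert are constructed self-signed stand-ins for the
# MDM CSR signing identity Apple issues to a vendor's Enterprise account.
set -eu
WORK="$(mktemp -d)"

# Customer: the push private key is generated on the MDM server and never
# leaves it. Only the CSR is sent to the vendor.
customer_make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=APSP push certificate request/O=Example Customer" \
    -keyout "$WORK/push.key" -out "$WORK/push.csr" 2>/dev/null
}

# Vendor: stand-in identity. In reality this is the vendor's Apple-issued
# "MDM CSR" certificate, and the chain also carries the WWDR intermediate
# and the Apple root.
vendor_make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example MDM Vendor" \
    -keyout "$WORK/vendor.key" -out "$WORK/vendor.crt" 2>/dev/null
  openssl x509 -in "$WORK/vendor.crt" -pubkey -noout > "$WORK/vendor.pub"
}

# Vendor signs the customer's CSR bytes with the vendor private key
# ($1 = CSR file, $2 = signature output). SHA-1 with RSA PKCS#1 v1.5 is
# what I recall Apple's vendor CSR signing document specifying; confirm it.
vendor_sign_csr() {
  openssl dgst -sha1 -sign "$WORK/vendor.key" -out "$2" "$1"
}

# Anyone holding the vendor's public key (Apple's portal, or you, locally)
# can check that the signature covers exactly this CSR and nothing else.
verify_csr_signature() {
  openssl dgst -sha1 -verify "$WORK/vendor.pub" -signature "$2" "$1" >/dev/null 2>&1
}

b64() { openssl base64 -A -in "$1"; }   # single-line base64 of a file

# Vendor assembles the plist the customer uploads at identity.apple.com/pushcert.
# Key names follow Apple's vendor CSR signing document as I recall it; whether
# the CSR field takes PEM (as here) or DER bytes should be checked there too.
vendor_build_scsr() {
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '  <key>PushCertRequestCSR</key>\n  <string>%s</string>\n' "$(b64 "$WORK/push.csr")"
    printf '  <key>PushCertCertificateChain</key>\n  <string>%s</string>\n' "$(cat "$WORK/vendor.crt")"
    printf '  <key>PushCertSignature</key>\n  <string>%s</string>\n' "$(b64 "$WORK/push.csr.sig")"
    printf '</dict>\n</plist>\n'
  } > "$WORK/scsr.plist"
  # The .scsr handed to Apple is the base64 of that plist.
  openssl base64 -A -in "$WORK/scsr.plist" -out "$WORK/push.scsr"
}

# The property a customer should care about: the vendor's output carries the
# CSR, the vendor chain and the signature, but never the customer's private key.
scsr_leaks_private_key() {
  grep -q 'PRIVATE KEY' "$WORK/scsr.plist"
}

customer_make_csr
vendor_make_identity
vendor_sign_csr "$WORK/push.csr" "$WORK/push.csr.sig"
vendor_build_scsr
verify_csr_signature "$WORK/push.csr" "$WORK/push.csr.sig" && echo "vendor signature over CSR: OK"
scsr_leaks_private_key || echo "customer private key inside .scsr: no"
```

Apple's portal does the equivalent of `verify_csr_signature` with the vendor certificate from the chain, then issues the push certificate for the public key in the CSR; that is why the returned .PEM only becomes usable on the server that still holds `push.key`, and why a vendor can sign for many customers without ever seeing their keys.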

Resources