Configuration Profile with MDM Payload not getting installed using IPCU - ios

Does anybody know how to set the "Identity" of the Mobile Device Management (MDM) payload of a Configuration Profile from iPhone Configuration Utility (iPCU)?
I get many certificates from Apple.com (aps_ssl_production and ios_distribution), but I don't know how to install the MDM Payload.

You can add in a p12 file/certificate as a 'Credential' in iPCU and pick this from the list in the MDM view. You do not have to use SCEP to do this.

Use SCEP Settings to provide instructions for the device to obtain the certificate using SCEP, as mentioned in FA_iPhone_Configuration_Utility_Introduction.
So first configure SCEP using iPCU, then configure Mobile Device Management, then create the config profile and try to install that config on the iOS device.
While configuring, make sure there is no invalid entry for any field and no red icon for any field.
Edit:
For a small number of devices there is no need to use SCEP. You can go through this link for more detail.

Related

How to use installed SSL certificate to secure iOS app?

I am trying to secure an iOS app by checking whether the installed SSL certificate exists or not. First I created a self-signed certificate with OpenSSL, and then installed it on my iPhone. Right now I need to programmatically check whether this certificate is installed or not. If it exists, the app can run without limit; if not, the user won't be able to use the app. So how do I programmatically check whether this device is installed or not in my app code?
Why do we need to install SSL certificate on our iOS devices?
Users can install digital identities (certificates plus their
associated private keys) onto their iOS devices by downloading them
from within Safari, by opening them as email attachments, and by
installing them with configuration profiles. Or, identities can be
pushed from a Mobile Device Management (MDM) server. However,
identities installed in any of these ways are added to the Apple
keychain access group.
Refer below links for more info.
https://forums.developer.apple.com/thread/52345
https://developer.apple.com/library/archive/qa/qa1745/_index.html

How can i obtain code signing certificate for iOS mobile config profiles

I am creating an iOS mobile config profile and I am pushing the mobile config profile via MDM. In my case I am not using a SCEP server for profile management. I simply create the mobile config profile using "iPhone configuration utility" and use the same for mobile settings.
I have created a self-signed code signing certificate. Using my self-signed code signing certificate I signed the mobile config profiles as mentioned here. But for this I have to include my root certificate along with the profile.
I want to obtain a code signing certificate from a trusted vendor. What kind of code signing certificate should I purchase? If I purchase an Apple code signing certificate, will this help to sign mobile config profiles? Refer
Several notes:
In my case I am not using a SCEP server for profile management.
A SCEP server isn't used for profile management. It's used for identity management. You use either a SCEP server or PKCS12 whenever you need to authenticate a device (for example for Wi-Fi or VPN auth, or for MDM bootstrapping as explained here - http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html)
I want to obtain a code signing certificate from a trusted vendor. What
kind of code signing certificate should I purchase? If I purchase an
Apple code signing certificate, will this help to sign mobile config
profiles?
As I remember you need any SSL certificate. Quite often you both protect communication with your MDM server using it and sign all profiles using it. So, there are no additional requirements for it (on top of usual requirements for SSL certificate).
Surely, you need to check whether the certificate of the authority which issues this certificate is preinstalled on iOS devices.
Take a look here: http://support.apple.com/kb/ht5012

Certificate stuff in iOS MDM operation

Now I'm trying to make an MDM server which manages iOS devices using APNS push notifications.
So far I have gone over a number of Apple's official documents about configuration profiles, the MDM protocol, APNS push, etc.
But I can't clearly figure out some of the steps necessary for the full MDM flow.
APNS certificate which the MDM server has to use for push notification
Who (vendor or customer?) creates the CSR and who (vendor or customer?) generates the APNS certificate by uploading the CSR in the Apple Push Portal?
(What the Apple document says and what Google says do not match each other.)
Identity certificate which has to be contained in the Configuration Profile
How do I create the identity certificate, and where?
How do I include it in the Configuration Profile using iPCU?
Searching the web I could see quite a lot of information about these, but not all of it gives a consistent answer, so I feel even more dizzy. :-(
Any piece of help/information will be appreciated.
Thanks.. :-)
I have some basic points in order to generate a MDM certificate.
The MDM certificate is used to manage the enrolled device.
The policies will work over the air (APNS).
The server-client communication will happen through APNS.
I am going to answer your questions below.
Q: APNS certificate which the MDM server has to use for push notification:
A: In order to manage the iOS device you need to install the profile in server.
First of all you need to create the CSR on your server using IIS Manager.
After generating the CSR file you need to get it signed by any third-party vendor; then you will get the .SCSR file. Here the vendor will sign your CSR using a private key.
Once you have the .SCSR you need to upload the file to the Apple push cert site.
After uploading the SCSR file you will get the .PEM file.
Once you have the .PEM file you need to complete the request using IIS Manager.
Your certificate will be visible in the certificate list. Right-click on the certificate and export it with a password.
Here the customer means whoever is creating the CSR. Vendor means whoever is signing the certificate.
Feel free to ask the questions if you are not clear.
I have prepared some basic steps for you to configure Push notification as follows :
Go to Developer.apple.com
Check with Member Centre
Navigate to iOS provisioning portal
Check if app ID exists
Create new app ID
Select created app (configure)
Enable push notification and in app
CSR from Apple Mac user with Keychain app (give account creds)
Enter CSR and generate
Download production certificate
Give this to Mac user again to generate p12 file
Provisioning: go to distribution
Create New Distribution profile
Profile name is “APP name (space) Dist”
Hope this will help you.. Please feel free to ask if anything is not clear to you.
You can't much info regarding this. But I will tell you, use iPCU for creating config profiles. Use a server for sending these config profiles as a response.
Use a separate server for the CA and the issuing authority.
You (vendor/customer) have to create an APNS certificate and you have to use it on the server for sending push notifications.
Let me know whether you have found a breakthrough or are still stuck somewhere.

The identity certificate for mdm profile could not be found

I was trying to develop a MDM solution for iOS and I would like to test MDM with both methods of distributing device identity via PKCS12 and SCEP. Currently I am doing it using PKCS12, so here is what I am doing:
Send a Profile Service profile to the device asking its device id, IMEI, Version etc.
Device responds with the requested attribute - signed using the Apple Provided Certificate.
I now issue a PKCS12 certificate to the device using the credentials payload.
Device responds again with its attributes - this time signed using the above certificate.
I deliver an MDM payload setting the IdentityCertificateUUID to the payload UUID of the certificate issued in step 3.
I get "profile could not be installed". Upon examining the logs, I found the error: The identity certificate for mdm profile com.mdm.xyz could not be found.
If at Step 5 I issue the MDM profile with a new certificate included in the payload, everything works. I am not sure if this is the right way to issue another certificate. I was thinking to utilize the same certificate issued at Step 3.
I think I am doing something wrong here and this may not be the correct way. Any help would be much appreciated. Thanks.
You can pass in step 5 the same certificate that you use in step 3. In such case MDM profile is installed successfully.
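The check behind the "identity certificate ... could not be found" error, and behind picking a 'Credential' as the MDM identity in iPCU, as an added example that is not part of the original posts: the MDM payload's IdentityCertificateUUID has to match the PayloadUUID of a PKCS#12 or SCEP payload carried in the same profile. The sample profile is constructed (identifiers and the credential blob are placeholders), and the check assumes an unsigned profile plist.

```python
import plistlib
import uuid

# Payload types that can supply the MDM identity (PKCS#12 credential or SCEP).
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

def check_mdm_identity(profile_bytes):
    """Return a list of problems with the MDM identity reference; empty means OK."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    problems = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.mdm":
            continue
        ref = p.get("IdentityCertificateUUID")
        target = by_uuid.get(ref)
        if ref is None:
            problems.append("MDM payload has no IdentityCertificateUUID")
        elif target is None:
            problems.append(f"identity {ref} is not a payload in this profile")
        elif target.get("PayloadType") not in IDENTITY_TYPES:
            problems.append(f"identity {ref} points at {target.get('PayloadType')}")
    return problems

def build_profile(include_identity):
    """Constructed sample profile; all identifiers and values are made up."""
    cert_uuid = str(uuid.uuid4()).upper()
    content = [{
        "PayloadType": "com.apple.mdm",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": "com.example.mdm",
        "IdentityCertificateUUID": cert_uuid,
    }]
    if include_identity:
        content.append({
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadUUID": cert_uuid,
            "PayloadIdentifier": "com.example.credential",
            "PayloadContent": b"placeholder, not a real PKCS#12 blob",
        })
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": str(uuid.uuid4()).upper(),
                           "PayloadContent": content})

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, check_mdm_identity(build_profile(flag)))
```

Running this over a profile before delivering it catches the missing identity payload on the server side instead of in the device log.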

MDM server setup

I am trying to develop an enterprise application which needs to list all the installed applications on the iPhone and to delete some selected applications on the device from my application. I found that this is possible only by using an MDM server. I searched a lot for an exact document regarding this. It would be great if anyone could clarify my following doubts:
1. Steps and configurations to follow for an MDM server and to make the server communicate with the device
2. Steps to do on the client side
Thanks in advance.
To configure your MDM server you need to follow the below steps
1. You need to enroll in the iOS Developer Enterprise Program.
2. Try to get a signed Certificate Signing Request (CSR) from your MDM vendor.
3. Once you have a signed CSR from your vendor, visit identity.apple.com/pushcert and sign in with a verified Apple ID.
4. Click "Create a Certificate" and agree to the Terms of Use.
5. Select your signed CSR and click upload. After a moment, your certificate will be available for download.
6. This certificate can now be uploaded to your MDM server for use with the Apple Push Notification service.
7. In your MDM server you need to implement your Profile Manager, implement your Push server and add the SCEP stack.
Among the MDM capabilities there is a remote wipe feature, so you can wipe out the device data remotely.
You can list out all the MDM capabilities in this PDF and refer to this.
