The identity certificate for mdm profile could not be found - ios

I was trying to develop an MDM solution for iOS and I would like to test MDM with both methods of distributing the device identity, PKCS12 and SCEP. Currently I am doing it using PKCS12, so here is what I am doing:
1. Send a Profile Service profile to the device asking for its device ID, IMEI, version, etc.
2. The device responds with the requested attributes, signed using the Apple-provided certificate.
3. I now issue a PKCS12 certificate to the device using the credentials payload.
4. The device responds again with its attributes, this time signed using the above certificate.
5. I deliver an MDM payload setting the IdentityCertificateUUID to the payload UUID of the certificate issued in step 3.
I get "profile could not be installed". Upon examining the logs, I found the error: The identity certificate for mdm profile com.mdm.xyz could not be found.
If at step 5 I issue the MDM profile with a new certificate included in the payload, everything works. I am not sure if this is the right way to issue another certificate; I was thinking of reusing the same certificate issued at step 3.
I think I am doing something wrong here and this may not be the correct way. Any help would be much appreciated. Thanks.

You can pass in step 5 the same certificate that you used in step 3. In that case the MDM profile is installed successfully.
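The error in the question arises when the MDM payload's IdentityCertificateUUID does not resolve to a certificate payload carried in the same profile. The following check, added here as an example and not taken from the original post or any MDM product, builds a constructed .mobileconfig with a PKCS12 payload and an MDM payload and verifies that the reference resolves; the identifiers, ServerURL and PKCS12 bytes are placeholders, and the MDM payload omits other keys a real profile would need.

```python
import plistlib
import uuid
MDM_PAYLOAD_TYPE = "com.apple.mdm"
# Payload types that can carry the device identity an MDM payload references.
IDENTITY_PAYLOAD_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

def new_uuid() -> str:
    return str(uuid.uuid4()).upper()

def build_profile(include_identity: bool) -> bytes:
    """Build a constructed .mobileconfig (XML plist). The PKCS12 bytes are a
    placeholder, not a real PKCS#12 blob; only the UUID wiring matters here."""
    identity_uuid = new_uuid()
    pkcs12_payload = {  # step 3 of the question: the credentials payload
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadIdentifier": "com.example.identity",  # assumed identifier
        "PayloadUUID": identity_uuid,
        "PayloadVersion": 1,
        "PayloadContent": b"CONSTRUCTED-PKCS12-PLACEHOLDER",
    }
    mdm_payload = {  # step 5: the MDM payload (other required keys omitted)
        "PayloadType": MDM_PAYLOAD_TYPE,
        "PayloadIdentifier": "com.example.mdm",  # assumed identifier
        "PayloadUUID": new_uuid(),
        "PayloadVersion": 1,
        "IdentityCertificateUUID": identity_uuid,  # must resolve in this profile
        "ServerURL": "https://mdm.example.invalid/checkin",  # placeholder
    }
    content = [mdm_payload] + ([pkcs12_payload] if include_identity else [])
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.profile",  # assumed identifier
               "PayloadUUID": new_uuid(), "PayloadContent": content}
    return plistlib.dumps(profile)

def check_identity_reference(profile_bytes: bytes) -> list:
    """Problems found; empty means every MDM IdentityCertificateUUID resolves in-profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    identities = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in IDENTITY_PAYLOAD_TYPES}
    problems = []
    for p in payloads:
        if p.get("PayloadType") != MDM_PAYLOAD_TYPE:
            continue
        ref = p.get("IdentityCertificateUUID")
        if ref is None:
            problems.append("MDM payload has no IdentityCertificateUUID")
        elif ref not in identities:
            problems.append(f"IdentityCertificateUUID {ref} matches no PKCS12/SCEP payload")
    return problems
```

Running the check against a profile built with include_identity=False reproduces the failure mode in the question (a dangling reference), while include_identity=True corresponds to the answer above.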

Related

iOS MDM Certificates Expiry

I am creating an MDM Server and have successfully completed all the steps and was able to install the profile on the device.
In the .mobileconfig file which is installed on the device, we pass the SSL certificate, APNS certificate and profile information.
1) What if the SSL Certificate on the server is changed? (I guess this is not practiced by many or not practiced at all but still want to know what happens when this case occurs)
2) What happens after the APNS certificate is expired after one year?
How do I update the profiles on devices in which the profiles were already installed. Should the profiles be manually deleted and reinstalled or is there any other way?
Regarding the SSL certificate:
The MDM profile using the SSL certificate is not affected and can continue to be used. The only thing that will happen is that when you view the profile on the device, it will show that specific signing certificate as expired.
Solution: You need to sign the MDM profile again with the new certificate.
Refer to the solution to this question.
You have the option to renew the APNS certificate before it expires. Apple sends you an email (to the Apple ID that generated the APNS certificate) before the certificate expires. If you renew the certificate before expiration, you don't have to re-enroll the devices.
In case the certificate is already expired, you need to create a new one using the same old apple-id and will have to re-enroll all the devices to receive the MDM push.

On changing the SCEP identity certificate's signing algorithm

We are using SCEP for distributing the device identity certificate.
And we are now planning to use SHA-2 family signing to replace the SHA-1 we are currently using for the certificate.
Now the question is that many devices have already installed the SHA-1 certificate.
I would like to know how the existing certificate will be affected.
Will users need to re-enroll their device again?
Or can we issue an update command (or something like that) and automatically replace the existing identity certificate?
Any help is appreciated.
Thanks in advance.
You'll have to re-enroll all the devices that are using the old certificate.
Recently, I renewed the signing certificate for the MDM enrollment profile, for which I had to re-enroll the devices so that they use the profile with the new signing certificate.

Basic MDM Server setup

I am trying to create an APNS certificate to set up a basic MDM server. I am following this link http://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf
I have OS X Server 10.8 and an Apple developer account.
I have enabled APN using the Server application in OS X Server. When I edit or try creating a new certificate it takes me to https://identity.apple.com/pweb/?r=1 where it requires a CSR signed by a third-party vendor, which I don't have.
So how do I create an APNS certificate from OS X Server 10.8 without having an Enterprise account?
Not sure what you are trying to do here. Are you trying to become a vendor, or are you a customer of a vendor?
If you are a customer, you don't need anything other than an Apple account; you could ask for instructions from your vendor, more specifically a Signed Certificate Signing Request (SCSR) from your vendor. Then upload this file to the URL that you provided to get an APNS push certificate.
But if you are trying to become a vendor or want to create your own MDM server, you will need to have an enterprise account, and make sure the account has the MDM option when first applying for this account.
More information can be found in Apple's doc of Mobile Device Management Protocol
http://adcdownload.apple.com//Documents/mobile_device_management_protocol/mobiledevicemanagement_121211.pdf

How can I obtain a code signing certificate for iOS mobile config profiles

I am creating an iOS mobile config profile and I am pushing the mobile config profile via MDM. In my case I am not using a SCEP server for profile management. I simply create the mobile config profile using the "iPhone Configuration Utility" and use it for mobile settings.
I have created a self-signed code signing certificate. Using my self-signed code signing certificate I signed the mobile config profiles as mentioned here. But for this I have to include my root certificate along with the profile.
I want to obtain a code signing certificate from a trusted vendor. What kind of code signing certificate do I need to purchase? If I purchase an Apple code signing certificate, will this help to sign mobile config profiles? Refer
Several notes:
In my case I am not using a SCEP server for profile management.
A SCEP server isn't used for profile management. It's used for identity management. You use either a SCEP server or PKCS12 whenever you need to authenticate a device (for example for WiFi or VPN auth, or for MDM bootstrapping as explained here - http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html)
I want to obtain a code signing certificate from a trusted vendor. What kind of code signing certificate do I need to purchase? If I purchase an Apple code signing certificate, will this help to sign mobile config profiles?
As I remember, you need any SSL certificate. Quite often you both protect communication with your MDM server using it and sign all profiles using it. So there are no additional requirements for it (on top of the usual requirements for an SSL certificate).
Of course, you need to check whether the certificate authority which issues this certificate is preinstalled on iOS devices.
Take a look here: http://support.apple.com/kb/ht5012

Certificate stuff in iOS MDM operation

Now I'm trying to make an MDM server which manages iOS devices using APNS push notifications.
So far I have gone over a number of Apple official documents about configuration profiles, the MDM protocol, APNS push, etc.
But I can't clearly figure out some of the steps necessary for the full MDM flow.
APNS certificate which the MDM server has to use for push notifications
Who (vendor or customer?) creates the CSR and who (vendor or customer?) generates the APNS certificate by uploading the CSR in the Apple Push Portal?
(What the Apple document says and what Google says are not matching each other..)
Identity certificate which has to be contained in the Configuration Profile
How to create the identity certificate, and where?
How to include it in the Configuration Profile using iPCU?
Searching the web I could see quite a lot of information about these, but not all of it gives a consistent answer, so I got to feel more dizzy. :-(
Any piece of help/information will be appreciated.
Thanks.. :-)
I have some basic points on generating an MDM certificate.
The MDM certificate is used to manage the enrolled device.
The policies will work over the air (APNS).
The server-client communication will happen through APNS.
I am going to answer your questions below.
Q: APNS certificate which the MDM server has to use for push notifications:
A: In order to manage the iOS device you need to install the profile on the server.
First of all you need to create the CSR on your server using IIS Manager.
After generating the CSR file you need to have it signed by a third-party vendor; then you will get the .SCSR file. Here the vendor signs your CSR using a private key.
Once you have the .SCSR you need to upload the file to the Apple push cert site.
After uploading the SCSR file you will get the .PEM file.
Once you have the .PEM file you need to complete the request using IIS Manager.
Your certificate will be visible in the certificate list. Right-click on the certificate and export it with a password.
Here the customer means whoever is creating the CSR; the vendor means whoever is signing the certificate.
Feel free to ask questions if you are not clear.
I have prepared some basic steps for you to configure push notifications as follows:
Go to developer.apple.com
Check with Member Center
Navigate to the iOS Provisioning Portal
Check if the app ID exists
Create a new app ID
Select the created app (configure)
Enable push notification in the app
Get a CSR from an Apple Mac user with the Keychain app (give account credentials)
Enter the CSR and generate
Download the production certificate
Give this to the Mac user again to generate the p12 file
Under Provisioning, go to Distribution
Create a new distribution profile
The profile name is "APP name (space) Dist"
Hope this will help you. Please feel free to ask if anything is not clear to you.
You can't find much info regarding this. But I will tell you: use iPCU for creating config profiles. Use a server for sending these config profiles as a response.
Use a separate server for the CA and issuing authority.
You (vendor/customer) have to create an APNS certificate and you have to use it in the server for sending push notifications.
Let me know whether you have found a breakthrough or are still stuck somewhere.