
I was able to develop an MDM solution.

I started facing a problem when I moved my agent from the Developer account's provisioning profile to the Enterprise account's in-house distribution profile.

Now I am totally confused: which certificate is used where?

Please guide me on which certificate is used in the places below:

  1. Certificate in credentials section of enrollment profile (is it having BI as com.apple.mgmt._ ? or can be any like com.abc.mdm ? or it's the one received by customer)
  2. Certificate .pem file used to wake up device?

Thanks

lnafziger
Manmay

2 Answers


You need to use your iOS Enterprise developer account; use the Agent account's credentials.

  • Follow this page http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning and then verify a few things, such as removing the passphrase from customerPrivateKey.pem using this command

    openssl rsa -in customerPrivateKey.pem -out PlainKey.pem

  • Verify the .pem certificate downloaded from https://identity.apple.com/pushcert/

    You can install this .pem in your Mac's Keychain and then see the Get Info; the certificate should have com.apple.mgmt.External.b503419d-1e2a-a60f-7451-5b8832b5a9cb, which you can use as the push topic while generating the enroll mobileconfig.

  • Then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command

    cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem

Now you can use PlainCert.pem as the APNS/MDM certificate.

Please see this for Identity.p12 and respective password, which you have to use in Credential section.

User97693321
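
A pre-flight check for the merge step in the answer above, as an added example that is not part of the original answer: it refuses a key that still has a passphrase, confirms the private key matches the certificate, and prints the push topic. The function names are hypothetical, and reading the topic from the certificate subject is an assumption based on the Get Info step.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.
# Assumption: the com.apple.mgmt.* push topic appears in the certificate subject.

# push_topic CERT -> prints the com.apple.mgmt.* topic found in the subject, if any
push_topic() {
    openssl x509 -in "$1" -noout -subject |
        grep -o 'com\.apple\.mgmt\.[A-Za-z0-9.-]*' | head -n 1
}

# build_push_bundle CERT KEY OUT
# Writes OUT (certificate followed by key) and prints the push topic.
# Returns: 0 ok, 1 key still passphrase-protected, 2 key does not match
# the certificate, 3 no com.apple.mgmt.* topic in the certificate.
build_push_bundle() {
    cert=$1
    key=$2
    out=$3

    # Both traditional and PKCS#8 encrypted PEM keys carry the word ENCRYPTED.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "key is passphrase-protected; strip it with openssl rsa first" >&2
        return 1
    fi

    # The bundle is only usable if the key is the one the CSR was made from.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 2
    fi

    topic=$(push_topic "$cert")
    if [ -z "$topic" ]; then
        echo "no com.apple.mgmt.* topic in certificate subject" >&2
        return 3
    fi

    # The bundle contains an unencrypted private key: keep it owner-only.
    (umask 077; cat "$cert" "$key" > "$out") || return 4
    echo "$topic"
}
```

Called as `build_push_bundle CustomerCompanyName.pem PlainKey.pem PlainCert.pem`, it prints the value to use as the push topic in the enrollment profile.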

1) It HAS to be com.apple.mgmt._ however this does not come from the provisioning portal - all you can set up here is your vendor certificate. See here

2) The certificate is used to make the connection to the APNS service, but you should get this from the Apple Push Certificates Portal

Abstractec
  • Thanks Abstractec, I again have some doubts based on your above comment: 1. Do we need to use Push SSL Certificates with App ID as com.apple.mgmt._ OR do we need to use the MDM Vendors certificates in the Credentials section? 2. From Apple Push Certificate, which of the below do we use for device wake up: 1. Certificates for Third-Party Servers 2. Certificates for OS X Server? In Point 1, if we want to use production Push SSL Certificates, then I am not able to understand how it's distinguished for Development and Production mode. Please help – Manmay May 29 '12 at 12:35
  • I honestly have no idea what you mean. You need to create a vendor solution. See link in (1). I have no idea what you mean by 'wake up device', but all MDM requests use the certificate received from the Apple Push Certificates Portal. – Abstractec May 29 '12 at 13:17
  • I generated a push certificate for MDM. It's got a valid subject/topic. When viewed in the keychain store it says "This certificate was signed by an unknown authority". There's also no private key associated with it. Any idea what's wrong? – Sahil Khanna Sep 05 '12 at 09:11
  • @Abstractec - Please help me on http://stackoverflow.com/questions/17192211/setting-wallpaper-using-mdm – Manmay Jun 19 '13 at 13:20