MDM vendor signing and MDM APNS certificate generation for WSO2 IoT server



When we look at how Apple has designed the device management protocol for iOS devices, one thing we notice is that they have tried to make the process as secure as possible. In this article, we will look at what the MDM APNS certificate is and how we can generate and use one.
When managing iOS devices, the device management commands are executed by a native client built into the iOS operating system itself. When a device management server needs to send a command to this client, the command has to be sent through the Apple APNS servers. However, since these commands are executed by the operating system itself, using a general-purpose APNS certificate does not make sense. Therefore Apple has made it mandatory that device management servers use a special MDM APNS certificate when sending commands to a device. These certificates expire annually and admins have to renew them every year.
MDM APNS certificate generation is a bit of a complex process, and to make things simpler I have created a script[1] that will help you generate the certificates. More details of the internal workings of the script can be studied by reading vendor_script.sh. Before you jump into the script to generate certificates, it is very important to make sure that the following prerequisites are met.

Prerequisites



  1. Purchase an Apple enterprise account[2] for your organisation. This is a 299 USD program that is different from the regular Apple developer program.
  2. Next you will need to contact Apple and ask them to enable the option for you to sign certificates. This can be done by emailing devprograms@apple.com from the team agent's[3] email of the enterprise account with a message like the one below:
    “Could you please enable MDM vendor signing capability on my enterprise account? My organisation name is and I'm the team agent of the enterprise developer account.”
    Apple will enable the certificate signing capability for your account and will update you. Note that you may also contact Apple through the contact page[4] instead of emailing, if you wish. Apple will get back to you when they have enabled MDM vendor signing capability on your account, and once this is done you can start creating certificates.


Creating certificate



Let's look at the steps involved in creating a certificate. The steps discussed here directly correspond to the steps of the script[1]. There are 3 main areas when it comes to creating certificates:
  1. Creating the infrastructure necessary to generate certificates (obtaining the signing authority certificate).
  2. Signing the certificate and uploading it to the Apple push certificates portal.
  3. Converting the obtained certificates to be used in WSO2 IoT server.

STEP 1 - Creating the infrastructure necessary to generate certificates.



In order to obtain signed MDM APNS certificates, we need an authority that can create/sign such certificates. This authority is only granted by Apple, and this is why we need an Apple enterprise account. We need a certificate called mdm.cer from Apple granting us permission to sign/create MDM APNS certificates on their behalf. To get such a certificate we have to send a CSR (certificate signing request) to Apple, which is very similar to how an SSL certificate is obtained from a certificate authority. To start off, clone[1] or download[5] the script and, from the command prompt, move into the vendor_sign_mdm_apns folder which you just downloaded/cloned. Then run the script as below:


sh vendor_script.sh


Note that the script has been tested on macOS and it should work on Linux based operating systems as well. Read the instructions in the script and complete the first step. After completing one step, the script automatically jumps to the next step; if you decide to redo a step, pass the step number as an argument to the script. For example:
To start step 1 - sh vendor_script.sh 1
To start step 2 - sh vendor_script.sh 2
To start step 3 - sh vendor_script.sh 3


After running the first step, locate the vendor.csr file in the vendor_sign_mdm_apns folder. Next we need to upload vendor.csr to Apple and obtain the certificate which grants us permission to sign certificates. Go to the certificate management section[6] of your Apple enterprise account.



In the portal click on the plus sign on the top right corner as shown in the image above.



Select the "MDM CSR" option and click continue.



Click on continue again, since we already have a CSR.


Click on choose file, upload the vendor.csr file and click continue.


Click on download, which will download the mdm.cer file. Copy the mdm.cer file to the vendor_sign_mdm_apns/inputs folder. Once the file is in place the script will jump to step 2.

STEP 2 - Signing the certificate and uploading it to the Apple push certificates portal



Now that mdm.cer has given us the signing authority, we can create MDM APNS certificates ourselves. We create a new CSR, let's call it customer.csr, and get it signed with the mdm.cer certificate we obtained earlier. Note that when creating the CSR and its private key you will be prompted for a password; make a note of this password, as it will be needed later. Complete step 2 by following the on-screen instructions in the script; this will create a file called plist_encode in the vendor_sign_mdm_apns folder. The script will now jump to step 3 and wait until we have uploaded the plist file to Apple and obtained the MDM APNS certificate.


The plist_encode file needs to be submitted to the Apple push certificates portal[7]: click on create certificate, follow the steps and upload the plist_encode file. Note that MDM APNS certificates expire after one year and you must renew them before they expire by rerunning all the steps of this script. When renewing, however, instead of clicking on create a certificate, find the expiring certificate, click renew and upload the new plist_encode. Renewing before expiry is a must, because an expired certificate can force you to re-enroll all the devices. After following the steps in the push certificates portal, you will be able to download the MDM_Certificate.pem file.


STEP 3 - Converting the obtained certificates to be used in WSO2 IoT server



The name of the file downloaded from the push certificates portal will vary based on your organisation name; rename it to MDM_Certificate.pem and copy it to the inputs folder. Performing this file copy will continue step 3, and you will receive MDM_APNSCert.pfx inside the output folder, which needs to be uploaded to WSO2 IoT server[8]. When filling out the “iOS IoTS and APNS Configurations” section of the documentation[8] you will also need the MDM certificate topic ID, which is printed on screen, and the password you provided in step 2.
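As an added example (not the page's vendor_script.sh), here is the post-processing of step 3 done by hand with openssl: reading the topic ID out of the downloaded certificate, warning before the one-year expiry mentioned above, and bundling certificate and key into the PFX. It assumes the downloaded file has been renamed MDM_Certificate.pem, that the step 2 private key lives in a file called customer.key (an assumed name) and that the step 2 password protects that key.

```shell
#!/bin/sh
# Added example, not the page's script. Assumed inputs: MDM_Certificate.pem
# from the Apple push certificates portal, the step 2 private key
# (assumed file name customer.key) and the step 2 password.

# The APNS topic is the UID attribute of the certificate subject
# (com.apple.mgmt.External.<id>); WSO2 IoT server asks for it as the
# "MDM certificate topic ID". Works with both openssl subject print styles.
apns_topic() {
    openssl x509 -in "$1" -noout -subject \
        | grep -o 'UID *= *[^,/]*' | sed 's/^UID *= *//'
}

# Succeeds (exit 0) when the certificate expires within the given number
# of days. Apple MDM push certificates last one year and an expired one
# forces re-enrollment of every device, so alert well ahead of that.
expires_within_days() {
    # -checkend exits non-zero when the certificate expires within N seconds
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Bundle certificate and private key into the PKCS#12 (.pfx) file WSO2 IoT
# server expects; the step 2 key password is reused as the PFX password.
to_pfx() {
    cert=$1; key=$2; password=$3; out=$4
    openssl pkcs12 -export -in "$cert" -inkey "$key" \
        -passin "pass:$password" -passout "pass:$password" -out "$out"
}

# Usage: sh mdm_apns_post.sh MDM_Certificate.pem customer.key <password>
if [ "$#" -eq 3 ]; then
    echo "APNS topic: $(apns_topic "$1")"
    if expires_within_days "$1" 30; then
        echo "WARNING: certificate expires within 30 days; renew it in the push portal" >&2
    fi
    to_pfx "$1" "$2" "$3" MDM_APNSCert.pfx && echo "wrote MDM_APNSCert.pfx"
fi
```

The expiry check can be run from cron against the deployed certificate so the annual renewal never slips past the date.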


This completes the process of creating MDM APNS certificates; the result can be used together with the WSO2 IoT server documentation to configure the server for iOS device management.



Comments

  1. Thanks for the clear instruction.

    Question, if I create an MDM Vendor certificate and signed APNS for a customer and later I removed the MDM Vendor certificate, will this affect the APNS certificate that was previously generated?

    Thanks

    Replies
    1. This should not create any issues. As far as I know, once the plist is uploaded to the Apple portal, Apple will sign everything with their certificates and there will be no association after that point to the vendor certificate.
    2. Also, you have the option to create multiple vendor certificates without deleting.