Client Manager and Apple Certificates
In order for customers to be able to manage Apple devices with Client Manager (CM) using Apple’s MDM (Mobile Device Management) protocol, each customer must generate and install an Apple APNS (Apple Push Notification Service) Push Certificate (a.k.a. MDM certificate). This certificate is used to authenticate both the customer, and Scalable as a vendor, to Apple, so that Scalable’s products can manage the customer’s devices. As such, the process of generating the certificate involves both the customer and Scalable, in order to get Apple to generate a proper certificate.
This process is more or less the same, regardless of the MDM vendor, though Scalable has made it as simple as possible.
Scalable customer instances with CM used to be deployed with a “common” MDM certificate, however now the customer must use their own certificate to enroll their devices. Most customers who are familiar with managing Apple devices should expect to have to obtain an MDM certificate.
The MDM certificate expires yearly, on the anniversary of when it was issued by Apple. CM can be configured to warn customers that they need to renew their certificates. The renewal process is very similar to the initial certificate issuance process, and is similarly easy.
This document assumes a basic level of familiarity with Public Key Infrastructure (PKI) terms, such as CSR, private key, certificate, etc.
As of 8/31/2015, common certificates are NOT supplied by Scalable Software, however any customer instances that were deployed with CM before 8/31/2015 will still keep their certificates that were provided by Scalable.
Certificate Configuration Overview
The process of generating and installing a new MDM certificate involves three simple steps, using the Client Manager (CM) UI, and Apple’s Push Certificates Portal. In summary, the three steps are:
- The customer uses the CM Request Generation UI to create or upload a Certificate Signing Request (CSR) and to generate the APNS certificate request.
- The customer uploads the generated APNS certificate request to the Apple Push Certificates Portal (https://identity.apple.com/pushcert) and requests a certificate.
- The customer uses the CM Certificate Activation UI to upload the generated MDM certificate and activate it for their instance.
Step 1: Generate the Certificate Request
First, the customer must login to CM, and navigate to the Request Generation UI: Setup / App Administration / Client Manager / iOS Config / APNS Push Certificate / Request Generation:
On this first page, the customer either enters identifying information about their company for the certificate request, and CM will generate a CSR, or they can elect to generate and upload their own CSR. Either way, they will need the private key associated with the CSR when activating the certificate, so if they generate a CSR here (Generate CSR button), they must then download the generated private key before proceeding to the next step. The downloaded private key will be named something like “CustomerCSR.key”.
Once they click “Next…” they will see the screen below:
On this page, the customer can review the CSR information, and once they’re happy with it, click on “Generate and Download…” to have the request generated and automatically downloaded to their machine. The downloaded request will be named something like “APNSPushCert.csr”. Please note that this file is not a typical CSR, and is in a format unique to Apple (base-64 encoded Plist).
Step 2: Upload the Certificate Request and Generate the Certificate
Next, the certificate request downloaded in Step 1 (e.g. APNSPushCert.csr) is uploaded to the Apple Push Certificates Portal, at https://identity.apple.com/pushcert. The customer must login with their Apple ID, and will see a page similar to that below:
On this page, the customer will click on “Create a Certificate”, and the following page will appear:
On this page, the customer will click “Choose File”, and upload the request that was downloaded in step 1. After upload, the customer will see the screen below:
From here they can download the Apple-generated certificate via the Download button. The downloaded certificate will be named something like “MDM_ Scalable Software, Inc._Certificate.pem”.
The customer will also receive e-mail from Apple indicating that a certificate was created.
Step 3: Upload and Activate the Certificate
Finally, the customer must navigate to the Certificate Activation UI: Setup / App Administration / Client Manager / iOS Config / APNS Push Certificate / Certificate Activation:
On this page, the current certificate information is displayed, initially. The customer will upload the certificate generated in step 2 (e.g. “MDM_ Scalable Software, Inc._Certificate.pem”) via “Upload Certificate…”, and also the private key used when generating the original request in step 1 via “Upload Private Key…”. Once these two items have been uploaded, the customer will see the page below:
Note the “Certificate source” field. This tells the customer a few things: first, the certificate they’re viewing is the one that was uploaded, vs “Active Certificate” above; second, this certificate is a replacement certificate. When it comes time to renew this certificate, they need to make sure that this field shows “Renewal” and not “Replacement”, otherwise they won’t be able to manage devices enrolled under the previous certificate. In this example, we’re replacing an existing certificate, not renewing it.
The customer should now enter and confirm a suitable password to protect the installed certificate, click to receive certificate expiration notifications, and click “Next…”:
The customer should review the certification information, and click on “Activate…” to save and activate the new certificate. After confirmation, the new certificate will be immediately activated, and devices can be enrolled and managed under it.
Renewing an Existing Certificate
Beginning 30 days prior to the expiration of the current certificate, the customer will receive a daily e-mail reminding them that their certificate is about to expire, and giving them brief instructions on how to renew it, including a link to the UI in their AV instance.
The renewal process is essentially identical to the process above, however in step 2 (Upload the Certificate Request and Generate the Certificate), rather than creating a new certificate, the customer will click on the “Renew” button for their existing certificate. Again, they’ll upload the request generated in step 1; download the new certificate, and upload/activate the renewal certificate in step 3. In this case, however, the “Certificate Source” field in the Certificate Activation UI will show as a renewal, not a replacement. The Subject field “UID” in the certificate is the critical thing – it must be the same between the original certificate and the renewal for a renewal to occur, and will only be the same if the renewal process is followed (using the “Renew” button on the original certificate).
If the customer allows their certificate to expire, they will not be able to enroll new devices or to manage existing devices until they renew the certificate.