How to Create Custom-Signed CA MDM Client App
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.
Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contact CA Technologies
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Providing Feedback About Product Documentation
If you have comments or questions about CA Technologies product documentation, you can send a message to [email protected].
To provide feedback about CA Technologies product documentation, complete our short customer survey which is available on the CA Support website at
Contents

Chapter 1: How to Create a Custom-Signed CA MDM Client App ... 7
Add CA Technologies as Team Member ... 8
Generate a CSR ... 9
Generate a CSR on a Macintosh ... 9
Generate a CSR on a Windows Server using IIS Manager ... 10
Create iOS Distribution Certificate ... 11
Create App ID ... 12
Create iOS Provisioning Profile... 12
Create Custom-Signed CA MDM Client App ... 14
Custom App Icons Information ... 15
Yearly iOS Application Re-Signing ... 16
Chapter 1: How to Create a Custom-Signed CA MDM Client App
This document describes how to produce and supply the files that CA Technologies needs to deliver a Custom-Signed CA MDM Client App for your enterprise: a distribution certificate with its private key, and a distribution provisioning profile, both issued under your own Apple Developer Program team.
Use the following process to create a custom-signed CA MDM client app:
1. Add CA Technologies as Team Member (see page 8)
2. Generate a CSR (see page 9)
3. Create iOS Distribution Certificate (see page 11)
4. Create App ID (see page 12)
5. Create iOS Provisioning Profile (see page 12)
6. Create Custom-Signed CA MDM Client App (see page 14)
Add CA Technologies as Team Member
Add CA Technologies as a Team Member of your enterprise's Apple Developer Program team. Apple requires that third-party contractors be added to the enterprise's developer team before they may sign custom-built, in-house applications with your distribution certificate. The CA Technologies contractor needs only the Team Member role; Apple requires this for tracking purposes, and the CA Technologies employee does not log in to your account. Team Member is the least-privileged role: as the table below shows, it cannot create distribution certificates or sign apps for distribution, so do not grant the contractor the Team Admin or Team Agent role.

Team roles

Team agent: A team agent is legally responsible for the team and acts as the primary contact with Apple. The team agent can change the access level of any other member of the team.

Team admin: A team admin can set the privilege levels of other participants, although a team admin cannot demote the team agent. Team admins manage all assets used to sign your apps, either during development or when your team is ready to distribute an app. Team admins are the only people on a team who can sign apps for distribution on nondevelopment devices. Team admins also approve signing certificate requests made by team members.

Team member: A team member gains access to prerelease content delivered by Apple on that program's portal. A team member can also sign apps during development, but only after he or she requests a development signing certificate and a team admin approves the request.
Follow the instructions below, entering the following information for the CA Technologies developer:
First Name: Brian
Last Name: Peck
Email Address: [email protected]
Build Your Team by Adding Team Admins and Team Members
If you are a team admin, add people to your development team through the Member Center. When you add a person to your team, you can grant them access to the developer programs that your team is enrolled in.
Follow these steps:
1. In the Member Center, click People in the bar at the top.
2. Click Invitations in the sidebar.
3. Click Invite Person and provide the first name, last name, and email address.
4. Specify the person's access and role for each program.
5. Click Send Invitation.
Generate a CSR
You can create a certificate signing request (CSR) on either a Windows server or a Macintosh. The CSR contains only the public key; the private key is generated alongside it and stays on the machine where you create the CSR, so plan to complete the certificate and export the key from that same machine.
Generate a CSR on a Macintosh
On any Macintosh in your enterprise, use the Keychain Access utility to create your CSR. Keychain Access generates the key pair in the login keychain of that Mac; the CSR holds only the public key, and the private key stays in that keychain until you export it (see Export Private Key on a Macintosh).
Follow these steps:
1. Open Applications, Utilities, Keychain Access.
2. Select Keychain, Login and Category, Certificates in the left pane.
3. Select Keychain Access, Certificate Assistant, Request a Certificate from a Certificate Authority.
4. Enter the email address and common name.
5. Select Save to disk and Let me specify key pair information, and click Continue.
6. For ease of access, choose your desktop as the location of the .CSR file.
7. In the Key Pair Information pane, choose 2048 bits as the key size and RSA as the algorithm.
8. Save the file (.CSR) and record the location.
Export Private Key on a Macintosh
Perform this procedure after the iOS Distribution Certificate has been created (see page 11) and the downloaded .cer file has been installed into the same login keychain that generated the CSR; only then is the certificate paired with its private key.
Follow these steps:
1. To export your private key and certificate, open the Keychain Access application and select the Keys category.
2. Control-click the private key associated with your iOS Distribution Certificate and click Export Items in the menu. The private key is identified by the public certificate that is paired with it; expanding the certificate entry under Category, My Certificates shows the key beneath it.
3. Save your key in the Personal Information Exchange (.p12) file format.
4. You are prompted to create a password. It is required to import this key on another computer, and it is the only protection the .p12 file has, so choose a strong one: the file contains the private key that signs every copy of the custom app installed on your devices.
5. You can now transfer this .p12 file between systems.
Generate a CSR on a Windows Server using IIS Manager
To create your CSR on a Windows server in your enterprise, use the IIS Manager utility. The private key is created in the certificate store of that server and can only be paired with the certificate there, so complete the certificate request (see Export Private Key on Windows) on the same server.
Follow these steps:
1. Click Start, Internet Information Services (IIS) Manager.
2. Select the server in the Connections column, and open Server Certificates in the IIS section.
3. Click Create Certificate Request and provide the distinguished name details. Common name defines the name of the person generating the request.
4. Click Next.
5. Select Microsoft RSA SChannel Cryptographic Provider as the Cryptographic Service Provider.
6. Select a bit length of 2048 or greater.
7. Enter the file name for the certificate request.
8. Click Finish.
The CSR is created and is ready to submit to the iOS Developer Portal (see Create iOS Distribution Certificate on page 11).
Export Private Key on Windows
Perform this procedure after the iOS Distribution Certificate has been created (see page 11). Completing the certificate request binds the downloaded certificate to the private key that was generated with the CSR; the key and certificate are then exported together.
Follow these steps:
1. Click the Start menu, go to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. Click the name of the server in the Connections column on the left. Double-click Server Certificates.
3. In the Actions column on the right, click Complete Certificate Request.
4. Click the button with the three dots and select the .cer certificate that you received from the iOS Developer Portal. If the certificate does not have a .cer file extension, select to view all file types.
5. Enter a friendly name so you can keep track of the certificate on this server. Click OK.
6. If successful, the certificate appears in the list. If you receive an error stating that the request or private key cannot be found, make sure that you are using the correct certificate and that you are installing it on the same server that generated the CSR.
7. Export the certificate together with its private key: right-click the certificate you just imported and select Export.
8. Click the button with the three dots to specify a path for the .pfx file. You must enter a password; it protects the private key inside the .pfx file and is required to import the file elsewhere, so choose a strong one.
9. You now have the certificate and private key in .pfx format.
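Both procedures above end with a .csr file that the portal accepts with little feedback, so it is worth confirming locally that the request really is RSA with a key of at least 2048 bits and that the subject carries the common name and email address you entered (on a machine with OpenSSL, `openssl req -in file.csr -noout -text` shows the same fields). The following Python is an added example, not part of CA's documentation or tooling: it walks the DER structure of a PEM-encoded CSR with the standard library only. `build_sample_csr` constructs a CSR-shaped sample with a dummy modulus and an all-zero signature solely as test input; it is not a real request and its signature would not verify.

```python
"""Inspect a PEM-encoded CSR with the standard library only: is it RSA, is the
key at least 2048 bits, and does the subject carry the intended name and email?"""
import base64
import re

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C",
             "1.2.840.113549.1.9.1": "emailAddress"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the payload of a SEQUENCE or SET into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                     # base-128 arcs, high bit set = more bytes follow
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def inspect_csr(pem):
    """Return the subject attributes, public-key algorithm OID and RSA key size of a PEM CSR."""
    der = base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))
    _, csr, _ = read_tlv(der, 0)                        # CertificationRequest
    info = children(csr)[0][1]                          # CertificationRequestInfo
    _version, subject, spki = children(info)[:3]
    subj = {}
    for _, rdn in children(subject[1]):                 # Name = SEQUENCE OF SET OF { OID, value }
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            name = decode_oid(oid)
            subj[OID_NAMES.get(name, name)] = text.decode()
    (_, alg), (_, bitstr) = children(spki[1])           # SubjectPublicKeyInfo
    _, rsa_key, _ = read_tlv(bitstr[1:], 0)             # skip the BIT STRING unused-bits byte
    (_, modulus), _exponent = children(rsa_key)         # RSAPublicKey { modulus, publicExponent }
    return {"subject": subj, "algorithm": decode_oid(children(alg)[0][1]),
            "key_bits": int.from_bytes(modulus, "big").bit_length()}

def csr_ok_for_apple(pem):
    """The procedure above asks for RSA with a 2048-bit (or larger) key."""
    r = inspect_csr(pem)
    return r["algorithm"] == RSA_ENCRYPTION and r["key_bits"] >= 2048

# --- constructed test input: a CSR-shaped DER with a dummy modulus and dummy signature ---
def der(tag, payload):
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return bytes(out)

def encode_int(n):                          # extra byte keeps the sign bit clear for large moduli
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_csr(cn, email, key_bits=2048):
    """Not a real request: the modulus is a placeholder and the signature is zeros."""
    def atv(oid, tag, text):
        return der(0x31, der(0x30, der(0x06, encode_oid(oid)) + der(tag, text.encode())))
    subject = der(0x30, atv("2.5.4.3", 0x0C, cn) + atv("1.2.840.113549.1.9.1", 0x16, email))
    modulus = (1 << (key_bits - 1)) | 1                 # odd number with exactly key_bits bits
    rsa_key = der(0x30, encode_int(modulus) + encode_int(65537))
    alg = der(0x30, der(0x06, encode_oid(RSA_ENCRYPTION)) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa_key))
    info = der(0x30, encode_int(0) + subject + spki + der(0xA0, b""))
    sig_alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.11")) + der(0x05, b""))
    csr = der(0x30, info + sig_alg + der(0x03, b"\x00" * (key_bits // 8 + 1)))
    b64 = base64.b64encode(csr).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    print(inspect_csr(build_sample_csr("Example Corp", "[email protected]")))
```

Run `inspect_csr(open("CertificateSigningRequest.certSigningRequest").read())` against the file Keychain Access or IIS produced; a request that reports 1024 bits, or an algorithm other than 1.2.840.113549.1.1.1, should be regenerated before it is submitted, because the certificate issued against it cannot be changed afterwards.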
Create iOS Distribution Certificate
The distribution certificate identifies your organization in a distribution provisioning profile and is the certificate the custom app is signed with. Only a team agent or a team admin can create a distribution certificate.
Follow these steps:
1. In the iOS Dev Center page, click Certificates, Identifiers & Profiles in the iOS Developer Program section.
2. Navigate to iOS Apps, Certificates.
3. Select Production. Request the iOS Distribution Certificate by clicking the '+' icon.
4. In the Production section, select In-House and Ad Hoc.
Note: If the In-House and Ad Hoc option is greyed out, an iPhone Distribution certificate already exists under your developer program. The iOS Developer program only allows the creation of one iPhone Distribution certificate.
5. Click Continue and follow the instructions to submit the CSR (Certificate Signing Request) that you generated (see page 9).
6. When the process is complete, the portal provides a download. Select the certificate from the list, download it, and save the .cer file.
7. Install the .cer file on the same machine that generated the CSR (add it to the login keychain on a Macintosh, or use Complete Certificate Request in IIS Manager on Windows) so that it is paired with its private key, then export the certificate and key as described in Export Private Key on a Macintosh (see page 10) or Export Private Key on Windows (see page 10).
Create App ID
An App ID is a two-part string used to identify one or more apps from a single development team. The string consists of a Team ID and a bundle ID search string, with a period (.) separating the two parts. The Team ID is supplied by Apple and is unique to a specific development team, while the bundle ID search string is supplied by the customer to match either the bundle ID of a single app or a set of bundle IDs for a group of apps.
Follow these steps:
1. In the iOS Dev Center page, navigate to iOS Apps, Identifiers, App IDs.
2. Click the '+' icon to create a New App ID for the CA MDM client (for example com.companyname.CAMDMclient). Do not use com.ca.mdm1, because that is the App ID of the CA MDM client on the App Store.
Important! Do not use the option to create a wildcard App ID. A wildcard App ID is not permitted in the custom app signing portal and is rejected.
3. You need not enable App Services for the App ID; leave the default selections. However, enable Push Notifications if you want to send push messages to the custom CA MDM Client app. This feature is available in CA MDM 2014 Q1 and later.
4. Select Explicit App ID and enter the Bundle ID for your CA MDM app using your company name and CAMDMclient (for example com.<companyname>.CAMDMclient).
5. Confirm the App ID settings by selecting Submit.
6. Select Done once registration of the App ID is complete.
Create iOS Provisioning Profile
A provisioning profile ties an App ID to the certificate that signs the app and to the devices that may run it. An In-House (enterprise) distribution profile identifies your organization through your distribution certificate and applies to all of your enterprise's devices, so it carries no device list; a development profile, by contrast, identifies you through your development certificate and lists each device by its unique device identifier.
Follow these steps:
1. In the iOS Dev Center page, navigate to iOS Apps, Provisioning Profiles, Distribution.
2. Click the '+' icon to create a new Distribution Provisioning Profile.
3. Select Distribution, In House.
4. Select the App ID created in the previous procedure (see page 12).
5. Select the iOS Distribution Certificate created earlier (see page 11).
6. Enter a profile name and click Generate, then download the .mobileprovision file.
Create Custom-Signed CA MDM Client App
Verify that the following items are available for upload to create your custom-signed CA MDM Client App:
■ Custom Icons (if required). Review custom app icons information (see page 15).
■ Application display name
■ Exported enterprise distribution certificate with its private key (.p12/.pfx file)
■ Password for your exported enterprise distribution certificate/private key
■ Distribution provisioning profile file (.mobileprovision file)
Follow these steps:
1. Log in to the CA Support Portal at http://support.ca.com/.
2. Click Open a Case.
3. Enter the Product, Case, and Contact Information.
4. Verify that the Case Title is 'Custom-Signed CA MDM Client App'.
5. Verify that you provide the CA MDM App Display Name. This title is displayed below the app icon on the iOS device.
6. Specify the CA MDM App Version (CA MDM 2013 Q4, CA MDM 2014 Q1 or higher).
7. Submit the Case.
8. Navigate to File Attachments and attach the following files:
a. Custom Icons (if required)
b. Exported .p12/.pfx certificate
c. Password for your exported enterprise distribution certificate
d. Distribution provisioning profile file (.mobileprovision)
9. You are notified once CA Technologies has created the Custom-Signed CA MDM Client App. This process usually takes 48 hours.
10. Navigate to the Support Case, Files From CA.
11. Download the Custom-Signed CA MDM Client App.
After you obtain the Custom-Signed CA MDM Client App, you can distribute it for testing.
Note: Your Distribution Certificate, Password, and Provisioning Profile are deleted after the Custom-Signed CA MDM Client App is built. Until then, those attachments are sufficient to sign apps as your enterprise, so supply them through the case only and not through any other channel.
Custom App Icons Information
If you intend to replace the CA MDM App icon with your custom App icons, then review the following guidelines:
■ Review the iOS Human Interface Guidelines before creating your App icon.
■ Upload only PNG, JPG, or GIF files.
■ Provide the App icon in 120 x 120 pixels and 60 x 60 pixels for iPhone and iPod touch. Icons not supplied at these sizes are resized.
■ Provide the App icon in 152 x 152 pixels and 76 x 76 pixels for iPad. Icons not supplied at these sizes are resized.
■ Provide the App icon in 1024 x 1024 pixels and 512 x 512 pixels for the App Store.
Yearly iOS Application Re-Signing
Apple sets the provisioning profile to expire one year after it is created. To ensure uninterrupted use of the enterprise application, perform the following steps shortly before the profile expires (or upon expiration). If the distribution certificate has itself expired, a new certificate, and therefore a new CSR and a new export of the certificate and key, is required before the profile can be re-created.
Follow these steps:
1. Log in to the iOS Developer Provisioning Portal and re-create the provisioning profile.
2. Log in to the CA MDM support website and open a new Support Case. Follow the How to Create Custom-Signed CA MDM Client App (see page 7) procedure to create a custom-signed CA MDM client app with the updated provisioning profile.
3. Depending on your version of CA MDM, perform one of the following steps:
a. Re-run the EUSSP setup for all End-User Self Service portals that use the custom CA MDM app and specify the new custom application during the installation setup.
b. Upload the new custom application on the CA MDM Admin Console under Server, Configuration, iOS CA MDM Application to use the new custom application for future enrollments.
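The App ID rules in Create App ID (Team ID prefix, explicit rather than wildcard, not com.ca.mdm1), the In-House profile type from Create iOS Provisioning Profile, and the one-year expiry that drives this re-signing procedure can all be checked from the .mobileprovision file before it is attached to a support case, and again on a schedule so the expiry is caught in time. The following Python is an added example, not part of CA's documentation or tooling. A .mobileprovision is a CMS (PKCS#7) SignedData structure whose payload is an XML plist; `extract_plist` uses the common offline shortcut of slicing the plist text out of the DER, which reads the profile but does not verify Apple's signature over it. `build_sample_profile` constructs a sample with the standard profile keys, framed by placeholder bytes in place of the real CMS wrapper, purely as test input; the Team ID ABCDE12345, the team name Example Corp and the bundle ID com.example.CAMDMclient are made up.

```python
"""Check a distribution provisioning profile against the rules in this document:
In-House distribution, an explicit (non-wildcard) App ID that matches your bundle ID
and Team ID, and the one-year expiry that triggers re-signing."""
import datetime
import plistlib

APP_STORE_CLIENT_BUNDLE_ID = "com.ca.mdm1"   # the App Store CA MDM client's bundle ID; never reuse it

def extract_plist(profile_bytes):
    """A .mobileprovision is CMS SignedData around an XML plist. Slicing the plist text out of
    the DER is the usual offline shortcut; it reads the profile but does not check Apple's signature."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])

def check_profile(profile_bytes, expected_bundle_id, today, warn_days=30):
    """Return the App ID, days until expiry and a list of findings (empty = profile looks right).
    today is passed in (naive UTC datetime) so the check is reproducible."""
    p = extract_plist(profile_bytes)
    app_id = p["Entitlements"]["application-identifier"]
    team_id, _, bundle_id = app_id.partition(".")      # App ID = <Team ID>.<bundle ID search string>
    findings = []
    if not p.get("ProvisionsAllDevices"):
        findings.append("not an In-House distribution profile (ProvisionsAllDevices is not set)")
    if bundle_id.endswith("*"):
        findings.append("wildcard App ID; the custom app signing portal requires an explicit App ID")
    elif bundle_id != expected_bundle_id:
        findings.append(f"App ID {app_id} does not match bundle ID {expected_bundle_id}")
    if bundle_id == APP_STORE_CLIENT_BUNDLE_ID:
        findings.append(f"{APP_STORE_CLIENT_BUNDLE_ID} belongs to the App Store CA MDM client")
    if team_id not in p.get("TeamIdentifier", []):
        findings.append("App ID prefix is not one of the profile's Team IDs")
    days_left = (p["ExpirationDate"] - today).days
    if days_left < 0:
        findings.append("profile has expired; re-create it and re-sign the app")
    elif days_left <= warn_days:
        findings.append(f"profile expires in {days_left} days; schedule the yearly re-signing")
    return {"app_id": app_id, "days_left": days_left, "findings": findings}

# --- constructed test input: standard profile keys, placeholder bytes instead of the CMS wrapper ---
def build_sample_profile(bundle_id, created, ttl_days=365, team_id="ABCDE12345", all_devices=True):
    """Not an Apple-signed profile; made-up Team ID and team name, framed so extract_plist() sees
    the same layout a real file has."""
    plist = {
        "AppIDName": "CA MDM client",
        "ApplicationIdentifierPrefix": [team_id],
        "CreationDate": created,
        "ExpirationDate": created + datetime.timedelta(days=ttl_days),
        "Name": "CA MDM In-House",
        "TeamIdentifier": [team_id],
        "TeamName": "Example Corp",
        "TimeToLive": ttl_days,
        "UUID": "00000000-0000-0000-0000-000000000000",
        "Version": 1,
        "Entitlements": {
            "application-identifier": f"{team_id}.{bundle_id}",
            "com.apple.developer.team-identifier": team_id,
            "get-task-allow": False,
            "keychain-access-groups": [f"{team_id}.*"],
        },
    }
    if all_devices:
        plist["ProvisionsAllDevices"] = True             # what distinguishes an In-House profile
    return b"\x30\x82\x00\x00" + plistlib.dumps(plist) + b"\x00" * 16

if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    sample = build_sample_profile("com.example.CAMDMclient", now - datetime.timedelta(days=340))
    print(check_profile(sample, "com.example.CAMDMclient", now))
```

For a real file, call `check_profile(open("profile.mobileprovision", "rb").read(), "com.<companyname>.CAMDMclient", now)`; an empty findings list means the profile is In-House, explicit, matches your bundle ID and has more than warn_days left. Running it from a scheduled job gives the warning that Apple's one-year expiry otherwise delivers only when enrollments start failing.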