ZENPRISE DEVICE MANAGER 6.1 APPLE APNS CERTIFICATE SETUP GUIDE
© 2011 Zenprise, Inc. – All rights reserved.
This manual, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. The content of this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Zenprise, Incorporated. Zenprise Incorporated assumes no responsibility or liability for any errors or inaccuracies that may appear in this book.
Contents
1 Introduction ... 4
1.1 Related Documentation ... 4
1.2 Document Conventions ... 5
2 Apple APNS for Device Manager ... 6
2.1 Overview ... 6
2.2 What is an Apple APNS Certificate? ... 6
2.3 Basic APNS Certificate Steps ... 7
3 The Certificate Signing Request ... 8
3.1 Creating a CSR with Windows 7 & Server 2008 ... 8
3.2 Creating a CSR with Mac OS X ... 12
4 Apple APNS Certificate Process ... 15
4.1 Apple iOS Developer for Enterprise Portal ... 15
4.2 Generating an App ID and APNS Certificates ... 15
5 Exporting Certificates ... 23
5.1 Export the APNS Certificate: Windows OS ... 23
5.2 Export the APNS Certificate: Mac OS X ... 25
6 Appendix ... 28
1 INTRODUCTION
This document describes the setup and creation of an APNS certificate from the Apple iOS Developer for Enterprise program for use with the Zenprise Device Manager system from Zenprise, Inc. It covers the basics of the Apple Push Notification Service (APNS) and how it relates to Device Manager.
The content herein is intended for system administrators responsible for the implementation, configuration and upkeep of an enterprise-class system for managing mobile devices and their users. The document is organized as follows:
Chapter 1, Introduction, provides the scope and purpose of the document.
Chapter 2, Apple APNS for Device Manager, provides a general description of the process to enroll in the Apple iOS Developer for Enterprise program and the required steps to obtain a valid APNS certificate.
Chapter 3, The Certificate Signing Request, steps through the instructions for creating a new CSR file from either a Mac OS X or Windows based computer.
Chapter 4, Apple APNS Certificate Process, steps through the instructions for using the Apple iOS Developer for Enterprise portal to generate and download a valid APNS certificate associated with an App ID.
Chapter 5, Exporting Certificates, discusses the remaining steps to export the APNS certificate from a Mac OS X or Windows based computer into the proper format for use with the Zenprise Device Manager server.
The Appendix discusses briefly the option to use OpenSSL as an alternative to the certificate process described for Mac OS X and Windows based computers in this document.
1.1 RELATED DOCUMENTATION
Other documents available in regard to Zenprise Device Manager include the following:
Device Manager Quick Start Guide – summarizes the steps required to establish a basic functional configuration of the Device Manager server, create basic device Configuration Policies, device Deployment Packages, establish a Remote Support Client session, and work with devices.
Device Manager Installation Guide – provides the procedures to install and/or upgrade the Device Manager server product.
Device Manager System Administration Guide – provides details about configuring the application and
Device Manager F5 High Availability Guide – provides the procedures to set up the Device Manager server product in high availability mode with an F5 network load balancer appliance.
Device Manager Mobile Application Gateway Setup Guide – describes the setup and use of the Mobile Application Gateway to control ActiveSync mobile device traffic, as well as application Whitelist/Blacklist filtering, and specific device & user filtering options available when integrated with a Microsoft ISA 2006 or TMG 2010 server firewall.
Device Manager Remote Support User’s Guide – discusses using Device Manager’s remote control features to work with devices on behalf of users in the field.
1.2 DOCUMENT CONVENTIONS
The following conventions are used throughout the document:
Notes and Warnings
Notes and other information topics are emphasized as follows:
Note: you can also use CTRL-Q to quit.
Warnings convey limits, negative impacts or other important information as follows:
Note: Do not close the window before the process ends.
Application Elements
Window names, field labels, and other elements are italicized.
Code Samples
Scripts, program source code, configuration files and the like are handled in this fashion:
AddObjectProperty – attributeMap {element: value, element, value}
User Entry
2 APPLE APNS FOR DEVICE MANAGER
2.1 OVERVIEW
Before you can set up Zenprise Device Manager to manage iOS devices you will need an Apple Push Notification Service (APNS) certificate. This document explains the details needed to acquire an APNS certificate from your Apple Developer portal and how to upload that certificate to the Zenprise Device Manager management console.
2.2 WHAT IS AN APPLE APNS CERTIFICATE?
The Apple Push Notification Service (APNS for short) is a mobile notification service created by Apple, Inc. APNS uses push technology over an authenticated, encrypted IP connection to forward notifications over persistent connections from application servers such as Zenprise Device Manager to iOS devices such as the iPhone, iPad and iPod Touch. Many iOS applications present dynamic content delivered over the Internet. Push notifications (also known as remote notifications) are a way to let users know that new or updated content they are interested in is available even if the target application is not running. APNS notifications can include application data updates, triggered alert sounds or custom text alerts to the iOS device.
An APNS certificate is a provisioned security certificate provided through the Apple Developer portal as part of the available benefits with the Apple iOS Developer Enterprise Program available on the Apple web site at: (http://developer.apple.com/programs/ios/enterprise). The certificate is requested by an authorized participant of the enrolled developer program and is available for download on the developer customer portal site once approved by the Apple Developer Program.
2.3 BASIC APNS CERTIFICATE STEPS
There are a few steps to complete in order to obtain your APNS certificate from Apple, Inc. using a computer running either Apple Mac OS X or Microsoft® Windows. Requesting and generating the APNS certificate must be carried out on a single computer. The process is similar on each platform; only the tools and exact steps used to originate the certificate request and export the certificate differ. The essential steps for obtaining your APNS certificate are as follows:
1. Create a Certificate Signing Request (CSR) on a computer that will remain available for the duration of the APNS certificate generation process.
2. Upload the CSR to your Apple Developer portal (Apple will sign your certificate in 3-5 business days).
3. Download the signed certificate from your Apple Developer portal and complete the initial CSR request.
4. Export the APNS certificate from your computer in the supported PKCS#12 (.p12) format and upload it to Zenprise Device Manager during installation.
Before you begin, please ensure you have completed the following prerequisites:
Enroll in the Apple iOS Developer Enterprise Program located at: (http://developer.apple.com/programs/ios/enterprise). There is an annual enrollment fee per organization, and the enrollment also requires specific registration information such as your organization’s DUNS (Dun & Bradstreet) number and the legal authority to bind your organization to the iOS Developer Program Enterprise License Agreement.
Allow 3-5 business days to activate your new developer program membership, and the same lead-time for issuing your APNS certificate once the CSR is received by Apple, Inc.
Assign the Agent role to the Apple Developer account that will be approving and issuing the certificate.
The Agent role is the only role that can create and approve the APNS-enabled App ID and issue the APNS certificate. Note that there can be only one Agent account per enrolled developer program.
A Mac OS X 10.5 or later workstation*, or Windows Vista SP1, Windows 7 or Windows Server 2008, with local Administrator permissions to create the CSR and export the certificate in PKCS#12 (.p12 or .pfx) format for use with Zenprise Device Manager.
To develop with the iOS SDK you must have an Intel-based Mac running Mac OS X 10.6 Snow Leopard or later. Windows Vista SP1, Windows 7 or Windows Server 2008 is required when using the IIS Certificate Wizard in the steps we provide. Use the same computer for the entire certificate generation process.
Safari 4, Firefox 3.2 or greater, and Internet Explorer 7 or greater are supported and recommended for best results.
Designate a fully qualified DNS name (FQDN) for your Zenprise Device Manager server that will be resolvable both from the public Internet and from your organization’s internal network. (It is
3 THE CERTIFICATE SIGNING REQUEST
The first component needed to start the APNS certificate enrollment, once your Apple iOS Developer for Enterprise portal access is working, is a Certificate Signing Request, or CSR. A CSR is a file generated by a computer’s local certificate or keystore application; it carries the public half of a newly generated key pair together with the properties a Certificate Authority (CA) needs to understand what kind of certificate is being requested, who owns it and what purpose it will serve. For the Apple APNS enrollment, the CSR created here is used to provision the Production Push SSL Certificate for APNS that your Zenprise Device Manager server will use, and this document covers only that Production certificate.
A CSR can be created on any computer with a local certificate service or certificate keystore application. This document covers generating a CSR on Apple Mac OS X with the Keychain Access utility, and on Microsoft Windows Vista SP1, Windows 7 and Windows Server 2008 using the Internet Information Services (IIS) Web Management Tools feature.
IMPORTANT: Creating the CSR and later converting the downloaded APNS certificate for use with the Zenprise Device Manager server must be done on the same computer, because the issued certificate is only usable with the private key that was generated alongside the CSR. The two steps cannot be completed on different computers unless that same private key is present on both, which is not recommended.
3.1 CREATING A CSR WITH WINDOWS 7 & SERVER 2008
2. Start the IIS Manager utility from the local computer Administrative Tools menu, commonly located within the Windows Start menu. Double-click the Server Certificates icon for IIS. The utility needs to be started by a user logged in with Administrator rights, or started using Run as Administrator.
3. The Server Certificates features will be available. Choose the option Create Certificate Request… from the right-hand Actions navigation panel.
4. The Request Certificate wizard will open and present the Distinguished Name Properties fields that must be completed for the CSR. Enter in the following for your CSR. Click Next once completed.
Common Name: a simple name identifying your certificate request; the DNS host name of the server or service is commonly used.
Organizational Unit: typically the name of a department or sub-group.
City/Locality: the city where the certificate is being requested/issued.
State/Province: the state or province of the site location.
Country/Region: the country for the issued certificate.
6. A file name must next be specified for your CSR. Identify a location to save your new CSR file and give it a name you will easily recognize then click Finish.
3.2 CREATING A CSR WITH MAC OS X
1. On a Macintosh computer running Mac OS X, start the Keychain Access application located in the Utilities folder inside the Applications folder.
2. Open the Keychain Access menu and choose Preferences. On the Certificates tab, set the OCSP and CRL options to Off. Close the Preferences window. Note that this turns off revocation checking for certificates on that Mac; restore the original settings once the export in Section 5.2 is complete.
3. Open the Keychain Access menu and choose Request a Certificate From a Certificate Authority… from the Certificate Assistant submenu.
5. Enter a name for your certificate signing request (CSR) file and save it to a location where you can easily find it again. Click Save.
6. The next screen specifies the key pair information. Choose the Key Size of 2048 bits and the
4 APPLE APNS CERTIFICATE PROCESS
4.1 APPLE IOS DEVELOPER FOR ENTERPRISE PORTAL
The next major steps all take place within the Apple Developer Portal. To begin acquiring your APNS certificate from Apple you must first complete the enrollment for the Apple iOS Developer for Enterprise program membership. The developer web site has links and videos to guide you through the online application. Once completed, you can log in with the user name and password of your Agent account (the primary account and account-owner role) to access the iOS Provisioning Portal.
4.2 GENERATING AN APP ID AND APNS CERTIFICATES
Once in the iOS Provisioning Portal you can create the App ID that will be assigned to your company for the Zenprise Device Manager server application. You can have multiple App IDs; however, only one App ID, uniquely identified, needs to be created for use with Zenprise Device Manager.
1. Log into the Apple Developer Member Center with the Apple ID assigned to the primary or ‘Agent’ role. When logged in choose the iOS Provisioning Portal link.
3. Next, click the button to create a New App ID.
4. Complete the Description, Bundle Seed ID and Bundle Identifier fields in the Create App ID area of the Manage tab for the App ID and then click the Submit button.
a. Use a simple name or short description that will help you recognize later which App ID is configured for Zenprise Device Manager. This helps when your organization needs multiple App IDs for other purposes.
b. Leave the Bundle Seed ID selection as “Generate New”.
c. Create your Bundle Identifier (App ID Suffix) using the format
5. A new Configure App ID page is presented after submitting. Click the checkbox Enable for Apple Push Notification service. Click the Configure button for the Production Push SSL Certificate to create your new Apple Push Notification Service certificate. You will need your generated CSR (certificate signing request) file available for upload in the next steps.
IMPORTANT: Use only the designated Production Push SSL Certificate, associated with an approved App ID, with an enterprise device management solution like Zenprise Device Manager.
NOTE: The Development Push SSL Certificate for APNS should only be used for testing and development purposes and never installed in a production environment. Switching later to a Production Push SSL Certificate causes irreversible problems: device disassociation, device service interruption and manual re-enrollment of each iOS device with the Zenprise Device Manager server.
NOTE: Development Push SSL Certificates for APNS are limited to the number of devices that can be
6. The Apple Push Notification service SSL Certificate Assistant opened when you clicked Configure in Step 5. Click Continue to proceed to the step where you import your certificate signing request (CSR) file.
8. Click the Generate button once your CSR file is selected and added.
9. The Apple APNS service SSL Certificate is now generated. Click Continue.
11. The Configure App ID window lists the two Push SSL Certificates available for configuration. Locate the Production Push SSL Certificate and click Configure to follow the steps to set up the certificate.
12. The completed Production certificate is now ready for download. Only the Production Push SSL Certificate is needed for the Zenprise Device Manager server.
13. After downloading your Production Push SSL Certificate for APNS, click the Done button.
14. The newly enabled App ID with associated APNS certificate should now appear in your iOS
5 EXPORTING CERTIFICATES
The final step in preparing your Zenprise Device Manager server to use the APNS certificate to enroll, manage and communicate with iOS devices is to export the downloaded Production certificate, together with its private key, into PKCS#12 format. This is the only certificate format that Zenprise Device Manager can import and use. As stated in Section 3, the computer that created the Certificate Signing Request (CSR) must also be the computer used for the export, because only it holds the matching private key. Only the issued Production certificate is needed for the Zenprise Device Manager server. These steps walk through exporting the Production certificate; the same steps would apply to a development certificate.
5.1 EXPORT THE APNS CERTIFICATE: WINDOWS OS
1. Open the Internet Information Services (IIS) Manager administration tool and select the Complete Certificate Request option from the Actions pane.
2. Click the ellipsis button and locate the Production identity certificate previously downloaded from the iOS Provisioning Portal. The default name for the production
3. Select the imported certificate and choose the Export… option via the right-click menu or from the option in the right-hand Actions pane.
5.2 EXPORT THE APNS CERTIFICATE: MAC OS X
1. Locate the Production identity certificate downloaded from the iOS Provisioning Portal. Double-click the certificate file to import it into the Keychain. If prompted to add the certificate to a specific keychain, keep the default ‘login’ keychain selected and click OK.
2. The newly added certificate will appear in your list of certificates. Select the Production Push Services certificate and control-click it, or choose Export Items… from the File menu, to begin exporting the certificate as a PKCS#12, or Personal Information Exchange (.p12), file.
Information Exchange (.p12) file format and click Save.
4. Enter a password for exporting the certificate. Using a unique, strong password is recommended. This password will need to be retained for later use.
6. The saved certificate is now ready for use with Zenprise Device Manager server. Be sure to keep the certificate and password safe for later use and reference.
Note: If you don’t plan to keep and preserve the computer and user account originally used to generate
6 APPENDIX
6.1 USING OPENSSL
Using a command-line utility for certificate signing requests and certificate import and export is fully supported; however, there are many command-line tools, each with its own syntax, so the exact steps vary. Provided here are simple guideline examples for completing the steps covered in Section 3, “The Certificate Signing Request”, and Section 5, “Exporting Certificates”.
The following examples use OpenSSL, an open source command-line utility. OpenSSL, downloadable binaries for the desired operating system, and detailed instruction guides can be found at http://www.openssl.org.
6.1.1 CREATING A CSR WITH OPENSSL
Here is the simple command string, with generic placeholder values, needed to create a new CSR for use in Section 4, “Apple APNS Certificate Process”. Replace the subject values with your own, and keep the resulting apns-cert.key private: it is the key the issued certificate will be bound to.
#!/bin/sh
# Generate a 2048-bit RSA private key, then a CSR for it (subject values are placeholders)
openssl genrsa -out apns-cert.key 2048
openssl req -new -key apns-cert.key -out apns-cert.csr \
  -subj "/emailAddress=admin@MyCompany.COM/CN=ZDM.MyCompany.COM/O=My Company/OU=Department/L=Anytown/ST=State/C=US"
6.1.2 EXPORTING THE CERTIFICATE
Here is the simple command string, with generic values, needed to convert the downloaded Apple APNS Production certificate from the .cer (DER) file format into a .pem file, and then, together with the private key from 6.1.1, into a .p12 file.
#!/bin/sh
# Convert .cer to .pem
openssl x509 -inform der -in aps_production_identity.cer -out apns-cert-production.pem
# Convert .pem to .p12 (apns-cert.key is the private key created in 6.1.1; you will be prompted for the export password)
openssl pkcs12 -export -in apns-cert-production.pem -inkey apns-cert.key -out apns-cert-production.p12
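The commands above produce the files but do not check them. The script below is an added example for this appendix, not Zenprise’s own code; it assumes only the OpenSSL command-line tool and a POSIX shell. It runs the 6.1.1 CSR step and the 6.1.2 export step end to end with the checks that the IMPORTANT note in Section 3 and the export steps in Section 5 call for: that the CSR verifies and carries a 2048-bit key, that the downloaded certificate really matches the private key the CSR came from, that the .p12 opens with the chosen password and contains the private key, and that the certificate is not about to expire. Because an Apple-issued certificate cannot be obtained offline, the script self-signs the CSR to produce a DER .cer of the same shape as aps_production_identity.cer; that certificate is a constructed stand-in and will not work with APNS. The subject values, the scratch directory, the file names and the default password are placeholders.

```shell
#!/bin/sh
# Added example for this guide, not Zenprise's own code. It needs only the
# OpenSSL command-line tool. File names follow Section 6.1; the subject values
# are placeholders, and $WORK is a scratch directory so nothing here touches
# real key material until you point the variables at your own files.
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/apns-cert.key"
CSR="$WORK/apns-cert.csr"
CER="$WORK/aps_production_identity.cer"    # normally Apple's download
PEM="$WORK/apns-cert-production.pem"
P12="$WORK/apns-cert-production.p12"
SUBJ="/emailAddress=admin@MyCompany.COM/CN=ZDM.MyCompany.COM/O=My Company/OU=Department/L=Anytown/ST=State/C=US"

# Section 3 / 6.1.1: 2048-bit RSA key plus the CSR that goes to the portal.
make_csr() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null &&
    openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null
}

# Inspect the CSR before uploading it: its self-signature must verify, and
# the embedded public key must be the 2048-bit size the guide asks for.
# Prints the key size in bits; fails if the CSR does not verify.
csr_key_bits() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$CSR" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p'
}

# Offline stand-in for Apple: self-sign the CSR and write DER, the same
# shape as the .cer the portal returns. This is a CONSTRUCTED certificate
# that APNS will reject; only Apple's signed copy is usable in production.
fake_apple_sign() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 \
        -outform der -out "$CER" 2>/dev/null
}

# Section 6.1.2: .cer (DER) to .pem, falling back to PEM input in case the
# browser already saved the download as PEM.
cer_to_pem() {
    openssl x509 -inform der -in "$CER" -out "$PEM" 2>/dev/null ||
    openssl x509 -inform pem -in "$CER" -out "$PEM"
}

# The check behind the Section 3 IMPORTANT note: the certificate is usable
# only with the private key its CSR was generated from. Compare RSA modulus
# hashes; a mismatch means the CSR was made on another machine or with
# another key, and the export would yield a .p12 the server cannot use.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Section 5: bundle certificate and private key into PKCS#12. The password
# is handed over through the environment (-passout env:) so it does not end
# up in shell history or in another user's `ps` output. An empty password
# is refused: the .p12 carries the private key.
export_p12() {
    [ -n "$1" ] || { echo "refusing to export an unprotected .p12" >&2; return 1; }
    P12_PASS="$1" openssl pkcs12 -export -in "$PEM" -inkey "$KEY" \
        -name "APNS production" -out "$P12" -passout env:P12_PASS 2>/dev/null
}

# Prove the .p12 opens with the password you intend to keep and actually
# carries the private key: prints 1 when it does, 0 when it does not
# (certificate only, or wrong password).
p12_private_keys() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -nodes -passin env:P12_PASS 2>/dev/null |
        grep -c -- '-----BEGIN .*PRIVATE KEY-----'
}

# Apple-issued push certificates have a limited validity; returns 0 if the
# certificate is still good for at least $1 more days.
cert_valid_for_days() {
    openssl x509 -in "$PEM" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

run_pipeline() {
    make_csr && fake_apple_sign && cer_to_pem && export_p12 "$1"
}

PASS="${P12_PASSWORD:-Example-p12-passphrase}"   # placeholder default
if run_pipeline "$PASS"; then
    echo "CSR key size: $(csr_key_bits) bits"
    key_matches_cert "$KEY" "$PEM" && echo "certificate matches $KEY"
    echo "private keys in $P12: $(p12_private_keys "$P12" "$PASS")"
    cert_valid_for_days 30 && echo "certificate valid for at least 30 days"
fi
```

To use it on a real download, point KEY and CER at the key from 6.1.1 and the file from the portal, set P12_PASSWORD, and drop fake_apple_sign from run_pipeline. A failing key_matches_cert is exactly the symptom the Section 3 note warns about: the CSR and the download belong to different keys, and the only remedy is a new CSR generated on the computer that will perform the export.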