12 Replies Latest reply: Oct 2, 2013 10:54 PM by amangautam
KocharTech Level 1 (10 points)

I'm trying to setup an MDM server. Here's what I've done till now.

  1. Configured a Windows 2008 server with an SSL certificate from a CA, i.e. the server can be accessed as https://abc.com
  2. Hosted a .Net webservice that listens to PUT.
  3. Generated an MDM certificate from the iOS Developer portal.
  4. Generated a Push certificate from Apple. The topic is something like com.apple.mgmt.External.035e7xxxxx
  5. Added the server certificate to the Credentials payload of iPCU. This was done by
    • Exporting the server side SSL as a .pfx file
    • Adding this file to the Windows Certificate store
    • Selecting this certificate in the credentials payload.


I've hosted this profile on the server. When I download it on the device, I'm presented with Profile Installation on the device. When I install this profile, I end up with an error saying "The profile MDM could not be installed". On looking at the device logs, I found


<Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
    Desc   : A transaction with the server at “https://abc.com” has failed with the status “400”

I suspect something is wrong with how I'm selecting the certificate in the Credentials payload (Step 5).

Also when the Profile Installation screen is presented, I get "Not Verified" just below the profile name.

Need help with the configuration.

  • 1. Re: Problem with MDM Setup
    iStayWinning Level 1 (10 points)

    You need to configure your web server to accept HTTP PUT and respond with a HTTP 200 OK header.

  • 2. Re: Problem with MDM Setup
    KocharTech Level 1 (10 points)

    If you look at the details I've provided, I already have a PUT enabled webservice that's working fine (tested it with some applications).

    The error I get while installing the MDM profile on the device is "Cannot Authenticate. Error: NSError:....." and "HTTP status 400".

    I suspect I'm messing up something in the Credentials payload of the iPCU.

  • 3. Re: Problem with MDM Setup
    iStayWinning Level 1 (10 points)

    Make sure you push the entire certificate chain to the device (root, intermediate, etc) and also push a cert signed by the chain to use for authentication.

  • 4. Re: Problem with MDM Setup
    KocharTech Level 1 (10 points)

    I started the process all over again. Here's a detailed description

    1. Generate a CSR from Keychain. After this I can see a Public Private key pair.
    2. Use this CSR to generate an MDM certificate from Provisioning portal. When I double click this certificate, I get it in the keychain.
    3. Export this certificate. Keychain>>Login>>My Certificates>>Expand the certificate>>Export the private key as vendor.p12
    4. Generate pList for Push certificate. Source: Softhinker
      • openssl x509 -inform der -in mdm_identity.cer -out mdm.pem
      • openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
      • openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
      • openssl genrsa -des3 -out customerPrivateKey.pem 2048
      • openssl req -new -key customerPrivateKey.pem -out customer.csr
      • openssl req -inform pem -outform der -in customer.csr -out customer.der
      • Run the Java code to generate plist_encoded
      • Use this file to generate Push certificate. Note: this certificate says: "This certificate was signed by an unknown authority"
    5. Install all certificates generated in Windows Server. Added all certificates in the Credentials payload.

    I get the same error. Can you tell me which certificate I need to select in the Identity section of the MDM payload? Also check the steps to see if I've done something wrong.

    Note: I'm not using SCEP.

  • 5. Re: Problem with MDM Setup
    iStayWinning Level 1 (10 points)

    You have the MDM certificate, which is used to communicate with APNS.

    The identity certificate needs to be an authentication certificate for the device itself, issued by the root chain of the webserver.

  • 6. Re: Problem with MDM Setup
    KocharTech Level 1 (10 points)

    I understand your point. Can you help me understand how to issue an authentication certificate for the device by the root chain of the web server? I'm using Windows server 2008 (IIS 7)

    Also, I noticed that the Push certificate generated says "This certificate was signed by an unknown authority". There's also no private key associated with it.

  • 7. Re: Problem with MDM Setup
    jafuller Level 1 (0 points)

    Use your 3rd Party SSL certificate to sign the configuration profiles.  As long as the chain can be validated by the device that is enrolling (typically over the internet so you must have a trusted SSL issued by a known party), then the profiles that are downloaded would be trusted.

    Self signed machine SSL doesn't work so well.  If you have an internal CA, the devices connecting to the machine will need that chain.

  • 8. Re: Problem with MDM Setup
    KocharTech Level 1 (10 points)

    For the "unknown authority" issue I installed Apple's Application Integration certificate. I'm now able to execute the MDM commands.

  • 9. Re: Problem with MDM Setup
    Thoths Level 1 (0 points)

    @KocharTech,

    I am trying to install an MDM server on Windows 2008 server. I am stuck at creating the push certificate on the Apple cert site.

    We are the vendor as well as the customer. We have the enterprise license as well. The following are the steps I tried.

    • Generate a CSR from Keychain. I have used a Mac to create this. Is it required that I will have to do this from Windows server?
    • Use this CSR to generate an MDM certificate from Provisioning portal. When I double click this certificate, I get it in the keychain.
    • Export this certificate. Keychain>>Login>>My Certificates>>Expand the certificate>>Export the private key as vendor.p12
    • Generate pList for Push certificate. Source: Softhinker
    • After I upload the plist_encoded file to the Apple site, I get a file with the following error mentioned.

    {"ErrorCode":-80018,"ErrorMessage":"Certificate Signature Verification failed","ErrorDescription":"Certificate Signature Verification failed because the <a href=\"http://www.apple.com/business/mdm\" target=\"_blank\">signature<\/a> is invalid."}

    Any idea what's going on? There isn't much help for this error. I double checked my encoding and plist XML format and everything seems to be okay.

  • 10. Re: Problem with MDM Setup
    Thoths Level 1 (0 points)

    The certificate signature issue is fixed. Using the wrong mdm certificate was the cause.

  • 11. Re: Problem with MDM Setup
    eyal83 Level 1 (0 points)

    Hi,

    Using KocharTech's certificate my push cert is now valid but it doesn't have a private key.

    Suggestions?

  • 12. Re: Problem with MDM Setup
    amangautam Level 1 (0 points)

    Hi,

    I am getting error

    Certificate Signature Verification failed because the signature is invalid.

    on https://identity.apple.com/pushcert/

    The following are the steps I tried.

    • Generate a CSR from Keychain. I have used a Mac to create this. Is it required that I will have to do this from Windows server?
    • Use this CSR to generate an MDM certificate from Provisioning portal. When I double click this certificate, I get it in the keychain.
    • Export this certificate. Keychain>>Login>>My Certificates>>Expand the certificate>>Export the private key as vendor.p12
    • Generate pList for Push certificate. Source: Softhinker

    If I try to upload this file on https://identity.apple.com/pushcert/ it gives me above error.

    Any help will be appreciated.
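
For the push-certificate steps in reply 4 and the "Certificate Signature Verification failed" error in replies 9 and 12, here is an added POSIX shell script (not Softhinker's Java code and not from anyone in this thread) that assembles plist_encoded with openssl and then verifies the CSR signature against the vendor certificate locally, before anything is uploaded. It assumes the file names used above plus a vendor.key extracted from vendor.p12, uses the plist keys of Apple's vendor CSR format (PushCertCertificateChain, PushCertRequestCSR, PushCertSignature), and its make_stand_in_inputs helper only generates throwaway keys so the script can run offline.

```shell
#!/bin/sh
# Added example: build plist_encoded for https://identity.apple.com/pushcert/
# and check its signature locally. Expects, in the current directory, the
# files from the thread (mdm.pem, intermediate.pem, root.pem, customer.der)
# and the vendor private key, extracted once from the Keychain export with:
#   openssl pkcs12 -in vendor.p12 -nocerts -nodes -out vendor.key
set -eu

# Sign the DER CSR with the *vendor* key (SHA-1 RSA), wrap CSR, chain and
# signature in the plist, then base64 the whole plist.
# Usage: build_plist_encoded vendor.key plist_encoded
build_plist_encoded() {
  openssl sha1 -sign "$1" -out sig.bin customer.der
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
    printf '<key>PushCertCertificateChain</key><string>'
    cat mdm.pem intermediate.pem root.pem
    printf '</string>\n<key>PushCertRequestCSR</key><string>'
    openssl base64 -A -in customer.der
    printf '</string>\n<key>PushCertSignature</key><string>'
    openssl base64 -A -in sig.bin
    printf '</string>\n</dict></plist>\n'
  } > plist.xml
  openssl base64 -A -in plist.xml -out "$2"
}

# Verify sig.bin with the public key of the first certificate in the chain,
# which is what the portal checks. A failure here reproduces "Certificate
# Signature Verification failed" before upload: the signing key is not mdm.pem's.
verify_push_signature() {
  openssl x509 -in mdm.pem -pubkey -noout > mdm.pub
  openssl dgst -sha1 -verify mdm.pub -signature sig.bin customer.der > /dev/null
}

# Constructed stand-in inputs (NOT real Apple-issued certificates) so the
# script can be exercised offline; in real use these files come from the steps above.
make_stand_in_inputs() {
  openssl genrsa -out vendor.key 2048 2> /dev/null
  openssl req -x509 -new -key vendor.key -subj /CN=vendor-stand-in -days 1 -out mdm.pem
  cp mdm.pem intermediate.pem
  cp mdm.pem root.pem
  openssl genrsa -out customerPrivateKey.pem 2048 2> /dev/null
  openssl req -new -key customerPrivateKey.pem -subj /CN=customer -outform der -out customer.der
  openssl genrsa -out wrong.key 2048 2> /dev/null   # a key that does not belong to mdm.pem
}

# Typical run: make_stand_in_inputs; build_plist_encoded vendor.key plist_encoded; verify_push_signature
```

If verify_push_signature fails on your real files, the key you signed with is not the one behind mdm.pem, which is the wrong-identity mismatch reply 10 describes.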