toddatkuapay

Q: Code Signing Certificate Renewal for Profile Manager

Currently we have around 800 iPods/iPhones around the globe that were all enrolled into our Profile Manager in the past year. In one month our Code Signing Certificate will expire on ALL of those devices. I have updated the certificate on our Profile Manager server and installed that into the Profile Manager.

How do I update all of the devices in the field with the new certificate?  It is not possible for every one of those devices to be re-enrolled.  These are systems that we give to our customers to use for a specific purpose and they have no clue how to do anything with the MDM or the profile manager.  Apple - this wasn't well thought out...

OS X Mountain Lion (10.8.2)

Posted on Sep 20, 2013 9:41 AM


  • by MrHoffman,

    MrHoffman Sep 20, 2013 11:46 AM in response to toddatkuapay
    Level 6 (15,637 points)
    Mac OS X

    After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.

    Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already.

    Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap. (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)

    If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors that are also compatible with the OS X Server and iOS provisioning mechanisms.

    {FWIW, this is a user forum and the folks from Apple may or may not see your report. If you have access to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

  • by toddatkuapay,

    toddatkuapay Sep 20, 2013 11:49 AM in response to MrHoffman
    Level 1 (0 points)

    Yes, I know that that's the prescribed solution... But for 700+ devices in the field it's ridiculous... I also know that this is a user forum. I am trying to gauge other users' experiences... Thanks for your reply.

  • by toddatkuapay,

    toddatkuapay Sep 24, 2013 1:59 PM in response to toddatkuapay
    Level 1 (0 points)

    I'm guessing Apple's MDM service isn't used that much in a corporate environment?

  • by Patrick Fist,

    Patrick Fist Nov 19, 2013 2:48 PM in response to toddatkuapay
    Level 1 (50 points)

    Hello Everybody,

    The code signing certificate is valid for one year if you use the default code signing certificate issued by the local OD.

    To sign/encrypt your profiles is important until you have secret information in your profiles like a shared secret in a VPN configuration profile. When the profile is validly signed at the time of loading into a client, this is enough.

    The configurations won't be lost or dropped by the client.

    Apple expects that you put your clients into client groups and that you change profile settings from time to time. In this case it would be enough to renew the certificate 2 months before expiring and change any profile information on a group basis ... and the clients will be deployed with a new, freshly signed profile.

    If one year is not enough for your needs, feel free to issue a certificate with longer validity from a 3rd party vendor.

    I hope my story helped you, understanding the crazy ideas of an Apple developer (sure it was an intern when developing the profile service).