
Problem with MDM Setup

I'm trying to set up an MDM server. Here's what I've done till now.

  1. Configured a Windows 2008 server with an SSL certificate from a CA, i.e. the server can be accessed as https://abc.com
  2. Hosted a .Net webservice that listens to PUT.
  3. Generated an MDM certificate from the iOS Developer portal.
  4. Generated a Push certificate from Apple. The topic is something like com.apple.mgmt.External.035e7xxxxx
  5. Added the server certificate to the Credentials payload of iPCU. This was done by
    • Exporting the server side SSL as a .pfx file
    • Adding this file to the Windows Certificate store
    • Selecting this certificate in the credentials payload.


I've hosted this profile on the server. When I download it on the device, I'm presented with Profile Installation on the device. When I install this profile, I end up with an error saying "The profile MDM could not be installed". On looking at the device logs, I found


<Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc : A transaction with the server at “https://abc.com” has failed with the status “400”



I suspect something is wrong in selecting the certificate in the Credentials payload (Step 5).

Also when the Profile Installation screen is presented, I get "Not Verified" just below the profile name.


Need help with the configuration.

Posted on Sep 2, 2012 11:41 PM

12 replies

Sep 3, 2012 10:35 AM in response to iStayWinning

If you look at the details I've provided, I already have a PUT enabled webservice that's working fine (tested it with some applications).

The error I get while installing the MDM profile on the device is "Cannot Authenticate. Error: NSError:....." and "HTTP status “400”"



I suspect I'm messing up something in the Credentials payload of the iPCU.

Sep 3, 2012 11:36 PM in response to iStayWinning

I started the process all over again. Here's a detailed description


  1. Generate a CSR from Keychain. After this I can see a Public Private key pair.
  2. Use this CSR to generate an MDM certificate from Provisioning portal. When I double click this certificate, I get it in the keychain.
  3. Export this certificate. Keychain>>Login>>My Certificates>>Expand the certificate>>Export the private key as vendor.p12
  4. Generate pList for Push certificate. Source: Softhinker
    • openssl x509 -inform der -in mdm_identity.cer -out mdm.pem
    • openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
    • openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
    • openssl genrsa -des3 -out customerPrivateKey.pem 2048
    • openssl req -new -key customerPrivateKey.pem -out customer.csr
    • openssl req -inform pem -outform der -in customer.csr -out customer.der
    • Run the Java code to generate plist_encoded
    • Use this file to generate Push certificate. Note: this certificate says: "This certificate was signed by an unknown authority"
  5. Install all certificates generated in Windows Server. Added all certificates in the Credentials payload.





I get the same error. Can you tell me which certificate I need to select in the Identity section of the MDM payload? Also check the steps to see if I've done something wrong.


Note: I'm not using SCEP.

Sep 4, 2012 10:07 AM in response to iStayWinning

I understand your point. Can you help me understand how to issue an authentication certificate for the device by the root chain of the web server? I'm using Windows server 2008 (IIS 7)


Also, I noticed that the Push certificate generated says "This certificate was signed by an unknown authority". There's also no private key associated with it.

Oct 1, 2012 1:44 PM in response to KocharTech

Use your 3rd Party SSL certificate to sign the configuration profiles. As long as the chain can be validated by the device that is enrolling (typically over the internet so you must have a trusted SSL issued by a known party), then the profiles that are downloaded would be trusted.


Self signed machine SSL doesn't work so well. If you have an internal CA, the devices connecting to the machine will need that chain.

Mar 7, 2013 7:26 AM in response to KocharTech

@KocharTech,


I am trying to install an MDM server on Windows 2008 server. I am stuck at creating the push certification from the Apple cert site.


We are the vendor as well as the customer. We have the enterprise license as well. The following are the steps I tried.


  • Generate a CSR from Keychain. I have used a Mac to create this. Is it required that I will have to do this from Windows server?
  • Use this CSR to generate an MDM certificate from Provisioning portal. When I double click this certificate, I get it in the keychain.
  • Export this certificate. Keychain>>Login>>My Certificates>>Expand the certificate>>Export the private key as vendor.p12
  • Generate pList for Push certificate. Source: Softhinker
  • After I upload the plist_encoded file to the apple site, I get a file with the following error mentioned.

{"ErrorCode":-80018,"ErrorMessage":"Certificate Signature Verification failed","ErrorDescription":"Certificate Signature Verification failed because the <a href=\"http://www.apple.com/business/mdm\" target=\"_blank\">signature<\/a> is invalid."}


Any idea what's going on? There isn't much help for this error. I double checked my encoding and plist xml format and everything seems to be okay.

Oct 2, 2013 10:54 PM in response to KocharTech

Hi,

I am getting the error

Certificate Signature Verification failed because the signature is invalid.

on https://identity.apple.com/pushcert/


The following are the steps I tried.


  • Generate a CSR from Keychain. I have used a Mac to create this. Is it required that I will have to do this from Windows server?
  • Use this CSR to generate an MDM certificate from Provisioning portal. When I double click this certificate, I get it in the keychain.
  • Export this certificate. Keychain>>Login>>My Certificates>>Expand the certificate>>Export the private key as vendor.p12
  • Generate pList for Push certificate. Source: Softhinker


If I try to upload this file on https://identity.apple.com/pushcert/ it gives me the above error.

Any help will be appreciated ....
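
A local pre-upload check for the "Certificate Signature Verification failed" error reported in the two posts above, as an added example that is not part of the thread or of the Softhinker code. It assumes the plist step signs customer.der with the private key belonging to the MDM vendor certificate (mdm.pem), that this key has been extracted from vendor.p12 into PEM, and that sha256 is the digest; the function names and the demo material are constructed.

```shell
#!/usr/bin/env bash
# Added example: local pre-upload check for the push-certificate request.
# Assumption: the plist step signs customer.der with the private key of the
# MDM vendor certificate (mdm.pem); the digest (default sha256) is an assumption.

key_matches_cert() {          # KEY.pem CERT.pem: same public key in both?
  local d rc; d=$(mktemp -d) || return 2
  openssl pkey -in "$1" -pubout > "$d/key.pub" 2>/dev/null &&
    openssl x509 -in "$2" -noout -pubkey > "$d/cert.pub" 2>/dev/null &&
    cmp -s "$d/key.pub" "$d/cert.pub"
  rc=$?; rm -rf "$d"; return $rc
}

csr_signature_ok() {          # KEY.pem CERT.pem CSR.der [DIGEST]
  local md=${4:-sha256} d rc; d=$(mktemp -d) || return 2
  # Sign the DER CSR with the key, then verify with the certificate's public key.
  openssl x509 -in "$2" -noout -pubkey > "$d/pub.pem" 2>/dev/null &&
    openssl dgst "-$md" -sign "$1" -out "$d/sig" "$3" 2>/dev/null &&
    openssl dgst "-$md" -verify "$d/pub.pem" -signature "$d/sig" "$3" >/dev/null 2>&1
  rc=$?; rm -rf "$d"; return $rc
}

precheck() {                  # prints a verdict; returns 0 only for "ok"
  openssl req -inform der -in "$3" -noout 2>/dev/null || { echo csr-not-der; return 1; }
  key_matches_cert "$1" "$2" || { echo key-does-not-match-cert; return 1; }
  csr_signature_ok "$@" || { echo signature-does-not-verify; return 1; }
  echo ok
}

make_demo() {                 # constructed stand-ins, not Apple-issued material
  openssl genrsa -out "$1/vendor.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/vendor.key" -subj "/CN=Constructed Vendor" \
    -days 1 -out "$1/mdm.pem" 2>/dev/null
  openssl genrsa -out "$1/customer.key" 2048 2>/dev/null
  openssl req -new -key "$1/customer.key" -subj "/CN=Constructed Customer" \
    -outform der -out "$1/customer.der" 2>/dev/null
  printf 'not a CSR\n' > "$1/notes.txt"
}

demo=$(mktemp -d)
make_demo "$demo"
echo "vendor key:   $(precheck "$demo/vendor.key"   "$demo/mdm.pem" "$demo/customer.der")"
echo "customer key: $(precheck "$demo/customer.key" "$demo/mdm.pem" "$demo/customer.der")"
echo "bad CSR file: $(precheck "$demo/vendor.key"   "$demo/mdm.pem" "$demo/notes.txt")"
rm -rf "$demo"
```

With real files, run `precheck` on the extracted vendor key, mdm.pem and customer.der before building the plist; any verdict other than `ok` points at the input to fix first.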
