Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

iOS Profile Security: How to Sign and Encrypt iOS configuration profiles

Created: 12 Jul 2012 | 2 comments
Language Translations
Mina Gerges's picture
+12 12 Votes
Login to vote

Creating 1 certificate for signing, 1 certificate for Encryption using Microsoft CA :

NB. Assuming that the environment has a Microsoft CA server .

  • Please Note the files names & extensions while performing the below steps, mixing the files up might cause the implementation to fail.

Introduction

Signing Certificates ensure the integrity of configuration profiles by preventing tampering. They are created from a Root Certificate through a certificate authority.

Two Signing Certificates must be generated, one for iOS devices and one for any machine running Athena Services.

  • Signing Certificate with Private and Public Keys- placed on any machine running Athena Services, allowing machines to sign configuration profiles before they are sent to iOS devices.
  • Signing Certificate with Public Key- placed on all iOS devices, allowing devices to recognize and accept configuration profiles signed using the Signing Certificate with Private and Public Keys.
     

Encryption Certificates ensure that information inside of configuration profiles cannot be read by a third-party, and must be used in conjunction with Signing Certificates. Encryption Certificates are created from a Root Certificate through a certificate authority. Two Encryption Certificates must be generated, one for iOS devices and one for any machine running Athena Services.

  • Encryption Certificate with Private and Public Keys- placed on all iOS devices, allowing devices to decrypt and install configuration profiles encrypted using the Encryption Certificate with Public Key.
  • Encryption Certificate with Public Key- placed on any machine running Athena Services, allowing machines to encrypt configuration profiles before they are sent to iOS devices.

 

Creating Certificates.

Create Signing certificate

  • From IIS console, click on the server name, on the right pane, double-click "Server Certificate"
  • On the most right pane, click "Create Domain Certificate"
  • Enter the common name like "Signing crt" and fill the rest of required fields
  • Click Next, then select the CA and enter a friendly name for the certificate then finish

Create Encryption certificate

  • From IIS, click on the server name, on the right pane, double-click "Server Certificate"
  • On the most right pane, click "Create Domain Certificate"
  • Enter the common name like "Encryption crt" and fill the rest of required fields
  • Click Next, then select the CA and enter a friendly name for the certificate then finish

 

Extracting Certificates:

Extracting CA certificate

  • Open MMC certificates console 
    Run > type “mmc”, OK
    File-> Add/Remove Snap-in…
    Double click “certificates”, choose “computer account”, Next>
    Select “Local computer”, Finish, OK
  • Under "Personal", "Certificates" Double click on one of  the created certificates, go to “Certificate Path” tab, double-click the CA certificate, open “Details tab” .
  • Click “Copy to File”, “Certificate Export Wizard” will open, click NEXT
  • Choose “DER encoded binary x.509”, NEXT
  •  Browse to the location where you want to save your certificates, give a name to the file (CA.crt), SAVE, NEXT then FINISH.

Extracting Signing certificate to be placed on iOS devices

  • Open MMC certificates console
  • Under "Personal", "Certificates" Double click on the created certificate for signing, open “Details tab” .
  • Click “Copy to File”, “Certificate Export Wizard” will open, click NEXT
  • When prompted to “Export Private Key” choose (No, do not export the private key)
  • Choose “DER encoded binary x.509”, NEXT
  • Browse to the location where you want to save your certificates, give a name to the file (Sign.crt), SAVE, NEXT then FINISH.

Extracting Signing certificate to be placed on MDM servers

  • Open MMC certificates console
  • Under "Personal", "Certificates" Double click on the created certificate for signing, open “Details tab” .
  • Click “Copy to File”, “Certificate Export Wizard” will open, click NEXT
  • When prompted to “Export Private Key” choose (Yes, export the private key), NEXT
  • In the “File Format” accept default (all option not ticked), NEXT
  • Enter a strong password to protect your key, NEXT
  • Browse to the location where you want to save your certificates, give a name to the file (Sign.pfx), SAVE, NEXT then FINISH.

Extracting Encryption certificate to be placed on iOS devices

  • Open MMC certificates console
  • Under "Personal", "Certificates" Double click on the created certificate for encryption, open “Details tab” .
  • Perform rest of steps as “Extracting Signing certificate to be placed on MDM servers ”, give a name to the file (encrypt.pfx)

Extracting Encryption certificate to be placed on MDM server

  • Open MMC certificates console
  • Under "Personal", "Certificates" Double click on the created certificate for encryption, open “Details tab” .
  • Perform rest of steps as “Extracting Signing certificate to be placed on iOS devices”, give a name to the file (encrypt.crt)

Importing Signing and encryption certificates on all MDM servers

  • Open MMC certificates console
  • Under "Personal", "Certificates" ,  right click > All tasks > Import
  • Browse to import the following 2 Certificates (encrypt.crt & Sign.pfx) NB. You need to enter the password set previously for “sign.pfx”

Configuring Mobile Management Solution

  • Open MMC certificates console
  • Under "Personal", "Certificates" Double click the created signing certificate, go to details tab, scroll down to the thumbprint, copy the Thumbprint.
  • Under "Personal", "Certificates" Double click the created encryption certificate, go to details tab, scroll down to the thumbprint, copy the Thumbprint.

Adding the certificated to payloads.

  • Open Symantec console  Home-> Mobile management-> Device Management-> Configuration Editor, click on "Credentials", on the right pane click the STAR,  select Certificate, and choose the certificates exported earlier  (CA.crt). Type a description. then save.
  • Perform the same for (encrypt.pfx & sign.crt) NB. For (encrypt.pfx) use the same password set during the export.

 

Mobile management user guide 7.2  P.54

1. In the Symantec Management Console, click Home > Mobile Management.

2. In the left pane, expand Settings and click Mobile Management Server settings.

3. In the Mobile Management Server Settings pane, click Profile Security.

4. Enter one or more of any of the following settings:

   ■ Profile Signing CertThumbprint - The thumbprint of the certificate that is used for signing the Mobile Management server personal store.

      Configuring Mobile Management

      Configuring profile security settings

   ■ Profile Encryption Cert Thumbprint - The thumbprint of the certificate that is used for encryption on the Mobile Management server personal store.

   ■ Device Decryption Cert Config - The credential payload that contains a certificate that is placed on devices for decryption.

   ■ Device Signing Validation Cert Config - The credential payload that contains a certificate that is placed on devices to validate signing.

   ■ Device Signing/Encryption Root Cert Config - The credential payload that contains a root certificate that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.

5. Click Save changes.

Now Signing and Encryption is configured, next step is:

  • Open the “Mobile Configuration Policies”, from Symantec console, Manage > Policies > Mobile Configuration Policies.
  • Tick (Sign configuration profile to device ) and (Encrypt configuration profile to device )

A following article will explain how to perform the same using “OpenSSL” in case of absence of Microsoft CA server.

Comments 2 CommentsJump to latest comment

carman1203's picture

the ssl device plus index pdcd never allowed it how can it work without window 8

 

0
Login to vote
GTDendo's picture

Hi

 

Is this also possible to do with Managed PKI?

Is there any documentation how to do this?

 

Kr

Endre

0
Login to vote