Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

Symantec Mobile Device Management 7.1 Proof of Concept - Part III: Obtaining and Installing an Apple APNS Certificate For a Mobile Management 7.1 Proof of Concept

Created: 19 Oct 2011 • Updated: 21 Oct 2011 | 1 comment
Language Translations
InsentraCameronM's picture
+4 4 Votes
Login to vote

Warning

THIS WALKTHROUGH is PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE WALKTHROUGH IS WITH YOU. SHOULD THE WALKTHROUGH PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Generating an APNS Certificate Request (Symantec Mobile Management 7.1 User Guide, 2011, p. 38)

Note: In addition to hardware requirements and software requirements, you must meet the following requirements before you can set up and install a Mobile Device Management certificate:

  • Be a member of the iOS Developer Enterprise Program. You can sign up for membership of the OS Developer Enterprise Program at the following URL: http://developer.apple.com/programs/ios/enterprise/
  • Have a Mobile Device Management agreement. You must contact Apple directly to acquire the agreement. The agreement allows your iOS Developer Enterprise Program membership to send MDM commands through the Apple Push notification service.

 

  1. Open IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS) Manager
  2. When IIS Manger opens click on servername
  3. In the center pane, double click on Server Certificates
  4. In the right hand pane click on Create Certificate Request…
  5. On the Distinguished Name Properties page fill in the following information and click Next:
    1. Common Name: servername.domain.com
    2. Organization: CompanyName
    3. Organizational Unit: DepartmentName
    4. City/locality: CityName
    5. State/province: StateName
    6. Country/region: CountryName
  6. On the Cryptographic Service Provider Properties, in the Cryptographic service provider drop-down menu, select Microsoft RSA SChannel Cryptographic Provider, and page change the Bit Length to 2048 and click Next
  7. On the File Name page specify the file name for the certificate request (ie. AppleCertRequest.txt) and click Finish

Setting Up an App ID and Download an APN Certificate (Symantec Mobile Management 7.1 User Guide, 2011, pp. 38 - 39)

  1. Open your web browser (not Internet Explorer) and browse to https://developer.apple.com/ios/manage/bundles/howto.action
  2. Enter your credentials:
    1. Apple ID: AppleID
    2. Password: password
    3. Click on Sign In
  3. On the iOS Provisioning Portal page click on App IDs.
  4. Click on the New App ID button on the top right hand side of the page.
    1. Description: Type a description
    2. Bundle Identifier (App ID Suffix): com.apple.mgmt.XXX, where XXX is a string added by you, ie your company name. Note: com.apple.mgmt is mandatory.
    3. Click Submit.
  5. Click on the Manage Tab.
  6. At the bottom right hand side of the page, under Action, click on Configure.
  7. On the Configure App ID page place a check beside Enable for Apple Push Notification Service.
  8. Beside Production Push SSL Certificate click on Configure.
  9. On the Generate a Certificate Signing Request page click Continue.
  10. On the Submit Certificate Signing Request page browse to your APNS certificate request (.ie AppleCertRequest.txt) and then click Generate.
  11. On the Generating your Apple Push Notification service SSL Certificate page, click Continue.
  12. On the Download & Install Your Apple Push Notification service SSL Certificate page, click Download.
  13. Click Done.

Completing the Certificate Request  (Symantec Mobile Management 7.1 User Guide, 2011, p. 40)

  1. On the Start menu, click Control Panel.
  2. On the All Control Panel Items page, click Administrative Tools.
  3. On the Administrative Tools page, click Internet Information Services(IIS) Manager.
  4. On the Internet Information Services (IIS) Manager page, in the left pane, click the server, and then in the center pane, double-click Server Certificates.
  5. In the right pane, click Complete Certificate Request.
  6. In the Specify Certificate Authority Response dialog box, navigate to the Apple Push Notification service SSL certificate you have created and downloaded, under Friendly name, specify a name, ie. APNS Certificate.
  7. Click OK.
  8. Open Microsoft Management Console
    1. Click Start > Run
    2. Type in mmc and click OK
  9. When the MMC opens click on File > Add/Remove Snap-in…
  10. On the left hand column choose Certificates, click on Add.
  11. When Certificates snap-in opens choose Computer account and then click on Next.
  12. When Select Computer opens accept the defaults and click on Finish.
  13. Click OK.
  14. Right click on the newly imported APNS Certificate and choose All Tasks > Manage Private Keys.
  15. When the Security page opens click on the Add… button.
  16. Type Network Service and click Check Names.
  17. When the Security page is shown again click on Network Service, uncheck Full Control and click OK.

Exporting the MDM Certificate and Installing it on Multiple MDM Servers (Symantec Mobile Management 7.1 User Guide, 2011, p. 41)

Note: This step is only necessary if you have more than one MDM server. If so, you need to perform this step and then install the certificate on each MDM server.

  1. Select the Server Certificate with the friendly name that you specified in step 6 of the previous section.
  2. In the right pane, click Export.
  3. In the Export Certificate dialog box, specify a filename and location for where to export the MDM Certificate, ie MDM Certificate.pfx. Then specify a password to secure the MDM Certificate.
  4. Click OK.
  5. Open Microsoft Management Console
    1. Click Start > Run
    2. Type in mmc and click OK
  6. When the MMC opens click on File > Add/Remove Snap-in…
  7. On the left hand column choose Certificates, click on Add.
  8. When Certificates snap-in opens choose Computer account and then click on Next.
  9. When Select Computer opens accept the defaults and click on Finish.
  10. Click OK.
  11. Browse to Console Root > Certificates > Personal > Certificates.
  12. In the middle pane, right click on the white space and choose All Tasks > Import…
  13. On the Welcome to the Certificate Import Wizard page click on Next.
  14. On the File to Import page click Browse and browse to the location of the MDM Certificate.

Note: When you get to the folder that contains the MDM Certificate you will have to choose Personal Information Exchange (*.pfx, *.p12) for the file type to see the certificate.

  1. Click on the APNS file and click Open.
  2. On the File to Import page click on Next.
  3. On the Password page type the password used to export the certificate and then click Next.
  4. On the Certificate Store page accept the defaults and click Next.
  5. On the Completing the Certificate Import Wizard page click Finish.
  6. When the Certificate Import Wizard success notification pops up click on OK.
  7. Right click on the newly imported MDM Certificate and choose All Tasks > Manage Private Keys.
  8. When the Security page opens click on the Add… button.
  9. Type Network Service and click Check Names.
  10. When the Security page is shown again click on Network Service, uncheck Full Control and click OK.

 

Part I: Installing and Configuring Windows Server 2008 R2 Enterprise For a Mobile Management 7.1 Proof of Concept

Part II: Installing Mobile Management 7.1 For a Mobile Management 7.1 Proof of Concept

Part III: Obtaining and Installing an Apple APNS Certificate For a Mobile Management 7.1 Proof of Concept

Part IV: Installing and Configuring SCEP For a Mobile Management 7.1 Proof of Concept

Part V: Configuring Mobile Management 7.1 For a Mobile Management 7.1 Proof of Concept

Comments 1 CommentJump to latest comment

InsentraCameronM's picture

There is a new APNS process for obtaining an APNS certificate.

To request Symantec certificate signing:
Generate a certificate signing request (CSR)  on your MMS server or a Windows 2003/2008 server.

1. To generate a certificate request

1 Select Start > Control Panel > Administrative Tools.

2 Select Internet Information Services (IIS) Manager.

3 Select the server, and then double-click Server Certificates.

4 On the Actions menu, click Create Certificate Request.

Enter the following information:

Common Name – Use the FQDN of your MMS server

Organization - The name of your organization.

Organizational unit - The name of the group or department within your organization

City/locality - The city or locality where your organization is located.

State/province - The state or province where your organization is located.

Country/region - The country or region where your organization is located.

5  Click Next.

6 In the CryptographicServiceProviderProperties window, select Microsoft

RSA SChannel Cryptographic Provider for the Cryptographic service

provider. Select 2048 for the Bit length.

7 Click Next. In the File Name window, type a file path and name or click the

ellipsis button to browse.

8 Click Finish to generate and save the certificate request. It will be saved as a.txt file.

Send the certificate request to your partner and they will obtain an APNS certificate for you.

Once you have the signed CSR from Symantec, use Safari or Chrome, (Firefox may also work) as your web-browser, do not use Internet Explorer.

  1. Visit https://identity.apple.com/pushcert/ and sign in with a verified Apple ID.
  2. Click "Create a Certificate” and agree to the Terms of Use.
  3. Navigate to your signed CSR and click Upload. After a moment, your certificate will be available for download.
  4. Download the certificate which will be a .pem file.
  5. Copy this .pem file to the server where the CSR was created.
  6. In IIS Manager, select the server and double-click on Server Certificates, under Actions (on the right) choose Complete Certificate.
  7. When prompted, enter the path to the new .pem file. NOTE: You might need to select *.* to see your .pem file in your chosen path.
  8. Enter a friendly name for the certificate and press OK.
  9. The new certificate will now be available with a private key.
  10. Select the certificate and under Actions, choose Export.
  11. Enter a path/file name to store the MDM certificate (key-pair) with a password.
  12. The exported file will have a file-type of .pfx. PLEASE SAVE it in a safe place. It will need to be installed on every MMS server.
  13. If you are already on the MMS server, you can run mmc at the console to verify that the MDM certificate is also found under Certificates(Local Computer) under Personal in the key-store.
  14. If not, copy the .pfx file to each MMS server.
  15. On each MMS Server, install the certificate:
  16. Run mmc from the start->Run menu.
  17. select Add/Remove snap-ins from the menu. Select Certificates for Computer Account , select Local Computer and press OK.
  18. Double-click on  Certificates (Local Computer), select Personal.
  19. Right click and select Import. Follow instructions to choose the .pfx file and install it.

Cameron Mottus

0
Login to vote