apple apns certificate setup guide - citrix :: login

Rev 6.10.00 Zenprise Device Manager 6.1 APPLE APNS CERTIFICATE SETUP GUIDE


Post on 12-Sep-2021


© 2011 Zenprise, Inc. – All rights reserved.

This manual, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. The content of this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Zenprise, Incorporated. Zenprise Incorporated assumes no responsibility or liability for any errors or inaccuracies that may appear in this book.

Except as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without prior written permission of Zenprise, Incorporated.

Any references to company names, organizations, persons, or places are for demonstrations purposes only and are not intended to refer to any actual company, organization, person or place.

REVISION NUMBER: 6.10.00

Contents

1 Introduction
   1.1 Related Documentation
   1.2 Document Conventions
2 Apple APNS for Device Manager
   2.1 Overview
   2.2 What is an Apple APNS Certificate?
   2.3 Basic APNS Certificate Steps
3 The Certificate Signing Request
   3.1 Creating a CSR with Windows 7 & Server 2008
   3.2 Creating a CSR with Mac OS X
4 Apple APNS Certificate Process
   4.1 Apple iOS Developer for Enterprise Portal
   4.2 Generating an App ID and APNS Certificates
5 Exporting Certificates
   5.1 Export the APNS Certificate: Windows OS
   5.2 Export the APNS Certificate: Mac OS X
6 Appendix
   6.1 Using OpenSSL

1 INTRODUCTION

This document describes the setup and creation of an APNS certificate from the Apple iOS Developer for Enterprise program for use with the Zenprise Device Manager system from Zenprise, Inc. It discusses the basics of the Apple APNS (Push Notification System) and how it relates to Device Manager. The content herein is intended for system administrators responsible for the implementation, configuration and upkeep of enterprise-class systems for managing mobile devices and their users. The document is organized as follows:

Chapter 1, Introduction, provides the scope and purpose of the document.

Chapter 2, Apple APNS for Device Manager, provides a general description of the process to enrol in the Apple iOS Developer for Enterprise program and the required steps to obtain a valid APNS certificate.

Chapter 3, The Certificate Signing Request, steps through the instructions for creating a new CSR file from either a Mac OS X or Windows based computer.

Chapter 4, Apple APNS Certificate Process, steps through the instructions for using the Apple iOS Developer for Enterprise portal to generate and download a valid APNS certificate associated with an App ID.

Chapter 5, Exporting Certificates, discusses the remaining steps to export the APNS certificate from a Mac OS X or Windows based computer into the proper format for use with Zenprise Device Manager server.

The Appendix discusses briefly the option to use OpenSSL as an alternative to the certificate process described for Mac OS X and Windows based computers in this document.

1.1 RELATED DOCUMENTATION

Other documents available in regard to Zenprise Device Manager include the following:

Device Manager Quick Start Guide – summarizes the steps required to establish a basic functional configuration of the Device Manager server, create basic device Configuration Policies and device Deployment Packages, establish a Remote Support Client session, and work with devices.

Device Manager Installation Guide – provides the procedures to install and/or upgrade the Device Manager server product.

Device Manager System Administration Guide – provides details about configuring the application and essential steps required to register devices, users, policies, files, and deployment packages. Device Manager’s integrated reporting subsystem is also discussed.

Device Manager Client Guide – describes installation and use of the device client for Windows Mobile, Android and iOS devices.

Device Manager F5 High Availability Guide – provides the procedures to set up the Device Manager server product in high availability mode with an F5 network load balancer appliance.

Device Manager Mobile Application Gateway Setup Guide – describes the setup and use of the Mobile Application Gateway to control ActiveSync mobile device traffic, as well as application Whitelist/Blacklist filtering, and specific device & user filtering options available when integrated with a Microsoft ISA 2006 or TMG 2010 server firewall.

Device Manager Remote Support User’s Guide – discusses using Device Manager’s remote control features to work with devices on behalf of users in the field.

1.2 DOCUMENT CONVENTIONS

The following conventions are used throughout the document:

Notes and Warnings

Notes and other information topics are emphasized as follows:

Note: you can also use CTRL-Q to quit.

Warnings convey limits, negative impacts or other important information as follows:

Note: Do not close the window before the process ends.

Application Elements

Window names, field labels, and other elements – are italicized.

Code Samples

Scripts, program source code, configuration files and the like are handled in this fashion:

AddObjectProperty – attributeMap {element: value, element, value}

User Entry

Things you type, select or click – including user names, passwords, responses, buttons and commands – are shown in bold.


2 APPLE APNS FOR DEVICE MANAGER

2.1 OVERVIEW

Before you can set up Zenprise Device Manager and manage iOS devices you will need an Apple Push Notification Service (APNS) certificate. This document explains the details needed to acquire an APNS certificate from your Apple Developer portal and gives instructions for uploading your APNS certificate to the Zenprise Device Manager management console.

2.2 WHAT IS AN APPLE APNS CERTIFICATE?

The Apple Push Notification Service (APNS for short) is a mobile notification service created by Apple, Inc. APNS uses push technology through an accredited and encrypted IP connection to forward notifications over persistent connections from application servers like Zenprise Device Manager to iOS devices like the iPhone, iPad, and iPod Touch. Many iOS applications present dynamic content delivered over the Internet. Push notifications (also known as remote notifications) are a way to let users know that new or updated content they're interested in is available even if the target application is not running. APNS notifications can include application data updates, triggered alert sounds or custom text alerts to the iOS device.

An APNS certificate is a provisioned security certificate provided through the Apple Developer portal as part of the benefits of the Apple iOS Developer Enterprise Program, available on the Apple web site at: (http://developer.apple.com/programs/ios/enterprise). The certificate is requested by an authorized participant of the enrolled developer program and is available for download on the developer customer portal site once approved by the Apple Developer Program.

Each organization needs to request and generate one APNS certificate for each individual application that requires use of the APN service. Zenprise Device Manager requires one unique certificate to be assigned to the application and host server prior to installation, and during installation the certificate will be imported to complete the configuration and connection to the APN services at Apple. Zenprise cannot provide or issue an APNS certificate to your organization. Only Apple, Inc. can provision APNS certificates to enrolled Apple iOS Developer Enterprise Program participants.


2.3 BASIC APNS CERTIFICATE STEPS

There are a few steps to complete in order to obtain your APNS certificate from Apple, Inc. using a computer running the Apple Mac OS X or Microsoft® Windows operating system. Requesting and generating an APNS certificate needs to be executed from only one computer. The process is similar for each computer platform, with the exception of the tools and exact steps each OS uses to originate and complete the certificate request and certificate export. The essential steps for obtaining your APNS certificate are as follows:

1. Create a Certificate Signing Request (CSR) from a computer that can be used for the duration of the APNS certificate generation process.

2. Upload the CSR to your Apple Development portal (Apple will sign your certificate in 3-5 business days).

3. Download the signed certificate from your Apple Development portal and complete the initial CSR request.

4. Export the APNS certificate from your computer into the supported PKCS#12 (.p12) format and upload to Zenprise Device Manager during installation.

Before you begin, please ensure you have the following prerequisites completed:

Enroll in the Apple iOS Developer Enterprise Program located at: (http://developer.apple.com/programs/ios/enterprise). There is an annual enrollment fee per organization, and the enrollment also requires specific registration information like your organization’s DUNS (Dun & Bradstreet) number and the ability to provide legal contract authority to bind your organization to the iOS Developer Program Enterprise License Agreement. Allow 3-5 business days to activate your new developer program membership, and the same lead-time for issuing your APNS certificate once the CSR is received by Apple, Inc.

Assign the Apple Developer account role that will be issuing the certificate approvals the rights as Agent. The Agent role is the only role that can create and approve the APNS enrolled App ID and issue the APNS certificate. Note that there can only be one Agent role account per enrolled developer program.

Mac OS X 10.5 or greater workstation* or Windows Vista SP1, Windows 7, and Windows Server 2008 with local Administrator permissions to create the CSR and issue an exported PKCS#12 (.p12 or .pfx) format certificate for use with Zenprise Device Manager.

* To develop with iOS SDK you must have an Intel-based Mac running Mac OS X 10.5 Snow Leopard or later. Windows Vista SP1, Windows 7 or Windows Server 2008 is required when using the IIS Certificate Wizard in the steps we provide. Use the same computer for the entire certificate generation process.

Safari 4, Firefox 3.2 or greater, and Internet Explorer 7 or greater are supported and recommended for best results.

Designate a fully qualified DNS (FQDN) name for your Zenprise Device Manager server that will be resolvable both from the public Internet and your organization's internal network. (It is recommended to use a DNS aliased CNAME or dedicated A-Record pointer to your server instead of the computer host name.)


3 THE CERTIFICATE SIGNING REQUEST

The first component needed to start the APNS certificate enrollment, after your Apple iOS Developer for Enterprise Portal is working, is a Certificate Signing Request, or CSR. A CSR is a file generated from a computer’s local certificate or security keystore application that contains the properties a Certificate Authority (CA) needs to understand what kind of certificate is being requested, and under what ownership and for what purpose the requested certificate is to be applied and registered with the CA. With respect to the Apple APNS certificate enrollment, the CSR created in this process will be used for the provisioning of a Production Push SSL Certificate for APNS that can be used with your Zenprise Device Manager server. This documented procedure focuses on the Production Push SSL Certificate and its installation with the Zenprise Device Manager server.

A CSR can be created from any computer with a local certificate service or certificate keystore application. This document will cover the methods of generating a CSR from Apple Mac OS X with the Keychain Access utility, and from the Microsoft Windows Vista SP1, Windows 7 and Windows Server 2008 operating systems using the Feature Add-in for Internet Information Services (IIS) Web Management Tools.

IMPORTANT: The process for creating the CSR file and later converting the downloaded APNS certificate for use with Zenprise Device Manager server requires the use of the same computer with the same private key to complete the process. The CSR and exported APNS certificate steps cannot be completed on two different computers unless the same local CA private key is used, and doing so is not recommended.

3.1 CREATING A CSR WITH WINDOWS 7 & SERVER 2008

1. Turn on the Windows Feature for Internet Information Services (IIS) to enable only the Web Management Tools. This can be found by navigating to the Programs and Features control panel.

2. Start the IIS Manager utility from the local computer Administrative Tools menu, commonly located within the Windows Start menu. Double-click the Server Certificates icon for IIS. The utility needs to be started by a user logged in with Administrator rights, or started using Run as Administrator.

3. The Server Certificates features will be available. Choose the option to Create Certificate Request… from the right-hand Actions navigation panel.

4. The Request Certificate wizard will open and present the Distinguished Name Properties fields that must be completed for the CSR. Enter the following for your CSR. Click Next once completed.

Common Name: This is a simple name to identify your certificate request; often the hosted DNS name for the server or service is used.

Organization: This will typically be the name of the company or management organization.

Organizational Unit: This will typically be the name of a department or sub-group.

City/Locality: The local city where the certificate is being requested/issued.

State/Province: The regional abbreviation for the site location.

Country/Region: The presiding nation for the issued certificate.

5. Next you must specify the correct Cryptographic Service Provider Properties. For the Apple APNS certificate process the Microsoft RSA SChannel Cryptographic Provider type and 2048-bit length certificate properties must be selected.

6. A file name must next be specified for your CSR. Identify a location to save your new CSR file and give it a name you will easily recognize, then click Finish.

7. The generated and saved CSR file is now ready for upload when stepping through the next part of the Apple APNS certificate request process in Section 4.


3.2 CREATING A CSR WITH MAC OS X

1. On a Macintosh computer running Mac OS X, start the Keychain Access application located under the Utilities folder inside the Applications folder.

2. Open the Keychain Access menu and choose Preferences. Change the options for OCSP and CRL on the Certificates tab to Off. Close the Preferences window.

3. Open the Keychain Access menu and choose Request a Certificate From a Certificate Authority… from the Certificate Assistant extended menu.

4. The Certificate Assistant will now ask you to enter information to start your CSR. Enter your desired Email Address and Common Name, choose the Saved to disk option and check the box to Let me specify key pair information. The email address and common name can be that of the individual or a role account responsible for the management of certificates. Click Continue to proceed.

5. Enter a name for your certificate signing request (CSR) file and save it to a location from which you can easily retrieve the certificate request file. Click Save.

6. The next screen specifies the key pair information. Choose the Key Size of 2048 bits and the RSA algorithm. Click Continue.

7. The generated and saved CSR file is now ready for upload when stepping through the next part of the Apple APNS certificate request process in Section 4. Click Done when the assistant completes the CSR process.


4 APPLE APNS CERTIFICATE PROCESS

4.1 APPLE IOS DEVELOPER FOR ENTERPRISE PORTAL

The next major steps all deal with activity within the Apple Developer Portal. To begin the process of acquiring your APNS certificate from Apple you must first complete the enrolment for the Apple iOS Developer for Enterprise program membership. The developer web site has links and videos to guide you through instructions for how to complete the online application. Once completed you can log in with your Agent (primary first account and account owner role) account user name and password to gain access to the iOS provisioning portal.

4.2 GENERATING AN APP ID AND APNS CERTIFICATES

Once in the iOS Provisioning Portal you can begin the steps to navigate and create your App ID that will be assigned to your company for the Zenprise Device Manager server application. You can have multiple App IDs; however, you only need one App ID to be created and identified uniquely for use with Zenprise Device Manager.

It should be noted that the APNS certificate required for an enterprise mobile device manager solution like Zenprise Device Manager must be provisioned from an enrolled and approved iOS Developer for Enterprise account. The Individual and Company class iOS Developer programs are not acceptable, nor is using any non-production or developer classified certificates. Only iOS Developer for Enterprise class certificates will be accepted for use with Zenprise Device Manager server.

1. Log into the Apple Developer Member Center with the Apple ID assigned to the primary or ‘Agent’ role. When logged in choose the iOS Provisioning Portal link.

2. On the main Provisioning Portal page choose the App IDs option in the left-hand navigation.

3. Next, click the button to create a New App ID.

4. Complete the Description, Bundle Seed ID and Bundle Identifier fields in the Create App ID area of the Manage tab for the App ID and then click the Submit button.

a. Use a simple name or short description that will help you later recognize your App ID configured for Zenprise Device Manager. This helps when your organization might have the need for multiple App IDs deployed for other purposes.

b. Leave the selection for the Bundle Seed ID as “Generate New”.

c. Create your Bundle Identifier (App ID Suffix) using the format “com.apple.mgmt.MyCompany.ZDMname”. Replace the portion “MyCompany” with your company name or domain name without spaces. The ending suffix “ZDMname” should be a short suffix word without spaces to identify your production Device Manager Server to the App ID.

5. A new Configure App ID page is presented after submitting. Click the checkbox to Enable for Apple Push Notification service. Click the Configure button for the Production Push SSL Certificate to create your new Apple Push Notification Service certificate. You will need to have your generated CSR (certificate signing request) file available for uploading in the next steps.

IMPORTANT: Use only the designated Production Push SSL Certificate associated for an approved App ID with an enterprise device management solution like Zenprise Device Manager.

NOTE: The Development Push SSL Certificate for APNS should only be used for testing and development purposes and never installed in a production environment. Irreversible issues such as device disassociation, device service interruption and manual re-enrollment of the iOS device to Zenprise Device Manager server will occur if later switching to a Production Push SSL Certificate.

NOTE: Development Push SSL Certificates for APNS are limited in the number of devices that can be enrolled for testing, the age of the valid certificate is limited to 3 months, and Apple routes all APNS traffic for development devices through a separate gateway. The Development Push SSL Certificate for APNS should only be used for testing and development purposes and not used with a Production environment.

6. The Apple Push Notification service SSL Certificate Assistant is started when you clicked Configure in Step 4. Click Continue again to proceed to the step to import your certificate signing request (CSR) file.

7. Click the Choose File button and locate your CSR file previously saved on your computer.

8. Click the Generate button once your CSR file is selected and added.

9. The Apple APNS service SSL Certificate is now generated. Click Continue.

10. The Provisioning Portal should now reveal your App ID and the two Development and Production Apple Push Notification services available for configuration. Click the Configure link next to the App ID to continue.

11. The Configure App ID window contains the two Push SSL Certificates available for configuration. Locate the Production Push SSL Certificate and click Configure to follow the steps to set up the certificate.

When you complete the setup for the Production certificates you will see the status change to Enabled, and an expiration date and Download button associated with the provisioned APNS certificate. Finish configuring both APNS certificate services and then click Done.

12. The completed certificate for Production is now ready for download. You only need to use the Production Push SSL Certificate with Zenprise Device Manager server.

13. After downloading your Production Push SSL Certificate for APNS click the Done button.

14. The newly enabled App ID with associated APNS certificate should now appear in your iOS Provisioning Portal. You can return to this location to re-download your certificates. Continue to Section 5.


5 EXPORTING CERTIFICATES

The final step in preparation to enable your Zenprise Device Manager server to use the APNS certificate to enroll, manage and communicate with iOS devices is to export the downloaded Production certificate into PKCS#12 format. This format is the only compatible certificate type that can be imported and used by an MDM solution like Zenprise Device Manager. As stated in Section 2, the computer that created the Certificate Signing Request (CSR) should be the same computer used during the certificate conversion process. Only the issued Production Certificate is needed for Zenprise Device Manager server. These steps will guide you through exporting the Production certificate, although the same steps would be used for development certificates.

5.1 EXPORT THE APNS CERTIFICATE: WINDOWS OS

1. Open the Internet Information Services (IIS) Manager administration tool and select the Complete Certificate Request option from the Actions pane.

2. Click the ellipsis button and locate the saved Production identity certificate previously downloaded from the iOS Provisioning Portal. The default name for the production certificate is aps_production_identity.cer. Enter a friendly name that can easily identify the certificate in your Server Certificates management console. Click OK to continue.

3. Select the imported certificate and choose the Export… option via the right-click menu or from the option in the right-hand Actions pane.

4. Enter the path to export the .pfx (PKCS#12 format) certificate file along with a certificate password. Using a unique, strong password is recommended. This password will need to be retained for later use. Click OK to finish. The saved certificate is now ready for use with Zenprise Device Manager server. Be sure to keep the certificate and password safe for later use and reference.


5.2 EXPORT THE APNS CERTIFICATE: MAC OS X

1. Locate the Production identity certificate downloaded from the iOS Provisioning Portal. Double-click each certificate file to import it into the Keychain. If prompted to add certificates to a specific keychain, simply keep the default ‘login’ keychain selected and click OK.

2. The newly added certificate will appear in your list of certificates. Select the Production Push Services certificate and control-click or choose Export Items… from the File menu to begin the step to export the certificate into a PKCS#12, or Personal Information Format (.p12) certificate.

3. Name the certificate file being exported as something unique for use with Zenprise Device Manager server. Choose a folder location for the saved certificate, choose the Personal Information Exchange (.p12) file format and click Save.

4. Enter a password for exporting the certificate. Using a unique, strong password is recommended. This password will need to be retained for later use.

5. The Keychain Access application will prompt for the password to the “login” or selected keychain. Enter the password and click OK.

6. The saved certificate is now ready for use with Zenprise Device Manager server. Be sure to keep the certificate and password safe for later use and reference.

Note: If you don’t plan to keep and preserve the computer and user account originally used to generate the CSR and complete the certificate export process, it is recommended that you save and/or export the Personal and Public Keys originally associated from the local system. Otherwise access to the APNS certificates for reuse will be voided and the entire CSR and APNS process will have to be repeated.


6 APPENDIX

6.1 USING OPENSSL

The use of a command line utility for certificate signing requests and certificate importing and exporting is completely supported; however, there are many available command line tools that use different syntax, which will vary the steps to complete the process. Provided here are simple guideline examples for how to complete the steps previously covered in Section 3, “Creating a CSR” and Section 5, “Exporting Certificates”. The following examples use OpenSSL as the open source command line utility. OpenSSL, the downloadable binaries for the desired operating system, and detailed instruction guides can be found at: http://www.openssl.org.

6.1.1 CREATING A CSR WITH OPENSSL

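Here is the simple command string with generic variables needed to create a new CSR for use in Section 4, “Apple APNS Certificate Process”.

    #!/bin/sh
    # Generate a 2048-bit RSA private key, then a CSR signed with it.
    # Replace the e-mail address and the other generic subject values with
    # your own; fields in -subj are separated by "/" and the state is "ST".
    openssl genrsa -out apns-cert.key 2048
    openssl req -new -key apns-cert.key -out apns-cert.csr \
      -subj "/emailAddress=[email protected]/CN=ZDM.MyCompany.COM/O=My Company/OU=Department/L=Anytown/ST=State/C=US"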

6.1.2 EXPORTING THE CERTIFICATE

Here is the simple command string with generic variables needed to export the downloaded Apple APNS Production certificate from a .cer file format into a .pem file format, and finally into a .p12 file format.

    #!/bin/sh
    # Convert .cer (DER) to .pem
    openssl x509 -inform der -in aps_production_identity.cer -out apns-cert-production.pem
    # Convert .pem to .p12, bundling the private key that was used for the CSR.
    # Passw0rd! is a generic value; use a unique, strong password.
    openssl pkcs12 -export -out apns-cert-production.p12 -inkey apns-cert.key \
      -in apns-cert-production.pem -passout 'pass:Passw0rd!'
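
The appendix commands combined with the same-private-key requirement from Section 3, as an added example that is not part of the Zenprise guide: it checks that the CSR carries a 2048-bit RSA key, confirms the downloaded certificate belongs to the local private key before building the .p12, and reads the export password from an environment variable instead of a literal on the command line. The function names, the P12_PASS variable and the self-signed certificate standing in for the one Apple issues are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Zenprise guide). File names follow the appendix;
# function names and the P12_PASS variable are assumptions of this example.

# Succeeds only if the CSR carries a 2048-bit RSA key, as the guide requires.
csr_is_rsa2048() {   # $1 = CSR (PEM)
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    case $text in
        *rsaEncryption*'Public-Key: (2048 bit)'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only if the certificate's public key is the one derived from the
# private key, i.e. the certificate was issued for a CSR made with this key.
key_matches_cert() {   # $1 = private key (PEM), $2 = certificate (PEM)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Convert the downloaded DER certificate to PEM, refuse to continue on a key
# mismatch, write the PKCS#12 bundle readable by the owner only, then re-open
# it to confirm the password and integrity check.
# The export password is read from the exported variable P12_PASS.
build_p12() {   # $1 = key, $2 = DER .cer from the portal, $3 = output .p12
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
    pem="${3%.p12}.pem"
    openssl x509 -inform der -in "$2" -out "$pem" || return 1
    if ! key_matches_cert "$1" "$pem"; then
        echo "key and certificate do not match (or could not be read)" >&2
        return 3
    fi
    (umask 077 && openssl pkcs12 -export -out "$3" -inkey "$1" -in "$pem" \
        -passout env:P12_PASS) || return 1
    openssl pkcs12 -in "$3" -passin env:P12_PASS -noout 2>/dev/null
}

# Constructed inputs for a dry run: a key and CSR as in the appendix, a
# self-signed DER certificate standing in for the one Apple issues, and an
# unrelated key that models a CSR generated on a different computer.
make_demo_inputs() {   # $1 = empty working directory
    openssl genrsa -out "$1/apns-cert.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/apns-cert.key" -out "$1/apns-cert.csr" \
        -subj "/CN=ZDM.MyCompany.COM/O=My Company/C=US" &&
    openssl x509 -req -in "$1/apns-cert.csr" -signkey "$1/apns-cert.key" \
        -days 1 -outform der -out "$1/aps_production_identity.cer" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) || exit 1
    make_demo_inputs "$dir" || exit 1
    P12_PASS='constructed-demo-passphrase'; export P12_PASS
    csr_is_rsa2048 "$dir/apns-cert.csr" && echo "CSR: RSA 2048-bit"
    build_p12 "$dir/apns-cert.key" "$dir/aps_production_identity.cer" \
        "$dir/apns-cert-production.p12" && echo "p12 built and verified"
    build_p12 "$dir/other.key" "$dir/aps_production_identity.cer" \
        "$dir/wrong.p12" || echo "unrelated key rejected"
    rm -rf "$dir"
fi
```

Run the script with the argument demo for a dry run on the constructed inputs.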