Part 1 – Obtaining a push certificate
Update 2-16-2016: Unfortunately “part 2” never materialized. We eventually switched to Meraki for our MDM needs (internal software worked fine, but I no longer had time to do programming at the job and we had to get an out of the box solution). However I have uploaded all the code to github. If somebody wants to fork it and put in some decent documentation on it I would be happy to switch out my github link for your repository. Just let me know. https://github.com/cabal95/managedmacadmin
There is a lot of piecemeal information out on the Internet on how to run your own MDM server for iOS and Mac devices. Most of the information is accurate and helpful but none of it is all-inclusive. While I may not manage to give all-inclusive information and will certainly not get perfect step-by-step steps, I hope that it will be accurate enough to help get you going. I will be assuming that you have knowledge of command line, git, development tools, openssl and a few other things.
This is going to be a multi-part series of (slowly posted) articles. In part one I am going to cover the steps I undertook to get the MDM push certificate required to run the MDM server. At the end of this article you should be able to put your push certificate into a test server and successfully push “wake up” notifications to your devices and watch them query the MDM server.
Another point to make is that I do not intend to breach any NDA with these articles. If I accidentally post anything I shouldn’t have then I will be pulling the content immediately upon request by Apple. I do hope to publish the source code for the MDM server on github once enough is working to do something with it. Because MDM has been available for a few years and I still have not seen any open-source MDM server projects, I will probably contact Apple in the near future to verify I will not be breaking NDA by posting the code we will be running.
Finally, like many of my other projects, this may never actually go anywhere. Some of the other work I have done recently with munki, sal, django and other projects have shown me that it really shouldn’t take very long to develop a simple MDM server. My goal with this server is basically a MunkiWebAdmin type reporting for iOS devices and (and Mac) and, hopefully, basic managed preferences like MCX. At worse, the church is out $299 for one years worth of Enterprise program and I have spent a number of hours at home learning new technologies.
- Create a iOS Developer Enterprise account
- Cost is $299/year.
- You need to create a new Apple ID for this, you cannot use the same one you use with your existing iOS, Mac or Safari developer logins.
- Your organization needs a D-U-N-S number.
- This took about 2 days to finish and a few phone calls, one to me and one to my boss (to verify that I indeed worked for the church). In my call they asked what we planned to do with the Enterprise account. I was up front in my plans to run an in-house MDM server for asset tracking and that we didn’t want to use a third party or Profile Manager. The representative I talked to was perfectly satisfied with that answer.
- Contact Apple Developer Support and request your account be flagged for MDM Vendor use.
- After your Enterprise account is active and you can login to the developer portal you need to contact support and request that you become an MDM Vendor. You can call them but I used the contact form. I simply told them in as few words as possible that we wanted to run our own minimal MDM server for improved asset tracking. Within a few hours they responded and we were all set.
- Create a MDM Vendor CSR
- Fire up Keychain Access and Request a Certificate From a Certificate Authority.
- User Email Address: Enter same e-mail address used for Apple ID.
- Common Name: <company name> MDM (e.g. Acme Inc. MDM)
- Request is Saved to Disk.
- Upload the CSR to Apple via the iOS Certificate Manager
- Add a new certificate and select MDM CSR under the Production category.
- Click through the one or two screens and then attach the CSR to the form.
- When it finishes you should have a success message.
- Download the Apple signed certificate and load into Keychain Access
- Inside Keychain Access under your Certificates you should have a new item called MDM Vendor: Acme Inc.
- If you expand the certificate you should see your Acme Inc. MDM private key.
- Now we need to create our push certificate CSR
- We now need a CSR for the actual push certificate.
- Fire up Keychain Access again and run Request a Certificate From a Certificate Authority.
- User Email Address: Enter the contact e-mail, this may be your own e-mail rather than the ADC Apple ID.
- Common Name: <company name> Push (e.g. Acme Inc. Push)
- Request is Saved to Disk (call it push.csr for our purposes).
- Export your Acme Inc. MDM private key and MDM Vendor certificate.
- Export the private key as a .p12 file, this will include both certificate and key. Call it private.p12.
- Extract private key: openssl pkcs12 -in private.p12 -nocerts -out key.pem
- Extract certificate: openssl pkcs12 -in private.p12 -clcerts -nokeys -out cert.pem
- Convert certificate to DES form: openssl x509 -in cert.pem -inform PEM -out mdm.cer -outform DES
- Strip password from private key: openssl rsa -in key.pem -out private.key
- These will be used in the next step to generate the special CSR for Apple to sign.
- Grab the mdmvendorsign tools from github
- Run the following command from inside the cloned directory.
- python mdm_vendor_sign.py –key private.key –csr push.csr –mdm mdm.cer –out applepush.csr
- If all works, you should see no errors and a message telling you to go upload the file.
- If something went wrong, do some research my friend!
- Generate Push certificate from Apple
- Follow instructions, upload file to https://identity.apple.com/pushcert
- Download resulting push certificate, again assuming all went well.
- Import Certificate into Keychain Access (it will be called something like APSP:xxxxxx)
- Prepare certificate for pushing
- Double click certificate to get the push topic to be used, it will be the Subject User ID, something like com.apple.mgmt.External.<guid>.
- Export certificate as a p12 file, let’s call it mdm.p12
- Next we need to convert it into a format that can be used with APNSWrapper.
- openssl pkcs12 -in mdm.12 -out pushcert.pem -nodes
- You can now use pushcert.pem with APNSWrapper, or any other method you wish to push notifications with, with your MDM server.
- Testing your certificate requires that you run some kind of MDM test server. The link above is one such test server. This is not the one I used as I had already written my own, though it was far less featured. Mine was a few lines of django code which let me see the data sent by the client when it registered. I could then take the two device identifiers and use them to manually (via APNSWrapper) push a “wakeup” command to the device and watch it query the server.
- The link above also has some information on this process as well.
- IMPORTANT: Clean up after yourself! This process leaves your certificates and, more importantly, private keys all over your hard drive. Make sure you don’t leave anything laying around that somebody could use to pretend to be you. The final article should include a more stream-lined process that also cleans up along the way. Right now that is extra credit for you.