A year ago we received an MDM certificate, issued an MDM push certificate and started using it.
The MDM push certificate expires on September 15th.
We have generated a new MDM push certificate in advance.
When trying to send an MDM push using a new MDM push certificate, we get an error: TopicDisallowed.
In the new MDM push certificate, the User ID has changed (com.apple.mgmt.External....), which is used in the MDM user profile (Topic).
If we use a new User ID, then we will have to rewrite it in the MDM user profile, and all MDM users will have to reinstall the MDM profile.
Can you please tell me if it is possible to generate a new MDM push certificate with the old User ID so that all MDM users do not have to reinstall the MDM profile?
If this is not possible, then what is the command to send users with the old User ID in the profile a new profile with a new User ID?
Thank you.
Related
I came with error after creating the certificate ,
This app package’s publisher certificate could not be verified. Contact your system administrator or the app developer to obtain a new app package with verified certificates. The root certificate and all immediate certificates of the signature in the app package must be verified (0x800B010A)
I am trying to implement APNS for my App. I created APP id and was able to generate an SSL certificate for my App (the type is shown to be APNs development IOS). However, when I try to generate a provisioning profile, following the screen where I choose the AppID of my app, I do not see the SSL certificate I generate for this app. In the certificates list, I only see certificates of type 'IOS development' that were created previously.
The APNs certificate that you created is used by what the documentation refers to as the "APNs Provider" -- In the simplest case, this is your own server that is responsible for keeping track of APNs device tokens and generating APNs Push Payloads that instruct the APNs what message, sound, or badge to deliver to a specific device token. Just as the arrangement of executable code and other assets in your app is secured by a cryptographic signature (via your iPhone Development or iPhone Distribution certificate and associated provisioning profile), communications between your server and the Apple APNs gateway must also be secured to prevent a rogue 3rd party from masquerading as your server and sending spammy push messages to your users. This APNs SSL certificate is used to secure and authenticate your server's connection to the APNs, authorizing it to deliver push payloads to your app on user's devices -- Keep those certificates secure! If anyone gains access to the private key of the SSL certificate then they could send spammy pushes to your app!
Your APNs Provider will need access to the private key for this SSL certificate. Without it, Apple's APNs gateways will reject any and all attempts to connect. Your provider, does not need to have your provisioning profiles -- this APNs certificate is entirely separate than the mechanisms used to code sign an iOS app, that is, the server only needs the server certificate, while the app needs the code signing certificate + provisioning profile. These two items do not intersect and do not exchange data with each other.
It is true that your provisioning profiles (Development, Ad-Hoc Distribution, and App Store Distribution) will need to be reissued, but that is specifically to add the aps-environment entitlement to each of these profiles allowing apps signed with these profiles to connect with the APNs environments. To be absolutely clear, reissuing these profiles does not and should not add your APNs SSL certificate anywhere in the profile...your application code doesn't need to leverage this certificate in any way and would lead to a slight increase in your application's size.
You can check if your current provisioning profiles include the aps-environment entitlement by opening Terminal, copy and pasting the following, taking care to update the path to your specific .mobileprovision:
/usr/libexec/PlistBuddy -c 'Print :Entitlements' /dev/stdin <<< $(security cms -D -i /path/to/your/application.mobileprovision)
This command does two things:
Uses the security tool in OS X to extract the plist content from the .mobileprovision file identified after the -i argument and passes all of this content into...
PlistBuddy printing the entire contents of the Entitlements key to screen.
The output for a basic Development profile that has not been enabled for Push Notifications will resemble the following:
Dict {
get-task-allow = true
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
While the output for a basic Ad-Hoc or App Store Distribution that has not been enabled for Push Notifications will resemble:
Dict {
get-task-allow = false
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
Now that you have the APNs certificates issued for your app's AppId, you do need to step through and reissue your Development, Ad-Hoc, and Distribution provisioning profiles to add the aps-environment entitlement to each of your profiles.
Navigate to Certificates, Identifiers, and Profiles tool and find one of the profiles associated with this application.
Click the Edit button and walk through each step of the wizard -- you don't have to make any changes to the previously defined settings, you simply need the current profile reissued!
Click the Download button at the end of the wizard.
Drag and drop the updated profile on the Xcode icon on your Dock to install.
If you run that same set of Terminal commands again on these new files (remember to update the path to the new .mobileprovision if necessary!) you'll now see that aps-environment key appear in your App's entitlements:
Dict {
get-task-allow = true
aps-environment = development
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
There are two values for this new key:
aps-environment = development -- This will appear only on Development Provisioning Profiles and allows apps signed using iPhone Developer certificates and may only connect with the Sandbox APNs Environment
aps-environment = production -- This will appear only on Distribution Provisioning Profiles (Ad-Hoc or App Store), allowing apps signed using iPhone Distribution certificates to connect with the Production APNs Environment
Depending on which certificate you use to sign a build determines which APNs gateway your app will connect to and fetch a Push token as well as which gateway your app will receive push messages from. One of the most common errors developers make with respect to push notifications is mismatching how the app is signed with how their server is connecting to Apple's APNs gateways:
Apps signed with Development certificates can only successfully negotiate APNs and receive Push Messages when the Provider is also connecting with the Development APNs SSL certificate to the Sandbox APNs gateway and using a sandbox device token in the payloads it generates.
Apps signed with Distribution certificates can only successfully negotiate APNs and receive Push Messages when the Provider is also connecting with the Production APNs SSL certificate to the Production APNs gateway and using a production device token in the payloads it generates.
Give it a shot and let us know how things go!
I was able to develop a mdm solution.
I started facing problem when I moved my agent from Developer account's provisioning profile to Enterprise account's in-house distribution profile.
Now I am totally confused which certificate is used where?
Please guide me his is the certificate used in the below places:
Certificate in credentials section of enrollment profile (is it having BI as com.apple.mgmt._ ? or can be any like com.abc.mdm ? or it's the one received by customer)
Certificate .pem file used to wake up device?
Thanks
You need to use your iOS Enterprise developer account use the Agent account's credentials.
Follow this page http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning and then verify few things as remove the passphrase from customerPrivateKey.pem using this command
openssl rsa -in customerPrivateKey.pem -out PlainKey.pem
Verify the .pem certificate downloaded from https://identity.apple.com/pushcert/
You can install this .pem in you Mac's Keychain and then see the Get Info and the certificate should have com.apple.mgmt.External.b503419d-1e2a-a60f-7451-5b8832b5a9cb, which you can use as push topic while generating enroll mobileconfig .
Then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command
cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem
Now the PlainCert.pem you can use as APNS/MDM certificate.
Please see this for Identity.p12 and respective password, which you have to use in Credential section.
1) it HAS to be com.apple.mgmt._ however this does not come from the provisioning portal - all you can set up here is your vendor certificate. See here
2) the certificate is used to make the connection to the APNS service, but you should get this from the the Apple Push Certificates Portal
I am trying to create certificates that will allow me to send push notifications on my device and I am total lost. I have used certificates for BETA and distribution but adding push notification is pain.
When I do create certificates for BETA testing, I do the following steps.
From keychain, Request a certificate from a certificate authority.
In Apple Provisioning Portal under Certificates, create a certificate uploading file keychain file.
Assume APP ID is created perfectly and devices are ready.
In Apple Provisioning Portal under Provisioning, I create a new profile and download mobile provisioning file to add to the XCode organizer.
That above steps works and I can BETA test. Now in order to enable push notification, I have setup server which is tested with push notification and is 100% working. When I configure for push notification, I need to upload keychain file. Is that the same file I uploaded under Certificates? There is a file in return which I double click and it gets added to the keychain, am I doing it right?
If I understand your question correctly, the answer is no, it should not be the same file. I'll explain the entire process in detail and hopefully that will clarify the situation (and what you need to do next).
When you enable push notifications, you need to do four things:
Create a private/public key pair.
Create a certificate signing request (CSR), signed with your private key.
Submit the CSR to Apple and download a signed certificate.
Create a file containing your certificate and private key, for validating each APN request.
Some points:
I recommend you use different keys for development (sandbox) and production APN. You can re-use the keys if you are sending notifications to different apps, but it is safer if you don't re-use keys between development and production.
The file you "submit" to the provisioning portal is the certificate request. You will have one CSR file for each certificate. You will create a two CSR for each app (bundleID); one for development, one for production. The CSR created with your development key should be submitted for development and the CSR created with your production key should be submitted for production.
Note: Keep the CSR files. You don't have to have them, but it will save you some time when you need to re-send the certificate requests.
After submitting your CSRs, you will be able to download the actual certificates. They aren't ready immediately, so give Apple a minute or so and then refresh your browser. The difference between the CSR and a certificate is important: the certificate is signed by Apple; it validates your ability to send push notifications. Download the certificates and load them into your keychain (double clicking is fine).
Note: the certificate is useless without your private key; so you will need to safely export your private key if you switch computers.
Any computer sending an APN request will need both the private key and the certificate. You can export them as a single .p12 file using Keychain Access. (I name mine MyAppCertKey.p12 to indicate that the file contains both the certificate and the key.)
Last, I wrote up a detailed explanation on testing / verifying communication with Apple's servers (from the terminal). It's a little complicated since you need to have some root certificates set up for openssl to validate against; however, it will tell you if you are communicating correctly with the servers, without requiring any work on the receiving app itself.
Couldn't able to connect to APNS Sandbox server
Hope that helps.
I am an administrator in Apple Developer and my profile is deleted. Now when we create a new provisioning profile it gives the error
valid signing identity matching this profile could not be found in your keychain.
The certificate request in the keychain is resisted with my profile.
I have also developed a new certificate request with a new Apple Developer profile but this also gives the same problem. How can it be solved?
You need to have the little key under your certificate in keychain Access. If you do not you need to revoke your certificates in your developer account and start over
http://developer.apple.com/library/ios/#qa/qa2008/qa1618.html