Hosted Certificate Authorities / PKI

By Aaron Freimark

Hi folks.

To unlock some of the most interesting iOS features for enterprise, you need to use a Certificate Authority (CA) to create, manage, and distribute identity certificates to your devices. (Actually, the deployment is typically done through MDM.) With this infrastructure in place, you can teach your servers to recognize valid certificates, allowing secure VPN, email, Wi-Fi and intranet access without password authentication. However, many businesses do not have this infrastructure, known as PKI, in place.

I'm curious about experiences with hosted PKI. It would have to be simple to use -- that's the point.

Any of you have experience you'd like to share? Any successful hosted PKI/MDM integrations?

Head-to-head: AirWatch vs. Maas360

By Tippet5x

I was looking for some real world feedback, that could help with a decision.
Prices between the two are close. AirWatch does offer a multi-language interface and the option to route port 443 to their environment and back. No software is installed in my environment.

I don't think MaaS360 has that option, but I heard their up port is better.

Thank you

APNS Certificates Without a Developer Membership?


Hi All,

To play with Mobile Device Management, you need an Apple Push Notification Service certificate. And to get one of those, you've always needed a paid membership in the iOS Developer Program. Until now, it seems.

Check this out:

If this is true, it would be great news!

(It seems you can also manage the APNS certs that you got when using Apple Profile Manager).


Apple's iOS 5 Changes to .mobileconfig Enhance Security and Add Features (updated)


(Update: AirWatch sent a useful summary of the changes. I've added them below.)

With the release of iOS 5, Apple has added some new features to its .mobileconfig specification. This is the fundamental specification for how Mobile Device Management services interface with the iPhone and iPad, and it is the reason so many MDM providers offer similar features: MDM providers are limited in the new features they can offer until Apple updates this spec. So when Apple adds keys here, expect MDM providers to follow -- and the best to follow quickly.


The most significant changes are with email payloads. A set of new keys allow for enhanced security.

PreventMove, if set to true, forces this email account into a fence. That is, messages received by this account cannot be moved into another account. This also prevents forwarding or replying from an account other than the original one.

PreventAppSheet, if set to true, prevents this account from being used in third-party applications.

SMIMEEnabled, and its companions SMIMESigningCertificateUUID and SMIMEEncryptionCertificateUUID, allow for signed and encrypted mail. SCEP-based credentials managed by the MDM system may be used here.


There are a number of new keys that allow control over iCloud.

allowCloudBackup permits or disables iCloud device backup.

allowCloudDocumentSync, when set to false, disables document syncing, while allowCloudKeyValueSync, when set to false, disables key-value syncing, for apps that use that iCloud technology (not every app is document-based). Finally, allowPhotoStream can be used to disable iCloud storage of device photos.


forceITunesStorePasswordEntry prevents iTunes from saving your backup password, so you'll need to enter it every time.

allowUntrustedTLSPrompt, when set to false, enhances SSL security by rejecting invalid certificates outright. The default behavior is to prompt the user, who may not think before tapping.

Here's a biggie: You can now disable voice and/or data roaming.


Wi-Fi payloads gain an AutoJoin keyword. They also describe known Wi-Fi networks more specifically by allowing the EncryptionType and ProxyType to be set.


Battery Life can now be queried.
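As an added illustration (not code from the original post, Apple or any MDM vendor), here is a small Python audit that parses a .mobileconfig plist and flags the email and iCloud/TLS keys above when they are missing or set to the weaker value. The sample profile is constructed; the PayloadType strings are Apple's standard identifiers for mail and restrictions payloads, and the UUIDs are dummy placeholders.

```python
import copy
import plistlib

# Constructed sample profile (not a real deployment): a Mail payload and a Restrictions
# payload carrying the iOS 5 keys above. PayloadType strings are Apple's; UUIDs are dummies.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.ios5demo", "PayloadUUID": "DEMO-0001",
    "PayloadContent": [
        {"PayloadType": "com.apple.mail.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.ios5demo.mail", "PayloadUUID": "DEMO-0002",
         "PreventMove": True,        # fence: mail cannot be moved to another account
         "PreventAppSheet": True,    # not usable from third-party apps
         "SMIMEEnabled": True, "SMIMESigningCertificateUUID": "DEMO-CERT"},
        {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.ios5demo.restrict", "PayloadUUID": "DEMO-0003",
         "allowUntrustedTLSPrompt": True,   # weak: the user decides on bad certs
         "allowCloudBackup": False,
         "allowCloudDocumentSync": True},   # weak: documents may leave the device
    ],
}

# Value each key should hold for the mail fence / no-iCloud / strict-TLS posture.
EXPECTED = {
    "com.apple.mail.managed": {"PreventMove": True, "PreventAppSheet": True, "SMIMEEnabled": True},
    "com.apple.applicationaccess": {
        "allowUntrustedTLSPrompt": False, "allowCloudBackup": False, "allowCloudDocumentSync": False,
        "allowCloudKeyValueSync": False, "allowPhotoStream": False},
}

def audit_profile(profile_bytes):
    """Parse a .mobileconfig plist and return (payload type, key, found value) for
    every expected key that is missing (found value None) or weaker than EXPECTED."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        for key, secure in EXPECTED.get(payload.get("PayloadType"), {}).items():
            if payload.get(key) != secure:
                findings.append((payload["PayloadType"], key, payload.get(key)))
    return findings

def sample_profile_bytes():
    return plistlib.dumps(SAMPLE_PROFILE)

def hardened_profile_bytes():
    """Same profile with every known payload forced to the EXPECTED values."""
    fixed = copy.deepcopy(SAMPLE_PROFILE)
    for payload in fixed["PayloadContent"]:
        payload.update(EXPECTED.get(payload["PayloadType"], {}))
    return plistlib.dumps(fixed)
```

Running audit_profile over a profile exported from your MDM console is a quick way to confirm the restrictions actually made it into the payload before it is pushed.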

Carrots and Sticks


"Carrots and Sticks" is a methodology of balancing the "stick" of security-enhancing restrictions with the "carrot" of user access to otherwise restricted data.

By design, users may opt-out of Mobile Device Management at any time. Settings > General > Profiles > Global MDM Profile > Remove. Individual configuration profiles may be password protected, but the root MDM certificate is always removable without anything more than the device passcode. And once that is removed, all child profiles are also removed. There is no programmatic way to prevent this.

One solution is to make MDM more attractive for the users. These are the "carrots." Here are some ways to do that.

  • Deploy managed apps (new to iOS 5) using MDM. Managed apps are sent over the air as part of the MDM package. If MDM is removed, these apps can be set to disappear as well.
  • Develop in-house apps using Apple's iOS Developer Program, and distribute the deployment certificate only by MDM.
  • Use a Public Key Infrastructure to grant access to VPN, Exchange, Wi-Fi, etc. Deploy user credentials through MDM only.
  • Slightly different from using PKI to grant access to corporate resources: more MDMs are offering DMZ-based components, in-line proxies that sit in front of their Exchange, Domino, Office 365 or Google Apps services. These proxies/filters check with the MDM to ensure compliance before allowing the device through, so unenrolled users are blocked and required to enroll in MDM to reach corporate email.

Got more carrots, Doc? Edit this wiki page and add them here.

Demonstrating Over-the-Air App Deployment in iOS 5


Perhaps the biggest enterprise feature yet uncovered in iOS 5 is Over-the-Air app deployment. It's not quite "push"; but I'll call it "push-like".

Here's how it works, using JAMF's Casper Suite. JAMF updated their software today to support the latest iOS 5 technologies.

First, log into the MDM console.

Under Management, click "Mobile Device App Catalog".

Click "Add App".

iPhone Configuration Utility Updated to 3.4


Briefly: Apple has updated its iPhone Configuration Utility to include the .mobileconfig features of iOS 5.

The update is currently available via Software Update. We'll post a download link when available.

iOS 5 is Out


Apple has released iOS 5, the latest version of the operating system for its iPads, iPhones and iPod touches. The release is available for all current and many earlier models. See our table of iOS Devices for the list of upgradable models. The update is available via iTunes, but hopefully this is the last time we'll need a PC for updating.

iOS 5 brings a laundry list of features, including:

  • A new Notification Center for text messages, email, and other alerts
  • iMessage (think Apple's answer to BBM)
  • New MDM features (story to follow)

Over the next few days, we'll be exploring how this update affects Enterprise users. (Yes it does, and in some big ways.)

Please post your experiences in the comments below.

iPhone 4S Nifty Features for Business Users


Today's Apple product intro is now available online. In case you haven't heard, they announced the iPhone 4S, available on October 14. There are some nifty features in the iPhone 4S for business users. I'll have more tomorrow, but my short list is:

  1. Siri for a 24-hour personal assistant that won't break up your marriage
  2. Long battery life
  3. Quicker download speeds without the 4G downsides
  4. AirPlay -- fantastic for wireless presentations
  5. GSM+CDMA go-anywhere world phone
  6. Quicker dual-core A5 processor for background VPN and innovative apps

What did you think?

Completely Revised Comparison of Mobile Device Management Providers


We're happy to announce the re-release of our popular Comparison of MDM Providers. While the original comparison was built as an HTML table, the new page sits atop a wiki-enabled database. This allows MDM providers and users to modify and improve the data on each provider.

We've also added several MDM solutions: Apple, MaaS360, and SOTI.

If your favorite MDM provider is missing from this list, we encourage you to add them yourself using a simple form. We hope you find this change useful.

Your Business Your Apps – Video and Q&A

By Aaron Freimark

Thank you to everyone who attended our hugely successful panel discussion "Your Business, Your App," organized by Tekserve, New York's largest independent Apple consultancy and retailer. We had time for only a few questions from the audience. To address this, we've created this forum thread so we can continue the discussion online. Our panelists will try to respond to any question posted here.

In addition, we are pleased to bring you a video of the entire event. We hope you can add your questions and comments below.

EiOS will be on the panel "Your Business, Your App" this Friday, in NYC


This Friday, September 30, I have the honor of being a part of a distinguished panel discussion titled "Your Business, Your App." Members of the Enterprise iOS community are invited to register for this special event.

The luncheon and panel will be at Ogilvy, 636 11th Avenue, between 46th And 47th Streets, in New York City. The panel includes:

  • Joe Zeff of Joe Zeff Design, creative studio that helps companies merge content, technology and business opportunities through iPad apps. Their specialty is consumer engagement, leveraging the power of storytelling to help publishers, corporations and agencies forge deeper relationships with their audiences.
  • Jason Richelson of, a cloud-based point-of-sale service that allows small retail businesses to replace their cash registers with iPads and ring up customers, collect sales tax, print receipts, accept credit cards and manage inventory and customers.
  • Jamie Manalio of Rust Labs, dedicated to exploring new technologies for custom hardware and A/V installations, creating custom interactive presentations for private and public events, programming applications for smart phones.
  • Joseph Wachs of [x]cube LABS, a specialty mobile app development firm offering end-to-end solutions across a wide range of mobile applications; from games to enterprise apps, across all major mobile platforms, including iPhone, BlackBerry, and Android, as well as the iPad.
  • Irven Cassio of Luxottica Group, a retail technologist - with a focus on convergence, multichannel integration, social media, fashion, design and marketing.

The event is being sponsored by my employer, Tekserve, New York's largest independent Apple consultancy and retailer.

Update: We've posted a video and some Q&A of the event on this site.

EiOS and Tekserve in CIO


CIO Magazine has published an interview with me about the iPad Culture Shock for IT. I would sincerely appreciate your thoughts on the topic.

Managing iOS Devices with Lion Server


The eBook "Managing iOS Devices with Lion Server" is now available on the iBooks store and the Kindle store, and soon on

The $4.99 price ($3.99 for Kindle) is a steal considering the weeks I put into preparing this. I really hope you find it useful.

I also wrote the official description below, and I think it captures it perfectly; there's not much about using Profiles for managing Macs other than remotely locking and wiping them (which is very cool). It really is all about managing iOS devices.

Learn how to use Profile Manager, a feature included in OS X Lion Server, to configure and remotely manage iOS devices (including iPad, iPhone, and iPod touch) and Macs running Lion. With this eBook, you will learn how to use Profile Manager's web-based tools to configure user settings for services such as Mail, Calendar, VPN, and Wi-Fi; define passcode settings to prevent unauthorized access to data stored on your users' devices; and remotely wipe devices if they go missing. The Profile Manager uses the Apple Push Notification Service (APNS), so you can immediately push configuration changes to your devices, as long as they have some kind of network connectivity. Why do all the work yourself? Show your users how easy it is for them to use the self-service web portal to download and install the configuration profiles you've carefully crafted for them, and how to remotely lock or wipe their own devices without your intervention. This eBook includes the knowledge you need to configure your Lion Server to be an Open Directory master, use an appropriate SSL certificate, provide Profile Manager services, and perform basic troubleshooting.

It's 339 pages on my iPhone 4.

Apple Introduces App Store Volume Purchasing for Business


Apple today introduced its Volume Purchase Program for Business Apps. The program, available "soon," answers a simple question that has had no satisfactory answer: How does a company buy apps for its users?

Some notes:

  • Businesses must have a Dun & Bradstreet number to participate, and go through a validation process.
  • Admins will be asked to create a new Apple ID for exclusive use with the Business VPP.
  • There are no minimum or maximum quantities for purchase.
  • Only paid apps are available through VPP. Free apps should be downloaded by the device user.
  • Payment must be made via corporate credit card or PayPal. (There seems to be no mechanism for purchase orders at this time.)

The program seems to follow the contours of the Education VPP system, introduced last year. The enrollment process, which is not yet online, is outlined in a PDF. Here's what they say about distribution:

Distributing apps purchased through the Volume Purchase Program is easy. For each app you purchase you’ll receive a redemption code to authorize the app download. The program website delivers these redemption codes in a spreadsheet format that contains multiple codes, one for each app in the quantity purchased. Each time a code is redeemed, the spreadsheet is updated on the program website so you can track the number of codes that have been redeemed by your users. The spreadsheet also includes a redemption URL with the redemption code embedded in the link so users don’t have to type or enter the redemption code manually when downloading apps.

Apple suggests that you email these URLs to each user, but I'd rather poke my eye with a stick. Alternatively, expect your MDM provider to allow for VPP integration. Casper Suite and Absolute Manage MDM already have this feature, and I hope others quickly jump on board.

So the user clicks on the link, they visit the Apple store, "purchase" the app, and the redemption code is used in lieu of payment. Then the app downloads and installs.

Read the documentation closely, and you'll find a second new initiative: Apple is releasing private app distribution for businesses. The idea here is to combine custom app development with VPP for distribution, creating a new market strategy for enterprise-focused developers. (And Apple will happily take its 30% cut for the service.) Sound interesting?

Any outstanding questions? Do you like the plan? Please add your comments below.
