Apple MDM Information

1. Profile Manager service
Profile Manager delivers configuration-based profile setup and mobile device management for Mac computers running Lion and for iOS devices such as iPad and iPhone. It simplifies the creation of user accounts for mail, calendar, contacts, and chat; enforcement of restrictions; PIN and password policies; system settings; and more. Profile Manager is integrated with the Apple Push Notification service, so updated configurations, settings, and policies are sent over the air automatically. There are two basic approaches to enrollment. With self-enrollment, users enroll their own devices and can then clear their passcode and remotely lock or wipe their device; this may be a model you use for teacher devices or user-owned devices. The other approach is to have the administrator enroll the devices using a general enrollment profile. This gives the institution a choice about how much ownership users have in managing their device(s). Feel free to contact me or your SE to have a more in depth conversation on these approaches.

2. Apple Push Notification Service (APNs) Certificate
This certificate is used by all MDM solutions to trigger events on managed devices. It is required to enable Device Management in Profile Manager and for all MDM solutions. Obtaining this certificate is easy with Profile Manager, since the Server app uses an Apple ID to pull down the APNs certificate. Third-party MDM solutions require that the customer join the iOS Developer Enterprise Program in order to create an APNs certificate for MDM. An APNs certificate can only come directly from Apple and it is free (aside from the iDEP fee). Use a new Apple ID, one that is tied to your institution, specifically for the purpose of MDM; the certificate is associated with that Apple ID, so the institution rather than an individual should hold its credentials.

Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to have TCP port 2195 open. To reach the feedback service, you will need to have TCP port 2196 open. Devices and computers connecting to the push service over Wi-Fi will need to have TCP port 5223 open. The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 17.0.0.0/8 address block is assigned to Apple, so you can specify that range in your firewall rules.
References: http://developer.apple.com/library/ios/#technotes/tn2265/_index.html and http://support.apple.com/kb/ts1629

3. Profile Manager - MDM and Certificates
Secure Sockets Layer (SSL) Web Certificate
This certificate is used by the web server to encrypt traffic between the clients and the server, as well as for the administrative interface. SSL is required to use Profile Manager. For SSL certificates you have two options: purchase an SSL certificate signed by a well-known trusted Certificate Authority (VeriSign, GoDaddy, GeoTrust, etc.), or use the self-generated certificate that is created by the server when building an Open Directory Master (which is done as part of the Profile Manager setup). Below are the tradeoffs between the two:

SSL Certificate Signed by Well Known Certificate Authority (CA) - BEST PRACTICE
Cost: $10+/year
Benefits: No need to install a Trust Profile before enrollment. No security warnings when connecting to the Profile Manager web UI for enrollment or management.

Self-generated SSL Certificate - NOT RECOMMENDED
Cost: Free
Drawbacks: Users must install the Trust Profile before enrollment (or enrollment will fail). Users will see security warnings when connecting to the Profile Manager web UI for enrollment or management until the Trust Profile is installed.

You will have to map TCP port 1640 (cert-responder) to your server for the Profile Manager service. This only applies to managing devices outside the network. Port 443 is also required to reach the server.
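The ports in sections 2 and 3 are easy to lose track of across firewall changes. The script below is an added example, not part of the original document: it lists the flows Profile Manager and APNs need (the ports stated above, with 17.0.0.0/8 as the APNs destination) and reports which of them a ruleset does not allow. The rule format, the "server" token for the Profile Manager host, and the sample ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: check a firewall ruleset for
# the flows Profile Manager and APNs need (ports as listed in sections 2
# and 3). The rule format and the sample ruleset are constructed for this
# example; translate the findings into your own firewall's syntax.

# Required flows, one per line: direction proto destination port purpose.
# "server" stands for the Profile Manager host; 17.0.0.0/8 is Apple's block.
REQUIRED_FLOWS='out tcp 17.0.0.0/8 2195 apns-provider-gateway
out tcp 17.0.0.0/8 2196 apns-feedback-service
out tcp 17.0.0.0/8 5223 apns-devices-on-wifi
in tcp server 443 profile-manager-https
in tcp server 1640 profile-manager-cert-responder'

# Constructed sample ruleset in the same shape (destination may be "any").
SAMPLE_RULES='out tcp any 443
out tcp 17.0.0.0/8 2195
out tcp 17.0.0.0/8 5223
in tcp server 443'

# rule_covers DIR PROTO DEST PORT: exit 0 if a rule read from stdin allows
# the flow. Destination matches exactly or as "any"; there is no CIDR
# arithmetic, so write required destinations the way your rules name them.
rule_covers() {
  awk -v d="$1" -v p="$2" -v dst="$3" -v port="$4" '
    $1 == d && $2 == p && ($3 == "any" || $3 == dst) && ($4 == "any" || $4 == port) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# missing_flows RULES: print each required flow the ruleset does not allow
missing_flows() {
  printf '%s\n' "$REQUIRED_FLOWS" | while read -r dir proto dst port purpose; do
    if ! printf '%s\n' "$1" | rule_covers "$dir" "$proto" "$dst" "$port"; then
      printf '%s %s %s %s (%s)\n' "$dir" "$proto" "$dst" "$port" "$purpose"
    fi
  done
}

echo "Flows missing from the sample ruleset:"
missing_flows "$SAMPLE_RULES"
```

Run against the sample ruleset it reports the feedback-service port (2196) and the cert-responder port (1640) as missing, which is exactly the pair most often forgotten: one is only used by the provider side, the other only matters for devices outside the network.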

4. Code Signing Certificate
Code signing is the process of digitally signing executables and scripts to confirm the software author and to guarantee, by means of a cryptographic hash, that the code has not been altered or corrupted since it was signed.

A code signing certificate is used to sign profiles that are distributed by the server. Profiles that are signed by a trusted certificate show as "Verified" in green text when installed (either manually by the user or automatically via MDM). This includes the MDM enrollment profile that users see when they first enroll in the MDM server. Profile signing is optional, therefore a code signing certificate is not required to use Profile Manager or MDM. Profiles that are not signed appear as "Unsigned", and profiles signed with a certificate that is not trusted show up as "Not Verified" in red when installed. Just as with SSL certificates, for code signing certificates the customer has two options: purchase a code signing certificate signed by a well-known trusted Certificate Authority (VeriSign, GoDaddy, GeoTrust, etc.), or use the self-generated code signing certificate that is created by the server when building an Open Directory Master (which is done as part of the Profile Manager setup). In addition you may choose not to sign profiles. Below are the tradeoffs between the three options:

Code Signing Certificate Signed by Well Known Certificate Authority (CA) - BEST PRACTICE
Cost: $200+/year, longer purchase process, requires proof of organization/company.
Benefits: Profiles appear as "Verified" in green without the need to install a Trust Profile.

Self-generated Code Signing Certificate
Cost: Free
Drawbacks: In order for profiles to appear as "Verified" in green, the user must install the Trust Profile before installing profiles (including enrollment). Otherwise profiles will appear as "Not Verified".

No Profile Signing - NOT RECOMMENDED
Cost: Free
Drawbacks: Profiles will always appear as "Unsigned" in red when installed.
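The three states above (Verified, Not Verified, Unsigned) come down to whether the profile carries a CMS signature and whether the signer chains to a CA in the device's trust store. The following is an added example, not code from the original document or from Apple: it builds two throwaway CAs (one standing in for a well-known CA, one for the Open Directory master's CA), signs a placeholder profile with a certificate from each using OpenSSL's S/MIME (CMS) signing, and reports what a device would show with and without the Trust Profile installed. The profile contents, names and certificates are all generated locally for the demonstration; the profile_status function models the device's decision, it is not Apple's implementation.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce the three profile
# states the text describes (Verified / Not Verified / Unsigned) with
# OpenSSL. A configuration profile is an XML plist; a signed one is that
# plist wrapped in a CMS (PKCS#7) signature, which is what the sign/verify
# commands below produce and check. Keys, certificates and the profile are
# all generated here for the demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed placeholder profile (identifier and UUID are not real).
cat > unsigned.mobileconfig <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Example Profile</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF

# make_ca NAME: a self-signed CA. "wellknown" stands in for a commercial CA
# already in the device trust store; "odmaster" for the Open Directory
# master's own CA, which devices trust only after the Trust Profile.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 30 \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_signer CA NAME: a code-signing certificate issued by CA
make_signer() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -out "$2.crt" 2>/dev/null
}

# sign_profile SIGNER IN OUT: CMS-sign the profile (DER, content attached)
sign_profile() {
  openssl smime -sign -binary -nodetach -outform der \
    -signer "$1.crt" -inkey "$1.key" -in "$2" -out "$3"
}

# profile_status FILE TRUSTSTORE: what the device would show on install
profile_status() {
  if ! openssl smime -verify -noverify -inform der -in "$1" >/dev/null 2>&1; then
    echo "Unsigned"       # plain plist, no CMS signature at all
  elif openssl smime -verify -inform der -in "$1" -CAfile "$2" >/dev/null 2>&1; then
    echo "Verified"       # signer chains to a CA in the trust store
  else
    echo "Not Verified"   # signed, but by a CA the device does not trust
  fi
}

make_ca wellknown
make_ca odmaster
make_signer wellknown purchased-signer
make_signer odmaster selfgen-signer
sign_profile purchased-signer unsigned.mobileconfig signed-by-ca.mobileconfig
sign_profile selfgen-signer unsigned.mobileconfig signed-by-od.mobileconfig

cp wellknown.crt trust-default.pem                        # device as shipped
cat wellknown.crt odmaster.crt > trust-with-profile.pem   # after Trust Profile

for f in unsigned signed-by-ca signed-by-od; do
  printf '%-12s default: %-13s with Trust Profile: %s\n' "$f" \
    "$(profile_status "$f.mobileconfig" trust-default.pem)" \
    "$(profile_status "$f.mobileconfig" trust-with-profile.pem)"
done
```

The output table shows the tradeoff from the text directly: the profile signed by the purchased certificate is Verified either way, the one signed by the Open Directory certificate is Not Verified until the Trust Profile adds that CA to the store, and the unsigned profile never improves. The same openssl smime -verify command, pointed at the CA bundle you actually trust, is a quick way to check a profile before pushing it.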

5. Additional Resources
iOS 4 Education Deployment Guide
http://images.apple.com/education/docs/20110727_IOS_4_Education_Deployment_Guide.pdf

iPhone/iOS in the Enterprise
http://www.apple.com/support/iphone/enterprise/

IPCU (iPhone Configuration Utility) for Mac OS X

Creating an iTunes App Store account without a credit card
http://support.apple.com/kb/ht2534