One of the most common questions I get from both internal Novell employees and customers alike is “what certificate does what in ZENworks Mobile Management?” So in this blog post I want to answer that question.
Understanding the Components on the Managed Device
Before I answer that question, though, there is one other thing to understand: with ZENworks Mobile Management (and most other MDM tools) there are multiple agents in play at any given time. The platform you are managing determines which agents are actually present. The three agents that you might be using are:
1) The ZENworks Application. The ZENworks Application is the application that you download and install from either the app store or from the zmmupdates.novell.com/apps page. This application can communicate with the server using either HTTP or HTTPS. On iOS it is used for enrollment, jailbreak detection and location tracking. On Android it is used for almost everything.
2) An MDM Agent embedded in the platform. Currently the bulk of iOS management is performed via the iOS MDM agent that Apple includes in the box. During ZENworks enrollment an MDM profile is installed on the device which instructs the MDM agent to use your ZMM server as its MDM server. Per Apple, the MDM agent will only use HTTPS to communicate with your MDM server. Going forward, Microsoft provides a similar MDM agent for Windows Phone.
3) ActiveSync. The final agent is the ActiveSync client on the device. This is where you get email and calendar and is the agent that enforces the ActiveSync policies that ZMM pushes down. ActiveSync can work over either HTTP or HTTPS, but in the real world almost every ActiveSync connection runs over HTTPS.
Understanding the Certificates that ZMM Needs
Now that you understand the components involved on the device, we can talk about the certificates that ZMM uses. There are really four types of important certificates for ZMM.
The SSL Certificate. The SSL certificate is the certificate that is used to secure any communication between the server and managed device or the server and console. This certificate lives outside of ZMM and is something you have to use the IIS Administration tool to manage. The ZMM documentation includes steps on creating this certificate, but the short steps are:
1) Create a Certificate Signing Request from IIS Admin.
2) Send the CSR to either a public CA or your organizational CA for signing.
3) Download the signed certificate and use IIS Admin to complete the signing process. This should result in the certificate showing up in IIS Admin as shown below:
4) If the certificate was imported from a non-public CA, be sure to import the Trusted Root Certificate into the Machine’s trusted root store using the Certificate Management tool.
5) Configure an SSL binding for your site that uses this certificate.
Once this is in place you should be able to browse to your server by going to https://<server dns>. This should display the end user self service portal. To validate that this works on your mobile device, do the same thing in the mobile browser. If you receive any certificate warning you will need to address the issue before continuing. Typically this will be a matter of importing your CA’s trusted root certificate on the device.
The System or Organizational Signing Certificate. The signing certificate is used only when managing iOS devices. The iOS MDM agent expects that profiles that it is sent will be signed by the server that created them. If this is the case then when you view a profile on the iOS device it will show a status of Verified indicating that it has been signed by a trusted entity. Typically the signing certificate is the SSL certificate that has been exported from IIS Admin as a file and then imported into the console as shown below:
Signing certificates can be imported per organization or once for the entire system depending on the requirements of the organizations being managed in the system.
Apple Push Notification Service (APNS) Certificate. The Apple Push Notification Certificate is only required if you are managing iOS devices. If you are using iOS devices, then the APNS certificate is absolutely critical to the proper operation of your environment. Without this certificate an MDM profile will not be created and installed as part of the enrollment process and therefore the iOS MDM Agent won’t be listening for notifications from your server, nor be able to communicate with your server. Apple Push Notifications are used for instructing the device to check-in with the MDM server and perform work. The work is then performed by the iOS MDM Agent which must make an SSL connection to the server. There is a whole guide dedicated to the APNS certificate process in the online documentation, but the high level steps are:
1) Create a signing request from within IIS Admin, but for the Common Name attribute enter the name of an iTunes account you have created for this purpose.
2) Send the signing request to https://zmmupdate.novell.com/apn. This will add Novell’s MDM signing certificate to the request.
3) Download the response from Novell and then upload it to Apple’s push notification certificate request portal (https://identity.apple.com/pushcert).
4) Download the certificate that is generated.
5) Complete the certificate request in IIS Admin and then immediately export the certificate to a PFX file. If you don’t, then you’ll need to use the certificate manager plug-in for MMC to export it later.
6) Upload the PFX file as the Organization APNS certificate in the ZMM console as shown below:
Make sure that the Server and Check-in URLs use https URLs that use the common name of the server as defined in the SSL certificate’s subject name so that the iOS MDM agent can make an SSL connection to the server.
Once this is done you should now be able to test the certificate and any iOS devices enrolled in the system should automatically receive the MDM profile to register the iOS MDM Agent with the server.
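The two checks above (a trusted HTTPS connection from the mobile browser, and Server/Check-in URLs whose host name is the subject name of the SSL certificate) can be scripted. The following is an added example, not code from Novell or the ZMM product; the server name zmm.example.com, the sample certificate dictionary and the URL paths are constructed for illustration, and fetch_server_names is the only part that needs network access.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: the shape ssl.SSLSocket.getpeercert() returns for a
# certificate issued to zmm.example.com (not a real server).
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("commonName", "zmm.example.com"),)),
    "subjectAltName": (("DNS", "zmm.example.com"), ("DNS", "mdm.example.com")),
}

def names_from_peercert(peercert):
    """Subject CN plus DNS subjectAltNames from a getpeercert() dict, deduplicated."""
    names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return list(dict.fromkeys(names))

def fetch_server_names(host, port=443):
    """Live check: connect with chain validation against the local trust store
    (as a device would) and return the names the server's certificate carries.
    Raises ssl.SSLCertVerificationError when the chain is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return names_from_peercert(tls.getpeercert())

def hostname_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; '*' is allowed only as the whole
    leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def check_mdm_url(url, cert_names):
    """Problems the iOS MDM agent would hit with this Server or Check-in URL;
    an empty list means the URL is usable with this certificate."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is %r; the iOS MDM agent only uses https" % parts.scheme)
    host = parts.hostname or ""
    if not host:
        problems.append("URL has no host name")
    elif not any(hostname_matches(n, host) for n in cert_names):
        problems.append("host %r does not match certificate names %r" % (host, cert_names))
    return problems
```

Run check_mdm_url on both console URLs with the names returned by fetch_server_names(your server) before enrolling iOS devices; a non-empty list or a verification error from fetch_server_names is the condition that leaves the iOS MDM agent unable to connect.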
Simple Certificate Enrollment Protocol (SCEP) certificates. This last type of certificate is optional, and is used only by iOS devices at this time. If you require certificate based authentication of the iOS agent to the MDM server and encryption of the profiles being sent to them, then you can configure a SCEP Server corporate resource and then assign that resource to one or more iOS devices. You will need to specify a specific enrollment string in the assignment properties for each device, which is used to enroll with the SCEP server. This is an area where we are investigating improving the ZENworks Mobile Management product to make it easier to interface with third party SCEP servers such as the Microsoft Network Device Enrollment Service provided with Windows 2008 or higher.
To ensure both the security and the functionality of ZENworks Mobile Management, it is critical to properly configure the SSL Certificate, Signing Certificate and APNS Certificate. Additionally, if you require further security for iOS management you can use the SCEP configuration in conjunction with a third party SCEP server to generate unique certificates for your iOS devices.