Enrolling iOS 5 with Symantec Mobile Management - Using in-house internally signed certificate for iOS enrollment 

Mar 29, 2012 11:50 AM

iOS 5 devices accept only SSL (HTTPS) enrollment. You can use a commercial certificate or an in-house issued one. With a commercial certificate the steps below are not needed, because its CA is already trusted on the device by default. With an in-house certificate the device must first be given your CA certificate before it will trust the MDM server, which is what step 3 automates.

The in-house certificate must be issued by a CA.

NB. The steps below assume you have a Microsoft CA server in your environment.

1- Create an SSL certificate using the CA server. The certificate's name (Common Name) has to match the URL that the iOS devices use to communicate with the server; otherwise the device rejects the connection even when the CA is trusted.

  • Open IIS mmc, (http://msdn.microsoft.com/en-us/library/bb763170.aspx)
  • Double Click "Server Certificates", then on the right pane click "Create Domain certificate"
  • A new window will pop up. In the "Common Name" field enter the exact hostname that the iOS devices will use to reach the server,
    e.g. mdm.CompanyName.com. This has to be the same name entered in the "" of the MMS site server settings (step 2).
  • Fill in the rest of the fields, then click Next.
  • For "Specify Online Certificate Authority", click Select and choose the CA server in your domain. Then enter a Friendly name of your choice and click Finish.
  • Click on "Default Web Site", then on the right pane select "Bindings"
  • A new window will pop-up, select (https) then click edit.
  • Select your created certificate in "SSL Certificate", the certificate will appear with the (friendly name) you wrote. Click "OK" then "Close"
  • It is recommended to restart IIS afterwards.
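The same result from PowerShell, as an added example that is not part of the original article: it requests the server certificate from the enterprise CA with certreq, installs it, binds it to https on the Default Web Site and checks that IIS really holds the intended certificate before restarting. The hostname mdm.CompanyName.com, the CA config string ca01.CompanyName.local\CompanyName-CA and the template name WebServer are placeholders; run it as an administrator on the MMS site server.

```powershell
# Added example, not from the original article: request the MMS server certificate
# from the enterprise CA and bind it to port 443 on the Default Web Site, doing from
# PowerShell what step 1 does in the IIS console. The hostname, the CA config string
# and the template name below are placeholders for your own environment.
$Hostname = 'mdm.CompanyName.com'                      # must equal the Server Name Override (step 2)
$CaConfig = 'ca01.CompanyName.local\CompanyName-CA'    # "<CA host>\<CA name>"; list yours with: certutil -dump
$Template = 'WebServer'                                # built-in Web Server template (or your copy of it)

# certreq takes its request parameters from an INF file. The Subject CN is the exact name
# the iOS devices connect to; a mismatch fails enrollment even when the CA is trusted.
# The SAN extension repeats the name because newer clients ignore the CN entirely.
$Inf = @"
[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "MMS $Hostname"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"

[RequestAttributes]
CertificateTemplate = $Template
"@
$Work = Join-Path $env:TEMP 'mms-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Set-Content -Path "$Work\req.inf" -Value $Inf -Encoding ASCII

# Generate the key pair and request, submit it to the CA, then install the issued
# certificate into LocalMachine\My, where it is joined to its private key.
certreq -new "$Work\req.inf" "$Work\req.csr"
certreq -submit -config $CaConfig "$Work\req.csr" "$Work\cert.cer"
certreq -accept "$Work\cert.cer"

$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Hostname" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with CN=$Hostname and a private key in LocalMachine\My" }

# Bind it to https on the Default Web Site (the "Bindings" dialog in the console).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$Binding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $Binding) { Remove-Item $Binding }
New-Item -Path $Binding -Value $Cert | Out-Null

# Check that IIS now serves the certificate we intended before restarting it.
$Bound = Get-Item $Binding
if ($Bound.Thumbprint -ne $Cert.Thumbprint) {
    throw "SSL binding holds thumbprint $($Bound.Thumbprint), expected $($Cert.Thumbprint)"
}
"Bound {0} (thumbprint {1}, expires {2}) to https://{3}/" -f $Cert.Subject, $Cert.Thumbprint, $Cert.NotAfter, $Hostname
iisreset
```

If the CA is configured to hold Web Server requests for approval, certreq -submit reports the request as pending; approve it in the Certification Authority console and fetch it with certreq -retrieve before running the -accept step.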

 

2- Configure the server name.

  • Open the (Notification Server) console, Home > Mobile Management.
  • On the left pane, expand (Configuration), then click on "Mobile Management Server settings"
  • On the lower left pane (Site Server settings), select the site server you created the certificate on, and click Edit (the pencil icon).
  • Tick "" and "Use https", then fill in the "Server Name Override" field, e.g. mdm.CompanyName.com. This must be exactly the Common Name of the certificate created in step 1.
  • Under (NS to MMS configuration) tick "Override server connection info".
  • You can tick "Ignore SSL certificate warnings", but it is preferable to install the CA certificate on the NS under "Trusted Root Certificates". Ignoring the warnings turns off certificate validation for the NS to MMS connection, so the NS would accept any certificate presented under that name.
  • If you choose to use SSL for the NS to Mobile Site Server communication, type the "Server Name Override" value again and tick "Use https".
  • click ok to save settings.

 

3- Automate the CA certificate installation on the iOS devices during enrollment.

  a) Export the CA certificate.

  • Open IIS mmc, (http://msdn.microsoft.com/en-us/library/bb763170.aspx)
  • Double Click "Server Certificates"
  • Double click the certificate you created in the previous step, then click the "Certification Path" tab. Select the certificate directly above the one you created (the issuing CA) and click "View Certificate".
  • Click the "Details" tab, then "Copy to File...". In the wizard click Next, select the "DER encoded binary X.509 (.CER)" format, click Next, then Browse and save the certificate file. If there is more than one certificate above yours in the path (an intermediate CA and a root CA), repeat this for each of them: the device must trust the whole chain.

  b) Add the CA certificate to a payload to be installed during enrollment.

  • Open the (Notification Server) console, Home > Mobile Management.
  • On the left pane, expand (Configuration) > iOS Configuration Editor Then choose (Credentials) on the right pane.
  • Click the "star icon" to create a new profile, click "Select cert file" and choose the CA certificate exported in step 3a (repeat for each exported file if there was more than one).
  • Add a profile name and description, then click "Save Changes".
  • On the left pane click "iOS MDM Enrollment Configuration". Under (Additional Configuration Profiles to include) click the "star icon" and choose the profile just created, then click Save Changes.
  • Open Services mmc, and restart "Symantec Mobile Management Service Agent" service.

During enrollment the CA certificate "credentials profile" is installed before the MDM profile, so the device already trusts the server certificate when the HTTPS communication for the MDM profile starts.
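Step 3a and the service restart from PowerShell, followed by the check a practitioner wants after all of this: that the chain the server actually presents on port 443 validates against the exported CA alone, which is the decision an iOS device makes once the credentials profile is installed. This is an added example, not code from the original article or from Symantec. The hostname mdm.CompanyName.com, the output folder C:\MMS-CA and the service display name are assumptions taken from the text above; the credentials profile itself is still created in the iOS Configuration Editor as described in step 3b.

```powershell
# Added example, not from the original article: export every CA certificate above the
# MMS server certificate as a DER file (step 3a without the certificate dialogs), restart
# the agent service (end of step 3b) and verify from a client that the HTTPS chain presented
# on the MDM name validates against the exported CA alone. The hostname, the output folder
# and the service display name are assumptions; adjust them for your environment.
$Hostname = 'mdm.CompanyName.com'
$OutDir   = 'C:\MMS-CA'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Locate the server certificate issued in step 1 and walk its chain. Element 0 is the server
#    certificate itself; everything above it is a CA. With a two-tier PKI that is the issuing
#    (intermediate) CA and then the root, and the device must be given the whole chain.
$ServerCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Hostname" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $ServerCert) { throw "No server certificate for $Hostname in LocalMachine\My" }

$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $Chain.Build($ServerCert)) { throw 'The server certificate does not chain to a trusted CA on this host' }

$CaFiles = @()
for ($i = 1; $i -lt $Chain.ChainElements.Count; $i++) {
    $Ca   = $Chain.ChainElements[$i].Certificate
    $Path = Join-Path $OutDir (($Ca.GetNameInfo('SimpleName', $false) -replace '[^\w\-]', '_') + '.cer')
    # X509ContentType.Cert is DER-encoded binary X.509, the format chosen in the export wizard.
    [System.IO.File]::WriteAllBytes($Path, $Ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $CaFiles += $Path
    "Exported {0} -> {1}" -f $Ca.Subject, $Path
}
# Add each exported .cer to the Credentials profile in the iOS Configuration Editor, then:
Restart-Service -DisplayName 'Symantec Mobile Management Service Agent'

# 2. Client-side check. Fetch the certificate the server actually presents on 443 and validate
#    it against the exported CA files only. Run it from a machine that does not already trust
#    the enterprise CA, otherwise the Windows store would hide a missing intermediate.
function Test-MmsServerChain {
    param([string]$Server, [string[]]$CaFilePaths)

    $Tcp = New-Object System.Net.Sockets.TcpClient($Server, 443)
    # Accept anything in the handshake callback; the validation is done explicitly below.
    $AcceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $AcceptAll)
    try {
        $Ssl.AuthenticateAsClient($Server)
        $Presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
    } finally {
        $Ssl.Dispose()
        $Tcp.Close()
    }

    $Anchors = foreach ($f in $CaFilePaths) { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f) }
    $Verify = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $Verify.ChainPolicy.RevocationMode = 'NoCheck'      # CRL reachability from devices is a separate problem
    # Let the chain build up to a root that is not in the Windows store, then insist that the root
    # it reached is one of the exported CAs; with this flag alone an unknown root would pass silently.
    $Verify.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($a in $Anchors) { [void]$Verify.ChainPolicy.ExtraStore.Add($a) }

    $Built   = $Verify.Build($Presented)
    $TopCert = $Verify.ChainElements[$Verify.ChainElements.Count - 1].Certificate
    $RootOk  = @($Anchors | Where-Object { $_.Thumbprint -eq $TopCert.Thumbprint }).Count -gt 0
    $NameOk  = $Presented.GetNameInfo('DnsName', $false) -eq $Server

    [pscustomobject]@{
        Server           = $Server
        PresentedSubject = $Presented.Subject
        ChainBuilt       = $Built
        RootIsExportedCa = $RootOk
        NameMatches      = $NameOk
        Ok               = ($Built -and $RootOk -and $NameOk)
    }
}

Test-MmsServerChain -Server $Hostname -CaFilePaths $CaFiles
```

Ok is false in exactly the cases that break enrollment: the server presents a certificate whose name is not the Server Name Override, the chain stops at a CA that was not exported (a missing intermediate), or the binding still holds an old certificate from a different CA.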

If there is no Microsoft CA server in your environment, a follow-up article will explain how to use OpenSSL to create a CA certificate and a web server certificate.

Comments

Aug 24, 2012 02:59 PM

Thanks Mina! This article is great to provide to customers.

Apr 01, 2012 10:13 PM

Requirement with iOS device enrollment is to use a Domain Signed or External SSL certificate. KB as below:

http://www.symantec.com/docs/TECH185013
