If anyone doubted that iOS devices are rapidly outstripping Mac OS ones – certainly in terms of raw sales figures – they’d have been rapidly disabused by Apple’s Q1 results for 2012, which showed 52.47 million iOS devices (37.04 million iPhones plus 15.43 million iPads) sold against 5.2 million Macs. That’s a little over ten iOS devices sold for every Mac OS device. It makes perfect sense, then, for Apple’s server OS to be able to manage such devices, and that’s precisely the feature that was beefed up in Lion Server, with support for Mobile Device Management (MDM).
MDM is a non-proprietary framework that allows enterprise IT departments to manage and configure handheld devices wirelessly, unlike the older iPhone Configuration Utility (iPCU), which needed physical access to the devices. This tutorial offers a brief outline of Apple’s implementation of MDM in Lion Server and its use in practice: specifically, setting up your server with an SSL certificate.
Step 1: Set up your network
To allow incoming traffic from iOS devices you’ll need to make sure your network is configured properly. The first step is to make sure your server is using a fixed IP address rather than the default DHCP. To do this you’ll need to follow the instructions for your router. Tip: use your router’s admin interface to reserve a range of IP addresses to allow for network expansion.
Step 2: Pass the port
Next, you’ll need to set up port forwarding to your server’s fixed IP address so that the iOS devices on your network can access the services they require. For this you’ll need to follow the instructions for your particular router: the screenshot shows a detail of the relevant admin page for the popular Netgear DG834N. The ports to be set up are 443, 5223 and 1640.
Step 3: Changing the host name
If you’ve just installed Lion Server, chances are your server hardware still has a generic host name and computer name. To change it to something more meaningful, click on the name of your server under Hardware in the sidebar, select the Network tab then the Edit… button next to Host Name.
Step 4: Checking network settings
Follow the onscreen instructions, choosing to set Host Name for Internet when prompted. Click Continue, set the host name and a unique computer name, then click Change Network…. Check that Configure IPv4 is set to Manually, and that your server has a valid fixed IP address. Add the subnet mask (255.255.255.0 for a small-scale network) and router address. Click Apply.
Step 5: Finishing off
After clicking Continue one more time you should be back where you started, in the Network pane, with the new network settings visible. Note that there might be a brief pause before they show up. Time now to move on to the next stage of the process: obtaining a security certificate.
Step 6: Obtaining a certificate 1
Alone of all the mobile operating systems supporting MDM, iOS requires a valid security certificate in order for remote functions to be carried out. As those functions include remote wiping, Apple argues that it makes sense to do things that way. Start, then, by making sure that the Next Steps panel is visible along the bottom of the Server application window, and click on Review Certificates.
Step 7: Obtaining a certificate 2
Next, click the Settings tab, then the Edit… button adjacent to the wording SSL Certificate. This should bring up the SSL Certificates sheet. From the Action menu (with the cog, or gear icon) at the bottom left of this sheet choose Manage Certificates… then, from the + popup menu, choose Create a Certificate Identity…
Step 8: Obtaining a certificate 3
The Certificate Assistant will then walk you through the process of creating a Certificate Signing Request (CSR), for submission to an approved Certificate Authority. Start, then, by filling in the name you want to use for the certificate: this should be relevant to your organisation. At this stage it’s important to make sure the details you give are valid and correct, otherwise your request will be rejected.
Step 9: Obtaining a certificate 4
Leave the other options (Identity Type and Certificate Type) on their defaults (Self Signed Root and SSL Server, respectively), then use the checkbox to select the option Let me override defaults. At this stage you’ll be warned that you’re about to create a self-signed certificate. Click Continue to pass through to the Certificate information pane.
Step 10: Obtaining a certificate 5
Leave the Serial Number and Validity Period on their defaults and click Continue. This will take you through to the pane in which you give more information about your organisation, starting with the email address of the person responsible for certificates, usually your network administrator. It’s important to get the information on this page correct or your certificate application will be rejected.
Step 11: Obtaining a certificate 6
Other points to remember when completing this page:
Common Name is the fully qualified domain name for which you plan to use your certificate.
Organization is the full legal name of your organisation, which must be the legal registrant of the domain name in the certificate request.
Your organisation’s address must be spelled out in full, with no abbreviations, and the correct two-letter ISO country code.
Step 12: Obtaining a certificate 7
After double-checking the information and clicking Continue, click through the following panes without changing the defaults. When you reach the Conclusion, you’ll see the message that your root certificate isn’t trusted: this is perfectly normal, as you haven’t yet completed the validation process. Click Done; then, when you’re asked if you want to allow Lion Server to export the certificate, click Always Allow.
Step 13: The Certificate Signing Request
So far, you’ve created a self-signed certificate, which isn’t valid for online transactions. The next stage is to generate a Certificate Signing Request (CSR) and upload it to one of the recognised Certificate Authorities (CAs). So, choose your new certificate from the list in the Manage Certificates sheet, click the action menu, and choose Generate Certificate Signing Request (CSR)…
Step 14: Saving your CSR
Next you’ll see a sheet appear with the Base64-encoded information that makes up your Certificate Signing Request. Click Save… to save the file, using the default name suggested and the filename suffix .csr. You might need to change the suffix manually after you’ve saved the file if your text editor won’t let you do this during the save. For the next stage, see the box Applying for your certificate.
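If you prefer the command line, or simply want to check a CSR before you upload it, the same key-and-request step can be done with openssl. This is an added example, not code from the article or from Lion Server; the host name, organisation, address and email values are constructed placeholders, and it assumes openssl is on the path.

```shell
#!/bin/sh
# Added example (not from the article): generate the private key and the
# Certificate Signing Request with openssl, then inspect the CSR's subject
# before uploading it. All values used below are constructed placeholders.

# make_csr DIR FQDN ORG EMAIL COUNTRY STATE CITY
# Writes DIR/server.key (stays on the server) and DIR/server.csr (goes to the CA).
make_csr() {
  dir=$1; fqdn=$2; org=$3; email=$4; country=$5; state=$6; city=$7
  mkdir -p "$dir"
  # 2048-bit RSA private key, readable only by its owner
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  chmod 600 "$dir/server.key"
  # Subject fields as the CA expects them: CN is the FQDN the devices will
  # connect to, O the legal registrant of that domain, C the two-letter ISO
  # country code, ST and L spelled out in full with no abbreviations.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=$country/ST=$state/L=$city/O=$org/CN=$fqdn/emailAddress=$email"
}

# csr_field CSR SHORTNAME: print one subject field (CN, O, C, ST, L, emailAddress)
# so the request can be checked before it is submitted.
csr_field() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline |
    sed -n "s/^ *$2 *= *//p"
}

# csr_verify CSR: succeed only if openssl reports the request's self-signature
# as valid, i.e. the CSR really was produced with the key we hold.
csr_verify() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Worked run on constructed values, in a temporary directory.
WORK=$(mktemp -d)
make_csr "$WORK" server.example.com "Example Ltd" admin@example.com GB "Greater London" London
echo "CN: $(csr_field "$WORK/server.csr" CN)"
echo "O:  $(csr_field "$WORK/server.csr" O)"
echo "C:  $(csr_field "$WORK/server.csr" C)"
if csr_verify "$WORK/server.csr"; then
  echo "CSR signature OK; upload $WORK/server.csr to your CA"
fi
```

Only the .csr file is sent to the CA; server.key never leaves the machine. csr_field is there to confirm that CN and O match the fully qualified domain name and its legal registrant before you submit, because those are exactly the fields a CA rejects a request on.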
Step 15: Final steps
Drag the .crt file into the well when it appears and click Replace Certificate. If you’re told the certificate was signed by an unknown authority, find your intermediate certificate, double-click its .crt file and add it to your system keychain. Your validated certificate will then need to be selected in Hardware > [Server Name] > Settings, by clicking Edit… (next to SSL Certificate).
Bonus Tip: Applying for your certificate
The process, and cost, of applying for your certificate will vary, depending on the Certificate Authority (CA) you use. Authorities such as Thawte (www.thawte.com), VeriSign (www.verisign.com) and Comodo Group, Inc. (www.comodo.com) offer an almost bewildering array of products, so take their advice before you buy. Also, since the end of 2011, you can use the Apple Push Certificates Portal (https://identity.apple.com/pushcert/) to obtain a certificate free of charge, though first you’ll need an intermediate certificate from your reseller.
Once you’ve received your signed certificate, return to the Manage Certificates sheet (see steps 6 and 7, above). Choose your self-signed certificate then, from the action pop-up, choose Replace Certificate with Signed or Renewed Certificate…, then return to step 15.
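The “signed by an unknown authority” warning in step 15, and the intermediate certificate mentioned above, can be seen in miniature with openssl. The following is an added example, not part of the article and not how Lion Server itself performs the check: it builds a throw-away root CA and intermediate CA, issues a server certificate from the intermediate, and then verifies that certificate with and without the intermediate present. Every name and file here is constructed for the demo, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the article): why a server certificate issued by an
# intermediate CA fails to verify until the intermediate is installed too.
# Root, intermediate and server names are all constructed for this demo.

EXT_CA='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
EXT_SERVER='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth'

# keypair_and_csr DIR CN: fresh RSA key plus a request for the given CN.
keypair_and_csr() {
  mkdir -p "$1"
  openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/key.pem" -subj "/O=Demo/CN=$2" -out "$1/req.pem"
}

# make_root DIR: self-signed root CA (1 day, CA:TRUE).
make_root() {
  keypair_and_csr "$1" "Demo Root CA"
  printf '%s\n' "$EXT_CA" > "$1/ext.cnf"
  openssl x509 -req -in "$1/req.pem" -signkey "$1/key.pem" -days 1 \
    -extfile "$1/ext.cnf" -out "$1/cert.pem" 2>/dev/null
}

# issue_cert SUBJ_DIR ISSUER_DIR EXTENSIONS: sign SUBJ_DIR's request with
# ISSUER_DIR's key, applying the given X.509 v3 extensions (1-day validity).
issue_cert() {
  printf '%s\n' "$3" > "$1/ext.cnf"
  openssl x509 -req -in "$1/req.pem" -CA "$2/cert.pem" -CAkey "$2/key.pem" \
    -CAcreateserial -days 1 -extfile "$1/ext.cnf" -out "$1/cert.pem" 2>/dev/null
}

# verify_chain CERT ROOT [INTERMEDIATE]: exit 0 only if CERT chains to ROOT.
# Without the intermediate the chain stops at an issuer nobody holds, which is
# the "unknown authority" situation; with it, the path to the root is complete.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# build_demo WORKDIR: root -> intermediate -> server.example.com
build_demo() {
  make_root "$1/root"
  keypair_and_csr "$1/inter" "Demo Intermediate CA"
  issue_cert "$1/inter" "$1/root" "$EXT_CA"
  keypair_and_csr "$1/server" "server.example.com"
  issue_cert "$1/server" "$1/inter" "$EXT_SERVER"
}

# Worked run in a temporary directory.
WORK=$(mktemp -d)
build_demo "$WORK"
if verify_chain "$WORK/server/cert.pem" "$WORK/root/cert.pem"; then
  echo "unexpected: verified without the intermediate"
else
  echo "server certificate alone: issuer unknown (intermediate missing)"
fi
if verify_chain "$WORK/server/cert.pem" "$WORK/root/cert.pem" "$WORK/inter/cert.pem"; then
  echo "with the intermediate installed: chain to the root verified"
fi
```

The first verify is what the Server app is reporting when it says the certificate was signed by an unknown authority: the system keychain trusts the root but has never seen the intermediate, so the chain cannot be completed. Adding the intermediate’s .crt to the system keychain, as step 15 describes, is the equivalent of the second verify.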