Enrollment and Apple iOS Management Extender Installation

Updated 2/14/14, 5:42 PM by Audrey_IBM

The Enrollment and Apple iOS Management Extender is required to manage Android and Apple iOS devices (including iPhones, iPads, and iPod Touches).

Installing the Enrollment and Apple iOS Management Extender requires that you have already installed the Tivoli Endpoint Manager Server. See Installation Instructions for more information on how to install the TEM Server. Once installed, the TEM Server must be subscribed to the Mobile Device Management Fixlet site.

Setting up the Enrollment and Apple iOS Management Extender involves three primary steps:

  1. Installing the iOS Management Extender
  2. Obtaining an Apple APNS Certificate
  3. Configuring the iOS Management Extender

See the steps below for details about each part of the process.

NOTE: If your deployment does not manage iOS devices, the Enrollment and Apple iOS Management Extender can be deployed without an Apple APNS Certificate.

NOTE: If the iOS management extender is re-installed, you must complete this entire process--including certificate generation and configuration.


Generating an Apple MDM Certificate

A certificate is required to manage iOS devices through Apple’s Push Notification Service (APNS). This APNS certificate allows the Management Extender to establish a secure, trusted channel of communication with the iOS devices.

Installing the Enrollment and Apple iOS Management Extender

The Management Extender is installed using a Fixlet in the Mobile Device Management site.

NOTE: If the Enrollment and Apple iOS Management Extender is re-installed, you must complete this entire process--including certificate generation and configuration.


  • The Management Extender for Apple iOS must be installed on the TEM Server or on a relay (the deploy Fixlet will be relevant only for computers with a TEM Agent and a Relay or Server installed).
  • The Apple iOS devices must be able to connect to the Management Extender (default port is 443) at the DNS name/IP address that you specify during the installation.


Step 1: Deploy the Management Extender Fixlet

  1. Open the Task: Deploy Management Extender for Apple iOS ID# 70. The Task is found in the "Mobile Device Management" domain under the "Setup and Maintenance" node.
  2. Click the button in the Fixlet and select the target computer to deploy the Management Extender. A TEM Agent and a TEM Relay are prerequisites for the Management Extender for iOS, so if the target computers are not relevant, make sure the TEM Agent and a TEM Relay are installed first.
  3. Target the computers to install the Management Extender for Apple iOS.
  4. The installation will create a certificate request that must be signed by both IBM and Apple before you can manage your Apple iOS devices.


Step 2: Obtain certificate to manage Apple iOS devices

  1. As part of the installation step above, a private key and certificate request (CSR) file was generated on the Management Extender for iOS.
  2. Download the CSR file (push.csr) by using a browser and visiting https://<dns or IP address from step 1>/csr. Alternatively, you can get the CSR file from the following directory on the management extender (default: C:\Program Files\BigFix Enterprise\Management Extender\MDM Provider\public\push.csr). Copy and save the file to your local machine.
  3. Send an email to iem-mdm-signup@wwpdl.vnet.ibm.com and attach the push.csr file. Please use the email subject of: "MDM APNS CSR <organization name>".
  4. IBM will respond in email with a signed certificate request.
  5. After you get your signed file from IBM, go to https://identity.apple.com/pushcert/.
  6. Log in with your Apple ID (consider using a non-personal ID so that other members of the organization can use the Apple ID in the future).
  7. Select Create Certificate.
  8. Read and agree to the Terms and Conditions.
  9. Follow the instructions to upload the certificate file that you received from IBM.
  10. Download the new signed push certificate "MDM_IBM Global Engineering Solutions_Certificate.pem".
  11. If you open the pem file in a text editor (wordpad), you should see a base64 encoded certificate that starts with "-----BEGIN CERTIFICATE-----" and has a few dozen lines of seemingly random characters. There should be no line breaks before "-----BEGIN CERTIFICATE-----".
  12. Rename the file to "push.cer" and create a backup copy.
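
A check for step 11, as an added example that is not part of the original page or of the product: it reports a byte order mark or line breaks before the header, a CSR saved in place of the certificate, a missing footer, and a body whose DER length does not match the decoded data. The function names are hypothetical and the sample data is a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import re
import textwrap

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"

def check_push_cert(data: bytes) -> list:
    """Return the problems found in a push certificate file; empty list means OK."""
    problems = []
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return ["file is UTF-16 encoded; re-download it instead of re-saving"]
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark before the header")
        data = data[3:]
    if data != data.lstrip():
        problems.append("whitespace or line breaks before the header")
        data = data.lstrip()
    if not data.startswith(BEGIN):
        found = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
        label = found.group(1).decode() if found else "no PEM header"
        return problems + ["expected CERTIFICATE, found: " + label]
    end = data.find(END)
    if end == -1:
        return problems + ["END CERTIFICATE footer missing (truncated file?)"]
    body = b"".join(data[len(BEGIN):end].split())  # tolerate LF and CRLF wrapping
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64"]
    # An X.509 certificate is one DER SEQUENCE whose length covers the whole body.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["decoded body is not a DER SEQUENCE"]
    n = der[1] & 0x7F if der[1] & 0x80 else 0  # long form: n length bytes follow
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if 2 + n + length != len(der):
        problems.append("DER length does not match the decoded body (corrupted file?)")
    return problems

def sample_pem(label: bytes = b"CERTIFICATE") -> bytes:
    """Constructed stand-in: a zero-filled 260-byte DER SEQUENCE, not a real certificate."""
    der = b"\x30\x82\x01\x00" + bytes(256)
    b64 = textwrap.fill(base64.b64encode(der).decode(), 64).encode()
    return b"-----BEGIN " + label + b"-----\n" + b64 + b"\n-----END " + label + b"-----\n"

if __name__ == "__main__":
    print(check_push_cert(b"\r\n" + sample_pem()))
```

To check the downloaded file, pass its raw bytes, for example check_push_cert(open("push.cer", "rb").read()), before selecting it in Step 3.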

Step 3: Configure the Management Extender

NOTE: There will be a delay of a few minutes after deploying the management extender before it will report its configuration info and appear in this dashboard.

  1. Open the "Setup and Configuration" Dashboard from Mobile Device Management Domain Tree.
  2. Click "Configure Extenders" under "Setup Apple iOS Management Extender", select the management extender, and click "Next".
  3. Select the configuration options.
    • It is not common to change the port numbers.
    • The refresh interval controls how often the management extender will send a refresh command to the agents. Using a more frequent refresh interval will allow you to see updated information from your devices faster, but will potentially cause more data and battery usage on the device.
    • Select the "push.cer" for the APNS certificate that you received from Apple.
    • If you had previously generated an APNS cert (saved from a previous installation of a management extender) and you have a push.cer and push_key.pem file, you can provide both files. Note that the push.cer and push_key.pem files are tied together as public/private keys. If you have multiple keys/certificates, please make sure not to mix them up or they will be invalid.
  4. If you have an HTTPS key and a signed certificate, you can set them up via the option 'Use my own externally signed SSL files' (this will replace the self-signed HTTPS certificate and prevent the HTTPS warnings on the devices).
  5. Important: If you are using a self-signed SSL certificate, please make sure the hostname or IP address field is the address that the devices will use to connect. If the DNS name or IP address here is different from what the devices use, the Apple iOS devices will complain about an invalid certificate and not allow the MDM profiles to be installed.

Your Management Extender for Apple iOS is now ready to manage iOS devices (listening on port 443). You can test it by opening your browser and visiting 'https://<dns or ip for management extender>'. (Note that if you are using a self-signed certificate, your browser will give you a warning about an untrusted certificate.) Once the certificate is configured properly on the Extender, iOS devices can proceed to installing the certificate and enrolling the device.


Removing the Management Extender

1. The extender can be removed using ID# 79 Task: Remove Management Extender. Consider backing up your APNS key (push_key.pem) and certificate (push.cer) located on the Management Extender (default C:\Program Files\BigFix Enterprise\Management Extender\MDM Provider\private) so that you do not need to generate a new APNS certificate if you choose to reinstall.

2. If you re-install the Extender, begin again at step #1 Task: Deploy Management Extender for Apple iOS ID# 70.

3. Note that if you do not save your APNS cert/key, then you must generate a new CSR file if you redeploy the management extender.


Please refer to the Management Extender for Apple iOS Troubleshooting information if you experience problems.

To start managing Apple iOS devices, see installing Apple iOS devices.