MDM

Zentral can be used as MDM server for Apple devices.

Push certificates

To be able to send notifications to the devices, Zentral needs a push certificate (aka. APNS certificate). To get one, you first need to generate an MDM vendor certificate. An Apple Developer Enterprise Account with the ability to generate MDM CSRs is required. You can then use this vendor certificate to sign an APNS certificate request. The mdmcerts Zentral management command can be used to help with this process.

MDM vendor certificate

Run the following command to setup a working directory with a vendor certificate request:

python server/manage.py mdmcerts -d the_working_directory init

Choose a password for the vendor certificate request private key, and remember it!

The content of the working directory should be the following:

$ ls the_working_directory
vendor.csr  vendor.key

Sign in to the Apple Developer Portal and navigate to Certificates, Identifiers & Profiles.
Create a new certificate, choose Services > MDM CSR.
Upload the vendor.csr file.
Download the generated certificate and store it as vendor.crt in the working directory.

Push/APNS certificate

Run the following command to create an APNS certificate request and sign it with the vendor certificate:

python server/manage.py mdmcerts -d the_working_directory req COUNTRYCODE

Choose a password for the push/APNS certificate request private key, and remember it!
Enter the password for the MDM vendor certificate private key.

The content of the working directory should be the following:

$ ls the_working_directory
push.b64  push.csr  push.key  vendor.crt  vendor.csr  vendor.key

Sign in to the Apple Push Certificate Portal.
To renew an existing certificate, choose the certificate and click the Renew button.
To create a new certificate, click the Create a Certificate button.
Upload the push.b64 signed certificate request.
Download the generated certificate.

Navigate to the Zentral MDM > Push certificates section, and either select an existing certificate and click on the Update button to renew an existing certificate, or click on the Add button to create a new push certificate. Upload the generated certificate, the push.key private key, and enter the password of the push certificate private key.

Renewing a Push/APNS certificate

IMPORTANT do not let the push/APNS certificates expire! Remember to renew them ahead of their expiry!

To be able to keep sending notifications to enrolled devices, it is important to renew the existing certificates, and not generate new ones (it it important that the topic of a push certificate stays the same). In the Apple Push Certificate Portal, look for the existing certificate and click on the Renew button, and not on the Create a Certificate button. In the Zentral MDM > Push certificates section, find the certificate and click on the Update button, and do not Add a new certificate.