ESET Mobile Device Management for Apple iOS (6.5 and later)

Issue

  • You want to configure ESET Remote Administrator 6.5 or later to manage iOS devices using ESET Mobile Device Management

For version 6.4 and earlier

For version 6.4 and earlier, please follow this KB article.

Details

Benefits of ESET MDM for Apple iOS:

  • Ability to manage the security of iOS devices from ERA 6
  • Manage key security aspects of iOS: passcode settings, autolock time, device restrictions for camera usage and settings for iCloud usage
  • Anti-Theft: remotely wipe all device data if a device is lost (including emails and contacts)
  • Push Exchange account, Wi-Fi account, VPN and other related settings in batches to iOS devices
  • ERA MDM 6.5 supports Apple Device Enrollment Program (DEP), which provides a supervised mode for device management.

Upgrade MDM component to the latest version

To ensure your MDM component continues to function properly, we recommend you upgrade to ESMC version 7.2.11.3 by November 1, 2020. Click here for more information on the Apple Push Notification service (APNs) policy.

Solution


End of support for version 6.4 and 6.5 of ESET Remote Administrator / MDM

ESET Remote Administrator version 6.5 is currently in Limited Support status and will soon be in Basic Support status. It is expected to reach End of Life status in December 2020.

ESET Remote Administrator version 6.4 is currently in End of Life status and no longer available for download.

The MDM functionality in ESET Remote Administrator version 6 is currently in End of Life status and no longer available for download.


Before you continue, these prerequisites must be met:

To enroll iOS devices in ESET Mobile Device Connector, follow the steps in each section:

I. Create an MDM Certificate

II. Create an APN/DEP Certificate

III. Create an MDM Policy

IV. Register your iOS device in ERA

V. Enroll your iOS device

VI. Create an Activation task for iOS MDM

Pre-existing MDM Policy

If you already have an MDM Certificate, MDM Policy, and APN/DEP Certificate, proceed to Enroll your iOS device. Sections I, II, and III only need to be completed again if a change was made to the hostname, policy, or certificate after the initial Certificate or Policy creation. 


I. Create an MDM certificate

If you already have an MDM certificate (a third-party HTTPS certificate signed by a trusted Certification Authority, or a certificate created in ERA and signed by the ERA CA), proceed to Create an APN/DEP Certificate.

MDM Certificate automatically created during some installations

The MDM certificate is automatically created if you used the all-in-one installation of ESET Remote Administrator Server with Mobile Device Connector or the Mobile Device Connector (Standalone) Installation. To verify the existence of an MDM certificate, navigate to the Computers section in the ERA Web Console, select the device on which Mobile Device Connector is installed and click Show Details. Click Configuration → Request Configuration. The ESET Remote Administrator Mobile Device Connector configuration will be displayed. Select it and click Open Configuration to open it. Click General → HTTPS certificate to verify that the MDM certificate is being applied.

  1. Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in. How do I open ERA Web Console?
     
  2. Click Admin → Certificates → New → Certificate.

Figure 1-1
 

  3. In the Basic section, select Mobile Device Connector from the Product drop-down menu. Type the IP address or Hostname of the server where Mobile Device Connector is installed in the Host field.

If the MDM server does not have internet access and communications are port-forwarded from a router connected to an outside network, use the IP address or Hostname of that router instead. You can also enter the IP address from the HTTPS certificate.

The Hostname in the HTTPS certificate must match the Hostname that you will enter in the ESET Mobile Device Connector Policy

If you are using the hostname from the HTTPS certificate, you must also use this same hostname in the ESET Mobile Device Connector Policy.

Profile Installation Failed error: click here for the steps to resolve the issue.

  • Remove any previous MDM profiles from device settings—there should be no other MDM profiles enrolled on the device.
  • Make sure all MDM ports are open—communication between the device and MDM could be blocked.
  • Try using the device's Serial Number (instead of its IMEI number) when adding your iOS device into ERA.

  4. In the Attributes (Subject) section, type the organization name used in ESET Remote Administrator in the Organization Name field.

Figure 1-2

 

  5. Expand the Sign section and click Select Certification Authority.

Figure 1-3
 

  6. Select the certification authority that you want to use and click OK.

Figure 1-4
 

  7. Click Finish and proceed to Create an APN/DEP certificate.

II. Create an APN/DEP certificate

  1. Click Admin → Certificates → New → APN/DEP Certificate.
     
  2. Enter the certificate attributes and then click Submit Request.

 

Figure 2-1

 

  3. Expand the Download section, click Download Private Key and Download CSR and save the certificates to your hard drive.

Figure 2-2
 

  4. Click Open Apple Portal or navigate to https://identity.apple.com/pushcert in your web browser and sign in with your Apple ID.

Figure 2-3
 

  5. Click Create a Certificate.

Figure 2-4
 

  6. If you agree to the Apple Push Certificate Portal Terms of Use, click Accept.
     
  7. Click Browse, select the CSR certificate you downloaded in step 3 above, click Open and then click Upload.

Figure 2-5
 

  8. After the upload completes (this may take time and it might be necessary to refresh the browser), click Download and save the certificate to your hard drive.

Figure 2-6
 

If you are completing a DEP enrollment, continue on to steps 9-12. If you are completing a non-DEP enrollment, proceed to Create an MDM Policy.

  9. Click Open Apple DEP Portal or navigate to https://deploy.apple.com in your web browser and sign in with your Apple DEP Account.

Figure 2-7

 

  10. Click Manage Servers → Add MDM Server. Type the MDM Server Name in the field and select the check box next to Automatically Assign New Devices if you want all new devices connected to your Apple DEP account to be assigned to this MDM server, and then click Next.

Figure 2-8

 

  11. Upload your public key (this is the Private key file you downloaded in step 3). Click Choose File, select the public key file, upload it and then click Next.

Figure 2-9

 

  12. Download the Apple DEP Server token. Click Your Server Token, save the file on your hard drive and click Done.

Figure 2-10
 

  13. Proceed to Create an MDM Policy.

III. Create an MDM Policy

  1. Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in. How do I open ERA Web Console?
     
  2. Click Admin → Policies.
     
  3. Click New Policy.

Figure 3-1

 

  4. Expand Basic and type a name for the policy in the Name field (the Description field is optional).
     
  5. Expand Settings and select ESET Remote Administrator Mobile Device Connector from the drop-down menu.

Figure 3-2

 

  6. Type the IP address of the server where Mobile Device Connector is installed in the Hostname field. If the MDM server does not have internet access and communications are port-forwarded from a router connected to an outside network, use the IP address or Hostname of that router instead.

    The Hostname in the HTTPS certificate must match the Hostname that you entered in the MDM Certificate from section I

    If you entered the IP address from the HTTPS certificate in section I step 3, you must also enter that same IP address in the ESET Mobile Device Connector Policy.

  7. Type the organization name used in ESET Remote Administrator in the Organization field. This name will be used by the enrollment profile generator to update the profile.
     
  8. In the HTTPS certificate section, click Change certificate → Open certificate list, select the MDM Certificate created in part II and then click OK.

When changing the certificate used in your policy for MDC

Once the certificate change is initiated, do not restart the MDM service or the MDM host device until the certificate change is completed. A restart during the certificate change may damage the process.
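
The hostname-match requirement from sections I and III can be checked from a shell before any device is enrolled. The script below is an added example, not ESET tooling: the function names, the constructed sample certificate, and the placeholder values mdm.example.test and 192.0.2.10 are assumptions, and it requires OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not ESET tooling): confirm that a PEM certificate covers the
# Hostname or IP address you intend to type into the MDM policy.
# Assumes OpenSSL 1.1.1 or later (-addext, -checkhost, -checkip).

# cert_matches_policy_host CERT_PEM VALUE
# Returns 0 if the certificate is valid for VALUE, 1 otherwise.
cert_matches_policy_host() {
  case "$2" in
    *:*)       _flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*) _flag=-checkhost ;;  # any other character: treat as a DNS name
    *)         _flag=-checkip ;;    # digits and dots only: IPv4 literal
  esac
  _out=$(openssl x509 -in "$1" -noout "$_flag" "$2" 2>/dev/null) || return 1
  # openssl reports "does match certificate" or "does NOT match certificate"
  case "$_out" in
    *"does match certificate"*) return 0 ;;
    *) return 1 ;;
  esac
}

# make_sample_cert: builds a constructed, self-signed demo certificate and
# prints its path. The names and address below are placeholders.
make_sample_cert() {
  _dir=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Org/CN=mdm.example.test" \
    -addext "subjectAltName=DNS:mdm.example.test,IP:192.0.2.10" \
    -keyout "$_dir/key.pem" -out "$_dir/cert.pem" >/dev/null 2>&1 || return 1
  rm -f "$_dir/key.pem"
  printf '%s\n' "$_dir/cert.pem"
}

# Usage: sh check_mdm_cert.sh <certificate.pem> <policy hostname or IP>
if [ "$#" -eq 2 ]; then
  if cert_matches_policy_host "$1" "$2"; then
    echo "OK: certificate is valid for $2"
  else
    echo "MISMATCH: certificate is not valid for $2" >&2
    exit 1
  fi
fi
```

Run it against the exported HTTPS certificate with the exact value from the policy's Hostname field; a mismatch here means devices will reject the server certificate during enrollment.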