iOS Application Signing
Mobile Secure Cloud Edition
Document Version: 2.0 - 2014-09-25
Table of Contents
1 Introduction
2 Apple Team Membership
3 Building a Team by Adding Team Admins and Team Members
4 App Protection Application Signing
5 Afaria Enterprise Client Application Signing
5.1 Creating the iOS Distribution Certificate
5.2 Creating the App ID
5.3 Creating the Provisioning Profile
5.4 Signing and Deploying the iOS Client from Mobile Secure
6 Installing Apple Certificates for Use with Afaria
7 Certificate Generation
7.1 Generating a Certificate Signing Request on Mac
7.2 Generating a Certificate Signing Request on Windows Server
7.3 Exporting the Private Key (.p12) on Mac
7.4 Exporting the Private Key (.pfx) on Windows
8 Important Disclaimers on Legal Aspects
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
1 Introduction
This document describes the process to enable enterprise iOS application signing within the Mobile Secure cloud infrastructure.
It describes Apple's requirements for third-party signing, the steps required to sign iOS applications after an App Protection (wrapping) exercise, and the additional steps required to sign the Afaria iOS Enterprise Client with optional APNS messaging.
2 Apple Team Membership
Add SAP as a Team Member on your enterprise's Apple Developer Program.
Apple requires that third-party contractors be added to the enterprise's developer team in order to sign custom-built in-house applications with your developer certificates. Apple only requires you to add an SAP contractor as a Team Member; this is for tracking purposes only. The account will not be accessed by the SAP employee. The role permissions are as follows:
Role and description

Team agent
A team agent is legally responsible for the team and acts as the primary contact with Apple. The team agent can change the access level of any other member of the team.

Team admin
A team admin can set the privilege levels of other participants, although a team admin cannot demote the team agent. Team admins manage all assets used to sign your apps, either during development or when your team is ready to distribute an app. Team admins are the only people on a team who can sign apps for distribution on non-development devices. Team admins also approve signing certificate requests made by team members.

Team member
A team member gains access to prerelease content delivered by Apple on that program's portal. A team member can also sign apps during development, but only after he or she requests a development signing certificate and has that request approved by a team admin.
Instructions for Adding an SAP Team Member
Follow the instructions below and use the following information for the SAP developer:
● First Name: Richard
● Last Name: Miller
● Email Address: Afariacustomer@sap.com
3 Building a Team by Adding Team Admins and Team Members
If you are a team admin, add people to your development team through the Member Center. When you add a
person to your team, you can grant them access to the developer programs that your team is enrolled in.
Procedure
1. After logging in to the Member Center, click People in the bar at the top.
2. Click Invitations in the sidebar.
3. Click Invite Person and provide the first name, last name, and email address.
4. Specify the person's access and role for each program.
5. Click Send Invitation.
4 App Protection Application Signing
Wrap your application for app protection and complete the signing process.
Procedure
1. From the portal, click Application > App Protection, and select an application for app wrapping.
2. Define the correct App Protection Policy template, and click Apply Policy from the left navigation bar to wrap the application with the current policies.
The Application wrapping successful message is displayed.
Note
Applying policies modifies the underlying IPA file and thus invalidates any application signature that was applied by the developer: an iOS code signature seals the contents of the bundle, so a wrapped binary no longer matches it. To be deployed, the application must be re-signed.
3. Click Yes to proceed.
4. In the Sign Application – Apple Signing Guideline dialog, select Do not show this notice again if you prefer not to see this screen on subsequent signing operations, and click Next.
5. In the Sign Application – Specifying Signing Information dialog, select the checkbox I have made SAP a Team Member on my enterprise Apple Developer Program and provide the signing information:
○ Signing certificate (the .p12/.pfx file containing your distribution certificate and its private key)
○ Private key passphrase
○ Provisioning profile
6. Click Sign.
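Why a wrapped IPA must be re-signed, as an added example that is not part of this SAP document: an iOS code signature records a SHA-1 digest for every resource in the bundle in _CodeSignature/CodeResources, and the check below opens an IPA (a zip archive) and reports every sealed file whose content no longer matches that record. The IPA it runs on is constructed in memory; the bundle name Sample.app and the bundle ID com.example.afariaclient are hypothetical. Pointing check_resource_seal() at the bytes of a real IPA before and after wrapping shows the same result on a real build.

```python
"""Resource-seal check for an IPA: which sealed files no longer match?

Added example, not SAP's or Apple's code. The sample IPA is constructed below;
a real IPA is a zip with the same Payload/<name>.app/ layout.
"""
import hashlib
import io
import plistlib
import zipfile

SEAL_SUFFIX = "_CodeSignature/CodeResources"


def _seal_entry(entry):
    """A value in the CodeResources 'files' dict is either the raw SHA-1 digest
    (20 bytes) or a dict {'hash': <digest>, 'optional': <bool>}."""
    if isinstance(entry, dict):
        return entry.get("hash"), bool(entry.get("optional", False))
    return entry, False


def check_resource_seal(ipa_bytes):
    """Return (app_dir, broken): app_dir is the Payload/<name>.app/ prefix and
    broken the sorted list of sealed paths whose content differs from the
    recorded SHA-1, or that are missing although not marked optional."""
    broken = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = set(z.namelist())
        seals = [n for n in names if n.endswith(SEAL_SUFFIX)
                 and n.startswith("Payload/") and n.count("/") == 3]
        if len(seals) != 1:
            raise ValueError("expected exactly one Payload/*.app/" + SEAL_SUFFIX)
        app_dir = seals[0][:-len(SEAL_SUFFIX)]
        seal = plistlib.loads(z.read(seals[0]))
        for rel, entry in seal["files"].items():
            expected, optional = _seal_entry(entry)
            path = app_dir + rel
            if path not in names:
                if not optional:
                    broken.append(rel)
                continue
            if hashlib.sha1(z.read(path)).digest() != expected:
                broken.append(rel)
    return app_dir, sorted(broken)


def build_sample_ipa(wrapped=False):
    """Construct a toy IPA (sample data, not a real app). With wrapped=True the
    bundle is changed the way a wrapper changes it: Info.plist gains a key and
    the main executable is patched, while the seal stays as the developer signed it."""
    app_dir = "Payload/Sample.app/"
    resources = {
        "Info.plist": plistlib.dumps({"CFBundleIdentifier": "com.example.afariaclient"}),
        "Settings.bundle/Root.plist": plistlib.dumps({"PreferenceSpecifiers": []}),
    }
    files = {rel: hashlib.sha1(data).digest() for rel, data in resources.items()}
    files["Optional.lproj/x.strings"] = {"hash": hashlib.sha1(b"").digest(), "optional": True}
    seal = plistlib.dumps({"files": files, "rules": {"^.*": True}})
    binary = b"\xcf\xfa\xed\xfe" + b"original-code"  # fake Mach-O magic plus body
    if wrapped:
        resources["Info.plist"] = plistlib.dumps(
            {"CFBundleIdentifier": "com.example.afariaclient", "WrappedBy": "AppProtection"})
        binary += b"injected-policy-library"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for rel, data in resources.items():
            z.writestr(app_dir + rel, data)
        z.writestr(app_dir + "Sample", binary)
        z.writestr(app_dir + SEAL_SUFFIX, seal)
    return buf.getvalue()


if __name__ == "__main__":
    for wrapped in (False, True):
        app, broken = check_resource_seal(build_sample_ipa(wrapped))
        print(f"{app} wrapped={wrapped}: broken seals -> {broken or 'none'}")
```

The main executable is not listed in CodeResources; its own code directory is embedded in the Mach-O (LC_CODE_SIGNATURE), so the patched binary in the wrapped sample is not reported by this check even though a device would reject it as well. On a Mac, codesign --verify --deep on the unpacked .app performs both checks; either way, the only remedy after wrapping is to re-sign with the enterprise distribution identity.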
5 Afaria Enterprise Client Application Signing
The items needed to generate an enterprise-signed version of the iOS Afaria client are:
1. A Distribution Certificate issued to the enterprise developer account.
2. The private key that was generated with the CSR for that Distribution Certificate.
3. A Provisioning Profile that links the App ID and the Distribution Certificate.
Keychain Sharing in 2.2
SAP introduced support for keychain sharing in Mobile Secure 2.2. Keychain sharing allows iOS apps signed by the same development team, and carrying a common keychain access group entitlement, to share keychain items such as passwords with one another. For example, keychain sharing allows customers to implement single sign-on on mobile devices: users only need to sign in once to access all apps sharing a common keychain access group.
To allow keychain sharing, sign your iOS Afaria client using the steps in this section and then sign your iOS apps with the same team's distribution certificate and the matching keychain access group. If you signed your client and apps prior to 2.2, you will need to re-sign them to take advantage of keychain sharing.
When signing or re-signing your apps to share keychain items with the Afaria client, specify the Afaria client in the app's keychain access group entitlements using the following format: <<Team ID>>.<<Bundle ID>>shared.
5.1 Creating the iOS Distribution Certificate
Create an iOS Distribution Certificate to sign and distribute apps.
Procedure
1. From the iOS Dev Center page, in the iOS Developer Program section, select Certificates, Identifiers & Profiles.
2. On the Certificates, Identifiers & Profiles page, select Certificates under the iOS Apps section.
3. In the Certificates section, select Production. From here, you can request the iOS Distribution Certificate by selecting the + icon.
4. Select In-House and Ad Hoc under the Production section.
Note
If the "In-House and Ad Hoc" option is greyed out, an iPhone Distribution certificate already exists under your developer program. The iOS Developer program only allows the creation of one iPhone Distribution certificate, not multiple.
5. Select Continue and follow the instructions to submit a CSR (Certificate Signing Request).
Refer to the Certificate Generation section for information on using a Mac or PC to create the CSR that is submitted in this process. Once the process is complete, the portal provides a download button.
6. Select the certificate from the list, download the certificate, and save the .cer file.
This is your Signing Certificate. It is required for signing and must be supplied as a .p12/.pfx file, that is, combined with the private key on the machine that generated the CSR (see Exporting the Private Key).
5.2 Creating the App ID
The iOS App ID uniquely identifies an application to Apple application services such as push notifications, in-app purchase, and Game Center, and enables you to incorporate them in your app.
Procedure
1. From the iOS Apps tab of the iOS Dev Center, select App IDs under Identifiers.
2. Select the + icon to create a new App ID for the Afaria client (e.g. com.companyname.afariaclient).
Do not use com.sap.afariaclient, since that matches the App ID of the Afaria client on the App Store.
3. Leave the required selections checked.
There is no requirement as to which App Services need to be enabled for the App ID. However, you must enable Push Notifications if you wish to send push messages to the custom Afaria client application. This feature is available in Afaria 7.x SP2 and later.
4. Select Explicit App ID and enter the Bundle ID for your Afaria app using your company name and "afariaclient" (e.g. com.<companyname>.afariaclient).
Note
Do not select Wildcard App ID. A wildcard App ID is not permitted in the custom app signing portal and will be rejected.
5. Confirm the App ID settings by selecting Submit.
6. (Optional) If push messaging is required, click Edit.
7. Under Push Notifications, select the Create Certificate... button for Production SSL Certificate.
Note
If the Push Notifications service was not enabled on the App ID at the time you obtained the custom Afaria client, you will need to re-obtain the custom client once Push Notifications is enabled. This involves re-downloading the Provisioning Profile used to sign the custom Afaria application (the profile carries the push entitlement) and reinstalling the client on all iOS devices. Otherwise, push messages cannot be sent to the custom Afaria application on any iOS device on which it was installed prior to enabling the Push Notifications service for the App ID.
8. Select Continue.
9. Click the Choose File... button and upload the CSR file created on either the Windows machine or the Mac.
Refer to the Certificate Generation section for directions on how to create a CSR. The wizard says to select the .certSigningRequest file saved on your Mac, but you can equally select a CSR file saved on your Windows machine; the CSR does not have to come from a Mac.
10. Click Generate.
11. Once complete, click Download to receive the APNS certificate.
The file is in .cer format. This is your APNS Push Certificate to be used later, but it must be in .p12/.pfx format. Create the .p12 file as described in the Exporting the Private Key section of this document, on the machine that generated the CSR.
12. Click Done.
13. Click Done once registration of the App ID is complete.
5.3 Creating the Provisioning Profile
Create an In House distribution provisioning profile that ties the App ID created above to the Distribution Certificate; it is this profile, not a device list, that authorizes the signed client to run on the enterprise's devices.
Procedure
1. From the iOS Apps tab of the iOS Dev Center, select Distribution under Provisioning Profiles.
2. Select the + symbol to create a new Distribution profile.
3. Select Distribution > In House.
4. In the Select App ID page, select the App ID created in the previous steps for the custom client.
5. In the Select certificates page, select the radio button for the Distribution certificate created earlier.
6. Enter a profile name and select Generate.
7. Once the Provisioning Profile is created, save the .mobileprovision file.
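A pre-flight check on the three items this section assembles (distribution certificate, its private key, provisioning profile), as an added example that is neither SAP's nor Apple's code: it reads the plist that Apple embeds in a .mobileprovision (a DER-encoded CMS signature wrapped around XML) with the standard library only, so it runs where macOS `security cms -D` is unavailable, and applies the rules from 5.2, 5.3 and the keychain-sharing note above: explicit App ID (no wildcard), In House profile, not expired, the certificate you sign with is one embedded in the profile, and keychain access groups prefixed with the Team ID. The profile and certificate bytes are constructed in the block; the Team ID ABCDE12345, the bundle ID com.example.afariaclient and the fake DER blobs are hypothetical stand-ins, so on real input replace them with the bytes of your .mobileprovision and of the .cer you downloaded.

```python
"""Consistency check: provisioning profile vs. signing certificate vs. App ID.

Added example, not SAP's or Apple's code. Sample data is constructed below.
"""
import datetime
import hashlib
import plistlib

TEAM_ID = "ABCDE12345"                          # hypothetical Team ID
APP_ID = TEAM_ID + ".com.example.afariaclient"  # hypothetical explicit App ID
SAMPLE_CERT_DER = b"\x30\x82\x04\x00" + b"constructed-stand-in-for-a-DER-certificate"
OTHER_CERT_DER = b"\x30\x82\x04\x00" + b"a-different-constructed-certificate"


def profile_plist(blob):
    """Slice the XML plist out of a .mobileprovision without parsing the CMS wrapper."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def cert_fingerprint(der):
    """SHA-1 fingerprint of the DER certificate, as Keychain Access displays it."""
    return hashlib.sha1(der).hexdigest().upper()


def check_profile(blob, signing_cert_der, expected_app_id, now=None):
    """Return a list of problems; an empty list means the items agree."""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    p = profile_plist(blob)
    ent = p.get("Entitlements", {})
    team_ids = p.get("TeamIdentifier", [])
    app_id = ent.get("application-identifier", "")
    problems = []
    if "*" in app_id:
        problems.append(f"wildcard App ID {app_id!r}: rejected by the signing portal")
    if app_id != expected_app_id:
        problems.append(f"profile App ID {app_id!r} != expected {expected_app_id!r}")
    if app_id.split(".", 1)[0] not in team_ids:
        problems.append("App ID prefix is not one of the profile's TeamIdentifier values")
    if not p.get("ProvisionsAllDevices", False):
        problems.append("not an In House profile (ProvisionsAllDevices is not set)")
    if p.get("ProvisionedDevices"):
        problems.append("profile carries a device list: development or ad hoc, not In House")
    exp = p.get("ExpirationDate")
    if exp is not None and exp.replace(tzinfo=None) <= now:
        problems.append(f"profile expired on {exp.date()}")
    embedded = {cert_fingerprint(c) for c in p.get("DeveloperCertificates", [])}
    if cert_fingerprint(signing_cert_der) not in embedded:
        problems.append("signing certificate is not among the profile's DeveloperCertificates")
    for group in ent.get("keychain-access-groups", []):
        if group.split(".", 1)[0] not in team_ids:
            problems.append(f"keychain access group {group!r} is not prefixed with the Team ID")
    return problems


def build_sample_profile(cert_der, app_id=APP_ID, in_house=True,
                         groups=(APP_ID + "shared",),
                         expires=datetime.datetime(2030, 1, 1)):
    """Construct a stand-in .mobileprovision: a real file is a CMS signature
    around exactly this kind of plist; opaque bytes on both sides imitate it."""
    plist = {
        "Name": "Afaria Client In House",
        "TeamIdentifier": [TEAM_ID],
        "ExpirationDate": expires,
        "DeveloperCertificates": [cert_der],
        "Entitlements": {"application-identifier": app_id,
                         "keychain-access-groups": list(groups)},
    }
    if in_house:
        plist["ProvisionsAllDevices"] = True
    else:
        plist["ProvisionedDevices"] = ["0000000000000000000000000000000000000000"]
    return (b"\x30\x82\x1f\x00constructed-cms-header"
            + plistlib.dumps(plist) + b"constructed-trailer")


if __name__ == "__main__":
    good = build_sample_profile(SAMPLE_CERT_DER)
    print("good profile:", check_profile(good, SAMPLE_CERT_DER, APP_ID) or "OK")
    wild = build_sample_profile(SAMPLE_CERT_DER, app_id=TEAM_ID + ".*")
    print("wildcard:", check_profile(wild, SAMPLE_CERT_DER, APP_ID))
    print("wrong certificate:", check_profile(good, OTHER_CERT_DER, APP_ID))
```

Run it against the real files before uploading them to the signing dialog: a certificate that is not in DeveloperCertificates, or a profile generated before Push Notifications was enabled on the App ID, is exactly the mismatch the portal and, later, the device will reject.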
5.4 Signing and Deploying the iOS Client from Mobile Secure
Sign and deploy the iOS client application from Mobile Secure Cloud Edition.
Procedure
1. From the portal page, navigate to the Device > Settings page.
2. Select the Enterprise iOS Client tab.
3. Select the client and click Sign and Deploy iOS Client.
4. In the Sign Application – Apple Signing Guideline dialog, select the checkbox Do not show this notice again and click Next.
5. In the Sign Application – Specifying Signing Information dialog, select the checkbox I have made SAP a Team Member on my enterprise Apple Developer Program. Provide the following signing information and click Sign:
○ Signing certificate (.p12/.pfx)
○ Private key passphrase
○ Provisioning profile (.mobileprovision)
Note that the .p12/.pfx uploaded here contains your enterprise distribution private key and the passphrase unlocks it; together they allow in-house apps to be signed for your devices, so protect the file and the passphrase accordingly.
6 Installing Apple Certificates for Use with Afaria
Install the Apple Computer, Inc. Root Certificate or Apple Inc. Root Certificate (.cer file), the Worldwide Developer Relations (WWDR) certificate (.cer file), and the Apple Production iOS Push Services certificate (.pfx or .p12 file).
Procedure
1. In the Afaria Administrator, navigate to Server > Configuration > Component > iOS Notification.
2. In the APNS Push Certificate (for Custom-Signed Afaria Application) section, click Browse.
3. Browse to and select the .p12/.pfx certificate file.
4. In the Password field, enter the password that was set when exporting the Push certificate and private key.
5. Click Install.
If the Apple Root and Intermediate certificates are not found in the certificate store on the Afaria Server, you are prompted to provide them.
6. On the Select Apple Root Certificates window, browse to and select the Apple Root CA and Worldwide Developer Relations certificates, and click Install.
7. Click Save to store the changes.
The APNS push certificate name is populated on the screen.
8. Click the Validate link at any time to check whether the certificate chain is OK or there is a problem.
This APNS certificate is valid for one year and must be renewed annually. To renew it, log on to the Apple Developer Program, select the certificate, and use the Renew option. A new CSR must be generated to renew the Apple certificate, and the renewed certificate must be paired with the private key of that new CSR before it is exported again as .p12/.pfx. To update the certificate in the Afaria Administrator UI, follow the same steps as described above.
7 Certificate Generation
Install the certificate on the same machine that generated the CSR: the private key created during the CSR process exists only there, and the certificate can only be paired with that key. For IIS, you must have already installed the Apple Root and Intermediate certificates on the server before you complete the certificate request.
7.1 Generating a Certificate Signing Request on Mac
Use the Keychain Access application to generate a certificate signing request on a Mac.
Procedure
1. On your Mac, navigate to Applications > Utilities > Keychain Access.
2. In the menu bar at the top of the desktop window, choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
3. In the Certificate Information window:
  1. In the User Email Address field, enter your email address.
  2. In the Common Name field, enter your name.
  3. In the Request is group, select the Saved to disk option.
  4. Select the Let me specify key pair information option.
4. Click Continue.
5. For ease of access, choose your desktop as the location of the .CSR file.
6. In the Key Pair Information pane, choose 2048 as the key size and RSA as the algorithm.
7. Click Continue.
The Certificate Assistant saves the .CSR file to your desktop. The matching private key is created in your login keychain; it is this key that is later exported together with the certificate as the .p12 file.
7.2 Generating a Certificate Signing Request on Windows Server
Create a certificate signing request on a Windows Server using IIS Manager.
Procedure
1. Click the Start Menu, go to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. Click the name of the server in the Connections column on the left.
3. Under the IIS section in the center window pane, double-click Server Certificates.
4. In the Actions column on the right, click Create Certificate Request....
5. In the Distinguished Name Properties window, enter the following information:
○ Common Name – the name of the person generating the request (any name can be entered in this field).
○ Organization – the legal name of your organization.
○ Organizational Unit – the division of your organization handling the certificate (most CAs do not validate this field).
○ City/Locality – the city where your organization is located.
○ State/Province – the state/region where your organization is located.
○ Country/Region – the two-letter ISO code for the country where your organization is located.
6. Leave the default Cryptographic Service Provider (Microsoft RSA...), increase the Bit Length to 2048 or higher, and click Next.
7. Click the button with the three dots and enter a location and filename where you want to save the CSR file.
8. Click Finish.
7.3 Exporting the Private Key (.p12) on Mac
Export the private key together with its certificate on a Mac, using Keychain Access.
Procedure
1. Copy the .cer certificate file to the Mac and double-click it to add it to Keychain Access, which completes the signing request. The certificate pairs with the private key that Keychain Access created when the CSR was generated.
2. To export your private key and certificate, open the Keychain Access application and select the Keys category.
3. For the iOS Distribution Certificate:
  1. Control-click the private key associated with your iOS Distribution Certificate and click Export Items in the menu. The private key is identified by the public certificate that is paired with it (the iPhone Distribution certificate issued to your program).
  2. Save your key in the Personal Information Exchange (.p12) file format.
4. For the Push Messaging Certificate:
  1. Expand the Name (the Common Name you entered when generating the CSR) that shows "private key" under the Kind column.
  2. Control-click (or right-click) the "Apple Production iOS Push Services..." key and select Export Items in the menu.
5. When prompted, set a password for the export. It is required whenever this .p12 is imported on another computer, and it is the private key passphrase that the Mobile Secure signing dialog and the Afaria Administrator ask for.
You can now transfer this .p12 file between systems; because it contains the private key, handle it as a secret.
7.4 Exporting the Private Key (.pfx) on Windows
Create a .pfx file from the .cer certificate received from the iOS Developer Portal.
Procedure
1. Click the Start Menu, go to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. Click the name of the server in the Connections column on the left, and then double-click Server Certificates.
3. In the Actions column on the right, click Complete Certificate Request....
4. Click the button with the three dots and select the .cer certificate that you received from the iOS Developer Portal.
If the certificate does not have a .cer file extension, select to view all file types.
5. Enter a friendly name so you can keep track of the certificate on this server, and click OK.
If successful, the certificate appears in the list. If you receive an error stating that the request or private key cannot be found, make sure you are using the correct certificate and that you are installing it on the same server on which you generated the CSR; the private key was created there and exists nowhere else.
6. To export the certificate in the correct format, right-click the certificate you just imported and select Export.
7. Click the button with the three dots to specify a path to save the certificate file in .pfx format.
When exporting, you must enter a password that protects the exported private key; this is the passphrase you later supply in the signing dialog. The certificate and key are saved in .pfx format.
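The same four steps (key pair and CSR in 7.1/7.2, pairing the returned .cer with that key as a .p12/.pfx in 7.3/7.4) driven from the openssl command line rather than Keychain Access or IIS, as an added example that is not SAP's or Apple's code. It assumes the `openssl` tool is on PATH; the file names distribution.key, distribution.csr and ios_distribution.cer are hypothetical, and self_signed_cer_for_demo() stands in for the Apple portal so that the whole flow runs offline. key_matches_cert() is the check behind the "same server that generated the CSR" rule above: a certificate pairs only with the key whose public half was in the CSR.

```python
"""CSR, certificate pairing and .p12 export with openssl (sections 7.1 to 7.4).

Added example, not SAP's or Apple's code. Requires the openssl CLI on PATH.
"""
import os
import subprocess
import tempfile


def openssl(*args):
    """Run one openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_csr(workdir, common_name, email, country="US"):
    """7.1/7.2 without a GUI: 2048-bit RSA key plus a CSR carrying CN and e-mail.
    The private key is written only here and is readable by the owner alone."""
    key = os.path.join(workdir, "distribution.key")   # hypothetical file name
    csr = os.path.join(workdir, "distribution.csr")   # hypothetical file name
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", key)
    os.chmod(key, 0o600)
    openssl("req", "-new", "-key", key, "-out", csr,
            "-subj", f"/emailAddress={email}/CN={common_name}/C={country}")
    return key, csr


def key_matches_cert(key_path, cer_path):
    """True when the certificate's RSA modulus equals the private key's, i.e. the
    certificate was issued for the CSR made from this key. This is what fails
    when the request is completed on a different machine."""
    key_mod = openssl("rsa", "-in", key_path, "-noout", "-modulus")
    cer_mod = openssl("x509", "-in", cer_path, "-inform", "DER", "-noout", "-modulus")
    return key_mod.strip() == cer_mod.strip()


def export_p12(key_path, cer_path, out_path, password):
    """7.3/7.4: bundle certificate and private key into a password-protected
    PKCS#12 file, the form the signing dialog and Afaria Administrator expect."""
    if not key_matches_cert(key_path, cer_path):
        raise ValueError("certificate was not issued for this private key")
    pem = out_path + ".cert.pem"
    openssl("x509", "-in", cer_path, "-inform", "DER", "-out", pem)  # DER .cer -> PEM
    openssl("pkcs12", "-export", "-inkey", key_path, "-in", pem,
            "-out", out_path, "-passout", "pass:" + password)
    os.remove(pem)
    os.chmod(out_path, 0o600)
    return out_path


def p12_opens_with(p12_path, password):
    """Sanity check before upload: the passphrase unlocks the bundle and a
    certificate is inside (the key itself is not printed)."""
    out = openssl("pkcs12", "-in", p12_path, "-passin", "pass:" + password, "-nokeys")
    return "BEGIN CERTIFICATE" in out


def self_signed_cer_for_demo(key_path, csr_path, cer_path):
    """Demo stand-in for Apple's portal: signs the CSR with its own key and
    writes DER, the format of the .cer the portal lets you download."""
    openssl("x509", "-req", "-in", csr_path, "-signkey", key_path,
            "-days", "1", "-outform", "DER", "-out", cer_path)
    return cer_path


def demo():
    """Full flow in a scratch directory.
    Returns (key matches cert, p12 opens, a different key matches cert)."""
    with tempfile.TemporaryDirectory() as d:
        key, csr = make_csr(d, "Example Signer", "signer@example.com")
        cer = self_signed_cer_for_demo(key, csr, os.path.join(d, "ios_distribution.cer"))
        p12 = export_p12(key, cer, os.path.join(d, "ios_distribution.p12"), "export-passphrase")
        other_dir = os.path.join(d, "other")
        os.mkdir(other_dir)
        other_key, _ = make_csr(other_dir, "Someone Else", "other@example.com")
        return (key_matches_cert(key, cer),
                p12_opens_with(p12, "export-passphrase"),
                key_matches_cert(other_key, cer))


if __name__ == "__main__":
    print(demo())
```

The password given to export_p12() is the "private key passphrase" the signing dialog asks for; the .p12 it protects holds the enterprise distribution key, so the file should be kept with the same care as the key in the keychain or the IIS store it came from. With a real Apple-issued .cer, drop the self-signed step and pass the downloaded file to export_p12() together with the key from make_csr().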
8 Important Disclaimers on Legal Aspects
This document is for informational purposes only. Its content is subject to change without notice, and SAP does
not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF
MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and
are not intended to be used in a productive system environment. The Code is only intended to better explain and
visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness
of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code,
unless damages were caused by SAP intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of
the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software
products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or
commitments are formed either directly or indirectly by this document.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed
directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring
to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does
not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the
documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint
about where to find related information. SAP does not warrant the availability and correctness of this related
information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful
misconduct. Regarding link classification, see: http://help.sap.com/disclaimer
www.sap.com/contactsap
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.