Enrolling With the iOS Agent

The following sections guide you through configuring iOS in WSO2 IoT Server and enrolling an iOS device. This tutorial follows the sample scenario of the Mob X organization of which Chris (the system administrator) is configuring iOS with WSO2 IoT Server for the organization and Alex (the device owner) is registering an iOS device. 

Configuring iOS support in WSO2 IoT Server

• Configuring WSO2 IoT Server to install iOS applications

   Click here for more information.

  The download URL for WSO2 IoT Server is configured for HTTP by default. Although you can install Android mobile applications using this default configuration, to install iOS applications, you need to configure it for HTTPS as it's required for the iOS MDM protocol behavior.

  Follow the steps given below to configure WSO2 IoT Server to install iOS mobile applications:

  1. Open the <IoT_HOME>/conf/app-manager.xml file.

  2. Add %https% as the value for the AppDownloadURLHost property.

     <Config name="AppDownloadURLHost">%https%</Config>

     To test WSO2 IoT Server App management features on Android devices, please use one of the following options:

     • Change the value of the AppDownloadURLHost property back to HTTP 
     • Continue using HTTPS to install applications on Android devices by Generating a BKS File for Android.

  Chris has now done the configurations needed to allow users to register and monitor their devices with WSO2 IoT Server. Chris then proceeds to configure iOS support in IoT Server.

• Configuring the IP or hostname

   Click here for more information.

  Thie script automatically configures the IP and creates the required SSL certificates for the IP or hostname. This method is recommended because manually configuring the IP address includes many steps and if you miss out on a step you will run into errors.

  1. Navigate to the <IOTS_HOME>/scripts directory.

  2. Run the change-ip script.
     Example: Running the script on a Mac or Linux OS.

     Tip: The script will find and replace the IP address given in argument1 (localhost) with the IP address given as argument2 (10.10.10.14), in the necessary configuration files. 

  1. Change the current IP address of the IoT Server core, broker, and analytics profile.

  2. Enter the values for IoT Server core SSL certificate.

     
     

      Click here for more information.

     Enter the requested information when prompted.

     Field	Usage/Purpose
     Country	The name of your country. Enter the two digit code for your country.
     State	The state your organization is at.
     Location	The city your organization is located at.
     Organization	The name of your organization. For this scenario, we entered wso2.
     Organization Unit	Defined the Team ID as the organization unit.
     Email	The email is used to identify the existing users. For this scenario, we entered chris@wso2.com as the email.
     Commonname	Fully qualified domain name of your server.

     

  If you want to configure the steps manually, see Configuring the IP or hostname manually and if you want to change the default ports, see Changing the Default Ports.

• Installing the iOS features

   Click here for more information.

  If you are facing issues while configuring WSO2 IoT Server for iOS in your testing environment, contact us and we will help you out.

  After obtaining a signed CSR, the P2 repository, and the other files via email, Chris can install the specific features in the P2 repository that are required to enable iOS by following the instructions given below. 

  1. Download and extract the ios-feature-deployer that you received via email. 

  2. Copy the ios-feature-deployer folder to the <IOTS_HOME> directory.  

  3. Navigate inside the ios-feature-deployer folder on the terminal and execute the following command to install the iOS features to WSO2 IoT.  Agree to the End User License Agreement (EULA) to complete the iOS configurations.

     cd ios-feature-deployer 
     mvn clean install -f ios-feature-deployer.xml

     Tip by Chris

     Tip: To verify successful installation of the iOS features, do the following:

     Open the bundles.info file found in the <IOTS-HOME>/wso2/components/default/configuration/org.eclipse.equinox.simpleconfigurator directory and verify if the following properties have changed from false to true .

     org.wso2.carbon.device.mgt.ios.api.utils,3.0.5.SNAPSHOT,../plugins/org.wso2.carbon.device.mgt.ios.api.utils_3.0.5.SNAPSHOT.jar,4,true
     
     org.wso2.carbon.device.mgt.ios.apns,3.0.5.SNAPSHOT,../plugins/org.wso2.carbon.device.mgt.ios.apns_3.0.5.SNAPSHOT.jar,4,true
     
     org.wso2.carbon.device.mgt.ios.core,3.0.5.SNAPSHOT,../plugins/org.wso2.carbon.device.mgt.ios.core_3.0.5.SNAPSHOT.jar,4,true
     
     org.wso2.carbon.device.mgt.ios.payload,3.0.5.SNAPSHOT,../plugins/org.wso2.carbon.device.mgt.ios.payload_3.0.5.SNAPSHOT.jar,4,true
     
     org.wso2.carbon.device.mgt.ios.plugin,3.0.5.SNAPSHOT,../plugins/org.wso2.carbon.device.mgt.ios.plugin_3.0.5.SNAPSHOT.jar,4,true

     Once the ios-feature-deployer script has finished running, you can see the <IOTS_HOME>/ios-configurator directory that was created.

  4. Navigate inside the <IOTS_HOME>/ios-configurator directory and run the ios.sh script. 

     cd ios-configurator
     sh ios.sh

  5. Enter the requested information when prompted. Be sure to provide the same information when configuring the iOS platform configurations.

     Field	Usage/Purpose
     Country	The name of your country. Enter the two digit code for your country.
     State	The state your organization is at.
     Location	The city your organization is located at.
     Organization	The name of your organization. For this scenario, we entered MobX.
     Organization Unit	Defined the Team ID as the organization unit.
     Email	The email is used to identify the existing users. For this scenario, we entered chris@mobx.com as the email.
     Commonname	Fully qualified domain name of your server.

     
     This part of the script creates a key pair, generates a signature, and signs the key using the signature.

• Generating an MDM APNS certificate

   Click here for more information.

  Except for a few operations (ring, message and get location) that are performed by the WSO2 IoT Server agent, all the other device operations, and policies are applied on an iOS device via it's operating system. Therefore, for the WSO2 IoT Server server to communicate with the operating system of the device, you need to generate the MDM APNS certificate.

  The MDM APNS certificate will be referred to as the MDM certificate in the IoT Server Console.

  1. Go to  https://appleid.apple.com/account#!&page=create and get an Apple ID, if you do not have one already. 
  2. Go to the Apple Push Certificate Portal at https://identity.apple.com/pushcert/ and log in with your customer account details. You do not need an enterprise account for this. Your Apple ID is sufficient.
  3. Click Create Certificate and agree to the terms and conditions.

  4. Upload the encoded .plist file got after signing your certificate.

     Didn't get your certificate signed by Apple? Register your organization with the Apple Developer Enterprise Program and follow the steps mentioned in MDM Vendor CSR Signing Overview. 

  5. Download the generated MDM signing certificate, which is a certificate for third-party servers provided by Apple, and rename it to MDM_Certificate.

  6. Get the USERID (TOPIC ID) from the MDM signing certificate (MDM_Certificate.pem), as it will be used later in the configuration. 
     You can decode the MDM signing certificate to obtain the USERID by executing the following command:

     openssl x509 -in MDM_Certificate.pem -text -noout

     The TOPIC ID is assigned to the UID property.
     Example: UID=com.apple.mgmt.External.0dbe5637-8f16-4d9f-bac4-e18cac2f7d4e

  7. Remove the password/pass phrase from your private key file (e.g.,customerPrivateKey.pem).

     openssl rsa -in customerPrivateKey.pem -out customerKey.pem 

  8. Merge the customer key file that was derived in the latter step with the MDM signing certificate to generate the MDM Apple Push Notification Service (APNS) Certificate. In this example, Chris merges the customerKey.pem file with the MDM_Certificate.pem file to generate the MDM_APNSCert.pem file.

     Tip: Before you merge the customerKey.pem file and the MDM_Certificate.pem file, make sure both files are in the same directory.

     cat MDM_Certificate.pem customerKey.pem > MDM_APNSCert.pem

  9. Open the APNS Certificate (MDM_APNSCert.pem) and add a line break between the content of the two files. For example, if your content looks as "-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----", add a line break after 5 dashes so that the content looks as follows:

     -----END CERTIFICATE-----
     -----BEGIN RSA PRIVATE KEY-----

  10. Convert the MDM_APNSCert.pem fileto MDM_APNSCert.pfx file. You need a password for this, which you will need again when configuring the iOS platform configurations.
      

      openssl pkcs12 -export -out MDM_APNSCert.pfx -inkey customerPrivateKey.pem -in MDM_APNSCert.pem

• Generating the APNS certificate

   Click here for more information.

  This section guides you on how to generate an APNS certificate.

  Why is this step required?

  You can register an iOS device with WSO2 IoT Server, with or without the WSO2 IoT Server's iOS agent. This certificate is required to carry out operations on the device that need to be triggered via the iOS agent, such as ringing the device, getting the device location, and sending notifications or messages to the device. Therefore, if you are not installing the iOS agent on your devices, you don't need this certificate.

  Further, in iOS, the server passes messages to the client via the Apple Push Notification Service (APNS). When doing so in order to establish a secure connection between WSO2 IoT Server and the APNS server, a client SSL certificate needs to be generated and downloaded from Apple Inc. This APNS certificate is used to send an awake message to the iOS agent application.

  Prerequisites

  • You have to be enrolled in the  Apple Developer Program as an individual or organization before starting the iOS server configurations.
  • A valid distribution certificates that you obtained from Apple.

  Follow the steps given below:

  1. Clone the emm-agent-ios repository to a preferred location.

     git clone https://github.com/wso2/emm-agent-ios

  2. Open the emm-agent-ios from X-Code and follow the subsequent steps:
     1. Change the org.wso2.carbon.emm.ios.agent  Bundle Identifier so that it matches your organization details.
        Example: org.<ORGANIZATION_NAME>.emm.ios.agent

     2. Select the development team, provisioning profile and sign certificate from Xcode.

        If you are unsure of how to select the development team, or add the provisioning profile or sign the certificate via Xcode, see the blog post on How to export “in-house” developed iOS app as an enterprise application.

  3. Log in to the Apple Developer program and follow the subsequent steps:

     Before you follow the steps, confirm that your machine is connected to the Internet and that Xcode has a valid developer account.

     1. Navigate to Certificates, IDs & Profiles that is under Identifiers.
     2.  Click App IDs and see if the Bundle ID that you defined under Xcode is listed here.
        
  4. Click the Bundle ID, and click Edit.
     
  5. Creating an APNs SSL certificate:
     1. Select Push Notifications to enable the setting.
        
        Once push notification is enabled, you are able to generate the development and production certificates.
     2. To try out the create certificate use case, let's create a development SSL certificate.
        Please note that the development SSL certificate is created only as an example. You can create a production SSL certificate if you have registered with the Apple Developer Program as an Organization.
        
        Click Create Certificate that is under Development SSL Certificate.
        
  6. Creating a CSR file using the keychain access tool in the Mac OS:
     1. Launch the keychain access application.
     2. On the menu bar click KeyChain Access > Certificate Assistant > Request a Certificate from Certificate Authority.
        
     3. Define the email address, common name, select Saved to disk, and click Continue.
        Example:
        
  7. Go back to the Apple Developer Portal, upload the generated certificate, and click Continue.
     
  8. Exporting the certificate to the pfx format.
     1. Click Download to download the file.
        
     2. Double-click the downloaded file to open it with the Keychain access tool.
     3. Right-click the certificate and select export.
        
     4. Define the location where you wish to save the file and set a password for the exported file when prompted.
     5. Rename the p12 extensionof the file to pfx.

  What's Next?

  You need to configure the WSO2 IoT Server iOS client configurations. 

• Configuring the iOS platform

   Click here for more information.

  Multiple tenants can use WSO2 IoT Server while maintaining tenant-based isolation. The iOS platform configurations page enables tenants to customize the iOS settings based on their own requirements.

  Chris proceeds to configure the iOS platform configurations by adding the generated MDM APNS certificate.

  1. Log in to the device management console at https://<IoT_HOST>:9443/devicemgt using admin as the username and password if you haven't previously logged in.

  2. Click > CONFIGURATION MANAGEMENT > PLATFORM CONFIGURATIONS > iOS Configurations and fill in the form.

     Use the generated MDM-APNS certificate for both the MDM certificate and the generated APNS certificate for the APNS certificate.

     • MDM Certificate Password: Give the same password you gave when converting the MDM_APNS certificate from the pem tothe pfx format. 
     • MDM Certificate Topic ID: Give the topic ID of the certificate. If you are unsure of the topic ID, refer step 6 under generating the MDM APNS certificate.
     • APNS Certificate Password: Give the same password you gave when converting the APNS certificate to the pfx format. 

     

     Tip: To learn more about each platform setting, hover your mouse pointer over the help tip.

Creating users and a sample policy

Follow the steps given below to create two users, Alex and Chris, and a configured passcode policy. This will make it easy for you to try out the IoT Server quick start guide.

1. Navigate to the mobile-qsg directory located in the <IOTS_HOME>/samples directory on the terminal window. 

2. Run the mobile-qsg.sh script to configure the iOS server settings in WSO2 IoT Server. 

   cd <IoT_PRODUCT_HOME>/samples/mobile-qsg
   sh mobile-qsg.sh

   When you add a new user to WSO2 IoT Server, the user receives an email with the username and password that needs to be used to log in to WSO2 IoT Server. In this quick start guide, we have not configured WSO2 IoT Server to send emails. Therefore you will get an error in the terminal where the core profile is running. If you don't want to see this error, you need to configure the email settings. For more information, see Configuring the Email Settings.

    Click here to see the error you get.

   [2017-07-27 02:47:14,527] [IoT-Core] ERROR - {org.apache.axis2.description.ClientUtils} The system cannot infer the transport information from the mailto:chris@mobx.com URL.
   [2017-07-27 02:47:14,527] [IoT-Core] ERROR - {org.apache.axis2.description.ClientUtils} The system cannot infer the transport information from the mailto:alex@example.com URL.
   [2017-07-27 02:47:14,531] [IoT-Core] ERROR - {org.wso2.carbon.email.sender.core.service.EmailSenderServiceImpl} Error occurred while delivering the message, subject: 'You have successfully been registered in WSO2 IoT', to: 'chris@mobx.com'
   org.apache.axis2.AxisFault: The system cannot infer the transport information from the mailto:chris@mobx.com URL.
   	at org.apache.axis2.description.ClientUtils.inferOutTransport(ClientUtils.java:81)
   	at org.apache.axis2.client.OperationClient.prepareMessageContext(OperationClient.java:288)
   	at org.apache.axis2.description.OutOnlyAxisOperationClient.executeImpl(OutOnlyAxisOperation.java:249)
   	at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
   	at org.apache.axis2.client.ServiceClient.fireAndForget(ServiceClient.java:511)
   	at org.apache.axis2.client.ServiceClient.fireAndForget(ServiceClient.java:488)
   	at org.wso2.carbon.email.sender.core.service.EmailSenderServiceImpl$EmailSender.run(EmailSenderServiceImpl.java:117)
   	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
   	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
   	at java.lang.Thread.run(Thread.java:748)
   [2017-07-27 02:47:14,531] [IoT-Core] ERROR - {org.wso2.carbon.email.sender.core.service.EmailSenderServiceImpl} Error occurred while delivering the message, subject: 'You have successfully been registered in WSO2 IoT', to: 'alex@example.com'
   org.apache.axis2.AxisFault: The system cannot infer the transport information from the mailto:alex@example.com URL.
   	at org.apache.axis2.description.ClientUtils.inferOutTransport(ClientUtils.java:81)
   	at org.apache.axis2.client.OperationClient.prepareMessageContext(OperationClient.java:288)
   	at org.apache.axis2.description.OutOnlyAxisOperationClient.executeImpl(OutOnlyAxisOperation.java:249)
   	at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
   	at org.apache.axis2.client.ServiceClient.fireAndForget(ServiceClient.java:511)
   	at org.apache.axis2.client.ServiceClient.fireAndForget(ServiceClient.java:488)
   	at org.wso2.carbon.email.sender.core.service.EmailSenderServiceImpl$EmailSender.run(EmailSenderServiceImpl.java:117)
   	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
   	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
   	at java.lang.Thread.run(Thread.java:748)

Enroll an iOS device

Follow the instructions given below to enroll an iOS device:

1. Sign in to the WSO2 IoT Server Device Management Console.

    Click here for more information.

   Error rendering macro 'excerpt-include' : No link could be created for 'Accessing the WSO2 IoTS Consoles'.
2. Click Enroll New Device if you a device user. If you are administrator click Add under DEVICES.
   

3. Click iOS to enroll your device with WSO2 IoT Server.
   The IoT Server registration screen appears in the Safari browser. iOS devices need the root certificate to be downloaded to trust the server certificate. If the certificate is a self-signed SSL certificate, tap Install IoT Server Certificate, else go to step 5.

   

4. Tap Install as required to download the root certificate. The IoT Server registration screen appears.
   

   Tip

   If you are using iOS 10 with a self-signed certificate, do the following to mark it as a trusted certificate. This is required in iOS 10 because there is a change in how self-signed CA certificates are trusted by iOS devices from iOS 10 onwards.

   1. Open the Certificate Trust Settings found in Settings>General>About.

   2. Enable full trust for the certificate related to WSO2 IoT Server.

5. Tap Install IoT Server Agent.
   

   If you are using iOS 10 or above, you will get the Cannot connect to <IP or host name> error message.
   Example:
   To overcome this, follow the steps given below: This is required in iOS 10 because there is a change in how self-signed CA certificates are trusted by iOS devices from iOS 10 onwards.

   1. Open the Settings > General > About > Certificate Trust Settings .

   2. Enable full trust for the certificate related to WSO2 IoT Server.

   3. Repeat step 5 again and Install the WSO2 IoT Server agent.

6. After the IoT Server agent is installed, click on the WSO2 IoT Server app on your device to start the registration.

   Getting an Untrusted Enterprise Developer message?

   When you open the WSO2 IoTS app for the first time, you may see the Untrusted Enterprise Developer message.

    Click here for more informations on how to establish the trust for the IoTS iOS application

   Follow the steps given below to establish the trust for the IoTS iOS application:

   1. Click Cancel to dismiss the Untrusted Enterprise Developer message.
      
   2. Tap Settings > General > Profiles or Profiles & Device Management.
      Example:
      
   3. Tap the WSO2 Inc profile that is under Enterprise App.

   4. Tap Trust "WSO2 Inc".

      An Internet connection is required to verify the app developer's certificate when establishing trust. If you are behind a firewall, make sure it's configured to allow connections to https://ppq.apple.com. If you are not connected to the Internet when you trust an app, the device displays Not Verified instead. In order to use the app, you need to connect to the Internet, and tap the Verify App button.

      

   5. Tap Trust to confirm that you trust the developer.
      The developer WSO2 Inc. remains trusted until you use Delete App to remove all apps from the developer.
      

   

7. Tap Allow to let the WSO2 Agent access your device location.

8. Enter your server address, based on your environment, in the text box provided and tap Enroll Device. 

   • Developer Environment - Enter your entire server address as your server address.
     Example: https://10.10.10.123
   • Deployment Environment - Enter your domain as your server address.
   
9. Enter your details:
   
   • Domain - Enter the domain only if the server is hosted with multi-tenant support.
   • Username - Enter the username that you provided when registering with WSO2 IoTS.
   • Password - Enter the password that you provided when registering with WSO2 IoTS.

   By default, WSO2 IoTS only supports the BYOD registration process for the iOS platform.

   

10. Tap Login. 

11. Read the End User License Agreement (EULA) and tap I accept the terms.
    

12. Tap Install where ever required to install the WSO2 Profile Service.
    

    A warning message appears to indicate that by installing the profile, WSO2 IoTS has access to remotely manage the iOS device. 

13. Tap Install.

    

14. Tap Trust to confirm that you are aware of the device being remotely managed by installing the profile.

    

15. After the profile is installed, click Done.
    Upon the successful registration, the following confirmation appears.

    

    Thereafter, your browser automatically closes and after 1 or 2 seconds, the native iOS Agent is loaded.

Try it out

You can view device details and carry out operations on your device, after successfully enrolling it with WSO2 IoTS. Let's take a look at how you can do it:

1. Navigate to the WSO2 IoTS Device Management page to view all the created devices.

    Click here for more information on navigating to the Device Management page.

   1. Sign in to the Device Management console.
   2. Click the menu icon.
   3. Click Device Management.
      

2. Click the view icon on the iOS device you enrolled.

   This directs you to the device details page where you can view the device information and try out operations on a device.

    View device details

   The details of each registered devices will be shown on separate pages within the Device page.

   	Description
   Device Details	The following device information will be retrieved automatically when you register with WSO2 IoTS. Device This shows the name the user has given his/her device (e.g., Kim's iPhone). Model The type of device will be stated (e.g., iPhone, iPad) IMEI The International Mobile Station Equipment Identity (IMEI) number of all GSM devices. This is not applicable to devices such as iPads which work without a SIM. Status Indicates if the device is active, inactive or removed from WSO2 IoTS.
   Policy Compliance	If your device does not comply to certain criteria in the enforced policy, the aspects in which your device is none compliant will be highlighted under this section.
   Device Location	Provide the location of your device.
   Installed Application	A list of all the applications that have been installed on your device and the memory consumption by each application will be listed under this section.
   Operation Log	A list of all the operations that have been carried out by you and its current status

    Device operations

   Click on the operation you wish to carry out and provide the required details (if requested) to apply the selected operation on your device.

   Operation	Description
   Device Lock	Ability to lock a device via WSO2 IoTS.
   Location	Ability to receive the location of the device.
   Mute Device	Ability to enable the silent profile on a device via WSO2 IoTS.
   Enterprise Wipe	Ability to unregister a device from WSO2 IoTS.
   Clear Password	Ability to remove a device lock via WSO2 IoTS.
   Change Lock-Code	Ability to change the provided passcode or lock-code via WSO2 IoTS.
   Ring	Ability to ring the device via WSO2 IoTS.
   Message	Ability to send a message to the device via WSO2 IoTS. The WSO2 IoTS admin can use this device operation to send group messages or even private messages to the WSO2 IoTS users.
   APN Configurations	Ability to set the APN configurations on a user's device. In iOS, the WSO2 IoT server does not detect whether a device (i.e., iPad) has only Wifi, or whether the device has 3G and Wifi. If there is only  Wifi, the APN configurations can not be pushed, and a policy violation occurs.
   Google calendar	Ability to set the google calendar configurations on the WSO2 IoTS user's device.
   LDAP	Ability to set the LDAP account configurations on the WSO2 IoTS user's device.

Unregistering and uninstalling the iOS agent

Want to unregister your device from WSO2 IoT Server and uninstall the iOS agent that's on your device? Follow the steps given below:

1. Open the WSO2 iOS agent application and tap unregister.
2. Next, go back, tap and hold down the icon of the iOS agent app. After a few seconds, all the apps in your iPhone will start wiggling and a tiny "X" icon will appear beside them. Note that the "X" icon will not appear beside the apps that came with the device.
3. Press the "X" icon that appears beside the iOS agent app. A message-box will appear.
4. Tap Delete to delete the iOS agent app.
5. Navigate to Settings > General > Profiles or Profiles & Device Management.

6. Tap the configuration profile you installed when enrolling the device and tap Delete Profile.

Now you have successfully unregistered your device from WSO2 IoT Server, removed the profiles that were added when the iOS agent was installed, and uninstalled the WSO2 Device management application.