How to set MDM Payload's “Identity” in iPCU？

Question

Someone tell me I should first do configure SCEP using IPCU,so I set a SCEP sever in Windows sever 2008.Then set the URL in the SCEP payload. but I can\'t install the Confi

Answer 1

If you are using self-signed ssl then,While generating self-signed ssl certificate in server side,generate identity.p12 certificate and this certificate you need to use in identity section of IPCU.

These few lines you can use to generate the idendtity.p12

//Creating the device Identity key and certificate request

openssl genrsa 2048 > identity.key
openssl req -new -key identity.key -out identity.csr


//Signing the identity key with the CA. 
//Give it a passphrase. You'll need to include that in the IPCU profile.

openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt

openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt

Answer 2

If you aren't signing the MDM responses from the device (which I would recommend that you don't do until you are comfortable with the rest of the MDM protocol) then any p12 will do, however I believe it should have the key as well as the certificate. If you export a certificate with a key using the keychain utils on OSX, you should get a usable p12 file. The p12 must be base64 encoded within your profile but the iPCU will handle this for you.