
To sign the Mobile Security for enterprise iOS client, follow the steps below:

  1. Prepare a Mac machine that meets the requirements.
     
    The signing process was verified using Mac OS X Yosemite (10.10.5) and Xcode 7.0.1 (7A1001).
  2. Create a working folder.
    1. Open the Terminal.app.
    2. Enter the command below:

      $ mkdir tmp && cd tmp

      Where tmp is the folder name.

  3. Download TMMS_ScanOnly_SignTool.zip and extract it to the working folder.
    1. Log in to the TMMS Enterprise Admin console.
    2. Do either of the following:

      For Version 9.6

      1. Go to Administration > Communication Server Settings > iOS Settings.
      2. Look for the iOS Deployment Settings section.
      3. Click Security Scan only.

      For Version 9.6 SP1

      1. Go to Administration > Deployment mode.
      2. Click Security Scan only.
      3. Tick the Enable support in iOS app version (for iOS 7.1 or later) checkbox.

      For Version 9.7

      1. Go to Administration > Deployment mode.
      2. Click Security Scan only.
      3. Select Unlisted MDM Solution.
      4. Click the iOS Agent tab and tick the Enable support in iOS app version (for iOS 7.1 or later) checkbox.
    3. Click the TMMS_ScanOnly_SignTool.zip link indicated in Step 1. Download the Mobile Security app.
    4. Save the file to the working folder.
    5. Open the Terminal.app and browse to the working folder.
    6. Enter the command below:

      $ unzip TMMS_ScanOnly_SignTool.zip

      After extracting, the following files will be available in the working folder:

      File Name                             Description
      codesign_allocate                     Assistant utility for signing
      ENT Security.entitlements.template    Template for generating entitlements file
      plutil.pl                             Assistant utility for signing
      README                                A simple invocation sample
      sign.sh                               Main script used to sign the app
      TMMS_ScanOnly_Unsigned.zip            Original unsigned app package
  4. Prepare the following information to sign the app:
    • Apple Enterprise Account.
       

      An Apple Enterprise Account is required for the procedure. To enroll for an Enterprise Account, go to the Apple Developer Enterprise Program portal.

    • Team ID (e.g. Q64GK8FQYN) and App ID (e.g. com.trendmicro.nomdminhouse.entsecurity)

      To obtain the Team ID and App ID, do the following:

      1. Log in to the Apple Developer Portal, then click on Certificates, Identifiers & Profiles.


      2. On the left pane, click Identifiers > App IDs. The Team ID and App ID will be shown on the right pane.


    • Enterprise Certificate (e.g. iPhone Distribution: Trend Micro Incorporated (Ent) in the Keychain Access.app)

      The Enterprise Certificate can be downloaded from the Apple Developer Portal. Make sure its private key is in the Keychain Access.app. It is recommended to use the Apple Developer Enterprise Program (In-House) account type.

    • Provisioning Profile in the working folder, assuming that it was saved as ‘distribution.mobileprovision’

      The Provisioning Profile can be retrieved from the Apple Developer Portal.

      When creating a new provisioning profile, remember to enable the APN service. This is needed to create a production SSL certificate.
  5. Invoke sign.sh as follows:
    1. Open the Terminal.app.
    2. Enter the command below:

      $ bash sign.sh --team-id="Q64GK8FQYN" --app-id="com.trendmicro.nomdminhouse.entsecurity" --provision-profile="distribution.mobileprovision" --private-key="iPhone Distribution: Trend Micro Incorporated (Ent)"

    3. Click Allow or Always Allow when codesign asks to sign using the key in the Keychain Access.app. The signed copy of TMMS_ScanOnly.ipa will now be located inside the working folder.
  6. Upload the signed TMMS_ScanOnly.ipa to the MDM server for distribution.

The certificate used to sign the IPA file must be valid. The TMMS agent may not be able to launch successfully if the certificate has expired, so it is recommended to renew the certificate before it expires and then upgrade the application accordingly.

Also, once the certificate has expired it is not possible to upgrade the application, as this is controlled by Apple. If this happens, the end user will need to renew the certificate, then uninstall and reinstall the TMMS agent on the iOS device.
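
A pre-flight check for the values gathered in step 4, as an added example that is not part of the original article or of the sign tool: it reads the provisioning profile and confirms that it matches the Team ID and App ID passed to sign.sh, has APN enabled for production, is an in-house profile, and is not expired or close to expiry. The function names, the 30-day warning window and the sample profile are assumptions made for illustration; the Team ID and App ID are the example values from this page.

```python
import plistlib
from datetime import datetime, timedelta, timezone

def extract_plist(blob):
    # A .mobileprovision is a CMS-signed container; the profile itself is an
    # XML plist stored in the clear inside it, so it can be sliced out.
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_profile(blob, team_id, app_id, now=None, warn_days=30):
    """Return a list of problems; an empty list means the profile matches."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    profile = extract_plist(blob)
    ent = profile.get("Entitlements", {})
    problems = []
    if team_id not in profile.get("TeamIdentifier", []):
        problems.append("team-id mismatch")
    # Assumption: explicit (non-wildcard) App ID whose prefix is the Team ID.
    if ent.get("application-identifier") != team_id + "." + app_id:
        problems.append("app-id mismatch")
    if ent.get("aps-environment") != "production":
        problems.append("APN not enabled for production")
    if profile.get("ProvisionsAllDevices") is not True:
        problems.append("not an in-house profile")
    expires = profile.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    if expires is None or expires <= now:
        problems.append("profile expired")
    elif expires - now < timedelta(days=warn_days):
        problems.append("profile expires within %d days" % warn_days)
    return problems

# Constructed sample: placeholder CMS bytes around a minimal profile plist.
SAMPLE = b"\x30\x82\x1f\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>TeamIdentifier</key><array><string>Q64GK8FQYN</string></array>
<key>ExpirationDate</key><date>2016-10-01T00:00:00Z</date>
<key>ProvisionsAllDevices</key><true/>
<key>Entitlements</key><dict>
<key>application-identifier</key>
<string>Q64GK8FQYN.com.trendmicro.nomdminhouse.entsecurity</string>
<key>aps-environment</key><string>production</string>
</dict></dict></plist>""" + b"\x00\x01signature"

if __name__ == "__main__":
    app = "com.trendmicro.nomdminhouse.entsecurity"
    for problem in check_profile(SAMPLE, "Q64GK8FQYN", app):
        print("PROBLEM:", problem)
```

To check a real profile, pass `open("distribution.mobileprovision", "rb").read()` as the first argument. The check covers the provisioning profile only; the signing certificate's own expiry date still has to be tracked separately.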