Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Signing the Mobile Security for Enterprise client using an Apple Developer Enterprise Certificate

    • Updated:
    • 22 Nov 2016
    • Product/Version:
    • Mobile Security for Enterprise 9.6
    • Platform:
    • iOS 7.0+
Summary

Know the steps on how to sign the Mobile Security for Enterprise client using an Apple Developer Enterprise Certificate.

Details
Public

To sign the Mobile Security for enterprise iOS client, follow the steps below:

  1. Prepare a Mac machine that meets the requirements.
     
    The sign process was verified using Mac OSX Yosemite (10.10.5) and Xcode 7.0.1 (7A1001).
  2. Create a working folder. Do the following:
    1. Open the Terminal.app.
    2. Enter the command below:

      $ mkdir tmp && cd tmp

      Where tmp is the folder name.

  3. Download TMMS_ScanOnly_SignTool.zip and extract it to the working folder. Do the following:
    1. Login to the TMMS Enterprise Admin console.
    2. Do either of the following:

      For Version 9.6

      1. Go to Administration > Communication Server Settings > iOS Settings.
      2. Look for the iOS Deployment Settings section.
      3. Click Security Scan only.

      For Version 9.6 SP1

      1. Go to Administration > Deployment mode.
      2. Click Security Scan only.
      3. Tick the Enable support in iOS app version (for iOS 7.1 or later) checkbox.
    3. Click on the TMMS_ScanOnly_SignTool.zip link indicated on Step 1. Download the Mobile Security app.
      Download unsigned IPA 
    4. Save the file to the working folder.
    5. Open the Terminal.app and browse to the working folder.
    6. Enter the command below:

      $ unzip TMMS_ScanOnly_SignTool.zip

      After extracting, the following files will be available in the working folder:

      File NameDescription
      codesign_allocateAssistant utility for signing
      ENT Security.entitlements.templateTemplate for generating entitlements file
      plutil.plAssistant utility for signing
      READMEA simple invocation sample
      sign.shMain script used to sign the app
      TMMS_ScanOnly_Unsigned.zipOriginal unsigned app package
  4. Prepare the following information to sign the app:
    • Apple Enterprise Account.
       

      An Apple Enterprise Account is required for the procedure. To enroll for an Enterprise Account, go to the Apple Developer Enterprise Program portal.

    • Team ID (e.g. Q64GK8FQYN) and App ID (e.g. com.trendmicro.nomdminhouse.entsecurity)

      To obtain the Team ID and App ID, do the following:

      1. Login to the Apple Developer Portal, then click on Certificates, Identifiers & Profiles.

        Apple Developer Portal 

      2. On the left pane, click Identifiers > App IDs. The Team ID and App ID will be shown on the right pane.

        iOS App IDs

    • Enterprise Certificate (e.g. iPhone Distribution: Trend Micro Incorporated (Ent) in the Keychain Access.app)

      The Enterprise Certificate can be downloaded from the Apple Developer Portal. Make sure its private key in the Keychain Access.app. It is recommended to use the Apple Developer Enterprise Program (In-House) account type.

      Certificates 

    • Provision Profile in working folder, assuming that it was saved as ‘distribution.mobileprovision’

      The Provision Profile can be retrieved from the Apple Developer Portal.

       
      When creating a new provision profile, remember to enable the APN service. This is needed to create a production SSL certificate.
      Provisioning Profiles
  5. Invoke the sign.sh. Do the following:
    1. Open the Terminal.app.
    2. Enter the command below:

      $ bash sign.sh --team-id="Q64GK8FQYN" --app-id="com.trendmicro.nomdminhouse.entsecurity" --provision-profile="distribution.mobileprovision" --private-key="iPhone Distribution: Trend Micro Incorporated (Ent)"

    3. Click Allow or Always Allow if the codesign wants to sign using the key in the Keychain Access.app. The signed copy of TMMS_ScanOnly.ipa will now be located inside the working folder.
  6. Upload the signed TMMS_ScanOnly.ipa to the MDM server for distribution

The certificate used to sign the IPA file should be valid. The TMMS agent may not be able to launch successfully if the certificate has expired. So it is recommended to renew the certificate before it expires, then upgrade the application accordingly.

Also, it is not possible to upgrade the application as this is controlled by Apple. If this case happens, the end-user will need to renew the certificate, and uninstall then reinstall the TMMS agent on the iOS device.

Premium
Internal
Rating:
Category:
Configure; Deploy; Install
Solution Id:
1113297
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.