Mobile Secure Cloud Edition Document Version: 2.0-2014-06-26
Table of Contents
1 Introduction
2 Apple Team Membership
3 Building a Team by Adding Team Admins and Team Members
4 App Protection Application Signing
5 Afaria Enterprise Client Application Signing
5.1 Creating the iOS Distribution Certificate
5.2 Creating the App ID
5.3 Creating the Provisioning Profile
5.4 Signing and Deploying the iOS Client from Mobile Secure
6 Installing Apple Certificates for Use with Afaria
7 Certificate Generation
7.1 Generating a Certificate Signing Request on Mac
7.2 Generating a Certificate Signing Request on Windows Server
7.3 Exporting the Private Key (.p12) on Mac
7.4 Exporting the Private Key (.pfx) on Windows
8 Important Disclaimers on Legal Aspects
2014 SAP AG or an SAP affiliate company. All rights reserved.
1 Introduction
This document describes the process to enable enterprise iOS application signing within the Mobile Secure cloud infrastructure. It describes Apple's requirements for third-party signing, the steps required for signing iOS applications after an App Protection (wrapping) exercise, and the special steps required to sign the Afaria iOS Enterprise Client with optional APNS messaging.
2 Apple Team Membership
Add SAP as a Team Member on your enterprise's Apple Developer Program. Apple requires that third-party contractors be added to the enterprise's developer team in order to sign custom-built in-house applications with your developer certificates. Apple only requires you to add an SAP contractor as a Team Member; this is for tracking purposes only. The account will not be accessed by the SAP employee. Team Member is the least-privileged role in the table below: it cannot sign apps for distribution, which remains with your team admins. The role permissions are:

Table 1: Apple Developer Program roles
Role: Team agent
Description: A team agent is legally responsible for the team and acts as the primary contact with Apple. The team agent can change the access level of any other member of the team.
Role: Team admin
Description: A team admin can set the privilege levels of other participants, although a team admin cannot demote the team agent. Team admins manage all assets used to sign your apps, either during development or when your team is ready to distribute an app. Team admins are the only people on a team who can sign apps for distribution on non-development devices. Team admins also approve signing certificate requests made by team members.
Role: Team member
Description: A team member gains access to prerelease content delivered by Apple on that program's portal. A team member can also sign apps during development, but only after he or she requests a development signing certificate and has that request approved by a team admin.

Instructions for Adding an SAP Team Member
Follow the instructions in the next section and use the following information for the SAP developer:
First Name: Mark
Last Name: Jordan
Email Address: Afariacustomer@sybase.com
3 Building a Team by Adding Team Admins and Team Members
If you are a team admin, add people to your development team through the Member Center. When you add a person to your team, you can grant them access to the developer programs that your team is enrolled in.
1. After logging in to the Member Center, click People in the bar at the top.
2. Click Invitations in the sidebar.
3. Click Invite Person and provide the first name, last name, and email address.
4. Specify the person's access and role for each program.
5. Click Send Invitation.
4 App Protection Application Signing
Wrap your application for app protection and complete the signing process.
1. From the portal, click Application > App Protection, and select an application for app wrapping.
2. Define the correct App Protection Policy template, and click Apply Policy from the left navigation bar to wrap the application with the current policies. The "Application wrapping successful" message is displayed.
Note: Applying policies modifies the underlying IPA file and therefore invalidates the code signature the developer applied. The application must be re-signed before it can be deployed.
3. Click Yes to proceed.
4. In the Sign Application - Apple Signing Guideline dialog, select Do not show this notice again if you prefer not to see this screen on subsequent signing operations, and click Next.
5. In the Sign Application - Specifying Signing Information dialog, select the checkbox I have made SAP a Team Member on my enterprise Apple Developer Program and provide the signing information:
   - Signing certificate (the .p12/.pfx file containing the distribution certificate and its private key)
   - Private key passphrase (the password set when the .p12/.pfx was exported)
   - Provisioning profile (the .mobileprovision file)
6. Click Sign.
5 Afaria Enterprise Client Application Signing
The items needed to generate an enterprise-signed version of the iOS Afaria client are:
1. The Distribution Certificate issued to the Enterprise developer account.
2. The private key that was used to generate the CSR for that Distribution Certificate.
3. A Provisioning Profile that links the App ID and the Distribution Certificate.

5.1 Creating the iOS Distribution Certificate
Create an iOS Distribution Certificate to sign and distribute apps.
1. From the iOS Dev Center page, in the iOS Developer Program section, select Certificates, Identifiers & Profiles.
2. On the Certificates, Identifiers & Profiles page, select Certificates under the iOS Apps section.
3. In the Certificates section, select Production. From here, request the iOS Distribution Certificate by selecting the + icon.
4. Select In-House and Ad Hoc under the Production section.
Note: If the In-House and Ad Hoc option is greyed out, an iPhone Distribution certificate already exists under your developer program. The iOS Developer Program only allows the creation of one iPhone Distribution certificate, not multiple.
5. Select Continue and follow the instructions to submit a CSR (Certificate Signing Request). Refer to the Certificate Generation section for information on using a Mac or PC to create the CSR that is submitted in this step. Once the process is complete, the portal provides a download button.
6. Select the certificate from the list, download it, and save the .cer file. This is your Signing Certificate. The .cer file contains only the public certificate; for signing it must be combined with its private key into a .p12/.pfx file (see Exporting the Private Key).
5.2 Creating the App ID
The iOS App ID uniquely identifies an application to Apple application services such as push notifications, in-app purchase and Game Center, and enables you to incorporate them in your app.
1. From the iOS Apps tab of the iOS Dev Center, select App IDs under Identifiers.
2. Select the + icon to create a new App ID for the Afaria client (for example com.companyname.afariaclient). Do not use com.sap.afariaclient, because that matches the App ID of the Afaria client on the App Store.
3. Leave the required selections checked. There is no requirement on which App Services are enabled for the App ID. However, you must enable Push Notifications if you wish to send push messages to the custom Afaria client application. This feature is available in Afaria 7.x SP2 and later.
4. Select Explicit App ID and enter the Bundle ID for your Afaria app using your company name and afariaclient (for example com.<companyname>.afariaclient).
Note: Do not select Wildcard App ID. A wildcard App ID is not permitted in the custom app signing portal and will be rejected.
5. Confirm the App ID settings by selecting Submit.
6. (Optional) If push messaging is required, click Edit.
7. Under Push Notifications, select the Create Certificate... button for Production SSL Certificate.
Note: If the Push Notifications service was not enabled on the App ID at the time you obtained the custom Afaria client, you will need to re-obtain the custom client once Push Notifications are enabled. This involves re-downloading the Provisioning Profile used to sign the custom Afaria application and reinstalling the client on all iOS devices.
Otherwise, push messages cannot be sent to the custom Afaria application on any iOS device where it was installed before the Push Notifications service was enabled for the App ID.
8. Select Continue.
9. Click the Choose File... button and upload the CSR file created on either the Windows machine or the Mac. Refer to the Certificate Generation section for directions on how to create a CSR. The wizard says to select a .certsigningrequest file saved on your Mac, but a CSR saved on a Windows machine is equally acceptable; the CSR does not have to come from a Mac.
10. Click Generate.
11. Once complete, click Download to receive the APNS certificate. The file is in .cer format. This is your APNS Push Certificate, to be used later, but it must be converted to .p12/.pfx format: create the .p12 file as described in the Exporting the Private Key section of this document.
12. Click Done.
13. Click Done once registration of the App ID is complete.

5.3 Creating the Provisioning Profile
A provisioning profile binds the App ID to the distribution certificate that is allowed to sign it. An In-House distribution profile lets the signed app run on any device in your enterprise, so no device list is needed.
1. From the iOS Apps tab of the iOS Dev Center, select Distribution under Provisioning Profiles.
2. Select the + symbol to create a new Distribution profile.
3. Under Distribution, select In House.
4. On the Select App ID page, select the App ID created in the previous steps for the custom client.
5. On the Select certificates page, select the radio button for the Distribution certificate created in 5.1.
6. Enter a profile name and select Generate.
7. Once the Provisioning Profile is created, save the .mobileprovision file.

5.4 Signing and Deploying the iOS Client from Mobile Secure
Sign and deploy the iOS client application from Mobile Secure Cloud Edition.
1. From the portal page, navigate to the Device Settings page.
2. Select the Enterprise iOS Client tab.
3. Select the client and click Sign and Deploy iOS Client.
4. In the Sign Application - Apple Signing Guideline dialog, select the checkbox Do not show this notice again and click Next.
5. In the Sign Application - Specifying Signing Information dialog, select the checkbox I have made SAP a Team Member on my enterprise Apple Developer Program. Provide the following signing information and click Sign:
   - Signing certificate (.p12/.pfx)
   - Private key passphrase
   - Provisioning profile (.mobileprovision)
6. Due to a known issue in the April 12th release of SAP Mobile Secure, cloud edition, the Afaria administrator must perform one additional step within the Afaria Administration console. This is only necessary the first time a signed iOS client is uploaded; subsequent clients can be uploaded without repeating it.
   1. In the Afaria Administration console, navigate to Server Configuration > iOS Application.
   2. Change the setting from AppStore to Custom, then click Save.
Note: If the setting is later changed back to AppStore, it must be manually set to Custom again before the custom client can be distributed.
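Before uploading the .mobileprovision in step 5, it is worth checking offline for the conditions the signing portal enforces: an explicit, non-wildcard App ID (5.2), an In-House profile rather than an Ad Hoc one (5.3), a profile that actually carries the distribution certificate you will upload with it (5.1), and an expiry date in the future. The script below is an added example and not SAP's or Apple's code. It assumes openssl is on the PATH and that the profile uses Apple's usual one-value-per-line plist layout. Because a real profile is signed by Apple and cannot be fabricated offline, the demo builds its own sample profile signed with a self-signed stand-in certificate; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not SAP's or Apple's code. Assumes: openssl on PATH; the profile has Apple's
# usual pretty-printed plist layout (one value per line). Function names are the example's own.
set -eu

# A .mobileprovision is a DER-encoded CMS SignedData whose payload is an XML plist.
# -noverify skips chain validation (Apple's chain is not in the local trust store); the
# signature itself is still checked against the certificate embedded in the blob.
profile_plist() {  # $1 profile -> plist on stdout
  openssl smime -verify -noverify -inform DER -in "$1" 2>/dev/null | tr -d '\r'
}

# Value of the <string>/<date> element following <key>$2</key>
plist_value() {  # $1 plist, $2 key
  sed -n "/<key>$2<\/key>/{n;s/.*<[a-z]*>\(.*\)<\/[a-z]*>.*/\1/p;}" "$1"
}

# "true"/"false" for the <true/> or <false/> element following <key>$2</key>
plist_bool() {  # $1 plist, $2 key
  sed -n "/<key>$2<\/key>/{n;s/.*<\([a-z]*\)\/>.*/\1/p;}" "$1"
}

# SHA-1 fingerprint of the first certificate listed under DeveloperCertificates
profile_cert_fp() {  # $1 plist
  awk '/<data>/{f=1;next} /<\/data>/{exit} f' "$1" | tr -d ' \t' \
    | openssl base64 -d | openssl x509 -inform DER -noout -fingerprint -sha1
}

# The checks the signing portal (and the device) will apply. $1 profile, $2 distribution .cer
# (DER, as downloaded in 5.1). Prints a verdict; returns 0 only if every check passes.
check_profile() {
  plist=$(mktemp)
  profile_plist "$1" > "$plist" || { echo "REJECT: not a validly signed CMS profile"; return 1; }
  appid=$(plist_value "$plist" application-identifier)
  case "$appid" in
    *'*'*) echo "REJECT: wildcard App ID ($appid) is not accepted for custom signing"; return 1 ;;
    '')    echo "REJECT: no application-identifier entitlement"; return 1 ;;
  esac
  [ "$(plist_bool "$plist" ProvisionsAllDevices)" = true ] \
    || { echo "REJECT: not an In-House profile (ProvisionsAllDevices missing)"; return 1; }
  exp=$(plist_value "$plist" ExpirationDate)
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # same ISO-8601 UTC layout, so string order is time order
  [ "$(expr "$exp" \> "$now")" = 1 ] || { echo "REJECT: profile expired on $exp"; return 1; }
  want=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha1)
  [ "$(profile_cert_fp "$plist")" = "$want" ] \
    || { echo "REJECT: profile was not generated for this distribution certificate"; return 1; }
  echo "OK: $appid, In-House, expires $exp"
}

# Constructed sample: a self-signed stand-in for the distribution certificate and a profile
# signed with it (Apple signs real ones). $1 dir, $2 app id, $3 expiry, $4 ProvisionsAllDevices
make_sample_profile() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Distribution/C=US" \
    -keyout "$1/signer.key" -out "$1/signer.pem" 2>/dev/null
  openssl x509 -in "$1/signer.pem" -outform DER -out "$1/dist.cer"
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
    printf '<key>DeveloperCertificates</key>\n<array>\n<data>\n'
    openssl base64 -in "$1/dist.cer"
    printf '</data>\n</array>\n<key>Entitlements</key>\n<dict>\n'
    printf '<key>application-identifier</key>\n<string>%s</string>\n</dict>\n' "$2"
    printf '<key>ExpirationDate</key>\n<date>%s</date>\n' "$3"
    printf '<key>ProvisionsAllDevices</key>\n<%s/>\n</dict>\n</plist>\n' "$4"
  } > "$1/profile.plist"
  openssl smime -sign -binary -nodetach -signer "$1/signer.pem" -inkey "$1/signer.key" \
    -in "$1/profile.plist" -outform DER -out "$1/sample.mobileprovision"
}

demo() {  # $1 work dir: one acceptable profile and one with a wildcard App ID
  mkdir -p "$1/good" "$1/wild"
  make_sample_profile "$1/good" "ABCDE12345.com.example.afariaclient" "2099-01-01T00:00:00Z" true
  make_sample_profile "$1/wild" "ABCDE12345.*" "2099-01-01T00:00:00Z" true
  check_profile "$1/good/sample.mobileprovision" "$1/good/dist.cer"
  check_profile "$1/wild/sample.mobileprovision" "$1/wild/dist.cer" || true
}
demo "${1:-$(mktemp -d)}"
```

On a real profile, run `check_profile your.mobileprovision your_distribution.cer`; the fingerprint comparison is what catches a profile generated against the wrong certificate in 5.3 step 5, which is otherwise only discovered when the signed client fails to install.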
6 Installing Apple Certificates for Use with Afaria
Install the Apple Computer, Inc. Root Certificate or Apple Inc. Root Certificate (.cer file), the Worldwide Developer Relations (WWDR) intermediate certificate (.cer file), and the Apple Production iOS Push Services certificate (.pfx or .p12 file) on the Afaria Server.
1. In the Afaria Administrator, navigate to Server Configuration > Component > iOS Notification.
2. In the APNS Push Certificate (for Custom-Signed Afaria Application) section, click Browse.
3. Browse to and select the .p12/.pfx certificate file.
4. In the Password field, enter the password that was set when the push certificate and private key were exported.
5. Click Install. If the Apple Root and Intermediate certificates are not found in the certificate store on the Afaria Server, you are prompted to provide them.
6. In the Select Apple Root Certificates window, browse to and select the Apple Root CA and Worldwide Developer Relations certificates, and click Install.
7. Click Save to store the changes. The APNS push certificate name is populated on the screen.
8. Click the Validate link at any time to check whether the certificate chain is OK or there is a problem.
The APNS certificate is valid for one year and must be renewed annually. To renew it, log on to the Apple Developer Program, select the certificate and use the Renew option. A new CSR must be generated for the renewal. To update the certificate in the Afaria Administrator UI, follow the same steps as above. Renew before the old certificate expires: APNs rejects connections made with an expired certificate, so push to the custom client stops until the new .p12/.pfx is installed.
7 Certificate Generation
Install the certificate on the same machine on which you generated the CSR, so that it can be associated with the private key that was created during the CSR process. The private key never leaves that machine during enrollment; only the CSR is uploaded to Apple. For IIS, ensure that you have already installed the Apple Root and Intermediate certificates on your server before you complete the certificate request.

7.1 Generating a Certificate Signing Request on Mac
Use the Keychain Access application to generate a certificate signing request on a Mac.
1. On your Mac, navigate to Applications > Utilities > Keychain Access.
2. In the menu bar, choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
3. In the Certificate Information window:
   1. In the User Email Address field, enter your email address.
   2. In the Common Name field, enter your name.
   3. In the Request is group, select the Saved to disk option.
   4. Select the Let me specify key pair information option.
4. Click Continue.
5. For ease of access, choose your desktop as the location of the .csr file.
6. In the Key Pair Information pane, choose 2048 as the key size and RSA as the algorithm.
7. Click Continue. The Certificate Assistant saves the .csr file to your desktop. The matching private key is stored in your login keychain; it is this key that 7.3 exports.
7.2 Generating a Certificate Signing Request on Windows Server
Create a certificate signing request on a Windows Server using IIS Manager.
1. Click the Start menu, go to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. Click the name of the server in the Connections column on the left.
3. Under the IIS section in the center pane, double-click Server Certificates.
4. In the Actions column on the right, click Create Certificate Request...
5. In the Distinguished Name Properties window, enter the following information:
   - Common Name: the name of the person generating the request (any name can be entered in this field).
   - Organization: the legal name of your organization.
   - Organizational Unit: the division of your organization handling the certificate (most CAs don't validate this field).
   - City/Locality: the city where your organization is located.
   - State/Province: the state/region where your organization is located.
   - Country/Region: the two-letter ISO code for the country where your organization is located.
6. Leave the default Cryptographic Service Provider (Microsoft RSA...), increase the Bit Length to 2048 or higher, and click Next.
7. Click the button with the three dots and enter a location and filename where you want to save the CSR file.
8. Click Finish.

7.3 Exporting the Private Key (.p12) on Mac
Export the private key and certificate on a Mac using Keychain Access.
1. Copy the .cer certificate file to the Mac and double-click it to import it into Keychain Access; this pairs the issued certificate with the private key created for the CSR.
2. To export your private key and certificate, open Keychain Access and select the Keys category.
3. For the iOS Distribution Certificate:
   1. Control-click the private key associated with your iOS Distribution Certificate and click Export Items in the menu. The private key is identified by the public certificate paired with it (the certificate you downloaded in 5.1).
   2. Save your key in the Personal Information Exchange (.p12) file format.
4. For the Push Messaging Certificate:
   1. Expand the name (the Common Name you entered when generating the CSR) that shows "private key" under the Kind column.
   2. Control-click (or right-click) the "Apple Production IOS Push Services..." key and select Export Items in the menu.
5. You are prompted to create a password, which is required whenever this .p12 is imported on another computer and is the Private key passphrase entered in the signing dialog. Choose a strong one: the .p12 contains the private key, and anyone who obtains the file and the password can sign apps as your enterprise. You can now transfer this .p12 file between systems.

7.4 Exporting the Private Key (.pfx) on Windows
Create a .pfx file containing the private key and the .cer certificate received from the iOS Developer Portal.
1. Click the Start menu, go to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. Click the name of the server in the Connections column on the left, and then double-click Server Certificates.
3. In the Actions column on the right, click Complete Certificate Request...
4. Click the button with the three dots and select the .cer certificate that you received from the iOS Developer Portal. If the certificate does not have a .cer file extension, select to view all file types.
5. Enter a friendly name so you can keep track of the certificate on this server, and click OK. If successful, the certificate appears in the list. If you receive an error stating that the request or private key can't be found, make sure you are using the correct certificate and that you are installing it on the same server on which you generated the CSR.
6. To export the certificate in the correct format, right-click the certificate you just imported and select Export.
7. Click the button with the three dots to specify a path to save the certificate file in .pfx format.
When exporting, you must enter a password that protects the exported key; this is the Private key passphrase required by the signing dialog. The certificate and key are saved in .pfx format.
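The Keychain Access and IIS procedures in 7.1 to 7.4 are GUI front ends for three cryptographic operations: generating an RSA key pair and CSR, pairing the returned certificate with that key, and bundling both into a password-protected PKCS#12. The script below is an added example, not SAP's or Apple's code, that performs the same operations with openssl (available on a Mac and on most servers) and adds the two checks a practitioner wants before uploading: that the .cer really belongs to the key that produced the CSR (the failure behind the "request or private key can't be found" error in 7.4), and that the certificate in the .p12 is not about to expire (the annual APNS renewal from section 6). It assumes openssl is on the PATH; since Apple's portal cannot be reached offline, the demo self-signs the CSR as a stand-in for the .cer the portal returns, and all file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not SAP's or Apple's code: the openssl equivalents of the Keychain Access
# and IIS steps in 7.1-7.4, plus the checks worth running before uploading a .p12/.pfx.
# Assumes openssl on PATH. Apple's portal cannot be reached offline, so demo() self-signs
# the CSR as a stand-in for the .cer the portal returns; file and function names are the
# example's own.
set -eu

# 7.1 / 7.2 equivalent: 2048-bit RSA key plus CSR. Only the CSR is uploaded; the key stays here.
gen_csr() {  # $1 dir, $2 subject (CN = your name, emailAddress = the address Apple knows you by)
  openssl genrsa -out "$1/signing.key" 2048 2>/dev/null
  chmod 600 "$1/signing.key"
  openssl req -new -key "$1/signing.key" -subj "$2" -out "$1/signing.csr"
  openssl req -in "$1/signing.csr" -noout -verify >/dev/null 2>&1   # CSR self-signature is sound
}

# The "request or private key can't be found" error in 7.4 step 5 means the .cer was issued
# for a different key. Same RSA modulus in key and certificate means they pair.
key_matches_cert() {  # $1 key (PEM), $2 certificate (DER .cer from the portal)
  k=$(openssl rsa -in "$1" -noout -modulus)
  c=$(openssl x509 -in "$2" -inform DER -noout -modulus)
  [ "$k" = "$c" ]
}

# 7.3 / 7.4 equivalent: key + certificate into one password-protected PKCS#12 (.p12 and .pfx
# are the same format). The password is the "Private key passphrase" the signing dialog asks for.
export_p12() {  # $1 key, $2 certificate (DER), $3 output .p12, $4 password
  openssl x509 -in "$2" -inform DER -out "$2.pem"
  openssl pkcs12 -export -inkey "$1" -in "$2.pem" -name "iOS Distribution" \
    -out "$3" -passout "pass:$4"
  rm -f "$2.pem"
  chmod 600 "$3"
}

# Section 6: APNS certificates last one year. True if the certificate in the .p12 is still
# valid in $3 days, so renewal can be scheduled before push stops working.
valid_for_days() {  # $1 .p12, $2 password, $3 days
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

demo() {  # $1 work dir
  gen_csr "$1" "/emailAddress=admin@example.com/CN=Example Admin/O=Example Corp/C=US"
  # Stand-in for the portal (constructed): self-sign the CSR to get a DER .cer valid one year.
  openssl x509 -req -in "$1/signing.csr" -signkey "$1/signing.key" -days 365 \
    -outform DER -out "$1/signing.cer" 2>/dev/null
  key_matches_cert "$1/signing.key" "$1/signing.cer"
  export_p12 "$1/signing.key" "$1/signing.cer" "$1/signing.p12" 'example-passphrase'
  valid_for_days "$1/signing.p12" 'example-passphrase' 30
  # A key generated elsewhere (the cross-server mistake from 7.4) does not pair with the .cer.
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
  if key_matches_cert "$1/other.key" "$1/signing.cer"; then
    echo "unexpected: unrelated key matched"; return 1
  fi
  echo "OK: signing.csr, signing.cer and signing.p12 written to $1"
}
demo "${1:-$(mktemp -d)}"
```

With a real .cer from the portal, skip the self-signing line and call key_matches_cert and export_p12 against the downloaded file; the same functions work for the APNS push certificate from 5.2, since it is also an RSA key pair enrolled through a CSR.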
8 Important Disclaimers on Legal Aspects
This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If, when referring to members of both sexes, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information.
SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. Regarding link classification, see: http://help.sap.com/disclaimer
www.sap.com/contactsap
2014 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.