Smallstep Apple MDA Demo with SimpleMDM

A demonstration of using Smallstep Certificate Manager with ACME DA and SimpleMDM.

This demo intends to show how ACME DA can be used with an MDM solution. We won’t configure the MDM solution to take full control of the device in this demo. We also won’t be using any of the Apple enterprise/business functionality, such as the Device Enrollment Program. Enrolling devices will be done by scanning a QR code or link instead. In an actual MDM deployment enrolling and control of the device will be done differently, but for demo purposes this should be sufficient.

We’re using SimpleMDM because it’s simple. A similar setup will work with other MDM solutions, as long as they support custom profiles or native ACME certificate profiles. (As of November 2023, most MDM providers do not yet support ACME certificate profiles.)

In the demo, acmeda is used as the authority name and context.

Prerequisites

A SimpleMDM instance. A trial instance is sufficient. Configuration is described below.
An Apple account to get an Apple push certificate, as required by SimpleMDM.
An macOS 14.x or iOS 16.x device (iPadOS/tvOS also have support for ACME, but we haven’t tested those).
A hosted authority on Smallstep Certificate Manager with MDA enabled

Configure SimpleMDM

If no SimpleMDM instance available yet, create one by signing up at https://a.simplemdm.com/admin/account/new?plan=7
- Follow the instructions shown in the web app to setup the instance, creating/using an Apple ID, creating an Apple push certificate and uploading that to the SimpleMDM app.
- A getting started guide for SimpleMDM is available here: https://help.pdq.com/hc/en-us/articles/4411053699867-How-do-I-get-started-with-SimpleMDM-A-quick-start-guide-SimpleMDM
- A doc on creating a push certificate is available here: https://help.pdq.com/hc/en-us/articles/4411045136923
Create a new Profile for the Root CA Certificate
- Navigate to the profiles page.
- Click the Create Profile button.
- Pick the Custom Configuration Profile.
- Name it Root CA Certificate.
- Add the following XML (toggle):
- Replace the REPLACE_ME_WITH_BASE64_ROOT_CA_CRT value of the inner PayloadContent withyour base64-encoded root CA PEM file:
```
step ca root | base64
```
- Leave other properties as default.
- Save the new profile.
Create a new Profile for the ACME Certificate
- Navigate to the profiles page.
- Click the Create Profile button.
- Pick the Custom Configuration Profile.
- Name it X ACME Certificate. The X prefix is there because SimpleMDM applies profiles alphabetically, and we want the root CA profile to be installed before the ACME certificate profile.
  
  Note: Alternatively, it may also work if the root and ACME payload are combined in a single profile. In that case, only a single profile needs to be configured, containing both payloads. However, a single-profile configuration may create a bootstrapping issue in some scenarios.
- Add the following XML (toggle):
- Replace the REPLACE_ME_WITH_ACME_DIRECTORY_URL value with the URL of your ACME provisioner. Eg. https://acmeda.example.ca.smallstep.com/acme/attestation/directory.
- Ensure that Enable attribute support is checked. This results in the {{udid}} and {{device_name}} attributes to be set correctly in the profile when a device is added to SimpleMDM.
- Leave the other properties as default.
- Save the new profile.
Create a new Device Group and assign Profiles
- Navigate to the Groups page.
- Click the Create Group button.
- Name it Example ACME DA Group
- Leave the other defaults.
- Save the new Group.
- Click the newly created Group and navigate to the Profiles tab.
- Click the Assign Profiles button.
- Click the Assign buttons for the Root CA Certificate and X ACME Certificate profiles.
Create a new Enrollment
- Navigate to the Enrollments page.
- Select Group Enrollment from the Add Enrollment dropdown.
- Name it Example Group Enrollment.
- Select the Example ACME DA Group from the Initial device group dropdown.
- Leave User Enrollment at No.
- Save the new Enrollment.

Enroll an iOS Device

Before enrolling, ensure your CA is running and reachable by the device you want to enroll!