The Management Extender for Apple iOS is required to manage Apple iOS devices (including iPhones, iPads, and iPod Touches).

Installing the Management Extender for iOS requires that you have already installed the Tivoli Endpoint Manager Server. See Installation Instructions for more information. You also must be subscribed to the MDM Beta Fixlet site.

Setting up the Management Extender for Apple iOS involves three primary steps: getting an Apple APNS Certificate, setting up the Management Extender, and enrolling iOS devices. See the steps below for details about each part of the process.

Generating an Apple MDM Certificate

A certificate is required to manage iOS devices through Apple’s Push Notification Service (APNS). This APNS certificate allows the Management Extender to establish a secure, trusted channel of communication with the iOS devices.

Step 1: Create a certificate request and send it to IBM

  1. Download and install OpenSSL, which is used to create the certificate request.
  2. Open a command prompt (Start > Run > cmd.exe).
  3. Type: openssl req -new -newkey rsa:2048 -nodes -keyout push_key.pem -outform der -out push.csr
  4. You will be prompted to enter information about your organization. (Note: you don’t need to enter the optional challenge password or company name.)
  5. A private key file (push_key.pem) and a certificate request file (push.csr) will be generated. Because of the -nodes option, the private key is written unencrypted, so store the push_key.pem file in a safe location (it will be needed later).
  6. Send an email to and attach the push.csr file. Please use the email subject of: "MDM Beta APNS CSR <organization name>"


Step 2: Submit your certificate to Apple

After IBM has signed and returned your certificate, you will need to have Apple also sign the certificate.

  1. Go to
  2. Log in with your Apple ID (consider using a non-personal ID so that other members of the organization can use the Apple ID in the future).
  3. Select Create Certificate.
  4. Agree to the Terms and Conditions.
  5. Follow the instructions to upload the certificate file that you received from IBM.
  6. Download the new signed push certificate "MDM_IBM Global Engineering Solutions_Certificate.pem".
    • If you open the pem file in a text editor, you should see a base64-encoded certificate that starts with "-----BEGIN CERTIFICATE-----" and has a few dozen lines of seemingly random characters.
  7. Rename the file to "push.cer" and create a backup copy (along with the "push_key.pem" file created in the section above).
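
The checks below are an added example, not part of the original instructions. They confirm that push.csr was generated from push_key.pem before it is sent, and that the returned push.cer is a PEM certificate that belongs to the same key and has not expired. The function names are hypothetical, and the script assumes a POSIX shell with openssl on the PATH rather than cmd.exe.

```shell
#!/bin/sh
# Added example: pre-flight checks for push.csr, push_key.pem and push.cer.
# Function names are hypothetical; only the file names come from the page.

# Print the public half of a private key file as PEM.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if the DER-encoded request in $1 was generated from the private key in $2.
check_csr() {
    csr_pub=$(openssl req -inform der -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$(key_pub "$2")" ]
}

# 0 = certificate $1 is PEM, belongs to key $2 and has not expired
# 1 = not a readable PEM certificate, 2 = key does not match, 3 = expired
check_push_pair() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$cert_pub" = "$(key_pub "$2")" ] || return 2
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# Constructed sample data: a throwaway key, request and self-signed certificate
# stand in for the real files so the checks can be exercised offline.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-example" \
        -keyout "$d/push_key.pem" -outform der -out "$d/push.csr" 2>/dev/null
    openssl req -x509 -new -key "$d/push_key.pem" -subj "/CN=constructed-example" \
        -days 1 -out "$d/push.cer" 2>/dev/null
    openssl genrsa -out "$d/other_key.pem" 2048 2>/dev/null
    r1=0; check_csr "$d/push.csr" "$d/push_key.pem" || r1=$?        # matching request
    r2=0; check_push_pair "$d/push.cer" "$d/push_key.pem" || r2=$?  # matching pair
    r3=0; check_push_pair "$d/push.cer" "$d/other_key.pem" || r3=$? # wrong key
    r4=0; check_push_pair "$d/push.csr" "$d/push_key.pem" || r4=$?  # DER file, not PEM
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}
```

Run check_csr before sending the request and check_push_pair before copying the files to the server; a return value of 2 means the certificate was issued for a different key than the one you kept.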


Installing the Management Extender for Apple iOS

Now that you have a signed push certificate, you can install the Management Extender for Apple iOS component. The Management Extender is installed using a Fixlet in the MDM Beta site.


  • The Management Extender for Apple iOS must be installed on the TEM Server or on a relay (the deploy Fixlet will only be relevant for computers with a TEM Agent and a Relay or Server installed).
  • Microsoft XML and Java 1.6 are required (these prerequisites will be installed by the deployment Fixlet if they are not already installed).
  • The Apple iOS devices must be able to connect to the Management Extender (default port is 443) at the DNS name/IP address that you specify during the installation.


Deploying the Management Extender Fixlet

  1. Open the "Deploy Management Extender for Apple iOS" Fixlet. The Fixlet is in the "Mobile Device Management" domain under the "Setup" node.
  2. Click the button in the Fixlet and select the target computer to deploy the Management Extender (if the target computers are not relevant, make sure the agent and a relay are installed first).
  3. When prompted, use a DNS name (or IP address) that the Apple iOS devices can reach. A self-signed certificate will be created for this name (so it is not very easy to change later).
  4. Specify a port (default is 443).
  5. After the Fixlet returns "Completed", you will need to manually copy the push.cer and push_key.pem files generated in the steps above into the "private" folder under the Management Extender subfolder. (Example: "C:\program files\bigfix enterprise\management extender\mdm provider\private")
  6. Open the services dialog and start the TEM Apple iOS Server service and then BES ProxyAgent service.

Your Management Extender for Apple iOS is now ready to manage iOS devices (listening on port 443). You can test it by opening your browser and visiting https://<dns or IP address from step 3>.

Please refer to the Management Extender for Apple iOS Troubleshooting information if you experience problems.

To start managing Apple iOS devices, see installing Apple iOS devices.




Please note that some parts of mobile device management are still in Beta. Please read the Beta disclaimer:

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.