The deployment scheme with Kerberos constrained delegation (KCD) requires the Administration Server and the iOS MDM Server to be located on the internal network of the organization.
This deployment scheme provides for the following:
When using this deployment scheme, you must do the following:
You can ensure that the user certificate is in compliance with the this CA-issuance requirement by using one of the following methods:
Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:
Service Principal Name for http/iosmdm.mydom.local
In the domain, you have to register the service principal name (SPN) for the device with the iOS MDM web service (iosmdm.mydom.local):
setspn -a http/iosmdm.mydom.local iosmdm
Configuring the domain properties of the device with the reverse proxy (firewall.mydom.local)
To delegate traffic, trust the device with the reverse proxy (firewall.mydom.local) to the service that is defined by the SPN (http/iosmdm.mydom.local).
To trust the device with the reverse proxy to the service defined by the SPN (http/iosmdm.mydom.local), the administrator must perform the following actions:
Special (customized) certificate for the published web service (iosmdm.mydom.global)
You have to issue a special (customized) certificate for the iOS MDM web service on the FQDN iosmdm.mydom.global and specify that it replaces the default certificate in the settings of iOS MDM web service in Administration Console.
Please note that the certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).
Publishing the iOS MDM web service on the reverse proxy
On the reverse proxy, for traffic that goes from a mobile device to port 443 of iosmdm.mydom.global, you have to configure KCD on the SPN (http/iosmdm.mydom.local), using the certificate issued for the FQDN (iosmdm.mydom.global). Please note that publishing, and the published web service must share the same server certificate.