Configuring connected services

To ensure your Coro subscription is authorized to remotely manage mobile devices, you must first configure your Coro workspace with the necessary certificates and connections. The operation differs depending on whether you intend to manage iOS/iPadOS or Android devices.

For iOS and iPadOS devices, Apple requires organizations to add a valid Apple Push Notification service (APNs) certificate. A valid APNs certificate can then be used for manual device enrollment, to configure Coro as an MDM service for organization-owned devices deployed through an Apple Device Enrollment Program (DEP), or for identity-driven enrollment of devices by users with Managed Apple IDs (MAID).

For Android devices, Google requires you to connect a Customer Managed Google Enterprise account to your Coro workspace.

To configure your Coro workspace to manage mobile devices, see the following procedures:

Adding an APNs certificate for iOS and iPadOS device management

APNs certificates are used to validate your Coro service when manually enrolling and managing iOS and iPadOS devices, or when configuring Coro as the designated MDM service for your DEP-enrolled devices.

APNs certificates are generated with an authorized Apple ID, and each connected device uses the APNs certificate for authenticating push requests from the server. Thus, each device is inherently connected to Coro through that certificate.

If you replace the certificate, the connection to all enrolled devices will be lost, and each must be manually reenrolled under a new certificate. If your certificate is due to expire, you must renew the existing certificate, using the same Apple ID, so that your devices can continue to connect.

Important

APNs certificates are valid for a period of 12 months from the point of issue. To continue to use MDM with your currently enrolled iOS or iPadOS devices, you must renew the certificate before the original expires.

Coro sends certificate expiration reminders to workspace admin users via email at 30 days prior, then 15, 5, 3, 2, and finally 1 day before expiration.

To learn more about renewing an existing certificate, see Options for a current certificate.

The following procedure describes how to obtain a new APNs certificate. First, download a Certificate Signing Request (CSR) from Coro. Then, use the CSR to request an APNs certificate from the Apple Push Certificates portal. Finally, upload the generated certificate back to your Coro workspace.

Perform the following steps:

  1. From the Mobile Device Management page, select the Connected services tab.
  2. Select + CONNECT:

    Connect a new service

    note

    If you have yet to configure any MDM services, no page options or tabs are available. Select CONNECT SERVICES to get started.

    The Connect services to Coro MDM dialog appears:

    MDM Settings

  3. Select Apple Push Notification (APNs).

    The Create and connect Apple's APNs certificate dialog appears:

    Create and connect APNs certificate step 1

  4. In step 1, select Download the certificate signing request to obtain the CSR. Download this CSR to your local workstation. Select NEXT to continue.
  5. In step 2, use the link to access the Apple Push Certificates portal:

    Create and connect APNs certificate step 2

  6. Follow the steps on the Apple portal to obtain your APNs certificate.

    note

    Refer to Apple's documentation for full details.

  7. Return to the Coro console and select NEXT to continue.
  8. In step 3, use the Upload certificate box to upload the generated APNs certificate to Coro:

    Create and connect APNs certificate step 3

  9. (Optional) Add a note to describe the certificate. As certificate renewal requires you to use the same Apple ID, Coro recommends including this information here.
  10. Select UPLOAD CERTIFICATE to continue:

    Create and connect APNs certificate final step

  11. After the upload has successfully completed, select DONE to exit the dialog.

Options for a current certificate

To view your current APNs certificate, select the Connected services tab. Coro presents all currently configured Apple certificates and services under Apple Services:

Currently connected Apple services

Locate Push Notification Services (APNs), then select the adjacent three-dot menu. Choose from:

  • View: View a dialog showing more details.
  • Remove: Delete the certificate. See warning below.

The Apple Push Notification services (APNs) dialog accessed through the View action provides details for the current certificate:

Viewing an APNs certificate

In this dialog, you can:

  • RENEW CERTIFICATE: Upload a renewal for the current certificate.

    APNs certificates are valid for a period of 12 months. You can renew a certificate for a further 12 months, but you must use the same Apple ID used to generate the original certificate.

    Important

    When you need to renew an APNs certificate, you must first use the Apple Push Certificates Portal to obtain the updated certificate. Log in to the portal, locate your current certificate, and use the renew option provided. DO NOT GENERATE A NEW CERTIFICATE, as your enrolled devices will not recognize the new certificate and will need to be re-enrolled, even if you use the same original Coro CSR file and Apple ID. After you have obtained the renewed certificate, upload it to your Coro workspace through this option.

  • REMOVE CERTIFICATE: Deletes the current certificate and removes the connection to all enrolled iOS and iPadOS devices.

    Important

    This process is irreversible. Only remove the certificate if you are sure of the outcome.

Connecting to an Apple Device Enrollment Program

note

Before you can perform this procedure, first configure a valid APNs certificate. See Adding an APNs certificate.

Coro can connect to an Apple Device Enrollment Program (DEP) to be authorized for management of organization-owned and deployed iOS and iPadOS devices. Coro supports two DEP variants:

  • Apple Business Manager (ABM)
  • Apple School Manager (ASM)

In both cases, before you can designate Coro as an MDM service for devices in the program, you must set up a valid connection between Coro MDM and the selected DEP. This process requires you to obtain a public key from Coro, upload it to your ABM or ASM account, generate a token file, and upload this token back to Coro. This establishes the secure connection required to enable Coro as an MDM option in your Apple DEP console.

Important

Apple DEP tokens are valid for a period of 12 months from the point of issue. To continue to use Coro MDM with your DEP-deployed devices, you must renew the token before the original expires. Failure to do so can mean your devices are disenrolled.

Coro sends token expiration reminders to workspace admin users via email at 30 days prior, then 15, 5, 3, 2, and finally 1 day before expiration.

To connect Coro MDM to an Apple DEP, perform the following steps:

  1. From the MDM module page, select the Connected services tab, then select + CONNECT:

    Connect a new service

    The Connect services to Coro MDM dialog appears:

    MDM Settings

    note

    If you have yet to configure an APNs certificate, Coro does not provide a DEP option.

  2. Select Device Enrollment Program (DEP).

    The Create and connect Apple's DEP service dialog appears.

  3. In step 1, select your program (ABM or ASM), then select NEXT to continue:

    Create and connect DEP service dialog

  4. In step 2, select Download public key to download a public key file from Coro. Save it to your local workstation, then select NEXT to continue:

    Create and connect DEP service step 2

  5. Follow the instructions shown in step 3 to add Coro as an MDM service in your ABM or ASM service:

    Create and connect DEP service step 3

    note

    Refer to Apple's documentation for full details.

  6. Return to the Coro console and select NEXT to continue.
  7. In step 4, use the Upload token box to select the generated ABM or ASM token file obtained from the previous step:

    Create and connect DEP service step 4

  8. Select UPLOAD TOKEN to continue:

    Create and connect DEP service final step

  9. After the upload has successfully completed, select DONE to exit the dialog.

Options for an existing connection

To view your current DEP connection information, select the Connected services tab. Coro presents all currently configured Apple certificates and services under Apple Services:

Currently connected Apple services

Locate Device Enrollment Program (DEP), then select the adjacent three-dot menu. Choose from:

  • View: View a dialog showing more details.
  • Remove: Delete the connection. See warning below.

The Apple Device Enrollment Program (DEP) dialog accessed through the View action provides details for the current connection:

Viewing a DEP connection

In this dialog, you can:

  • RENEW TOKEN: Upload a renewal for the current connection.

    DEP connection tokens are valid for a period of 12 months. You can renew a token for a further 12 months, but you must use the same Apple ID used to generate the original.

  • REMOVE TOKEN: Deletes the current connection and removes all DEP-enrolled iOS and iPadOS devices from Coro MDM.

    Important

    This process is irreversible. Only remove the token if you are sure of the outcome.

Configuring MAID enrollment

note

Before you can perform this procedure, first configure a valid APNs certificate. See Adding an APNs certificate.

Coro can be configured with your organization as the designated MDM solution for identity-driven device enrollment through Managed Apple IDs (MAID). That is, where a user with MAID credentials signs in to a work or school account on a device, that device is automatically enrolled with Coro for device management.

Coro works with MAID through a choice of the following enrollment types:

  • Device-driven: Designed for organization-owned devices where the device is monitored remotely through Coro MDM.

    You can obtain the device's status and information, including the installed application list for validation against an approved applications policy, but you cannot restrict installation or enforce compliance.

    You can remotely wipe the device from the Coro MDM console.

  • User-driven: Designed for user-owned devices where the user retains control over the device.

    A separate profile/partition is created for work-related files and access, separate from a user's personal files and applications. As the organization does not own the device, Coro has limited capabilities with the device. Coro cannot obtain device information, and cannot obtain details of, or enforce, compliance of installed applications.

    Coro cannot remotely wipe the device from the Coro console. However, you can remove the installed work profile by disenrolling the device.

NOTE: Coro does not support installation of applications in the work profile via Apple Business Manager (ABM).

You select the enrollment type when first setting up the MAID service in Coro. The selected type remains in place for all device enrollments, and cannot be changed unless you remove the MAID service and create a new one.

Configuring Coro for MAID deployments

To enable MAID enrollment, download a file containing enrollment information from the Coro console and host this file in the web domain corresponding to your MAID users. If a MAID user with an email address based on that domain signs in to the work or school service on a device, that device must be able to make an HTTPS web request to the same domain to obtain a response containing MDM server details for device enrollment.

For example, if your MAID user identities use email addresses in the form john.doe@maid.example.com, make sure the enrollment file is present and accessible at the maid.example.com domain.

The procedure described here enables you to configure Coro for MAID deployments and includes how to obtain and use the enrollment file.

To configure Coro for MAID and to obtain the enrollment details:

  1. From the MDM module page, select the Connected services tab, then select + CONNECT:

    Connect a new service

    The Connect services to Coro MDM dialog appears:

    MDM Settings

    note

    If you have yet to configure an APNs certificate, Coro does not provide a Managed Apple ID (MAID) option. See Adding an APNs certificate.

  2. Select Managed Apple ID (MAID).

    The Set up Apple's MAID service dialog appears.

  3. In step 1, select your MAID enrollment type, then select NEXT to continue:

    Important

    You can select only one of these options for your MAID enrollment. Make sure you select the type that reflects the device types you want to enroll. For more information, see enrollment types.

    You can change the type at a later date by re-running this procedure. This would affect future enrollments; existing enrolled devices are unaffected.

    Set up Apple's MAID service dialog

  4. In step 2, enter the web domain associated with your MAID service, then select NEXT to continue:

    Enter your MAID web domain

  5. In step 3, download the enrollment JSON file using the link provided. Select NEXT to continue:

    Download the enrollment JSON file

  6. In step 4, make a note of the provided URL, or select COPY URL to copy it to your clipboard:

    Copy the enrollment URL

  7. Select DONE to complete this process.

    Coro shows MAID enrollment on the Connected services page with a status of Pending:

    Connected services showing MAID enrollment pending

  8. Rename the downloaded JSON file to "com.apple.remotemanagement" and make it available at the URL displayed in step 4. For example:

    https://maid.example.com/.well-known/com.apple.remotemanagement

    Important

    You must allow external HTTPS requests at this location.

    Coro checks every five minutes for the presence of your enrollment file at the designated domain. When the enrollment file becomes accessible, Coro updates the MAID enrollment status on the Connected services page to Valid. To ensure the status remains accurate, Coro continues to monitor for access to the enrollment file at four-hour intervals.

This completes the MAID enrollment setup process.
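A check you can run from outside your network while the status is still Pending, given here as an added example rather than Coro tooling. It assumes the enrollment file follows Apple's service discovery layout (a `Servers` list whose entries carry `Version` and `BaseURL`) and that it should be served as `application/json`; the sample document and its BaseURL are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
# Assumption: Version values as in Apple's service discovery format,
# mapped to the enrollment types named on this page.
KNOWN_VERSIONS = {"mdm-adde": "Device-driven", "mdm-byod": "User-driven"}
# Constructed sample document; the BaseURL is a placeholder, not a Coro URL.
SAMPLE_BODY = b'{"Servers": [{"Version": "mdm-byod", "BaseURL": "https://mdm.example.net/enroll"}]}'


def enrollment_url(managed_apple_id):
    """Build the discovery URL from the domain part of a MAID address."""
    local, sep, domain = managed_apple_id.strip().rpartition("@")
    if not (local and sep and domain):
        raise ValueError("not an email-style Managed Apple ID")
    return "https://" + domain.lower() + WELL_KNOWN_PATH


def check_response(status, content_type, body):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {content_type!r}, expected application/json")
    try:
        servers = json.loads(body).get("Servers")
    except (ValueError, AttributeError):
        return problems + ["body is not a JSON object"]
    if not isinstance(servers, list) or not servers:
        return problems + ["no 'Servers' list in the document"]
    for i, entry in enumerate(servers):
        entry = entry if isinstance(entry, dict) else {}
        if entry.get("Version") not in KNOWN_VERSIONS:
            problems.append(f"Servers[{i}]: unknown Version {entry.get('Version')!r}")
        base = urlsplit(str(entry.get("BaseURL", "")))
        if base.scheme != "https" or not base.netloc:
            problems.append(f"Servers[{i}]: BaseURL is not an https URL")
    return problems


def check_live(managed_apple_id, timeout=10):
    """Fetch the file as an external client would; non-2xx raises HTTPError."""
    with urllib.request.urlopen(enrollment_url(managed_apple_id), timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        return check_response(resp.status, ctype, resp.read())
```

Because the renamed file has no extension, a web server may fall back to a generic content type; `check_response` reports that case separately from a missing or malformed file.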

Options for an existing MAID service

To view your current MAID enrollment service information, select the Connected services tab. Coro presents all currently configured Apple certificates and services under Apple Services:

Currently connected Apple services

Locate Managed Apple ID (MAID) enrollment, then select the adjacent three-dot menu. Choose from:

  • View: View a dialog showing more details:

Viewing a MAID enrollment service

Important

If you need to change any aspect of your MAID enrollment, repeat setup of your MAID service by selecting + CONNECT and following the steps described in Configuring Coro for MAID deployments again. This does not affect your currently enrolled devices.

Connecting a Customer Managed Google Enterprise account

To manage Android devices, connect Coro to your Customer Managed Google Enterprise account. This provides the necessary authorization for enrolled devices to authenticate requests from the server.

Important

To perform this process, you must have a Google account capable of accessing the Google Enterprise service.

To connect a Customer Managed Google Enterprise account, perform the following steps:

  1. From the MDM module page, select the Connected services tab, then select + CONNECT:

    Connect a new service

    note

    If you have yet to configure any MDM services, no page options or tabs are available. Select CONNECT SERVICES to get started.

    The Connect services to Coro MDM dialog appears:

    MDM Settings

  2. Select Google Enterprise.

    Coro shows a connection dialog:

    Launch Google Enterprise dialog

  3. To start the Google Enterprise configuration process, select LAUNCH GOOGLE ENTERPRISE.
  4. Follow the steps in the Google Enterprise portal to register or select your account.

    note

    Refer to Google's documentation for full details.

  5. Return to the Coro console and observe that the Customer Managed Google Enterprise connection is shown:

    A connected Google Enterprise account

Options for a current connection

On this page, you can:

  • REMOVE CONNECTION: Deletes the current connection and removes all enrolled Android devices.

    Important

    This process is irreversible. Only remove the connection if you are sure of the outcome.

  • ADD NOTE: Add more information about the account you used to create the connection.