Matrix42 Self-Service Help Center

Device Enrollment Program: Token Creation on macOS

Create your Device Enrollment Program Token

This guide describes the Device Enrollment Program Token creation on a macOS machine.

This Knowledge Base article is designed for Silverback 20.0 and earlier. With Silverback 20.0 Update 1, a simplified process has been established, which is part of the Device Enrollment Program Integration Guide.

Create your Public Key

To create a Public Key for your Device Enrollment Program, you'll need the following:

  • Mac Computer with latest macOS and
    • Apple macOS Keychain application (built-in)
    • Apple macOS Terminal application (built-in)
    • Apple macOS TextEdit application (built-in)

Create Unique Certificate

  • Log into your Mac Computer
  • Open Keychain Access Application. Go to Launchpad and type Keychain
  • From the top left, ensure “Login” is selected and then “My Certificates” at the bottom
  • Click the Keychain Access Menu from the top of your screen
  • Click Certificate Assistant
  • Click Create a Certificate
  • Enter a name in the Name field, e.g. Imagoverum
  • Ensure that Identity Type is “Self Signed Root” and that Certificate Type is set to “S/MIME (Email)”
  • Click the Create button
  • Click Continue
  • Click Done

Export Certificate

  • Right Click your created certificate
  • Select Export 
  • Give the certificate a friendly name, e.g. silverback
  • Ensure that Personal Information Exchange (.p12) is selected
  • Choose the Downloads folder to store the silverback.p12 file there
  • Click Save

For the purposes of this document, we will call the file “silverback.p12”. This name is referenced in some commands later in the document. If you name the file differently, you will need to adjust the commands accordingly.

  • Enter a Password, e.g. Pa$$w0rd, and remember it
  • Click OK
  • Enter your macOS Login password
  • Click Always Allow

Change Certificate Format

  • Open Terminal Application
  • Enter cd downloads
  • Enter ls to check that your silverback.p12 file is listed
  • Now enter the following command
    • openssl pkcs12 -in silverback.p12 -out silverback.pem -nodes
  • Enter the password you created, e.g. Pa$$w0rd
  • Press Enter
  • To ensure that silverback.pem is listed, use the ls command again

If you copy and paste the text from this document, the command might fail. If you receive errors, type the command out manually.

Create the Keys

  • Now navigate to Finder
  • Click Go
  • Click Downloads
  • Right click your silverback.pem file
  • Select Open with
  • Choose other
  • Select TextEdit
  • Click Open 

Read Instructions

When you have opened the pem file with TextEdit, the displayed content will have the structure shown in the table. We need to copy and paste the Certificate part and the Private Key part into two different new text files with the ending .key.

  • certificatepublic.key: Will be used to register your server with Apple
  • certificateprivate.key: Will be used to decrypt the token from Apple and to create your unique Silverback DEPToken.

Make sure that you copy the text from your own file. Do not copy and paste the sample shown in the table below.

  • Read the table and proceed with steps below

Value:
    Bag Attributes
        friendlyName: CompanyName
        localKeyID: 6D 41 81 8D C1 C4 FC 7B C1 4C 24 E0 97 DA 2C 77 DB 9C B5 F1
Action to take: No action

Value: (Certificate Area)
Action to take: Save this text part in a separate file named certificatepublic.key

Value:
    Bag Attributes
        friendlyName: CompanyName
        localKeyID: 6D 41 81 8D C1 C4 FC 7B C1 4C 24 E0 97 DA 2C 77 DB 9C B5 F1
    Key Attributes: <No Attributes>
Action to take: No action

Value: (Private Key Area)
Action to take: Save this text part in a separate file named certificateprivate.key

Create and Save Files

  • Now Select the Certificate Area
  • Press cmd + c to copy the content in your clipboard
  • Click File
  • Click New
  • Click Format
  • Click Make Plain Text
  • Press cmd + v to paste the content
  • Press cmd + s to open the Save Wizard
  • Enter as name certificatepublic.key
  • Select your Downloads folder to store the key
  • Uncheck If no extension is provided, use ".txt".
  • Click Save
  • Repeat the steps for the private key Area and save it as certificateprivate.key
  • Your Downloads folder should now have both files listed
    • certificateprivate.key
    • certificatepublic.key
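
The Change Certificate Format, Create the Keys and Create and Save Files steps can also be done entirely in Terminal, without copying PEM text by hand. The following is an added example, not part of the original article; the function names and the P12_PASS environment variable are assumptions of the example. Because -nodes writes the private key unencrypted, the example restricts the output files to their owner and checks that certificate and key belong together.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes the .p12 export password was placed in the environment variable
# P12_PASS (exported) before split_p12 is called.

split_p12() {   # usage: split_p12 silverback.p12 [output-directory]
    p12=$1
    outdir=${2:-.}
    (
        umask 077   # -nodes writes the key unencrypted, so keep it owner-only
        # Certificate only; piping through `openssl x509` drops "Bag Attributes".
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null |
            openssl x509 -out "$outdir/certificatepublic.key" || exit 1
        # Private key only; piping through `openssl pkey` drops the attribute lines.
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
            openssl pkey -out "$outdir/certificateprivate.key" || exit 1
        chmod 600 "$outdir/certificateprivate.key"
    ) || return 1
    keys_match "$outdir/certificatepublic.key" "$outdir/certificateprivate.key"
}

# Succeeds only if the certificate's public key matches the private key.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Run from the Downloads folder as `split_p12 silverback.p12`; a wrong password or a mismatched pair makes the function return a non-zero status.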

Add MDM Server

  • Log in to Apple Business Manager, or navigate back to it if you are already logged in
  • Click on your account at the bottom left
  • Select Preferences
  • Press +Add next to Your MDM Servers
  • Enter a Server name, e.g. Silverback

Upload Public Key

  • Click Choose File
  • Select the certificatepublic.key file with the included Public Key that you created
  • Proceed with Choose
  • Click Save

Download Server Token

  • Click Download Token
  • Confirm Download Server Token
  • Now we need to decrypt that Server Token
  • The token file should be stored under Downloads
  • Check your Downloads Folder for a .p7m file
  • Copy the name of the complete file into your clipboard

Decrypt Server Token

  • Navigate back to Terminal Application
  • Type openssl smime -decrypt -in and press cmd + v 
  • Add now -inkey and add certificateprivate.key
  • Add at the End >DEPToken.json 
  • Press Enter

The complete command should look similar to this:

openssl smime -decrypt -in Filename.p7m -inkey certificateprivate.key > DEPToken.json

If you copy and paste the text from this document, the command might fail, so it is better to type this command manually.

  • Check your Downloads folder; the DEPToken.json file should now be listed there

Edit Server Token

  • Right Click the DEPToken.json file
  • Open with TextEdit (check that it is still displayed in plain-text editor mode)
  • Remove the header & footer information as shown in the table below
  • Save the file 
  • Proceed with Import Server Token

Before | After

Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: 7bit

-----END MESSAGE-----
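
The Decrypt Server Token and Edit Server Token steps can be combined so that the header and footer lines are removed without editing the file by hand. The following is an added example, not part of the original article; the function names are made up here, and the JSON field names it checks for are assumed from Apple's server-token format rather than taken from this page.

```shell
#!/bin/sh
# Added example, not from the original article.

# Print only the token body: skip the MIME header block (everything up to the
# first blank line) and the -----BEGIN/END MESSAGE----- marker lines.
strip_token_envelope() {
    awk '
        { sub(/\r$/, "") }                              # tolerate CRLF endings
        NR == 1 && !/^[A-Za-z-]+:/ { hdr_done = 1 }     # file has no MIME header
        !hdr_done { if ($0 == "") hdr_done = 1; next }
        /^-----(BEGIN|END) MESSAGE-----$/ { next }
        NF { print }
    ' "$@"
}

# Succeed only if the file holds nothing but one JSON object with the
# expected fields (field names are an assumption, see the lead-in).
check_token() {
    case "$(cat "$1")" in
        '{'*'}') ;;
        *) echo "unexpected content around the JSON object" >&2; return 1 ;;
    esac
    for field in consumer_key consumer_secret access_token access_secret; do
        grep -q "\"$field\"" "$1" || { echo "missing field: $field" >&2; return 1; }
    done
}

# usage: decrypt_dep_token Filename.p7m certificateprivate.key DEPToken.json
decrypt_dep_token() {
    (
        umask 077   # the decrypted token is a credential: owner-only access
        openssl smime -decrypt -in "$1" -inkey "$2" | strip_token_envelope > "$3"
    ) || return 1
    check_token "$3"
}
```

If decryption fails, the output file is empty and `check_token` reports it, so a broken DEPToken.json is caught before it is uploaded to Silverback.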


Import Token in Silverback

Import Server Token

  • Open your Silverback Management Console
  • Login as Administrator
  • Navigate to Admin
  • Navigate to Device Enrollment Program
  • Navigate to General Settings
  • Click Enabled
  • Click Choose File 
  • Upload the DEPToken.json file.
  • Click Save
  • Click Ok
  • Wait a few moments for the system to connect and update with Apple
  • Refresh the Browser Page or navigate to another section and switch back to Device Enrollment Program
  • Congratulations. Silverback is now linked with Apple Device Enrollment Program

Next Steps