Before you begin
Please note the following important details before beginning the Cold Wallet device setup process. If you have any questions or concerns about these details or the setup process itself, contact your Customer Success Manager.
- The Owner's Cold Wallet device must be configured before you can configure Signer devices.
- Provisioning a Cold Wallet Signer device requires scheduling an onboarding session with your Customer Success Manager. Be sure to include the Signer's first name, last name, and email address in your request.
- The specified Signer will receive an email from support@fireblocks.com that contains a link to join the Cold Wallet workspace. This email invitation is required during the setup process. If the Signer has not yet received the email invitation for some reason, contact Fireblocks Support.
- Never install a SIM card in a Cold Wallet device before or after the Fireblocks Cold Wallet app installation.
- The Cold Wallet device setup process can take a few hours to complete. During this time, be sure to have a strong, stable internet connection and to have the device connected to a power source.
- Before installing the Fireblocks Cold Wallet app, verify the Cold Wallet device version and the iOS version on the device. You may not need to perform certain steps if you have later versions.
- While the device is pre-processing signatures, do not move it.
- When you reach the step to disable Bluetooth and WiFi on the Cold Wallet device, do not use the Cold Wallet device's Control Center to disable Bluetooth and WiFi. Doing so will only disable them temporarily. Use the device's Settings app to disable Bluetooth and WiFi.
- Once the Cold Wallet device setup is complete, the device is only able to use the Fireblocks Cold Wallet app. It will remain offline as long as the Fireblocks Cold Wallet app is in use.
- After you complete the Cold Wallet device setup and provision it to the Signer, the device is ready to use. It should stay in a safe and secure place available to the Signer because it is required for signing Cold Wallet transactions. To avoid any interruption to transaction signing in your Cold Wallet workspace, keep this device charged at all times.
Getting started
The setup process requires the presence of the following personnel and devices.
Personnel
- The security manager: This may be an IT professional or any team member entrusted with device and network security. This person does not require a specific Fireblocks user role or access to a Fireblocks workspace.
- The workspace Owner: This is the Fireblocks workspace user authorized to approve generating key shares for Cold Wallet devices. The workspace Owner often acts as the security manager.
- The Signer: This is a user authorized to sign transactions in the Cold Wallet workspace. This person is usually separate from the Owner in Cold Wallet workspaces.
Devices
- The Cold Wallet workspace Owner's device: This iOS device has already been provisioned according to the Cold Wallet Owner's device provisioning guide.
- The Cold Wallet signer's device: This should be a new and unopened iOS device. See Provisioning a previously owned iOS device below if the device has been used before.
- macOS provisioning device: This is typically the security manager's computer.
- macOS or Windows computer: This is any computer that the Owner can use to access their Fireblocks Console. It may be the same computer as the Mac provisioning device.
Step 1: Set the device to Supervised Mode
At this point, you should have a new iOS device that has never been set up. The device should show its Hello screen.
The security manager performs this part.
- Install Apple Configurator 2 on the Mac Provisioning Device.
- Connect the Signer's Cold Wallet mobile device to the Mac Provisioning Device using the included Lightning cable. Apple Configurator should show the following screen:
- From the Apple Configurator 2 application window, right-click on the mobile device connected to the application, then select Prepare.
- On the Prepare Devices window, configure the settings as follows, and then select Next.
  - Select Manual Configuration from the drop-down menu.
  - Enable Supervise devices.
  - Enable Allow devices to pair with other computers.
- Select Do not enroll in MDM from the drop-down list, then select Next.
- On the Assign to Organization screen, select the organization defined when the Owner's device was provisioned for Cold Wallet, then select Next.
- On the Configure iOS Setup Assistant page, select Don't show any of these steps, then select Prepare.
Do not allow the Signer to configure these options during initial setup
Due to an Apple limitation, allowing the Signer to configure any of these steps during initial device setup may interfere with running the device in single-app mode. Therefore, Touch ID or Face ID and a passcode are set up later.
- Double-click on the connected device picture in the Apple Configurator 2 window (the screenshot below displays an iPhone). Confirm that the device is now "Supervised" as indicated by the banner in the top right corner.
- Disconnect the Signer's mobile device from the computer.
The Signer must have physical access to this device and a computer to continue.
Step 2: Set up the new device
The Signer performs this part. At this point, the device should remain connected to the internet.
- For the initial device setup, follow Apple's official instructions.
- Connect to a wireless network. This is required to download the Fireblocks Cold Wallet app.
- You should be redirected to the Home Screen on the new device. Tap Settings > Find My and turn off this option. An Apple ID sign-in may be required.
- While in the Settings app, set up biometric identification and a passcode to open the device:
  - Select Face ID & Passcode or Touch ID & Passcode, depending on your device's capabilities.
  - Set up face or fingerprint identification. Make sure that these are used to unlock the device.
Step 3: Install the Fireblocks Cold Wallet app
The Signer performs this part. The Fireblocks Cold Wallet app is required to sign offline transactions. During this stage, the signing device is still connected to the internet.
- Open the App Store and search for "Fireblocks Cold Wallet". Be sure to download the Fireblocks Cold Wallet app and not the Fireblocks app. The Fireblocks app is used for hot wallet devices.
- Tap Install.
- When prompted, provide a new or existing Apple ID. Please note that the Apple ID is only used by Apple. The email address and phone number associated with this Apple ID must be active to verify the identity of this Apple ID. Your company's best practice may recommend creating a dedicated Apple ID per signing device. The Fireblocks Cold Wallet app is free, and therefore, no credit card is required. Apple requires entering a billing address for every Apple ID. You should provide your company's public address.
- After you're redirected to the App Store, download the Fireblocks Cold Wallet app and open it after the download finishes.
Step 4: Configure the Fireblocks Cold Wallet app
The Signer performs this part.
- Using a desktop or laptop computer, the Signer opens the Cold Wallet workspace invitation email and selects the Join Workspace link in it.
- Sign up for the workspace with either a username and password, a Google SSO, or a Microsoft Account SSO.
- Set up Two-Factor Authentication (2FA). Scan the 2FA QR code using the Google Authenticator App and enter the corresponding code.
- The Fireblocks Console should show this screen:
- Tap Scan QR code on the Fireblocks Cold Wallet app, then scan the QR code on the computer monitor to pair the device with the workspace.
- Follow the Fireblocks Cold Wallet app's instructions on your device to continue with its initial configuration:
  - Allow notifications.
  - Allow use of device biometrics (Face ID or Touch ID). The device's biometrics are used to sign each transaction.
  - Set up a passcode. The device's passcode is used to sign each transaction.
At this point, the Fireblocks Cold Wallet app should indicate that your digital vault is ready.
Step 5: Approve the Cold Wallet device
The workspace Owner performs this part. The Owner must now approve the new user.
- In the Cold Wallet workspace, open the Offline Signing panel by selecting the QR code icon in the top-right corner of the Console.
- The Offline Signing panel shows two Add User requests. One request is to approve ECDSA signatures, and the second is for EdDSA signatures.
- Select Sign on one of the requests. A QR animation then appears on the computer. Scan the QR animation using the Owner's Cold Wallet mobile device. Keep the mobile device in place until the New MPC Device screen appears on it.
- The Owner taps Approve in the Fireblocks Cold Wallet app, then enters the required passcode and biometric ID. The Fireblocks Cold Wallet app then shows a QR animation.
- In the Cold Wallet workspace, select Confirm Mobile Scan, then use the computer's camera to scan the app's QR animation. Keep the mobile device in front of the computer's camera until the scan is complete.
- Repeat this bilateral QR animation scanning for the second Add User request.
Step 6: Pre-processing offline signatures
The Signer performs this part.
- After completing both approval requests, a Complete MPC enrollment request appears on the Signer's Cold Wallet mobile device. Tap Open to accept the enrollment request, then tap Accept.
- Create a recovery passphrase. This passphrase is used if this device is required to replace the Owner's lost or damaged Cold Wallet device.
- A process called signature pre-processing then starts. You must run the Fireblocks Cold Wallet app in the foreground during signature pre-processing, and you should not move the device while the process is running. This process may take a few hours, as the device is being loaded with thousands of signatures. Your Fireblocks Support representative or Customer Success Manager should assist you with the estimated time to complete this operation.
About signature pre-processing
Pre-processing completes the first three of the four rounds of communication required by the MPC-CMP protocol. The pre-processed signatures are stored on the mobile device for later use.
- This pre-processing stage requires internet connectivity because the mobile device must communicate with the Fireblocks cloud co-signers to compute these signatures.
- The fourth and final round of communication required to complete the full signature is accomplished by scanning a QR code instead of using internet connectivity.
Here is a diagram of the process:
Step 7: Disconnect the device from the internet
Note: Allow all apps to finish installing on the device before you disconnect it from the internet.
The Signer performs this part.
- After the signing device completes its pre-processing step, the Fireblocks Cold Wallet app asks to use Bluetooth once the pairing is complete. This permission lets the app block access to the mobile device when it detects that Bluetooth is enabled. Tap OK to allow the app to detect and block Bluetooth usage.
- Exit the Cold Wallet app, open the Settings app, and sign out of your Apple ID.
- While still in the Settings app, do the following:
  - Disable Bluetooth.
  - Disable WiFi.
  - Enable Airplane Mode.
Make these changes only in the Settings app!
Do not use the iPhone's Control Center to disable Bluetooth and WiFi. Doing so will only disable them temporarily.
- While still in the Settings app, verify that WiFi and Bluetooth are disabled:
- The Fireblocks Cold Wallet app should display the following screen.
Step 8: Final device configuration
Single App Mode ensures that the device can only run the Fireblocks Cold Wallet app.
- Before continuing, be sure that WiFi and Bluetooth are disabled and Airplane Mode is enabled on the Cold Wallet device.
- The security manager should connect the Signer's Cold Wallet device to the computer using the Lightning cable.
- On the Apple Configurator 2 window, right-click on the device icon on the main screen and select Add > Profiles.
- Download and apply this configuration file. Make sure the device is unlocked while applying the profile. This file ensures that Bluetooth and WiFi remain disabled, even when the device restarts itself.
Verify your device and iOS versions before continuing!
Do not follow steps 8.5 to 8.8 below if you are using an iPhone 14 Pro or later, or iOS version 18 or later. You can now disconnect the device from the computer. You are now ready to use the Fireblocks Cold Wallet app!
- Right-click on the device icon on the main screen and choose Advanced > Start Single App Mode.
- A list of available apps on the device then appears. Find the Fireblocks Cold Wallet app, then select Select App. Make sure the device is unlocked before running the process.
- Disconnect the device from the computer.
- To verify that Kiosk Mode (aka Single App Mode) was enabled successfully, the Signer should try to navigate to the home screen or to another app on the device. If they are unable to do so, Kiosk Mode has been enabled successfully.
Cold Wallet signature notifications
Your Customer Success Manager will help determine how many signatures should be loaded onto each Cold Wallet signing device according to your workspace requirements. Signatures are pre-loaded onto the Cold Wallet iOS device, typically enough that the device can be used for two or more years.
Fireblocks issues an Audit Log event every time a transaction is signed from a device with less than 10% of its original capacity for either ECDSA signatures or EdDSA signatures.
Provisioning a previously owned iOS device
Fireblocks does not recommend using a previously owned iOS device. Even after a factory reset, there is a risk that malicious files or apps remain on the device, because a factory reset only flags user-created files as deleted.
If you want to test Cold Wallet functionality on a non-production workspace using a previously configured iOS device, you can reset the phone (without creating a backup unless necessary) before provisioning it to the appropriate user.