Getting started
This guide explains how to configure a mobile device for a user assigned a Signer role. For provisioning a Cold Wallet device for the owner, see provisioning an owner's device for Cold Wallet.
Creating a Fireblocks Cold Wallet workspace requires scheduling onboarding time. For more information please contact your Customer Success Manager.
Requirements
Prerequisites
- Before configuring signing devices, complete provisioning an owner's device for Cold Wallet.
- Contact your Customer Success Manager with the signer's user details (first name, last name, and email address). A Fireblocks team member will schedule a designated time for provisioning each signing device.
Personnel
The setup process requires the presence of the following roles:
- The security manager: This may be an IT professional or any team member entrusted with device and network security. This person does not require a specific Fireblocks user role or access to a Fireblocks workspace.
- The workspace Owner: This is the Fireblocks workspace user authorized to approve generating key shares for Cold Wallet devices. The workspace Owner often acts as the security manager.
- The Signer: This is a user authorized to sign transactions in the Cold Wallet workspace. This person is usually separate from the Owner in Cold Wallet workspaces.
Learn more about Cold Wallet user roles best practices and differences.
Devices
Warning
Never install a SIM card on your device before or after the Fireblocks Cold Wallet app installation.
The setup process requires the presence of at least three devices:
- The Cold Wallet workspace Owner's device: This iOS device has already been provisioned according to the Cold Wallet Owner's device provisioning guide.
- The Cold Wallet signer's device: This should be a new and unopened iOS device. See Provisioning a previously owned iOS device below if the device has been used before.
- macOS provisioning device: This is typically the security manager's computer.
- macOS or Windows computer: This is any computer that the Owner can use to access their Fireblocks Console. It may be the same computer as the Mac provisioning device.
For detailed device requirements, see Cold Wallet overview.
Only one offline signing device can be set up at a time. To set up multiple Cold Wallet signing devices, complete all steps in this article, and then repeat the process for each additional device.
Invitation email
The Signer should have received an email from support@fireblocks.com that specifies the name of your workspace and a link to join this workspace. This email invitation is required during Part 4: Configure Fireblocks Cold Wallet mobile app. Please contact Fireblocks Support if you have not received this email.
Transaction preprocessing
Note
You must run the Fireblocks Cold Wallet application in the foreground during the signature preprocessing stage.
During the offline device provisioning described in this article, a step is required to preprocess transactions for MPC-CMP signatures.
Preprocessing completes the first three out of four rounds of communication required by the MPC-CMP protocol. The preprocessed signatures are stored on the mobile device for later use. This preprocessing stage requires internet connectivity because the mobile device must communicate with the Fireblocks cloud co-signers to compute these signatures. The fourth and final round of communication required to complete the full signature is accomplished by scanning a QR code instead of using internet connectivity.
Setup
The setup consists of the following steps:
- Part 1: Set the device to Supervised Mode
- Part 2: Set up the new device
- Part 3: Install Fireblocks Cold Wallet mobile app
- Part 4: Configure Fireblocks Cold Wallet mobile app
- Part 5: The owner approves the signing device
- Part 6: Pre-process offline signatures
- Part 7: Disconnect the device from the internet
- Part 8: Set the device to Single App Mode
Once the setup is complete, this device is only able to use the Fireblocks Cold Wallet app, and it remains offline as long as the Fireblocks Cold Wallet app is in use.
The complete setup process may take up to a few hours, primarily to pre-process thousands of signatures in advance during Part 6. Accordingly, setup requires a strong and stable internet connection and a connection to a power source.
Part 1: Set the device to Supervised Mode
At this point, you should have a new iOS device that has never been set up. The device should show its Hello screen.
The security manager performs this part.
- Install Apple Configurator 2 on the Mac Provisioning Device.
- Connect the offline signer's Cold Wallet mobile device to the Mac Provisioning Device using the included Lightning cable.
Apple Configurator should show the following screen:
- From the Apple Configurator 2 application window, right-click on the mobile device connected to the application, then select Prepare.
- In the "Prepare Devices" window, configure the settings as described in the list and in the picture below. The settings are:
- Select Manual Configuration from the drop-down menu.
- Enable Supervise devices.
- Enable Allow devices to pair with other computers.
- Select Next after all options are set.
- Select Do not enroll in MDM from the drop-down menu on the following screen, then select Next.
- On the Assign to Organization screen, select the organization defined when the owner's device was provisioned for Cold Wallet (see: Create a new Organization in Apple Configurator), and then select Next.
- On the Configure iOS Setup Assistant page, select Don't show any of these steps, then select Prepare.
Allowing the signer to configure any of these steps during device setup may interfere with running the device in single-app mode (this is an Apple limitation). Therefore, Touch ID/Face ID and passcode are set up in later steps.
- Double-click on the connected device picture in the Apple Configurator 2 window (the screenshot below displays an iPhone). Confirm that the device is now "Supervised" as indicated by the banner in the top right corner.
- Disconnect the Cold Wallet device from the computer. The offline signer must have physical access to this device and a computer to continue.
At this point, the device should still stay connected to the internet.
Part 2: Set up the new device
The Signer performs this part.
- For detailed information, follow the official instructions provided by Apple.
- Connect to a wireless network. This is required in order to download the Fireblocks Cold Wallet app.
- You should be redirected to the Home Screen on the new device.
- Enter Settings > Find My and turn off this option (Apple ID sign-in may be required).
- Set up biometric identification as well as a passcode to open the device:
- Open the Settings app.
- Select Face ID & Passcode or Touch ID & Passcode (depending on your device capabilities).
- Set up face or fingerprint identification and make sure that these are used to unlock the device.
Important:
Before continuing, verify the signer device and iOS versions. If you are using an iPhone 14 Pro and up, or iOS 18 and newer, do not follow steps 8.5 to 8.8.
Part 3: Install the Fireblocks Cold Wallet application
The Signer performs this part.
Fireblocks Cold Wallet mobile app is required to sign offline transactions. During this stage, your signing device is still connected to the internet.
- Open the App Store app and search for Fireblocks Cold Wallet.
Make sure to download the Fireblocks Cold Wallet app, and not the Fireblocks app. The Fireblocks app is used for Hot Wallet devices while this is a Cold Wallet device.
- Select Install. You will be asked to provide an Apple ID.
- Provide a new or existing Apple ID. The Apple ID is used by Apple only and not by Fireblocks. The email address and phone number associated with this Apple ID must be active to verify the identity of this Apple ID. Your company's best practice may recommend creating a dedicated Apple ID per signing device. The Fireblocks Cold Wallet app is free and therefore no credit card is required. Apple requires entering a billing address for every Apple ID. You should provide your company's public address.
- Download the Fireblocks Cold Wallet app once redirected back to the App Store. Open the Fireblocks Cold Wallet app after the download is complete.
Part 4: Configure the Fireblocks Cold Wallet app
The Signer performs this part.
- The offline signer must accept the email invitation from Fireblocks and select the Join Workspace link on a desktop or laptop computer.
- Sign up to the workspace with either a username and password, a Google SSO, or a Microsoft Account SSO.
- Set up Two-Factor Authentication (2FA). Scan the 2FA QR code using the Google Authenticator App and enter the corresponding code. Learn more about how to set up Two-Factor Authentication here.
- Fireblocks Console should show this screen:
- Select Scan QR code on the Fireblocks Cold Wallet App to pair the device with the console.
- The Cold Wallet device should now be paired with the Cold Wallet workspace.
- Follow the Fireblocks Cold Wallet app's instructions on your device to continue with its initial configuration:
- Allow notifications.
- Allow use of device biometrics (FaceID or TouchID). You will be asked to identify yourself using the device biometrics to sign each transaction.
- Set up a passcode. You will be asked to enter this passcode to sign each transaction.
- Fireblocks Cold Wallet should display that your digital vault is ready. In the next step, the workspace owner grants signing privileges to your user account.
Part 5: Approve the Cold Wallet device
The workspace Owner performs this part.
The workspace Owner must now approve the new user.
- The Owner logs into their Fireblocks workspace. Select the offline signing tab in the top right corner, identified by the QR icon.
- The offline signing panel then opens with two "Add User" requests ready for approval. One request is to approve ECDSA signatures and the second is for EdDSA signatures.
- Select Sign for each request. A QR animation then appears on the computer. Scan the QR animation using the workspace owner’s Cold Wallet device.
- Hold the mobile device while scanning the QR animation until the "New MPC Device" screen appears as shown below.
- The workspace owner selects the Approve button in the Fireblocks Cold Wallet app on their mobile device, then enters the required passcode and biometric ID. Fireblocks Cold Wallet app then shows a QR animation.
- In the Fireblocks web console, select Confirm Mobile Scan, then scan the QR animation displayed on the mobile device from the web browser using the computer's camera.
- Hold the mobile device in front of the computer's camera until the scan is complete.
- Repeat this two-way QR animation scan for the second Add User request. One approval is for the ECDSA key and the other is for the EdDSA key.
Part 6: Pre-processing offline signatures
The Signer performs this part.
Important
Make sure the device has a steady internet connection and is connected to a power source before proceeding to the next step. Do not move the signer device while pre-processing signatures to avoid any issues that may interrupt the process and cause pre-processing to fail.
- After both approval requests have been completed, a "Complete MPC enrollment" request appears on the Cold Wallet mobile device, as shown below.
- Select Open to accept the enrollment request, then select Accept.
- Create a Recovery Passphrase. The recovery passphrase is used in case this device is required to replace the workspace owner's lost or damaged device. For more, see Key Share Backup and Recovery (Soft Key Recovery).
- A process called pre-processing then starts. The signature pre-processing procedure may take a few hours, as the device is loaded with thousands of signatures. Your Fireblocks Support representative or Customer Success Manager should assist you with the estimated time to complete this operation.
Part 7: Disconnect the device from the internet
- After the signing device completes its pre-processing step, the Fireblocks Cold Wallet app asks to use Bluetooth once the pairing is complete. This is done to block access to the mobile device when the application detects that Bluetooth is enabled. Select OK as shown below to allow the app to detect and block Bluetooth usage.
- Exit the Cold Wallet app, navigate to Settings, and sign out from your Apple ID.
- Open the Settings app to do the following:
- Disable Bluetooth
- Disable Wi-Fi
- Enable Airplane Mode
Make sure this is done from the iOS Settings app, not from Control Center.
- Open Control Center to verify that Bluetooth and Wi-Fi are completely disabled. Their icons should show a diagonal cross-out. Make sure that "Disconnecting nearby wi-fi until tomorrow" is not displayed.
Good configuration (Bluetooth and Wi-Fi are completely disabled)
Bad configuration (Bluetooth and Wi-Fi are only temporarily disabled, and will turn back on after a few hours)
Configuration should be checked (Airplane mode is on; to verify whether Bluetooth and Wi-Fi are disabled, the user must open Settings)
- The Fireblocks Cold Wallet app should display the following screen.
Part 8: Final device configuration
Single App Mode ensures that the device can only run the Fireblocks Cold Wallet app and no other app.
- Before continuing, ensure that the following settings are configured on your device as required:
- Wi-Fi is disabled
- Bluetooth is disabled
- Airplane Mode is enabled
- The security manager should connect the Cold Wallet iOS signing device to the computer using the Lightning cable.
- From the Apple Configurator 2 application window, right-click on the device icon on the main screen and choose Add → Profiles...
- Download and apply the following configuration file. Make sure the device is unlocked while applying the profile. This file ensures that Bluetooth and Wi-Fi stay disabled, including in cases where the device restarts itself: FireblocksColdWalletProvisionProfile.mobileconfig
Important
Do not follow steps 8.5 to 8.8 below if you are using an iPhone 14 Pro and up, or iOS 18 and newer. You can now disconnect the device from the computer. You are now ready to use the Fireblocks Cold Wallet app!
- Right-click on the device icon on the main screen and choose Advanced → Start Single App Mode...
- A list of available applications on the device then appears. Find the Fireblocks Cold Wallet application as shown and select Select App. Make sure the device is unlocked before running the process.
- Disconnect the device from the computer.
- To verify that Kiosk Mode (aka Single App Mode) was enabled successfully, the signer user should try to navigate to the home screen or to another application on the device. If they are unable to do so, Kiosk Mode is enabled successfully.
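A review step a security manager may want before applying the configuration profile in Part 8, shown as an added example (not Fireblocks code): it lists every payload type and setting in a .mobileconfig and flags payload types outside an expected set. The sample profile is constructed for illustration and does not represent the contents of FireblocksColdWalletProvisionProfile.mobileconfig; the allow-list passed to `unexpected_payloads` is the reviewer's own assumption.

```python
import plistlib

# Keys that describe a payload itself rather than a setting it changes.
METADATA_KEYS = {
    "PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
    "PayloadDisplayName", "PayloadDescription", "PayloadOrganization",
}

def load_profile(raw):
    """Parse .mobileconfig bytes. A signed profile wraps the XML plist in a
    CMS envelope, so slice the XML out. Review aid only: the signature is
    not verified here."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def summarize(profile):
    """Return [(PayloadType, {setting: value})] for each payload."""
    rows = []
    for payload in profile.get("PayloadContent", []):
        settings = {k: v for k, v in payload.items() if k not in METADATA_KEYS}
        rows.append((payload.get("PayloadType", "<missing>"), settings))
    return rows

def unexpected_payloads(profile, allowed_types):
    """Payload types the reviewer did not expect to find in this profile."""
    return [t for t, _ in summarize(profile) if t not in allowed_types]

# Constructed sample (hypothetical identifiers). Leading and trailing bytes
# stand in for the CMS wrapper of a signed profile.
def _payload(ptype, n, **settings):
    return {"PayloadType": ptype, "PayloadIdentifier": f"example.{n}",
            "PayloadUUID": f"00000000-0000-0000-0000-00000000000{n}",
            "PayloadVersion": 1, **settings}

SAMPLE = b"\x30\x82" + plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadContent": [
        _payload("com.apple.applicationaccess", 1, allowBluetoothModification=False),
        _payload("com.apple.wifi.managed", 2, SSID_STR="example-net", AutoJoin=True),
    ],
}) + b"\x00\x00"

if __name__ == "__main__":
    profile = load_profile(SAMPLE)
    for ptype, settings in summarize(profile):
        print(ptype, settings)
    print("unexpected:", unexpected_payloads(profile, {"com.apple.applicationaccess"}))
```

To review a downloaded file, pass its bytes (`open(path, "rb").read()`) to `load_profile` in place of `SAMPLE`.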
Device storage and maintenance
The device is now ready to use. It should stay in a safe and secure place available to the Signer. This device is required for signing Cold Wallet transactions. To avoid any interruption to transaction signing in your Cold Wallet workspace, keep this device charged at all times.
Cold Wallet signature notifications
Your Customer Success Manager will help determine how many signatures should be loaded onto each Cold Wallet signing device according to your workspace requirements. Signatures are pre-loaded onto the Cold Wallet iOS device during Part 6 above, typically so the device can be used for more than two years.
Fireblocks issues an Audit Log event every time a transaction is signed from a device with less than 10% of its original capacity for either ECDSA signatures or EdDSA signatures. Learn more about which blockchains use each signing algorithm.
Use the Notification Center to subscribe to notifications for this event and more. Cold Wallet device notifications are sent in the transactions event category.
Provisioning a previously owned iOS device
Fireblocks does not recommend using a previously owned iOS device, because even after performing a factory reset, there is the risk of malicious files or apps existing on the device since a factory reset only flags user-created files as deleted.
If you want to test Cold Wallet functionality on a non-production workspace using a previously configured iOS device, you can reset the phone before provisioning by following these steps:
- On your mobile device, go to Settings > Apple ID > Find My > Find My iPhone.
- Toggle off the Find My iPhone setting.
- Return to the main Settings page.
- On the main Settings page, go to General > Transfer or Reset iPhone.
- On the Transfer or Reset iPhone page, select Erase All Content and Settings. This performs a factory reset on the mobile device.
- After the factory reset completes, begin the provisioning process.
- After you complete the provisioning process, you're ready to sign transactions using your Cold Wallet device.