Before you begin

Please note the following important details before beginning the Cold Wallet device setup process. If you have any questions or concerns about these details or the setup process itself, contact your Customer Success Manager.

• The Owner's Cold Wallet device must be configured before you can configure Signer devices.
• Provisioning a Cold Wallet device requires scheduling an onboarding session with your Customer Success Manager. Be sure to include the Owner's first name, last name, and email address in your request.
• The Owner will receive an email from support@fireblocks.com that contains a link to join the Cold Wallet workspace. This email invitation is required during the setup process. If the Owner has not yet received the email invitation for some reason, contact Fireblocks Support.
• Never install a SIM card in a Cold Wallet device before or after the Fireblocks Cold Wallet app installation.
• The Cold Wallet device setup process can take a few hours to complete. During this time, be sure to have a strong, stable internet connection and to have the device connected to a power source.
• Before installing the Fireblocks Cold Wallet app, verify the Cold Wallet device version and the iOS version on the device. You may not need to perform certain steps if you have later versions.
• Make sure to document the Owner's passphrase and keep it safe and secure for future recovery purposes. Passphrase reset is not possible on the Fireblocks Cold Wallet app.
• When you reach the step to disable Bluetooth and WiFi on the Cold Wallet device, do not use the Cold Wallet device's Control Center to disable Bluetooth and WiFi. Doing so will only disable them temporarily. Use the device's Settings app to disable Bluetooth and WiFi.
• Once the Cold Wallet device setup is complete, the device is only able to use the Fireblocks Cold Wallet app. It will remain offline as long as the Fireblocks Cold Wallet app is in use.
• After you complete the Cold Wallet device setup and provision it to the Owner, the device is ready to use. It should stay in a safe and secure place available to the Owner. To avoid any interruption to approvals in your Cold Wallet workspace, keep this device charged at all times.

Getting started

The setup process requires the presence of the following personnel and devices.

Personnel

• The security manager: This may be an IT professional or any team member entrusted with device and network security. This person does not require a specific Fireblocks user role or access to a Fireblocks workspace.
• The workspace Owner: This is the Fireblocks workspace user authorized to approve generating key shares for Cold Wallet devices. The workspace Owner often acts as the security manager.

Devices

• The Cold Wallet workspace Owner's device: This should be a brand-new iOS device.
• MacOS provisioning device: This is typically the security manager's computer.
• MacOS or Windows computer: This is any computer that the Owner can use to access their Fireblocks Console. It may be the same computer as the Mac provisioning device.

Step 1: Set the device to Supervised Mode

At this point, you should have a new iOS device that has never been set up. The device should show its Hello screen when turned on.

The security manager performs this part.

1. Install Apple Configurator 2 on the Mac Provisioning Device.
2. Connect the Owner's Cold Wallet mobile device to the Mac Provisioning Device using the included Lightning cable. Apple Configurator app should show the following screen:
   
3. If this is the first time provisioning IOS devices with an Apple Configurator, create a new Organization in Apple Configurator.
   1. Open Apple Configurator 2 preferences by navigating from the menu bar to Apple Configurator 2 > Preferences or using the keyboard shortcut Command + Comma (⌘ + ,)
   2. Navigate to Organizations.
      
   3. Select + to add a new organization.
   4. Select Next on the first screen, which includes an explanation of the feature.
   5. Select Skip on the screen that asks for an Apple ID.
   6. Enter the name of your organization, then select Next.
   7. Select Generate a new supervision identity and then select Done.
      
   8. Enter your Mac device login credentials to approve the new supervision identity.
4. From the Apple Configurator 2 application window, right-click on the mobile device connected to the application, then select Prepare.
   
5. On the Prepare Devices window, configure the settings as follows and then select Next.
   
   1. Select Manual Configuration from the drop-down list.
   2. Enable Supervise devices.
   3. Enable Allow devices to pair with other computers.
6. Select Do not enroll in MDM from the drop-down list on the following screen, then select Next.
   
7. On the Assign to Organization screen, select the organization you created, then select Next.

8. On the Configure iOS Setup Assistant page, select Don't show any of these steps, then select Prepare.

   Do not allow the Owner to configure these options during initial setup

   Due to an Apple limitation, allowing the Owner to configure any of these steps during initial device setup may interfere with running the device in single-app mode. Therefore, Touch ID or Face ID and a passcode are set up later.

   

9. Double-click on the connected device picture in the Apple Configurator 2 window (in the screenshot below, this is an iPhone). Confirm that the device is now "Supervised” by the banner in the top right corner.
   
10. Disconnect the Owner's mobile device from the computer.

The Owner must have physical access to this device and a computer to continue.

Step 2: Set up the new device

The workspace Owner performs this part. At this point, the device should remain connected to the internet.

1. For the initial device setup, follow Apple's official instructions.
2. Connect to a wireless network. This is required to download the Fireblocks Cold Wallet app.
3. You should be redirected to the Home Screen on the new device. Tap Settings > Find My and turn off this option. An Apple ID sign-in may be required.
4. While in the Settings app, set up biometric identification and a passcode to open the device:
   1. Select Face ID & Passcode or Touch ID & Passcode, depending on your device's capabilities.
   2. Set up face or fingerprint identification. Make sure that these are used to unlock the device.
      

Step 3: Install the Fireblocks Cold Wallet app

The workspace Owner performs this part. The Fireblocks Cold Wallet mobile app is required to sign offline transactions. During this stage, the signing device is still connected to the Internet.

1. Open the App Store and search for "Fireblocks Cold Wallet". Be sure to download the Fireblocks Cold Wallet app and not the Fireblocks app. The Fireblocks app is used for hot wallet devices.
   
2. Tap Install .
3. When prompted, provide a new or existing Apple ID. Please note that the Apple ID is only used by Apple. The email address and phone number associated with this Apple ID must be active to verify the identity of this Apple ID. Your company's best practice may recommend creating a dedicated Apple ID per signing device. The Fireblocks Cold Wallet app is free, and therefore, no credit card is required. Apple requires entering a billing address for every Apple ID. You should provide your company's public address.
4. After you're redirected to the App Store, download the Fireblocks Cold Wallet app and open it after the download finishes.

Step 4: Configure the Fireblocks Cold Wallet app

The workspace Owner performs this part.

1. Using a desktop or laptop computer, the Owner opens the Cold Wallet workspace invitation email and selects the Join Workspace link in it.
2. Sign up for the workspace with either a username and password, a Google SSO, or a Microsoft Account SSO.
3. Set up Two-Factor Authentication (2FA). Scan the 2FA QR code using the Google Authenticator App and enter the corresponding code.
4. The Fireblocks Console should show this screen:
   
5. Tap Scan QR code on the Fireblocks Cold Wallet app, then scan the QR code on the computer monitor to pair the device with the workspace.
6. Follow the Fireblocks Cold Wallet app's instructions on your device to continue with its initial configuration:
   1. Allow notifications.
   2. Allow use of device biometrics (Face ID or Touch ID). The device's biometrics are used to submit and approve requests.
   3. Set up a passcode. The device's passcode is used to submit and approve requests.
   4. Create and then verify your recovery passphrase for key share recovery. Remember to record your passphrase and keep it secure!

Step 5: Disconnect the device from the internet

The Owner performs this part.

1. After the Owner completes the above, the Fireblocks Cold Wallet app asks to use Bluetooth once the pairing is complete. This blocks access to the mobile device when the app detects that Bluetooth is enabled. Tap OK to allow the app to detect and block Bluetooth usage.
2. Exit the Cold Wallet app, open the Settings app, and sign out of your Apple ID.

3. While still in the Settings app, do the following:

   1. Disable Bluetooth.
   2. Disable WiFi.
   3. Enable Airplane Mode.

   Make these changes only in the Settings app!

   Do not use the iPhone's Control Panel to disable Bluetooth and WiFi. Doing so will only disable them temporarily.

4. While still in the Settings app, verify that WiFi and Bluetooth are disabled:
   
5. The Fireblocks Cold Wallet app should display the following screen.
   

Step 6: Final device configuration

Single App Mode ensures that the device can only run the Fireblocks Cold Wallet app.

1. Before continuing, be sure that WiFi and Bluetooth are disabled and Airplane Mode is enabled on the Owner's device.
2. The security manager should connect the Owner's device to the computer using the Lightning cable.
3. On the Apple Configurator 2 window, right-click on the device icon on the main screen and select Add > Profiles.

4. Download and apply this configuration file. Make sure the device is unlocked while applying the profile. This file ensures that Bluetooth and WiFi remain disabled, even when the device restarts itself.

   Verify your device and iOS versions before continuing!

   Do not follow the steps below if you are using an iPhone 14 Pro or later, or iOS version 18 or later. You can now disconnect the device from the computer. You are now ready to use the Fireblocks Cold Wallet app!

5. Right-click on the device icon on the main screen and choose Advanced > Start Single App Mode.
   
6. A list of available apps on the device then appears. Find the Fireblocks Cold Wallet app, then select Select App. Make sure the device is unlocked before running the process.
   
7. Disconnect the device from the computer.
8. To verify that Kiosk Mode (aka Single App Mode) was enabled successfully, the Owner should try to navigate to the home screen or to another app on the device. If they are unable to do so, Kiosk Mode has been enabled successfully.

Provisioning a previously owned iOS device

Fireblocks does not recommend using a previously owned iOS device because even after performing a factory reset, there is the risk of malicious files or apps existing on the device since a factory reset only flags user-created files as deleted.

If you want to test Cold Wallet functionality on a non-production workspace using a previously configured iOS device, you can reset the phone (without creating a backup unless necessary) before provisioning it to the appropriate user.