Note
Creating a Fireblocks Cold Wallet workspace requires scheduling onboarding time. For more information, please contact your Customer Success Manager.
Getting started
This guide explains how to configure a Cold Wallet workspace Owner's device as a Cold Wallet device. For provisioning a Cold Wallet device for a Signer, refer to the provisioning a Signer's device for Cold Wallet article.
Requirements
Personnel
The setup process may require the presence of two users:
- A security manager: This may be an IT professional or any team member entrusted with device and network security. This person does not require a specific Fireblocks user role or access to a Fireblocks workspace.
- The workspace Owner: This is a user authorized to approve generating key shares for Cold Wallet devices. The workspace Owner may act as the security manager.
See Cold Wallet - User Roles for differences between roles and best practices.
Hardware
Warning
Never install a SIM card on your device before or after the Fireblocks Cold Wallet app installation.
The setup process requires the presence of at least two devices:
- The Cold Wallet workspace Owner's device: This should be a brand new iOS device. See Provisioning a previously owned device for signing below if the device has been used before.
- macOS provisioning device: This is typically the security manager's computer.
- macOS or Windows computer: This is any computer that the Owner can use to access their Fireblocks Console. It may be the same computer as the Mac provisioning device.
For detailed device requirements, see Cold Wallet overview.
Note
Only one device can be set up at a time. The Owner's Cold Wallet device must be fully configured before provisioning any signing devices.
Invite Email
The Owner should have received an email from support@fireblocks.com that specifies the name of your workspace and contains a link to join this workspace. This email invitation is required during Step 4: Configure the Fireblocks Cold Wallet app. Contact Fireblocks Support if you have not received this email.
Step 1: Set the device to Supervised Mode
At this point, you should have a new iOS device that has never been set up. The device should show its Hello screen when turned on.
The security manager performs this part.
- Install Apple Configurator 2 on the Mac Provisioning Device.
- Connect the offline Owner's Cold Wallet mobile device to the Mac Provisioning Device using the included Lightning cable. The Apple Configurator app should show the following screen:
- If this is the first time provisioning iOS devices with Apple Configurator, create a new Organization in Apple Configurator.
- Open Apple Configurator 2 preferences by navigating from the menu bar to Apple Configurator 2 > Preferences or using the keyboard shortcut Command and Comma (⌘,).
- Navigate to Organizations.
- Select the + sign to add a new organization.
- Select Next on the first screen, which includes an explanation of the feature.
- Select Skip on the screen that asks for an Apple ID.
- Enter the name of your organization and click Next.
- Select Generate a new supervision identity and then select Done.
- Enter your Mac device login credentials to approve the new supervision identity.
- From the Apple Configurator 2 application window, right-click on the mobile device connected to the application, then select Prepare.
- In the "Prepare Devices" window, configure the settings as described in the list and in the picture below. The settings are:
- Select Manual Configuration from the drop-down menu.
- Enable Supervise devices.
- Enable Allow devices to pair with other computers.
- Select Next once all options are set.
- Select Do not enroll in MDM from the drop-down menu on the following screen, then select Next.
- On the Assign to Organization screen, select the organization you created earlier in Apple Configurator, and then select Next.
- On the Configure iOS Setup Assistant page, select Don't show any of these steps, then select Prepare.
Note
Allowing the Signer to configure any of these steps during device setup may interfere with running the device in single-app mode (this is an Apple limitation). Therefore, Touch ID/Face ID and a passcode are set up in later steps.
- Double-click on the connected device picture in the Apple Configurator 2 window (in the screenshot below this is an iPhone). Confirm that the device is now "Supervised" by the banner in the top right corner.
- Disconnect the offline Owner's device from the computer.
The Owner must have physical access to this device and a computer to continue.
Note
At this point, the device should still stay connected to the internet.
Step 2: Set up the new device
The workspace Owner performs this part.
- For detailed information, follow the official instructions provided by Apple.
- Connect to a wireless network. This is required to download the Fireblocks Cold Wallet app.
- You should be redirected to the Home Screen on the new device.
- Enter Settings > Find My and turn off this option (Apple ID sign-in may be required).
- Set up biometric identification as well as a password to open the device:
- Open the Settings app.
- Select Face ID & Passcode or Touch ID & Passcode (depending on your device's capabilities).
- Set up face or fingerprint identification and make sure that these are used to unlock the phone.
Important:
Before continuing, verify your device and iOS versions. If you are using an iPhone 14 Pro and up, or iOS 18 and newer, do not follow steps 6.5 to 6.8.
Step 3: Install the Fireblocks Cold Wallet application
The workspace Owner does this part.
The Fireblocks Cold Wallet mobile app is required to sign offline transactions. During this stage, your signing device is still connected to the Internet.
- Open the App Store app and search for Fireblocks Cold Wallet.
- Select Install.
You will be asked to provide an Apple ID.
- Provide a new or existing Apple ID. The Apple ID is used by Apple only and not by Fireblocks. The email address and phone number associated with this Apple ID must be active to verify the identity of this Apple ID. Your company's best practice may recommend creating a dedicated Apple ID per signing device. The Fireblocks Cold Wallet app is free and therefore no credit card is required. Apple requires entering a billing address for every Apple ID. You should provide your company's public address.
- Download the Fireblocks Cold Wallet app once redirected back to the App Store. Open the Fireblocks Cold Wallet app after the download is complete.
Step 4: Configure the Fireblocks Cold Wallet app
The workspace Owner performs this part.
- The Owner must accept the email invitation from Fireblocks and click the Join Workspace link on their desktop or laptop computer.
- Sign in to the workspace with either a username and password, a Google SSO, or a Microsoft Account SSO.
- Set up Two-Factor Authentication (2FA). Scan the 2FA QR code using the Google Authenticator App and enter the corresponding code. Learn more about how to set up Two-Factor Authentication.
- Fireblocks Console should show this screen:
Select Scan QR code on the Fireblocks Cold Wallet App to pair the device with the Console.
- The Cold Wallet device should now be paired with the Cold Wallet workspace.
- Follow the Fireblocks Cold Wallet app's instructions on your device to continue with its initial configuration:
- Allow notifications.
- Allow use of device biometrics (FaceID or TouchID). You must identify yourself using device biometrics to sign each transaction.
- Set up a 6-digit passcode. You must enter this passcode to sign each transaction.
- Set up a recovery passphrase for key share recovery.
- Verify the recovery passphrase for key share recovery.
Important
Make sure to document the Owner's passphrase and keep it safe and secure for future recovery purposes. Note that passphrase reset is not possible on the Fireblocks Cold Wallet app, so the initial passphrase must be kept and securely recorded.
Step 5: Disconnect the device from the internet
The workspace Owner performs this part. Make sure these three steps are performed from the iOS Settings app, not from the Control Center.
- The Fireblocks Cold Wallet app asks to use Bluetooth once the pairing is complete. This is done to block the mobile device from being used when the application detects that Bluetooth is enabled. Select OK as shown below to allow the app to detect and block Bluetooth usage.
- Exit the Fireblocks Cold Wallet app, then open the Settings app and perform the following:
- Sign out from your Apple ID.
- Disable Bluetooth.
- Disable WiFi.
- Enable Airplane Mode.
- Open the Control Center to verify that Bluetooth and WiFi are completely disabled. Their icons should show a diagonal cross-out. Make sure that "Disconnecting nearby WI-FI until tomorrow" is not displayed.
Good configuration (Bluetooth and WiFi are completely disabled)
Bad configuration (Bluetooth and WiFi are only temporarily disabled and will turn back on after a few hours)
Configuration should be checked (Airplane Mode is on; to verify whether Bluetooth and WiFi are disabled, the user must go into Settings)
- Fireblocks Cold Wallet app should display the following screen.
Step 6: Final device configuration
Single App Mode ensures that the device can only run the Fireblocks Cold Wallet app and no other apps. From this point on, the device should be kept charged at all times to avoid any interruptions to workspace operations.
- Before continuing, ensure that the following settings are configured on your device as required:
- WiFi is disabled
- Bluetooth is disabled
- Airplane Mode is enabled
- The security manager should connect the Owner's device to the computer.
- From the Apple Configurator 2 application window, right-click on the device icon on the main screen and select Add → Profiles.
- Download and apply the following configuration file. Make sure the device is unlocked while applying the profile. This file ensures that Bluetooth and WiFi consistently stay disabled, including in cases where the device restarts: FireblocksColdWalletProvisionProfile.mobileconfig
Important
Do not follow steps 6.5 to 6.8 below if you are using an iPhone 14 Pro and up, or iOS 18 and newer. You can now disconnect the device from the computer. You are now ready to use the Fireblocks Cold Wallet app!
- Right-click on the device icon on the main screen and select Advanced → Start Single App Mode.
- A list of available applications on the device will appear. Find the Fireblocks Cold Wallet application as shown and select Select App. Make sure the device is unlocked before running the process.
- Disconnect the device from the computer.
- To verify that Kiosk Mode (aka Single App Mode) was enabled successfully, the workspace Owner should try to navigate to the home screen or another application on the device. If you are unable to do so, Kiosk Mode is enabled successfully.
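A security manager may want to see what a downloaded .mobileconfig contains before adding it to the device in Step 6. The following is an added example, not Fireblocks code: it lists each payload in a configuration profile and flags payload types the reviewer did not expect. The sample profile, its identifiers and the expected-type set are constructed for illustration and do not describe the contents of FireblocksColdWalletProvisionProfile.mobileconfig.

```python
import plistlib

# Bookkeeping keys every payload carries; any other key is an actual setting.
META_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion",
             "PayloadDisplayName", "PayloadDescription", "PayloadOrganization"}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig. A signed profile is a CMS wrapper around the plist."""
    try:
        return plistlib.loads(raw)
    except plistlib.InvalidFileException:
        # Signed case: read the embedded XML plist. This does NOT verify the signature.
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start == -1 or end == -1:
            raise ValueError("no configuration profile found in input")
        return plistlib.loads(raw[start:end + len(b"</plist>")])

def review_profile(raw: bytes, expected_types: set) -> list:
    """One record per payload; 'unexpected' marks types outside the reviewer's list."""
    report = []
    for payload in load_profile(raw).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        report.append({
            "type": ptype,
            "identifier": payload.get("PayloadIdentifier", ""),
            "settings": {k: v for k, v in payload.items() if k not in META_KEYS},
            "unexpected": ptype not in expected_types,
        })
    return report

def _payload(ptype, ident, **settings):
    return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadVersion": 1,
            "PayloadUUID": "00000000-0000-0000-0000-000000000000", **settings}

# Constructed sample: a restrictions payload plus a root-certificate payload
# that a reviewer expecting only restrictions should question.
SAMPLE = plistlib.dumps(_payload(
    "Configuration", "com.example.sample",
    PayloadContent=[
        _payload("com.apple.applicationaccess", "com.example.sample.restrictions",
                 allowBluetoothModification=False),
        _payload("com.apple.security.root", "com.example.sample.rootca",
                 PayloadContent=b"constructed placeholder, not a certificate"),
    ]))

if __name__ == "__main__":
    for item in review_profile(SAMPLE, {"com.apple.applicationaccess"}):
        flag = "REVIEW" if item["unexpected"] else "ok"
        print(f"[{flag}] {item['type']} ({item['identifier']}): {sorted(item['settings'])}")
```

To review a real file, pass its bytes to review_profile along with the payload types you expect to see.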
Device storage and maintenance
The device is now ready to use. It should stay with the workspace Owner in a safe and secure place. This device is required for approving any new Cold Wallet device. To avoid any interruption to approval capabilities in your Cold Wallet workspace, it should remain charged at all times.
Next step: Provisioning a signer's device for Cold Wallet
Provisioning a previously owned iOS device
Fireblocks does not recommend using a previously owned iOS device, because even after performing a factory reset, there is the risk of malicious files or apps existing on the device since a factory reset only flags user-created files as deleted.
If you want to test Cold Wallet functionality on a non-production workspace using a previously configured iOS device, you can reset the phone before provisioning by following these steps:
- On your mobile device, go to Settings > Apple ID > Find My > Find My iPhone.
- Toggle off the Find My iPhone setting.
- Return to the main Settings page, then go to General > Transfer or Reset iPhone.
- On the Transfer or Reset iPhone page, select Erase All Content and Settings. This performs a factory reset on the mobile device. After the factory reset completes, begin the provisioning process.