For implementing an app like Kidslox or Screen Time, I need to make use of an MDM server. I went through various blogs on creating or setting up the MDM server, and for that an MDM certificate is required. But I'm not getting the MDM CSR option while creating a new certificate.
I already have an Apple Developer account, so my biggest question is:
Do I really need to sign up for the Apple Enterprise Program?
This answer says that we do not require an enterprise account for using an MDM service but we require it for creating an MDM service? Quite confusing.
Here are the blogs & posts that I referred:
MDM protocol https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf
https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/profile-service/profile-service.html#/
Understanding certificates https://micromdm.io/blog/certificates/
generate MDM certificate http://avibirnale.blogspot.com/2013/05/mdm-development-configuration-for-ios.html
How to develop mobile device management application in iOS
How to develop iPhone MDM Server?
https://docs.oracle.com/cd/E60418_01/doc.1210/e58650/admmdmarch.htm#OLDEP080
https://developerinsider.co/how-to-create-a-verified-ios-mobile-device-management-mdm-profile/
MDM Architecture https://docs.oracle.com/cd/E60418_01/doc.1210/e58650/admmdmarch.htm#OLDEP100
Prerequisites for MDM https://github.com/macadmins/mdm-server/blob/master/README.md#prerequisites
I went through the top questions of MDM as well: https://stackoverflow.com/questions/tagged/mdm+ios?sort=frequent
Most of these blog posts are quite old, so I believe things have changed since then, and I'm curious why we need the enterprise account when that program is majorly for distributing proprietary in-house apps within the company or organization, while we are doing this for end users?
Yes, in order to become an MDM vendor with Apple, you need an Enterprise Developer Program; this program requires you to register it in a company name (not a personal name), be registered with your country's tax department, and also obtain a DUNS (Dun & Bradstreet) number.
All in all, just a bit of paperwork and a few hundred dollars would set you straight.
Yes, technically you need to register with the Enterprise Developer Program, however with some clever trickery, it is possible to obtain a certificate like this for free.
Apple has maintained the "macOS Server" program for years now and it includes a service called Profile Manager. It is a rudimentary MDM server made by Apple. It uses MDM push certificates just as 3rd party vendors do, however they have made their own system for getting these certificates. I won't go too in depth here because this is kind of gray area on the terms & conditions front, but with some research on GitHub, you can find where people have uploaded scripts that use the protocol used by the macOS server program to get & renew its push certificate for free.
I reverse engineered it a while ago and have been using it to run my own personal MDM server for years. In my opinion, much cheaper and easier (and kinda fun if you're interested in this kinda stuff) than paying for an enterprise account.
Related
I have some doubts about how distributing for clients that have an Enterprise Developer account works.
Here is the situation:
- My company has its own developer account (a normal one, not enterprise).
- My client wants to distribute an app using their own account.
- My company has to develop this app.
Now, how do I set up my Xcode for this? Which solution is the best? Should I use the client's account directly, or is there a way in which they add my account as a developer in their team?
I'm concerned about this because I'm going to use my company account to test this app on devices during development, and Xcode, to me, is pretty hard to understand when it comes to changing certificates and accounts.
Thanks a lot.
As Alessia already wrote, the easiest way is to build the app with the enterprise certificate of your customer. For that, your customer has to provide you with the private/public key pair or give you access to their enterprise program so you can create and download it.
If your customer does not want to provide it to you (maybe for security reasons), there is another way. It's more complicated, especially if your customer has no experience with iOS development. In that case you have to develop and test your app with your own developer program. If your release version successfully passes your quality tests, you deliver it to your customer and they need to re-sign your app. See: example for re-signing
I think the easiest thing is to make the build with the certificates in enterprise.
So you should ask for the identity and mobile provisioning profile created from the enterprise account of your client, and then build your app with these certificates.
Your client can also enable (in developer mode) your Apple account so you can create certificates yourself (in enterprise).
You can also create multiple targets for this management.
We have distributed more than 50 iOS applications using an iOS Distribution Certificate (in-house, internal use apps). The apps are in-house apps and distributed through our MDM solution. The iOS Distribution Certificate is going to expire soon. When we checked the expiry of the iOS Distribution Certificate in the Apple documentation, we got the following information.
iOS Distribution Certificate (in-house, internal use apps)
Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.
As the apps are used in many stores in real time, if we sign the app with the new certificate then we need to redistribute it, and that will affect the whole internal network. We are thinking of moving the update to a nightly time. Can you suggest any solution other than this?
You should talk to your MDM vendor regarding deployment strategy. The topics on Stack Overflow are intended to be more technical in nature. Your vendor will have a lot more experience than you on this and should be able to provide best practices to you. There are many factors involved: network capacity, devices online/offline, etc.
Our company wants to develop a 3rd party MDM server to support the iOS platform. My question is about the APNs certificates from Apple.
We want to sell our developed MDM server; is that possible? What I could imagine is as follows.
1. We enroll in the enterprise developer program. Require MDM push notification certificates.
Question: Could I use only one certificate for all of the MDM servers I distribute to my customers? Or do I need a separate certificate for each MDM server?
Does this violate the contract of the Enterprise developer program? If so, how could I achieve this kind of thing?
Actually, all my questions are about distributing our developed MDM server to 3rd party customers; is that possible, and how? Sorry for my bad English.
Thanks, Paulw11, that makes sense now. My understanding is as follows:
Apply for one Enterprise developer account. Request to be a vendor of MDM.
Develop the MDM server, and distribute it to customers.
The customer generates a CSR and I use the vendor certificate to sign it, and then the customer uses the signed file (plist format) to generate the push certificate on the URL you pasted above.
The customer deploys the certificate on the distributed MDM server our company developed.
Am I correct? Just one more question: if I am correct, does the customer need to enroll in the iOS developer program to generate the certs?
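The vendor signing step of the flow above (customer CSR, vendor signature, plist for the push certificate portal), as an added shell example that is not from this thread and is not Apple's or any vendor's tooling. It assumes openssl is installed and uses a constructed self-signed certificate as a stand-in for the Apple-issued MDM vendor certificate; a real request's PushCertCertificateChain must carry the vendor certificate followed by Apple's intermediate and root certificates, and the key names and SHA-1 signature follow the MDM Protocol Reference linked in the first question.

```shell
#!/bin/sh
# Added example: build a vendor-signed push certificate request from a customer CSR.
# Assumption: vendor.key/vendor.crt are a constructed self-signed stand-in, not real credentials.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Customer side: private key and CSR for the push certificate (constructed sample subject).
openssl genrsa -out customer-push.key 2048 2>/dev/null
openssl req -new -key customer-push.key -subj "/CN=Example MDM Push/O=Example Customer" \
  -out customer-push.csr 2>/dev/null

# Vendor side: stand-in vendor key and certificate. In production, chain.pem also holds
# Apple's intermediate and root certificates below the vendor certificate.
openssl genrsa -out vendor.key 2048 2>/dev/null
openssl req -new -x509 -key vendor.key -days 365 -subj "/CN=Example MDM Vendor" \
  -out vendor.crt 2>/dev/null
cp vendor.crt chain.pem

# Vendor side: sign the DER-encoded CSR with the vendor key, wrap CSR, chain and
# signature in the plist, then base64-encode the plist for upload to Apple's portal.
# Arguments: customer CSR (PEM), vendor private key, chain file, output path.
build_push_request() {
  openssl req -in "$1" -outform DER -out csr.der
  openssl dgst -sha1 -sign "$2" -out csr.sig csr.der  # PushCertSignature: RSA/SHA-1 over DER CSR
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '  <key>PushCertCertificateChain</key>\n  <string>%s</string>\n' "$(cat "$3")"
    printf '  <key>PushCertRequestCSR</key>\n  <string>%s</string>\n' "$(openssl base64 -A -in csr.der)"
    printf '  <key>PushCertSignature</key>\n  <string>%s</string>\n' "$(openssl base64 -A -in csr.sig)"
    printf '</dict>\n</plist>\n'
  } > request.plist
  openssl base64 -in request.plist -out "$4"
}

# Customer-side check before upload: the signature must verify with the public key of the
# vendor certificate at the head of the chain. Argument: vendor certificate (PEM).
verify_push_request() {
  openssl x509 -in "$1" -pubkey -noout > vendor.pub
  openssl dgst -sha1 -verify vendor.pub -signature csr.sig csr.der >/dev/null
}

build_push_request customer-push.csr vendor.key chain.pem PushCertificateRequest.b64
verify_push_request vendor.crt && echo "signature verifies; upload PushCertificateRequest.b64"
```

The customer decodes nothing here: the base64 file is what gets uploaded, and the decoded plist (request.plist) is kept only so the three keys can be inspected.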
I'm in charge of developing an application for my company. It'll only be used by my company. I found the Enterprise Program.
I read about the iOS Developer Enterprise Program, but I also read something about MDM for iOS that I need to implement.
Is MDM needed to distribute my app? Also, how will my coworkers be able to download the app? How does Apple know they are authorized, and not some random guy who found the link on Google?
You don’t need to do MDM for the enterprise program as far as I know. As for preventing people from downloading the app, I think you just have to keep the link private, or put it behind a URL that can only be accessed on your company network or VPN. And of course, require login, so someone can’t access your internal information just by downloading the app! Presumably, Apple will revoke your enterprise privileges if they find you are abusing them.
Source: I worked at a company that used enterprise distribution for internal beta distribution, among other things.
One of my clients has 30 iPads that are used with an in-house developed app. The "Ad Hoc" distribution model is easy to implement if the number of deployed devices is less than 100. This approach is sometimes described as a "Beta test" approach, but that's just one common use for it.
See these pages:
https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/TestingYouriOSApp/TestingYouriOSApp.html
Ad-hoc Deployment
We want to develop apps for a variety of separate clients for use on their iPads/iPhones.
Right now we have a developer license and provision UUIDs manually and distribute the app OTA via a web server.
This limits us to 100 devices per license and leaves us paying for upkeep of the license.
Some of our clients may also be interested in using an MDM software package.
What is the best way for us to provision and push apps to many clients and more than 100 devices? Would each client need to pay for their own enterprise license?
Any input is appreciated.
Thanks.
Would each client need to pay for their own enterprise license?
It looks like it, according to the terms and conditions available here: http://developer.apple.com/programs/ios/enterprise/
More specifically, from this page:
I am a developer who wants to create an in house app for my client. Can I join the iOS Developer Enterprise Program to do that?
The iOS Developer Enterprise Program should be used to develop and distribute proprietary in-house applications to your own employees within your own company. As such, your company would not qualify for direct Program enrollment in this situation. We would suggest that your client apply for enrollment in the Program, and, once enrolled in the Program, your client may add the appropriate developers from your company to their iOS Development Team.