I'm developing an iOS MDM Server as my project and I have almost completed it.
I created all the necessary files manually, including the mobileconfig file, and installed the profile.
The device polls the URL mentioned in Server URL often with an Idle message. I read that the Idle message indicates that the device is checking the server for commands and that we can send a plist response as a command.
My question is, if all the devices poll the MDM Server frequently, what is the need for the .pem file and APNs certificate? Should we send a push notification to the device like below, as we send push notifications to our iOS apps?
{
    "aps": {
        "id": 10,
        "message": "Hello world!",
        "from": "Ram"
    }
}
If this is what we should do, what should we send in the payload?
EDIT:
I found the solution for sending push notifications.
import com.notnoop.apns.APNS;
import com.notnoop.apns.ApnsService;

// Service backed by the MDM push certificate (PKCS#12 stream plus its password)
ApnsService apnsService = APNS.newService()
        .withCert(<pushCertStream>, <pushCertPass>)
        .withProductionDestination()
        .build();

// MDM payload: only the "mdm" key carrying the PushMagic value, no "aps" dictionary
apnsService.push(token, APNS.newPayload().mdm(pushMagic).build());
When a push notification is sent like this, the device responds with an Idle message and we can send commands to the device.
A few more doubts:
1) When does Apple check the SSL Certificate of the profile? I'm sure it checks during profile installation, because my profile installation has failed many times due to a wrong SSL Certificate. Does Apple also check the SSL Certificate when sending a push notification, as I have noticed a class com.notnoop.exceptions.InvalidSSLConfig? Does it check whether the server sending the push notification has the SSL Certificate specified in the profile?
EDIT
When the server sends a push notification to the device, the device responds with an Idle message to the URL specified in Server URL. What happens if the SSL Certificate is invalid at this point? Does it produce an error?
2) Can multiple servers have the same push notification certificate to reduce the load on a single server to send push notification and send commands to devices? Will there be any conflict?
3) Is there any limit to the no. of push notifications sent using a single push notification certificate? If not, can it handle any number of push notifications?
4) Can the Check-in URL and Server URL in the profile be different?
EDIT
Can the Check-in URL and Server URL be on different servers, i.e.,
CheckIN URL : https://www.domainone.com/MDM/
Server URL : https://www.domaintwo.com/MDM/
5) First question in this link (least important). Though the solution talks about expiration of the SSL Certificate, it does not say anything about changing the SSL Certificate.
EDIT 2
When a push notification certificate is renewed, how does a device with profile already installed update the certificate details in the device's profile?
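The push described in the question's EDIT, as an added example in Python (not code from the original post or from the notnoop library): it parses the TokenUpdate check-in the device sends to the Check-in URL, keeps the fields the server has to persist (device token, PushMagic, Topic, UDID), and builds the APNs HTTP/2 request whose body is nothing more than {"mdm": PushMagic}. The sample TokenUpdate plist is constructed; the token bytes, PushMagic and topic UUID in it are fake.

```python
"""Added example: from a TokenUpdate check-in to the APNs request that wakes
the built-in MDM client.  Not code from the original post or from notnoop's
java-apns; the sample plist and every identifier in it are constructed."""
import json
import plistlib

# Constructed TokenUpdate message, as the device POSTs it to the Check-in URL after
# installing the enrollment profile.  Token is 32 fake bytes (0x01 0x23 ... 0x10, twice).
SAMPLE_TOKEN_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>MessageType</key><string>TokenUpdate</string>
    <key>PushMagic</key><string>9F4C2B19-7D2C-4E1A-8B5D-3A6F0C1E2D7B</string>
    <key>Token</key><data>ASNFZ4mrze/+3LqYdlQyEAEjRWeJq83v/ty6mHZUMhA=</data>
    <key>Topic</key><string>com.apple.mgmt.External.3b2d6d8e-0c7a-4f58-9d1a-5a6e7f8c9d0e</string>
    <key>UDID</key><string>00008030-000A1B2C3D4E5F60</string>
</dict>
</plist>
"""

MDM_TOPIC_PREFIX = "com.apple.mgmt.External."   # UID of an identity.apple.com push cert


def parse_token_update(body: bytes) -> dict:
    """Validate a TokenUpdate body and return what the server must persist per device."""
    msg = plistlib.loads(body)
    if msg.get("MessageType") != "TokenUpdate":
        raise ValueError(f"expected TokenUpdate, got {msg.get('MessageType')!r}")
    token = msg["Token"]                      # <data> decodes to bytes, not a hex string
    if not isinstance(token, bytes) or not token:
        raise ValueError("Token must be non-empty raw bytes")
    topic = msg["Topic"]
    if not topic.startswith(MDM_TOPIC_PREFIX):
        raise ValueError(f"Topic {topic!r} is not an MDM push topic")
    return {
        "udid": msg["UDID"],
        "token_hex": token.hex(),             # APNs HTTP/2 takes the token hex-encoded in the path
        "push_magic": msg["PushMagic"],
        "topic": topic,
    }


def build_mdm_push(device: dict, production: bool = True) -> dict:
    """Assemble the APNs HTTP/2 request for one device.

    Unlike an app push there is no "aps" dictionary: the body is only the PushMagic,
    and the topic is the push certificate's UID, not an app bundle ID.
    """
    host = "api.push.apple.com" if production else "api.sandbox.push.apple.com"
    return {
        "method": "POST",
        "url": f"https://{host}/3/device/{device['token_hex']}",
        "headers": {
            "apns-topic": device["topic"],
            "apns-push-type": "mdm",
            "apns-priority": "10",
        },
        "body": json.dumps({"mdm": device["push_magic"]}).encode(),
    }


def is_mdm_payload(body: bytes) -> bool:
    """True only for the {"mdm": "<PushMagic>"} shape; rejects app-style "aps" payloads."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and set(data) == {"mdm"} and isinstance(data["mdm"], str)


if __name__ == "__main__":
    dev = parse_token_update(SAMPLE_TOKEN_UPDATE)
    req = build_mdm_push(dev)
    print(req["url"])
    print(req["headers"])
    print(req["body"].decode())
```

Actually sending the request needs an HTTP/2 client authenticated with the push certificate (the .p12 downloaded from identity.apple.com); that part is left out so the block runs offline. The only reply to a correct push is indirect: the device POSTs its Idle report to the Server URL.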
1) When the MDM Server sends a push notification to the device, the device responds to the Server by contacting the Server URL. The SSL Certificate of the server has to match the SSL Certificate Payload in the profile. If there are any conflicts, there will be an error. So, the SSL Certificate is checked every time the device contacts the Server URL. The below error will be produced if there are any conflicts.
Desc : The Server Certificate for "Server URL" is invalid.
Domain : MCHTTPTransactionErrorDomain
2) Yes, multiple servers can have the same push notification certificate. Each server just needs to know the password of the certificate.
3) I don't think there is any limit to the number of push notifications sent. Check the links below.
Reference 1
Reference 2
4) Your Server URL and Check-in URL can be different but should be on the same host.
5) If the SSL Certificate is changed, the profile has to be deleted and a new profile has to be installed.
1) Hmm, AFAIK if your server has an SSL certificate then signing the profile with that certificate only verifies it. In terms of functionality I don't think it does anything. However, you do also need a certificate that is related to your server; this is the one that goes inside the plist as part of the payload. It'll need to be the same one that the server has (usually in .p12 format).
2) Yes, you can have multiple servers, because essentially sending a push notification is just a request to Apple with proper credentials.
3) I don't believe there is a limit to how many push notifications a certificate can send, but more so how frequently you're sending them (e.g. flooding Apple with push notification requests).
4) Yes, I strongly believe so, but you should double check this.
5) Again, the SSL certificate only makes the profile verified AFAIK (if we're strictly talking about MDM). (Edit: I forgot that there was another .p12 certificate that you could embed inside the profile. This provides authentication between the device and the server and will need to be the same SSL cert.)
I know it's a duplicate question; the existing solutions are not working for me, I have tried almost all of them by now.
What I have done so far:
1) The MDM profile is getting installed on the device.
2) I am able to receive the push notification token and push magic string on my localhost server.
My server and client environment is:
1) Server side, I am using Rails; a self-signed SSL certificate is used for the localhost environment.
2) iOS 10.3 on the client side; the device is connected on the LAN, and MDM profile installation is working fine.
References I am following:
To create the MDM payload and push notification certificate
To send a notification to the device, Rails gem
The source code for sending the notification to the device is:
require 'apple_shove'

apns_p12 = File.read('my_cert.p12')        # MDM push certificate and key from identity.apple.com
token    = '[device token string]'         # Token from the device's TokenUpdate check-in
payload  = { mdm: '[push magic string]' }  # MDM push carries only the PushMagic, no "aps" hash
AppleShove.notify p12: apns_p12, device_token: token, payload: payload,
                  expiration_date: Time.now + 60 * 60, priority: 5
When the above code executes, we receive the response, the notification is sent to the device and delivered, but the device never requests our server to pull the new configuration.
Note:
I am able to download the certificate from https://identity.apple.com/pushcert/
Once I used only the .p12 of the certificate downloaded from identity.apple.com.
Once I used of downloaded certificate from identity.apple.com.
Once I used cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem, with a passphrase and without a passphrase.
My app uses APNs to send notifications. After one year, the cert file expired,
but my CSR (.certSigningRequest) cannot be found. Here is the question:
If I create a new CSR file and a new iOS aps_distribution certificate, do I need to submit a new
app to the App Store?
No, you don't.
Your certificate is only used to access Apple's APNS from your server (or your push service provider's). Your app will not expire.
Edit:
I use javapns-2.2 to send notifications to my app. When I use the
aps_development cert, I can receive the message, but when I use the
newly created aps_distribution cert, it shows send success, but my app cannot
receive the message. Do you know why? Or do you know how to test production
push?
As Aanabidden stated, don't forget that you can't use a production certificate for development and a development certificate for production. Apple's servers are separated for those schemes and an invalid certificate won't work.
Recently our Azure Notification Hub became a very mysterious entity. When Apple devices register we can see them in Service Bus Explorer and as soon as we try sending any notifications (from SBE or Azure Portal) we get a "Notification Successful" message, but nothing appears on the device. Refreshing registration list uncovers the fact that the registrations were deleted.
We are not removing them anywhere in code, and the TTL has not expired.
Any suggestions?
Notification Hub cleans up registrations with invalid tokens during the send flow. It looks like for some reason APNS rejects your tokens and NH just removes the registrations. Make sure:
you are getting the token from a physical device (not an emulator);
the APNS certificate uploaded to NH is not expired;
the APNS certificate uploaded to NH corresponds to the APNS endpoint you are using in the application (sandbox or production).
Turns out the front end guys were unsubscribing too eagerly. Removing the unsubscribe code sorted out the issue. Also there was a problem with the APNS certificate: in order to run the front end app in debug it requires a sandbox certificate, not a production one, for the messages to be delivered properly.
We had this exact error, but it turned out we were accidentally using a "distribution" provisioning profile with a "development"/sandbox push notification certificate. After switching to a development provisioning profile, push notifications worked!
After reading and searching, the Apple MDM client to MDM server interaction seems to be:
When the server wants to do something on devices, it sends a notification to APNS (with the device token and AppID, so APNS knows which devices and application need to receive the notification).
APNS sends the notification to the provided app on the provided device.
When it receives the notification from APNS, the Apple MDM client will connect to the server, get the command and run the command on the device.
My questions are:
The application that registered for APNS is my application (MY_APP, not the Apple MDM client). That means the one which receives the notification is MY_APP. Then how does the Apple MDM client know about the notification in order to connect to the MDM server?
The solution could be: MY_APP receives the notification, then connects to the server, gets the commands and pushes the received commands to the Apple MDM client, telling it to do the task. If this approach is correct, how can MY_APP communicate with the Apple MDM client?
There must be an API for that purpose, but I cannot find it via Google...
Please take a look at my answer for your original question:
How does MDM in IOS really work?
MDM is a clientless protocol. Your MY_APP is not involved in the MDM protocol.
What happens is:
Your server sends a push notification using the device token, topic and PushMagic.
This is a slightly unusual push notification, because you don't specify an AppID
(check the "Structure of MDM Messages" section in the MDM documentation).
This push message goes directly to the built-in MDM client.
The MDM client will go and talk to the server (to get new commands).
As you can see, your app isn't involved in MDM at all.
I would like to reinforce Victor's answer (because answers about Apple's MDM are so few on the internet)!
Again, in the MDM protocol there is no application that has to subscribe to Apple's push notification service; iOS is the client here. It will handle the requests from APNS, but for this to happen the device must have a special kind of configuration profile installed, named an enrollment profile, which is like a normal configuration profile with two payloads in it: an MDM payload and a Certificate payload, and that's it! After the user installs it, the iOS client is ready to receive requests from APNS.
I am attempting to add push notifications to an application that I have created. I followed the Apple guide and am able to register the device for push notifications, receiving a device token value from APNS. The trouble occurs when I attempt to send data to APNS: my connection is always refused.
The only thing that I have done that is non-standard is that the private key for the push notification certificate was created by a non-team agent (but through the team agent's account). Does anyone know if the team agent has to generate the private key for the push notification?
If you are using an Ad Hoc provisioning profile, don't use the sandbox APNS; use the production server.
Both team agents and admins should have their private keys on their machines; they should be able to create the necessary certificates.
Is there a reason that you want to set up your own push notification server? You can just use Urban Airship, which provides free push notification services.
If you still need to set up your own server, info on generating your certificates can be found here. Make sure that you're connecting to the right push server on Apple's side. There are different servers for debugging and production purposes.