I am currently using 8191 for the 'AccessRights' variable required for the MDM payload (com.apple.mdm).
Now when using this the user gets the following message:
The administrator may collect personal data, add/remove accounts and restrictions, list, install and manage apps, and remotely erase data on your iPhone
Telling him/her the MDM server is allowed to wipe the device remotely. Now I don't want the MDM server to be able to do this at all.
When I change the AccessRights to 4161 for instance, the message changes into:
The administrator may collect personal data, and list, install and manage apps on your iPhone
Now I can't find ANY reference to this AccessRights variable and its values. Can anyone enlighten me on what the value actually represents?
Here is the table that describes all flags for access rights:
You can mix these values to configure necessary list of access rights.
In your particular cases:
8191 - is a combination of all above values.
4161 - is a combination of 4096, 64 and 1.
Update:
Visput's printscreen of "Mobile Device Management Protocol Reference" provides the desired numerical values for AccessRights. However, this answer will remain for context, the lessons learned along the way and the mention that said material may be subject to Non-Disclosure Agreements due to the nature of the Apple confidential material.
For a clear understanding of the answer's scope, as well as for the sake of explaining to novices, I will provide a little context.
Context
First off, Mobile Device Management (MDM) provides you with features which are organized into a collection of settings called configuration profiles: features like real management capabilities, including convenient configuration, self-service tools, enhanced protection, etc.
These profiles are just XML files that allow you to distribute configuration information.
Configuration profiles are in property list format.
From the document that describes the keys in a configuration profile and provides examples of the resulting XML payloads, PayloadContent is one of the keys. It is also the one you meant that contains the AccessRights property.
PayloadContent [optional] is an Array of payload dictionaries (payload objects). Not present if IsEncrypted is true.
The docs specify that these are the Payload Dictionary Keys Common to All Payloads: PayloadType, PayloadVersion, PayloadIdentifier, PayloadUUID, PayloadDisplayName, PayloadDescription, PayloadOrganization.
In addition to the standard payload keys above, each payload type contains keys that are specific to that payload type.
You are working with PayloadType "com.apple.mdm" and are looking for payload-specific keys for the MDM payload.
Conclusion
I have looked long and hard for all references of MDM payload keys. All I could find were a couple of AccessRights values; there are none in the official documentation available to the public.
The closest I could find was Inside the mdm protocol (pdf): a project with the goal of not creating a simple, turn-key, stand-alone MDM server, nor probing the protocol for weaknesses or hidden features, but simply documenting as much of the protocol as possible.
From this document:
Unfortunately, documentation of the underlying protocol has never been freely available. Obviously, third parties selling MDM servers were provided access to the documentation by Apple, but it's not been available for researchers or smaller development shops. This hampers risk analysis for enterprises making use of MDM. In order to aid such risk assessments, and to enable and encourage future research, this project was born.
Now I consider the document to be very useful for understanding MDM. On access rights it provides an image on page 8, a print screen of a GUI tool which presents access rights as check boxes. As for generated values, your best chance is to google anything like:
<key>AccessRights</key>
<integer>8191</integer>
I've also found the value 2047 somewhere.
I've also found mentions of access rights in this Security Configuration Recommendations from the NSA for Apple iOS devices. On page 16 you have Access Rights for Remote Administrators:
The following settings control what an MDM server is permitted to query from an iOS device. For an enterprise-owned, enterprise-controlled device, permitting the enterprise administrator to query as much information as possible is appropriate. Some MDM products may simply include these access rights by default and offer options to retrieve less information from the device.
And it goes on to actually list the check boxes which were also illustrated in the previous guide. No correspondence to the XML-generated data/IDs.
The closest I got to the actual IDs was in this mdm-settings.xml, which enumerates the access rules along with some other data used on the device for iOS 6.
Your best chance is to contact Apple support and ask for details.
The info you are looking for may be subject to Non-Disclosure Agreements due to the nature of the Apple confidential material. The document above was based on data available in the Developer Preview.
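As an added example (not code from any of the answers above, nor Apple's), a small Python audit that pulls AccessRights out of a .mobileconfig's com.apple.mdm payload, splits it into its flag bits (so 4161 really is 4096 + 64 + 1 and 8191 is every bit), and reports whether a bit you have decided to forbid, such as remote erase, is set before the profile ships. The flag names are my recollection of the table in Apple's MDM Protocol Reference and are an assumption to verify against the current document; the sample profile is constructed.

```python
import plistlib

# AccessRights bit values as listed in Apple's MDM Protocol Reference; reproduced
# here as an assumption to verify, since the table is not part of the answers above.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "security queries",
    2048: "manipulate settings",
    4096: "app management",
}

def decompose(value):
    """Split an AccessRights integer into its set power-of-two flags, ascending."""
    return [1 << i for i in range(value.bit_length()) if value & (1 << i)]

def audit(value, forbidden=(8,)):
    """Report granted rights, bits outside the known table, and forbidden bits set."""
    bits = decompose(value)
    return {"granted": [ACCESS_RIGHTS[b] for b in bits if b in ACCESS_RIGHTS],
            "unknown": [b for b in bits if b not in ACCESS_RIGHTS],
            "violations": [ACCESS_RIGHTS[b] for b in forbidden if value & b]}

def rights_from_profile(mobileconfig):
    """Return AccessRights from the first com.apple.mdm payload in a profile."""
    for payload in plistlib.loads(mobileconfig).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return int(payload["AccessRights"])
    raise ValueError("no com.apple.mdm payload in profile")

# Constructed minimal profile (not a real deployment profile) granting 8191.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.profile</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>PayloadIdentifier</key><string>com.example.mdm.payload</string>
    <key>AccessRights</key><integer>8191</integer>
  </dict></array>
</dict></plist>"""
```

Running audit(rights_from_profile(SAMPLE_PROFILE)) lists "erase device" under violations, while audit(4161) lists none, matching the two user-facing messages quoted in the question.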
I am developing an application for which I need to register an OID (Object Identifier) for monitoring purposes. However, I am not familiar with OIDs and how to get one created/registered/assigned. Can I create a custom one?
If I have the company parent OID, would that help in creating a custom one? Should that be registered officially with the certifying authority? Could someone help provide some insight on how to create and register an OID?
You can get a free one instantly here
This will give you an OID from the branch 1.3.6.1.4.1.54392.4.*
Full disclosure: I created this service.
You can't just create a custom OID yourself, you have to apply for one. It can take a week or three, but the registration is free. You don't necessarily have to be an organisation - I applied for, and was granted, one for my own personal use a few years ago without any problem.
There are OID branches where you can essentially create your OID without any registration. See 2.25. Simply generate a new UUID/GUID, treat it as a 128-bit number, and use it as an identifier in the subtree.
UUIDs are octet strings of 16 octets (128 bits) which can be interpreted as an integer that can be used as a child OID of {joint-iso-itu-t uuid(25)} without formal registration (in particular in this OID repository). This enables users to generate OIDs without registering them with a registration authority.
It however also warns that some software may not support such large OIDs. I have managed to find another branch, 1.2.840.113556.1.8000.2554 from Microsoft, which uses the individual components instead.
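As an added example, not code from the answer above: both UUID-derived schemes it mentions side by side, plus a minimal DER arc encoder that makes the "some software may not support such large OIDs" caveat concrete by measuring how wide each arc is. The 4/4/4/4/4/6/6 hex-digit split under the Microsoft branch is my recollection of Microsoft's oidgen script and is an assumption to verify.

```python
import uuid

# Branch under which Microsoft derives OIDs from a GUID (quoted in the answer above).
MS_PREFIX = "1.2.840.113556.1.8000.2554"

def _as_uuid(u):
    return u if isinstance(u, uuid.UUID) else uuid.UUID(str(u))

def oid_from_uuid_2_25(u):
    """2.25 method: the entire 128-bit UUID becomes a single arc."""
    return "2.25." + str(_as_uuid(u).int)

def oid_from_uuid_microsoft(u):
    """Microsoft oidgen-style split (assumption: 4,4,4,4,4,6,6 hex digits per arc),
    which keeps every arc small at the cost of a longer OID."""
    h = _as_uuid(u).hex
    bounds = [(0, 4), (4, 8), (8, 12), (12, 16), (16, 20), (20, 26), (26, 32)]
    return MS_PREFIX + "." + ".".join(str(int(h[a:b], 16)) for a, b in bounds)

def _base128(n):
    """DER base-128 encoding of one arc, most significant 7-bit group first."""
    groups = [n & 0x7F]
    n >>= 7
    while n:
        groups.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(groups))

def der_oid_content(oid):
    """Content octets of a DER OBJECT IDENTIFIER (first two arcs packed as 40*a+b)."""
    arcs = [int(a) for a in oid.split(".")]
    return _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])

def fits_arc_width(oid, bits=32):
    """True if every arc fits in `bits`; implementations that store arcs in
    32- or 64-bit integers reject the 2.25 form but accept the split form."""
    return all(int(a).bit_length() <= bits for a in oid.split("."))

if __name__ == "__main__":
    u = uuid.uuid4()
    for oid in (oid_from_uuid_2_25(u), oid_from_uuid_microsoft(u)):
        print(oid, len(der_oid_content(oid)), "bytes, 32-bit arcs:", fits_arc_width(oid))
```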
You can create any OID you want under your enterprise number. Outside of your enterprise branch, you cannot.
If you want to create one under your enterprise number, you probably need to coordinate with the cognizant individual in your company who is responsible for managing that, but anything under your enterprise number remains totally under your company's purview.
I'd like to build a Backbone/Rails Journal App that supports many Users.
How would you persist a journal Entry for a given User, while respecting that User's privacy (the User can store sensitive info in that Entry)? I was thinking of using something like BCrypt, but that wouldn't work since you can't invert the process. Any thoughts?
In this case, I'm trying to keep the app as lightweight as possible, so answers that don't rely on external libraries would be preferred (not sure if that's an unreasonable requirement though).
If you trust the server to send you encryption code, you trust it with the way it handles your data. That's mostly the issue with client-side encryption.
If the user doesn't know how to use their own encryption tools, then they're trusting you with the tools you send them.
That said, if you're still pretty gung-ho about it, maybe consider a web-based version of PGP: https://webpg.org/
I'm trying to interface with QuickBooks Online for an internal application that will push and pull transactions using qbXML. My problem is that I can't figure out which message I need to send in order to list and add the items listed under the "Banking" > "Registers" page. I've gone through the messages listed in the Onscreen Reference for Intuit Software Development Kits and none of them seem to give me this information.
Also, does anyone know of a list that explains what each message does?
If you're in a bank account register, you're writing checks. There are 3 kinds of checks in QuickBooks:
Expense checks - if you added a check directly in the register window, you would be adding an expense check.
Bill payment checks - these appear in a check register, but you can only add them with a bill payment operation.
Payroll checks - these appear in the check register, but they can only be added using the Intuit Payroll Service or by enabling manual payroll (almost no one does manual payroll in actual practice, but it is good to know about for testing purposes).
The first 2 types of checks have their own message type: the Add/Mod Check and Add/Mod BillPayment messages respectively. Payroll checks can't be added by the SDK. You can query all 3 types using a Transaction query message. I should also mention that it's possible to add an entry in any register using a journal entry, but that's not a good idea unless you are certain you know what you're doing.
I hate to tell you this, but the best reference for QuickBooks messages is the one you're already using. There are also XML files in the <sdk root>\docs directory that describe SDK operations. But there is really no substitute for understanding how QuickBooks operates from a user's perspective.
If you're going to be working with QuickBooks integration, it's a good idea to make friends with one or more QuickBooks Pro Advisors so you can run these kinds of issue by them. The relationship is generally mutually beneficial, since QuickBooks Pro Advisors often find it handy to have access to an SDK programmer.
I use my app to download a file, then I save it into IsolatedStorage.
Can someone hack my app and get my files or folders from it?
I do not know how IsolatedStorage protects its data. Are there other ways to protect data in IsolatedStorage?
Yes, your data is vulnerable.
If this data contains user details, like emails, passwords or even personal information then this should be made secure.
If you are storing information about a user's favourite colour or favourite car then this CAN be deemed as "not sensitive" and you will then have to decide whether you want to protect this.
Always assume that people can get at your data. It's just a matter of time before they can access it (just look at how people have jailbroken the iPhone and a vast array of other smart phones for that matter).
Remember: security is not obtained through obscurity.
The following link has good answers in relation to Isolated Storage on Windows...
https://security.stackexchange.com/questions/5660/how-secure-is-isolated-storage-on-windows
From within a managed application it's not going to be possible to access the Isolated Storage of another application. However from native code that's another matter, and WP8 has support for native code...
http://msdn.microsoft.com/en-us/library/windows/apps/jj681687(v=vs.105).aspx
Plus, the following article asserts that there's only a registry in the way of a hacker who wants to get unmanaged code onto WP 7.1...
http://www.wpcentral.com/let-hacking-begin-how-windows-phone-7-can-run-native-unmanaged-code
So on WP7 it's pretty clear your app shouldn't store any sensitive data in isolated storage, and on WP8 it's even clearer. If you can avoid putting sensitive data in isolated storage, do so; otherwise you'll need to encrypt the data, and then of course you need to consider the security of the encryption and the keys used to decrypt and encrypt the data. The following looks like a good guide on how to do that best...
http://msdn.microsoft.com/en-us/library/windows/apps/hh487164(v=vs.105).aspx
At the end of the day security is nothing more than a series of hurdles for a hacker, ultimately they'll probably get access to the data if they're really determined and have the skills and resources available to do so.
I've used content providers with a DB. It has some data in it. I need to make that data available to all other applications. How? Usually the main use of a content provider is to store and retrieve data and make it accessible to all applications. They're the only way to share data across applications; there's no common storage area that all Android packages can access. I used the code from the link below.
http://ashwinrayaprolu.wordpress.com/2011/03/16/custom-content-provider-in-android/
Distribute your Content URI and define your API.
Provide the string of your Content Authority and the paths you recognize. Explain to your users how the tables in your DB map to your paths. Document what the columns in your tables are. Users with your content URI can read and write your databases using standard calls to ContentResolver and the insert/delete/update/query calls.
Provide access control in your <provider> tag in your AndroidManifest.xml. Look at the documentation, especially with regard to android:exported, android:grantUriPermissions, android:permission, android:readPermission and android:writePermission. You'll need to decide how to use those based on your use cases. Also, the <grant-uri-permission> tag will give you even more fine-grained control.
Write other apps to use those calls you just documented and allowed permissions for.