I'm trying to setup a basic mdm server. Until now I configured the devices using a usb cable, but now I'd like to try an OTA installation of the mdm profile. I found some instructions here: https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
What I would like to know is if there is some way to skip step 2, that is avoiding using SCEP during the enrollment (since this is just for testing, the idea would be to insert step two later).
The closest answer I could get was this: Enrollment Challenge to retrieve UDID from iPhone
but it isn't clear in the comments whether the SCEP step can be avoided altogether.
Apparently, for what I was trying to do it was enough to send out the response to the enrollment with Content-type: application/x-apple-aspen-config header set and the profile in the body of the response. The profile then just installs itself on the device, enabling mdm if configured accordingly.
I'm trying to implement a server side solution to remotely control permissions in an iOS device, on demand.
From what I've read it is possible using the MDM protocol and MDM push notifications, which allow my server to remotely change restrictions in an iOS device, for instance, or even lock the device, on demand.
I know that the iOS device must install an MDM configuration profile to be able to be remotely managed. I also know that the server must have an APNS certificate with MDM permissions.
My question is: do I have to be an MDM vendor and/or join the Apple Developer Enterprise Program in order to generate the APNS certificate with MDM permissions ?
Thanks in advance.
Yes, you need to have a company developer account registered with a DUNS number before you can be accepted into the MDM program.
You need to have the Apple Developer Enterprise Program if you want to implement an MDM server by yourself. There is no need for the Developer Enterprise Program to generate an APNS certificate. You can generate an APNS certificate from any Apple ID.
I don't believe you have to do anything to write your own personal MDM server except register for and receive an APNS certificate and follow the protocols.
If you want to sell your server and have it authorized by Apple, then you need to register obviously. I would certainly not buy one which wasn't.
You need an APNS (Apple Push Notification Service) certificate in order to connect to the APNS Servers to have your MDM server work. You use the certificate to validate who you are before you are allowed to send Push Notification messages. This requires an Apple Id.
Your MDM server also needs to be running on a TLS-secured server, and you use that certificate to sign the MDM profile you install on a device which you want to manage.
Yes, you will need an Apple Developer Enterprise Account. An Apple Account alone will not work. Contact Apple Support and ask them to provide you MDM Vendor rights.
In order to send MDM commands you will require a Push Certificate signed by the MDM Vendor certificate.
This MDM Vendor tutorial will help you.
I am looking for an API which will allow me to check whether MDM profile is installed on a device.
It won't be submitted to the App Store, so private APIs are fine with me. However, it should work on a jailed phone (so jailbreak solutions aren't applicable).
Update 1
I am looking for a way to determine on iOS device whether this device is enrolled (vs checking from MDM server what devices are enrolled).
One solution that I can think of is installing the application through the MDM server (using the ChangeManagementState option to take control of an already installed application). This will allow you to set managed app configuration options on the MDM server which the application can read from UserDefaults.
You can see how to do this here: https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf#b3
If you need to verify that the correct MDM server is managing the device and not some random MDM server, you can create some type of signed document that is unique to the device (include the UDID) and signed by a private key unique to the server. The app can then verify this signature with the public key (probably shipped in the app binary since this seems to be a private thing) and determine if the app and device are managed.
The easiest option would probably be something like JSON Web Tokens. There are other options that exist as well: PKCS#7, S/MIME, CMS, etc.
For example, in the body of the JWT token, you could include the server domain, and the device UDID. This way the device can verify that this signed token is intended for this device and not simply being copied and reused from another legitimately managed device. You could also include a timestamp (and/or expiration) value to require that the token be reissued by the MDM server over some set time interval to ensure that it's recent.
{
"sub": "SOME-DEVICE-UDID",
"iat": 1516239022,
"iss": "mdm.example.com"
}
There are many ways to do this, I am just most familiar with JWT tokens. There are existing JWT libraries for Swift and Objective-C which could be used within your app to verify this token. Then you could be reasonably sure that the device is managed and managed by the intended server.
Did a lot of research on this. Saw several opinions; a few say I need an Apple Enterprise account, a few say I don't.
Would having a Mac server help? Do I need to have an enterprise account to be an MDM vendor? Any pointers would be great.
I saw the technical business document provided by MDM, but it was not explaining anything about the internal implementation of the server.
Any help would be great!
To become an MDM vendor, you need:
1) An Apple Enterprise account
2) Contact Apple (https://developer.apple.com/contact/submit.php) and ask to be an MDM vendor.
They should enable you as an MDM vendor and you will have an "Other" tab in your "Certificates" section to send a Cert. Signing Request for MDM purposes.
You do need an enterprise account, but I'm not sure whether you need to specifically request to be a vendor also. You don't need a Mac server.
As for the details of your request - are you talking about signing your 'customers' certificate signing request which is a required step now in order to be a vendor or actually setting up and running an MDM service?
After research, we need to have an Enterprise Developer account from Apple, and we need to send the MDM payload from the web server using Apple's push notification server.
I realize there was a question about allowing multiple servers to send Push Notifications to the same application using the same SSL Certificate, but my question is different.
Suppose that the developer of a single iOS application would like to allow multiple providers to send Push Notifications to his application, but wants to control which providers have the authority to send APNs to his App (and to be able to revoke that privilege from any one of them).
If all the providers have the same certificate, in order to block one of them from sending APNs, he has to block them all (by revoking the Push SSL Certificate, and getting a new one).
Is it possible to get from Apple multiple Push SSL Certificates for the same Application?
That would make it possible to assign a unique certificate to each provider, which would allow blocking a single provider without blocking the rest.
On the Apple Provisioning Portal there doesn't seem to be a possibility to create more than one Push SSL Certificate for the same Application and the same environment (Development/Production), but I wanted to be sure whether it can't be done.
Since no one answered my question, I'll answer it myself.
The answer to that question used to be no but it seems that Apple made some changes in the provisioning portal (which is now called Certificates, Identifiers & Profiles), and now it's possible to define multiple certificates for the same application and the same environment.
Actually you can create only 2 Apple push certificates for one App ID and no more.
Apple developer center does not allow me to create more than two, and my friend has had the same experience.
I don't see how your task can be solved now. In my opinion Apple does not want to support such products. Maybe you can do more with an Enterprise Developer account but I don't have one. So maybe anyone else can tell us if it allows creating more push certificates for one iOS application.
NOTE: This question is NOT related to the keys and certificates used for iOS development/provisioning.
I would like to use TLS client certificates for authentication of iOS devices running my app. In order to achieve this securely, it would be ideal if the device generated its private key itself and requested a certificate from our in-house CA.
I can't find an API in the docs for doing this, but I can see that iOS supports TLS client certificate authentication, so it seems logical that it would be possible. Can anyone point me in the right direction?
Actually there is an Objective-C wrapper of OpenSSL available, which may be of some help to you: https://github.com/aidansteele/SSCrypto.
You can also use mycrypto (https://bitbucket.org/snej/mycrypto/wiki/Home), a high-level Objective-C wrapper for many cryptographic tasks.
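The enrollment flow the question describes (device generates its own private key, sends only a CSR, the in-house CA issues a client certificate, the TLS server checks it against the CA), as an added server-side illustration in Go; it is not code from the answer or from the libraries linked above, and it says nothing about the iOS APIs for the device half. The CA, device identifier and validity periods are constructed for the demo; in production the CA key lives offline or in an HSM and the CA takes the identity from its enrollment record, not from the CSR alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewCA builds a self-signed in-house device CA (constructed for the example).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example In-House Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DeviceCSR is the device side: the private key is generated locally and only
// a CSR (public key + claimed identity, self-signed with the new key) leaves it.
func DeviceCSR(deviceID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: deviceID, Organization: []string{"Example Corp Devices"}},
	}, key)
	return key, csrDER, err
}

// IssueClientCert is the CA side: parse the CSR, check its proof-of-possession
// signature, make sure the claimed identity matches the enrollment record, and
// issue a short-lived certificate restricted to TLS client authentication.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, expectedID string, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err // requester does not hold the private key for this public key
	}
	if csr.Subject.CommonName != expectedID {
		return nil, errors.New("CSR identity does not match enrollment record")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: expectedID}, // identity set by the CA, not copied from the CSR
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// VerifyClientCert is what the TLS server does with a presented client cert;
// crypto/tls performs the same chain check when ClientAuth is
// RequireAndVerifyClientCert and ClientCAs holds the in-house CA.
func VerifyClientCert(ca *x509.Certificate, certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	_, csr, err := DeviceCSR("device-0001") // constructed device identifier
	if err != nil {
		panic(err)
	}
	certDER, err := IssueClientCert(ca, caKey, csr, "device-0001", 2)
	if err != nil {
		panic(err)
	}
	id, err := VerifyClientCert(ca, certDER)
	fmt.Println("authenticated device:", id, "error:", err)
}
```

The private key never leaves DeviceCSR, which is the property the question is after; the CA only ever sees the public key and the request signature made with it.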