Deploying iPhone Configuration Profile - ios

I developed an MDM setup where I could able to push apps into the iOS devices. My main bottleneck here is giving the URL to the user via e-mail and asking them to install configuration profile. I want to automate this process. As soon as the user logs in with his Enterprise WiFi username and password, the configuration profile should be installed onto the device.

Your question is kind of controversial.
You say "where I could able to push apps into the iOS devices" and literally in the next sentence "via e-mail and asking them to install configuration profile".
It's not clear whether you are sending emails and asking users to install an app or you are pushing an app (meaning that users don't have to do anything).
A couple of notes:
1) As I remember, you can't completely automate it (install apps without user intervention).
The small caveat: it's possible for supervised devices.
2) If you want to semi-automate it, you can use the MDM protocol. As soon as a device is enrolled into the MDM server, the MDM server can issue an install application command and the user will be prompted to install the application. However, ultimately, he/she will decide whether to install it or not.
3) Making all of this happen when a user logs in to Enterprise WiFi could be even trickier. I would say you will need to have a captive portal. You will prompt a user to enroll into MDM on it when he/she connects to this WiFi. And as soon as a user is enrolled, you can install applications + set up client certificate authentication for Enterprise WiFi to distinguish devices which were and weren't enrolled in MDM.
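
The client-certificate approach from point 3, as an added example that is not part of the original answer: it builds a Wi-Fi configuration profile with Python's `plistlib` and audits whether the Wi-Fi payload relies on EAP-TLS with an identity certificate, next to a password-based PEAP profile. The SSID, the `com.example.corp` identifiers and the placeholder identity blob are assumptions; in a real deployment the identity would be issued to the device during MDM enrollment.

```python
import plistlib
import uuid

EAP_TLS = 13  # EAP type number for certificate-based EAP-TLS
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

def payload(ptype, identifier, **keys):
    """Keys common to every profile payload, plus type-specific ones."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper(), **keys}

def build_profile(ssid, eap, identity_p12=None, org="com.example.corp"):
    """Return .mobileconfig bytes: one Wi-Fi payload, optional identity."""
    content = []
    wifi = payload("com.apple.wifi.managed", org + ".wifi", SSID_STR=ssid,
                   EncryptionType="WPA2", EAPClientConfiguration=eap)
    if identity_p12 is not None:
        ident = payload("com.apple.security.pkcs12", org + ".identity",
                        PayloadContent=identity_p12)
        # The Wi-Fi payload points at the identity by its PayloadUUID.
        wifi["PayloadCertificateUUID"] = ident["PayloadUUID"]
        content.append(ident)
    content.append(wifi)
    return plistlib.dumps(payload("Configuration", org + ".profile",
                                  PayloadDisplayName="Enterprise Wi-Fi",
                                  PayloadContent=content))

def audit_wifi(profile_bytes):
    """List reasons the Wi-Fi payload cannot single out enrolled devices."""
    items = plistlib.loads(profile_bytes)["PayloadContent"]
    identities = {p["PayloadUUID"] for p in items
                  if p["PayloadType"] in IDENTITY_TYPES}
    findings = []
    for p in items:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if eap.get("AcceptEAPTypes") != [EAP_TLS]:
            findings.append("accepts EAP types other than EAP-TLS")
        if "UserPassword" in eap:
            findings.append("embeds a user password")
        if p.get("PayloadCertificateUUID") not in identities:
            findings.append("no identity certificate payload referenced")
    return findings

# Constructed sample inputs; the blob stands in for a real PKCS#12 identity.
CERT_PROFILE = build_profile("CorpNet", {"AcceptEAPTypes": [EAP_TLS]},
                             identity_p12=b"constructed-placeholder")
PASSWORD_PROFILE = build_profile("CorpNet", {
    "AcceptEAPTypes": [25],  # 25 = PEAP, username/password based
    "UserName": "alice", "UserPassword": "constructed"})
```

`audit_wifi(CERT_PROFILE)` returns an empty list, while `audit_wifi(PASSWORD_PROFILE)` reports all three findings, since a shared username and password says nothing about whether the device itself was enrolled.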

Related

Send command to iPhone under Mobile Device Management

Currently, our client's app is in the App Store, but they want to distribute it to schools and universities. Also, they want the student to be already logged in when he or she opens the app for the first time.
There is tons of info on the internet but it's hard for me to compile it into something clear. As far as I understood, first they should enroll in Apple School Manager and raise their own Mobile Device Management. Then devices should be registered on that server. After that, the server will be sending those commands link. Is that correct?
Also, concerning silent login: the only way to implement it that comes to my mind is to send a request with some specific data (but what?) at app launch, and if this is a device under Apple School Manager, then return a token.
P.S. I hope this is the correct place to ask this kind of question.

Why iOS MDM is the way it is?

I am developing an MDM Server for my office (around 20-25) so that we can push our company's iOS apps (only 2) to users' devices. We will not be managing the devices.
There are around 20-25 sub-offices around the globe and each has their own server (hosted only in intranet) and set of users. None of them intervene with one another.
The APNs Certificate way of MDM looks convenient to me.
I have looked at a few MDM providers. They ask each customer to create their own APNs certificate in the Apple Certificate Portal. Why can't the MDM providers have their own APNs certificate and use it to manage the devices of customers?
Can there be a centralized MDM Server which provides its SSL Certificate details, APNs Certificate details and Profile details for the .mobileconfig and also takes care of profile and app installation, so that users will connect to the centralized server and download the .mobileconfig, but the individual servers decide who should download the .mobileconfig and see the status of installation of apps on those particular devices?
Is this solution possible?
My company uses Airwatch and there is very little user setup. We download the Agent, tech department sends a qr code to email, user scans it, puts in their username and email for our network, and it just does all the setup. Then they can go to a catalog and download our applications. I develop these applications and have enrolled maybe a hundred devices and haven't had to do much of anything on the client side.
What you are saying would work if you change the phone's OS to check into this central MDM server. This would actually break Apple's streamlined way of doing this. Hate it or love it, APNS makes it so there is only one way of doing things.
iOS does not allow it but Android does.
You have to think like Apple to see why the MDM vendors have you make an APNS push certificate to give them. Say one day, your MDM server goes absolutely bonkers and starts sending commands every second to devices that make them unusable for users (constantly locking the screen or erasing devices every day). How can Apple prevent your rampant abuse of the MDM protocol that is ruining customer experience? Well, if they revoke the APNS certificate, you can't command your devices any more as the devices will never get notified there are new MDM commands, and the users will no longer be affected.
If there was an MDM vendor who had one APNS certificate for hundreds or thousands of different companies, the abuse by a single company could lead to Apple revoking the APNS certificate and now all those other companies are unable to use their MDM because of one abuser.

Is there a pre-built "push" iOS developer app in the app-store?

I'm building a server-side "push" notification capability for various (specific) iOS apps my company makes. I'm not a mobile developer. I understand there's a "p12" certificate I'd need, and that the mobile client must provide the "token" I use to initiate the push from the server.
Does anyone know if there's a pre-built developer/test iOS app in the store that will display a token, has a downloadable cert, etc., and will accept push notifications? I'd like to build the server-side out a bit before I try to plug in the real tokens/certs for my company's apps.
No, there isn't, but there are 2 separate environments, one for test and one for production.
Usually the app developer team should provide the certificates to the back end developer team.
Once you have your certificates you can integrate them in the backend.
Pay attention that certificates are app specific; they work only for a given identifier.
During test both teams should work together to see if everything works as expected.
Tokens can be tracked in different ways: in debug mode using a real device by printing them in the console log, or by using a particular configuration file. In both cases the device must be connected to Xcode.
You should ask the dev team if they can provide you a sample app that prints the token on the device screen and that just sends the token to the server, to make your experiments.

Install iOS app from iTunes by clicking a URL

I have a requirement where the user will tap a link (iTunes link of a free App) which he receives in an email on iPad. The App should get installed on the iPad, provided that the user is logged in to iTunes.
Please let me know, how to go about this.
If you pass a link to a user and they select it on their iPad (for example, in the format of https://itunes.apple.com/us/app/appname/id364304764?mt=8), they will be forwarded on to the App Store app, with the Application information page presented to them. The user will have to explicitly press "Free" then "Install" to install the application. At this point, they will probably have to enter their iTunes password to continue.
There is no way to circumvent this, everyone has to go through the same procedure to install an application; through the App Store*.
*Unless it's an Enterprise application, but they shouldn't be distributed to clients, as that'll break the enterprise service agreement.

How does TestFlightApp know what device I'm using via the web?

We use TestFlight to test our iOS App binaries internally and with beta testers.
When TestFlight sends out an email alert to a user that a test binary is available, the web page it sends them to automatically knows if the user is using a registered device, but it seems to figure this out while in Safari. How is it doing this?
It has to match up UDIDs that we've supplied to their tool (via their website), but I was under the impression that websites could not grab data like UDIDs. How is TestFlight figuring that out?
When registering a device with an account and installing the TestFlight profile, it then will store the UDID information it received via the profile installation process in a session (and probably a cookie) which then can be accessed from the same website URL. So whenever you go back to the website it checks for the stored information.
This is roughly how it is done, detailed implementation can only be answered by the developers.
