We have an app that needs to read from com.apple.configuration.managed when it is installed from our MDM server, JAMF. This works perfectly fine.
The problem scenario is:
The MDM data persists if a user downloads the app from JAMF, uninstalls, then reinstalls from TestFlight or the App Store. When the user reinstalls from TestFlight or the App Store, the app still reads the old data from com.apple.configuration.managed.
Is there a way to check if the device is actually connected to an MDM server? That way it won't read from the configuration profile if it's not.
Many of the MDM vendors have iOS SDKs that you can add to your app that will allow the app to communicate with the MDM and verify whether the device is enrolled. I do not have any experience with JAMF and a quick Google search did not return anything promising.
Some of the MDM vendors have gotten creative in how their App SDK communicates with the MDM to identify the device that the app is running on now that iOS 7 makes it impossible for the app to obtain the device's UDID.
That being said, the best solution I can think of would be to have the MDM push down the device's UDID to the app in the managed config (com.apple.configuration.managed) and then use a web service call back to the MDM to query whether the device is currently enrolled.
Then in your app you would simply check for the existence of the managed config, and if it exists pull out the UDID and make a web service call to your MDM to determine whether the device is enrolled.
Related
I wonder if it is possible to force an iOS Device to download an app.
I have a 1-year Apple Developer Account and I can create profiles.
I heard that if users install your configuration profile you can perform some actions.
Now I thought, instead of connecting a device over USB to a PC and loading an IPA onto the device, to force a device UDID (with an installed profile) to download an app without it having to be connected to a PC.
You cannot do this with a normal app.
However you may want to look into:
Enterprise apps. If you distribute an enterprise app and set up MDM (mobile device management), you can push an app to a device.
MDM: if you own the set of devices, you can set up mobile device management on them and push app updates.
You could look at solutions like rollout.io which provide a wrapper for the JS bridge into iOS to allow you to deploy simple updates and bug fixes to a live app.
You cannot force-push an app or update to a live App Store user.
I asked a question recently about whether I can have parental control over iOS devices.
The link to the question is below:
Is it possible to write a parental control app for iOS?
A senior developer answered and said this is not possible to do without jailbreak.
But I found an app named "OurPact" and by using that I can control any other device. How can they have parental control if this is not possible in iOS?
OurPact uses the Mobile Device Management (MDM) protocol, which provides a way to tell a device to execute certain management commands remotely. The way it works is straightforward.
During installation:
The user or administrator tells the device to install an MDM payload.
The device connects to the check-in server. The device presents its identity certificate for authentication, along with its UDID and push notification topic.
If the server accepts the device, the device provides its push notification device token to the server. The server should use this token to send push messages to the device. This check-in message also contains a PushMagic string. The server must remember this string and include it in any push messages it sends to the device.
During normal operation:
The server (at some point in the future) sends out a push notification to the device.
The device polls the server for a command in response to the push notification.
The device performs the command.
The device contacts the server to report the result of the last command and to request the next command.
Access Rights
Allow inspection of installed configuration profiles.
Allow installation and removal of configuration profiles.
Allow device lock and passcode removal.
Allow device erase.
Allow query of Device Information (device capacity, serial number).
Allow query of Network Information (phone/SIM numbers, MAC addresses).
Allow inspection of installed provisioning profiles.
Allow installation and removal of provisioning profiles.
Allow inspection of installed applications.
Allow restriction-related queries.
Allow security-related queries.
Allow manipulation of settings. Availability: Available in iOS 5.0 and later.
Allow app management. Availability: Available in iOS 5.0 and later.
About Mobile Device Management
The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, macOS devices running macOS v10.7 and later, and Apple TV devices running iOS 7 (Apple TV software 6.0) and later. Through the MDM service, an IT administrator can inspect, install, or remove profiles; remove passcodes; and begin secure erase on a managed device.
The MDM protocol is built on top of HTTP, transport layer security (TLS), and push notifications. The related MDM check-in protocol provides a way to delegate the initial registration process to a separate server.
MDM uses the Apple Push Notification Service (APNS) to deliver a “wake up” message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.
To provide MDM service, your IT department needs to deploy an HTTPS server to act as an MDM server, then distribute profiles containing the MDM payload to your managed devices.
A managed device uses an identity to authenticate itself to the MDM server over TLS (SSL). This identity can be included in the profile as a Certificate payload or it can be generated by enrolling the device with SCEP.
Ref:
Here is the complete guide on how to create a verified iOS Mobile Device Management (MDM) profile/certificate.
Official Apple document about MDM
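The check-in and command exchange described in this answer, modelled from the server's side as an added Python example (this is not code from the original post, from Apple or from OurPact). It also decodes the Access Rights list above as the bitmask the MDM payload carries: Apple assigns the thirteen rights the values 1, 2, 4, ... 4096 in the order listed, and the payload's AccessRights integer is the OR of the granted bits. The class names, the sample UDID, topic, token and PushMagic are all constructed; a real server additionally verifies the TLS client identity from the profile and actually sends the push to APNs.

```python
# Server-side model of the MDM check-in and command flow described above.
# Added example (not Apple's, OurPact's or the poster's code). Class names,
# the sample UDID, topic, token and PushMagic are constructed; a real server
# also verifies the TLS client identity from the profile and talks to APNs.
import plistlib
import uuid
from dataclasses import dataclass, field
from typing import Optional

# AccessRights bits of the MDM payload, in the order Apple lists the rights;
# the payload value is the OR of the granted bits.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}


def decode_access_rights(mask: int) -> list:
    """Expand an AccessRights integer into the rights it grants; reject unknown bits."""
    if mask < 0 or mask & ~sum(ACCESS_RIGHTS):
        raise ValueError(f"unknown AccessRights bits in {mask}")
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


@dataclass
class Device:
    udid: str
    topic: str
    token: bytes = b""
    push_magic: str = ""
    pending: list = field(default_factory=list)    # queued command plists
    inflight: Optional[dict] = None                # sent, not yet acknowledged
    results: dict = field(default_factory=dict)    # CommandUUID -> device reply


class MdmServer:
    def __init__(self) -> None:
        self.devices = {}

    def check_in(self, body: bytes) -> int:
        """Check-in endpoint; returns the HTTP status the server would answer with."""
        msg = plistlib.loads(body)
        kind, udid = msg.get("MessageType"), msg.get("UDID")
        if kind == "Authenticate":
            if not udid or not msg.get("Topic"):
                return 400
            self.devices[udid] = Device(udid=udid, topic=msg["Topic"])
            return 200
        dev = self.devices.get(udid)
        if dev is None:
            return 401                              # TokenUpdate/CheckOut from a stranger
        if kind == "TokenUpdate":
            if not msg.get("Token") or not msg.get("PushMagic"):
                return 400
            dev.token, dev.push_magic = msg["Token"], msg["PushMagic"]
            return 200
        if kind == "CheckOut":
            del self.devices[udid]
            return 200
        return 400

    def queue(self, udid: str, command: dict) -> str:
        """Queue a command; the device only asks for it after the next push."""
        cmd_uuid = str(uuid.uuid4()).upper()
        self.devices[udid].pending.append({"CommandUUID": cmd_uuid, "Command": command})
        return cmd_uuid

    def push(self, udid: str) -> dict:
        """The APNs wake-up: device token, the device's topic, {"mdm": PushMagic}."""
        dev = self.devices[udid]
        if not dev.token or not dev.push_magic:
            raise RuntimeError("device has not completed TokenUpdate")
        return {"topic": dev.topic, "token": dev.token.hex(), "payload": {"mdm": dev.push_magic}}

    def command(self, body: bytes) -> tuple:
        """Command endpoint: device reports Status of the last command, gets the next."""
        msg = plistlib.loads(body)
        dev = self.devices.get(msg.get("UDID"))
        if dev is None:
            return 401, b""
        if dev.inflight and msg.get("CommandUUID") == dev.inflight["CommandUUID"]:
            if msg.get("Status") == "NotNow":       # device busy; resend on a later poll
                return 200, b""
            dev.results[dev.inflight["CommandUUID"]] = msg   # Acknowledged or Error
            dev.inflight = None
        if dev.inflight is None and dev.pending:
            dev.inflight = dev.pending.pop(0)
        return 200, (plistlib.dumps(dev.inflight) if dev.inflight else b"")


def run_demo() -> dict:
    """One constructed device: enrol, push, DeviceInformation command, acknowledgement."""
    server, out = MdmServer(), {}
    udid, topic = "EXAMPLE-UDID-0001", "com.apple.mgmt.External.example"
    out["authenticate"] = server.check_in(plistlib.dumps(
        {"MessageType": "Authenticate", "Topic": topic, "UDID": udid}))
    out["token_update"] = server.check_in(plistlib.dumps(
        {"MessageType": "TokenUpdate", "Topic": topic, "UDID": udid,
         "Token": bytes.fromhex("0a0b0c0d"), "PushMagic": "EXAMPLE-PUSH-MAGIC"}))
    cmd_uuid = server.queue(udid, {"RequestType": "DeviceInformation",
                                   "Queries": ["SerialNumber"]})
    out["push"] = server.push(udid)
    sent = plistlib.loads(server.command(plistlib.dumps({"Status": "Idle", "UDID": udid}))[1])
    out["sent"] = (sent["CommandUUID"] == cmd_uuid, sent["Command"]["RequestType"])
    out["after_ack"] = server.command(plistlib.dumps(
        {"Status": "Acknowledged", "UDID": udid, "CommandUUID": cmd_uuid,
         "QueryResponses": {"SerialNumber": "EXAMPLESERIAL"}}))
    out["serial"] = server.devices[udid].results[cmd_uuid]["QueryResponses"]["SerialNumber"]
    out["stranger"] = server.command(plistlib.dumps({"Status": "Idle", "UDID": "UNKNOWN"}))[0]
    return out
```

Two points worth noting from the model: the push carries nothing but the PushMagic, so an attacker who can reach APNs learns no command content, and everything sensitive rides the TLS session the device opens to the command endpoint, which is why the device's identity certificate (or SCEP-enrolled identity) is the real authentication; and an unknown UDID on the command endpoint gets 401 rather than a command, which is the check a server must make before answering any device.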
I'm researching MDM in iOS, and found information about Apple's native iOS mobile device management. Once the device is enrolled into an MDM server, the server can manage the device by sending commands. I tested on an MDM server and saw that without installing an MDM agent app on the device, the server can still send profiles and apply policies to the device.
Could anyone help me to address:
Is Apple’s native iOS mobile device management built inside the iOS itself?
Can the MDM server manage the device (install apps, disable camera, iTunes...) without installing an MDM agent app?
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
Do I need an enterprise account to use iOS MDM service?
Where can I find documents about MDM API and how to use it?
Is Apple’s native iOS mobile device management built inside the iOS itself?
Yes - as of iOS 4, devices became MDM-capable.
Can the MDM server manage the device (install apps, disable camera, iTunes...) without installing an MDM agent app?
Yes. The only thing an MDM Agent app will get you is the ability to report back on the device's IP address / network information, custom logging, etc. By default iOS does not allow for "tracking" a user's network details.
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
This is what I refer to as "the circle of hell". Your MDM sends command/installation packets to the APNs server, the APNs server tells the device it has a pending command from the MDM, the device reaches out to the MDM for its instructions and acknowledges. My nickname is for the trouble it takes to get firewall permissions setup in large enterprises.
Do I need an enterprise account to use the iOS MDM service? Where can I find documents about the MDM API and how to use it?
To use an MDM service you do not need an Enterprise account. To create an MDM service and access its documentation you do need an Enterprise account at $299/year.
Yes.
N/A, as the 'agent' is already built into iOS.
To manage a device by MDM, the device must be enrolled manually first. During the enrollment process, a configuration file will be installed on the device containing the MDM server's information. The MDM framework also makes use of push notifications to communicate with the device.
Yes. In addition, you also need the ability to generate MDM Vendor Certificate on Apple's Developer Portal.
Is Apple's native iOS mobile device management built inside iOS itself?
Yes, Apple has a secured mdm-client bundled in each Apple product. We can make use of the client upon enrolling. There is supervised enrollment, where mdm-client can perform more privileged tasks.
Can the MDM server manage the device (install apps, disable camera, iTunes...) without installing an MDM agent app?
Yes. Once the device is enrolled you can apply restrictions on iOS and macOS, install apps silently using VPP, etc. Refer to Configuration-Profile-Reference.pdf page 67 for the list of all restrictions.
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
Like iOS apps, mdm-client responds to notifications through APNS. The server in which the device is enrolled will have the push-magic string, the device token and the topic the device listens to; these help the server notify the device. The device will then ping the server. I have attached the official MDM guide that you can refer to for more details.
Do I need an enterprise account to use iOS MDM service?
Here you have two options. If you want to build your own MDM solution then, like I said before, you would need to notify the device so that it contacts your MDM server upon enrollment. Similar to building an iOS app, you need a developer account to create an APNS certificate (refer here) to notify the default mdm-client.
Or, if you just wish to manage your devices, you do not require a developer certificate. MDM vendors would use their certificate for signing, and you would need an Apple ID account to upload the certificate provided by your MDM to notify devices.
Where can I find documents about MDM API and how to use it?
Refer to the links below to get started with MDM. Comment your queries for any help.
1. Setting up MDM and MDM Protocol
2. Restrictions and other MDM profiles
3. Apple business manager
I am trying to develop an enterprise environment where the specified app in the App Store gets installed on all the iOS devices connected to the company infrastructure, which has a Windows-based AD to verify the users.
I went through various materials, and I found over-the-air profile delivery and a few other methods like MDM to push the configuration. But it seems only the configuration can be pushed using these features.
In Apple Configurator and iPhone Configuration Utility, the devices should be connected to the computer physically. I would like to install the app on all the company-owned devices (around 1000 devices) without asking any permission from the user. Is there any way to do this?
You can't take over people's devices without their permission. Nor can you stealth-install an app. You can use MDM to register devices on which you can do this, but they need to be registered first. Apple is currently making MDM features more powerful for the Enterprise environment. As an Enterprise developer, you don't have to use the app store for your app - you can distribute it over your own web server. So even if you go the MDM route, you'll have to register those 1000 devices first. Once you do that, you have a lot more control.
Accessing the device uniqueIdentifier is deprecated in iOS 7. There is the Vendor ID as an identifier, but it is erased with removal of the last app for that Team ID. Is there anything else used by MDM systems?
Actually, iOS MDM is purely a server technology, meaning that the MDM client is integrated into iOS. What you may have seen are some MDM bootstrap applications which are installed on the iOS device. However, all they do is trigger device configuration (installation of the MDM config profile).
However, as part of the MDM protocol, you can get the UDID of the device (using the DeviceInformation command). But you can only get it on the server (not in your iOS app).
Many posts indicate that there is no Apple-approved standard way of doing this anymore. "Unique identifier for an iPhone app" is a good read about this. However, further down in the answers on that page, there is a note on how the same effect can be achieved using SSKeychain for persisting a self-generated UUID even across app reinstalls and multiple apps.
In AirWatch, devices are enrolled through an identification process on the device. That way, AirWatch gets all the characteristics of the device (type, OS, serial number, UDID, ...).
Your best bet is to leverage your MDM's capabilities to back-feed any purely unique identifier (i.e. serial, UDID) on the device into your app layer. For instance, AirWatch allows you, upon installation/deployment of your app, to bundle dynamic identifiers per the device installing the app via Managed App Config. It will send a key to the device containing its own UDID, serial, etc.
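Both this answer and the first answer on this page (push the device's UDID down in the managed app config, then have the app ask the MDM whether that UDID is still enrolled) come down to the same server-side pieces, shown here as an added Python example that is not JAMF's, AirWatch's or either poster's code. The `Settings` command with an `ApplicationConfiguration` item is the documented MDM way to deliver per-app configuration, and iOS exposes its `Configuration` dictionary to the app under com.apple.configuration.managed; the registry class, the configuration keys (deviceUDID, deviceSerial, enrollmentCheckURL), the bundle identifier and all sample values are constructed for illustration, and `is_enrolled` stands in for the HTTPS call the app would make:

```python
# Server-side half of "push the UDID into managed app config, then ask the MDM
# whether it is still enrolled". Added example; not JAMF's, AirWatch's or the
# posters' code. Registry class, config keys and sample values are constructed.
import plistlib
import uuid
from typing import Optional


class EnrollmentRegistry:
    """Stands in for the MDM's device database behind the enrollment-check web service."""

    def __init__(self) -> None:
        self._devices = {}                           # UDID -> serial number

    def enroll(self, udid: str, serial: str) -> None:
        self._devices[udid] = serial

    def unenroll(self, udid: str) -> None:
        self._devices.pop(udid, None)

    def is_enrolled(self, udid: str) -> bool:
        return udid in self._devices

    def managed_config_command(self, bundle_id: str, udid: str, check_url: str) -> bytes:
        """MDM `Settings` command carrying per-app configuration. iOS hands the
        `Configuration` dict to the app under com.apple.configuration.managed."""
        if not self.is_enrolled(udid):
            raise KeyError(f"{udid} is not enrolled")
        configuration = {
            "deviceUDID": udid,                      # the back-fed identifier
            "deviceSerial": self._devices[udid],
            "enrollmentCheckURL": check_url,         # where the app asks "still enrolled?"
        }
        return plistlib.dumps({
            "CommandUUID": str(uuid.uuid4()).upper(),
            "Command": {
                "RequestType": "Settings",
                "Settings": [{
                    "Item": "ApplicationConfiguration",
                    "Identifier": bundle_id,
                    "Configuration": configuration,
                }],
            },
        })


def configuration_seen_by_app(command: bytes, bundle_id: str) -> Optional[dict]:
    """What the app would read back: the `Configuration` dict addressed to its own
    bundle identifier, or None when the command carries nothing for it."""
    cmd = plistlib.loads(command)["Command"]
    for setting in cmd.get("Settings", []):
        if setting.get("Item") == "ApplicationConfiguration" \
                and setting.get("Identifier") == bundle_id:
            return setting.get("Configuration")
    return None


def app_decision(managed_config: Optional[dict], registry: EnrollmentRegistry) -> str:
    """The app's rule: trust the managed config only if the MDM still says the device
    is enrolled. `registry.is_enrolled` stands in for the HTTPS call to
    enrollmentCheckURL, sending the UDID found in the config."""
    if not managed_config:
        return "unmanaged"                           # nothing under com.apple.configuration.managed
    udid = managed_config.get("deviceUDID")
    if not isinstance(udid, str) or not udid:
        return "config-without-udid"                 # cannot verify, so treat as unmanaged
    if registry.is_enrolled(udid):
        return "managed"
    return "stale"                                   # leftover config from an earlier MDM install


def run_demo() -> dict:
    """Enrolled device gets the config, is then unenrolled; the cached config goes stale."""
    registry = EnrollmentRegistry()
    registry.enroll("EXAMPLE-UDID-0001", "EXAMPLESERIAL")
    cmd = registry.managed_config_command(
        "com.example.app", "EXAMPLE-UDID-0001", "https://mdm.example.com/api/enrolled")
    cfg = configuration_seen_by_app(cmd, "com.example.app")
    out = {"config": cfg, "while_enrolled": app_decision(cfg, registry)}
    registry.unenroll("EXAMPLE-UDID-0001")
    out["after_unenroll"] = app_decision(cfg, registry)   # same cached config, now stale
    out["no_config"] = app_decision(None, registry)
    out["other_app"] = configuration_seen_by_app(cmd, "com.example.other")
    return out
```

The value the app finds under com.apple.configuration.managed is just a string that survived on the device; the decision is only as good as the answer from the enrollment endpoint, so that endpoint should require its own authentication (a per-app token or client certificate, not the UDID alone) and should be the thing you rate-limit and log, since anyone holding a stale config can query it.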