The MDM protocol is used to send device management commands to iPhone, iPad, and iPod touch devices running iOS 4 and later. Through the MDM service an IT administrator can inspect, install and remove profiles, remove passcodes, and begin a secure erase on a managed device.
The MDM protocol is built on top of HTTP, TLS, and push notifications. MDM uses APNS to deliver a "wake up" message to a managed device; the device then connects to a predetermined web service to retrieve commands and return results.
Let's see the steps that are required to make this whole thing work:
Configure an MDM Server
Typically, the MDM service needs to be deployed on an HTTPS server, which acts as the MDM server. Profiles containing the MDM payload are distributed to the managed devices through this HTTPS server. We can use Tomcat for this purpose. For the steps to configure Tomcat with HTTPS, please refer to the document TomcatAndHttps.doc.
Configure SSL/HTTPS:
- Distributing the public key
- Verifying the identity of the server so users know they aren't sending their information to the wrong server.
- Procure an SSL certificate from a trusted authority. An SSL certificate can only properly verify the identity of the server when a trusted third party signs it.
- Generate a self-signed SSL certificate. A self-signed certificate can also be used in a development environment. A self-signed certificate is one that is signed by itself rather than by a trusted authority. Since any attacker can create a self-signed certificate and launch a man-in-the-middle attack, a user can't know whether they are sending their encrypted information to the server or to an attacker. For this reason it is strictly recommended never to use a self-signed certificate on a public Java server (i.e. a production environment) that requires anonymous visitors to connect to your system.
Generate the .mobileconfig file
The .mobileconfig file can be generated and exported using iPCU (iPhone Configuration Utility). The three most important sections of iPCU for creating the .mobileconfig file are:
- MDM Payload
- Profile name: Name of the profile. E.g. AbcMDMProfile
- Identifier: Bundle identifier. Can be of the format com. ... E.g. com.mycompany.mymdmserver
- Organization: Name of the company. E.g. My Company Name Inc.
- Security: Specifies whether, and how, the device user may remove the configuration profile
- Always: User can remove the profile from the device. This is the preferred option for installing the profile on the device.
- With Authentication: User can delete the profile after entering the password that was set when the profile was created.
- Never: User cannot delete the profile.
Credentials: Specify the X.509 certificate to install on the device. Add the corporate certificate and any other certificates necessary to authenticate the device's access to the private network. This certificate is used to authenticate the client on the server side and to send/receive the commands, responses and acknowledgements. In the MDM payload (explained below) this certificate is used as the Identity field that identifies the client to the server.
URL: URL of the MDM server application. E.g. https://
Check In URL: This URL is automatically called by the iOS device, using HTTP POST only, once the profile is installed or uninstalled on the iOS device. E.g. https://
- Topic: The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the prefix com.apple.mgmt. The Topic field needs to contain the User ID (UID) listed in the Subject Name section of the APNS certificate described below.
- Identity: This is the client authentication certificate that the device uses to identify itself to the MDM server. It can be added in either of the following two ways:
- Add the certificate to the device using the Credentials pane
- Generate the client authentication certificate using OpenSSL
Create the APNS Certificate
The APNS certificate can only be generated using an MDM Vendor Apple enterprise developer account.
- Rename the server.p12 file that has been generated previously to vendor.p12.
- Log in to the iOS Dev Center (https://developer.apple.com) using the MDM Vendor Apple enterprise developer account.
- Navigate to iOS Provisioning Portal > Certificates > Others > Request Certificate > Choose File.
- Upload the server.csr file that has been generated previously.
- Select download to get the mdm.cer file.
- Apple WWDR intermediate Certificate can be downloaded from https://developer.apple.com/certificationauthority/AppleWWDRCA.cer.
- Apple Root Certificate can be downloaded from http://www.apple.com/appleca/AppleIncRootCertificate.cer.
- Convert mdm.cer, AppleWWDRCA.cer and AppleIncRootCertificate.cer to PEM format using the following commands (the openssl> prompt is the interactive OpenSSL shell):
- openssl>x509 -inform der -in mdm.cer -out mdm.pem
- openssl>x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
- openssl>x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
- openssl>genrsa -des3 -out customerPrivateKey.pem 2048
- openssl>req -new -key customerPrivateKey.pem -out customer.csr
- openssl>req -inform pem -outform der -in customer.csr -out customer.der
- openssl>x509 -noout -in mdm.pem -issuer -subject -dates
- Sample output:
- issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Application Integration Certification Authority
  subject= /UID=com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6/CN=APSP:13818cd9-434f-4216-9404-c412d3903eb6/C=US
  notBefore=Nov 6 08:44:27 2012 GMT
  notAfter=Nov 6 08:44:27 2013 GMT
- This UID value (com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6) shall be used in the Topic field of the MDM payload.
- openssl>rsa -in customerPrivateKey.pem -out PlainKey.pem
- cat MDM_companyName_Certificate.pem PlainKey.pem > PlainCert.pem (a shell command, not an OpenSSL one)
- openssl>pkcs12 -export -out mdmapnscertificate.pfx -inkey PlainKey.pem -in MDM_companyName_Certificate.pem
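As an added example (not code from this page, from iPCU or from Apple), the following Python script covers two steps the text above leaves to the reader: it parses the `openssl x509 -noout -issuer -subject -dates` output to pull the UID out of the subject and checks the com.apple.mgmt prefix and the validity window, then builds the MDM payload profile from that Topic using the MDM payload keys (Topic, ServerURL, CheckInURL, IdentityCertificateUUID, AccessRights) and the iPCU Security options described earlier. The URLs, identifiers, certificate UUID and removal password are constructed placeholders.

```python
import plistlib
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: the `openssl x509 -noout -issuer -subject -dates` output shown above.
OPENSSL_OUTPUT = """issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Application Integration Certification Authority
subject= /UID=com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6/CN=APSP:13818cd9-434f-4216-9404-c412d3903eb6/C=US
notBefore=Nov  6 08:44:27 2012 GMT
notAfter=Nov  6 08:44:27 2013 GMT
"""

# AccessRights bits (Apple MDM payload reference) for the four rights the introduction lists.
INSPECT_PROFILES, INSTALL_REMOVE_PROFILES, LOCK_AND_PASSCODE, ERASE = 1, 2, 4, 8

def topic_from_openssl(text, now):
    """Return the push topic (the subject UID) after checking its prefix and the validity window."""
    uid = re.search(r"/UID=([^/]+)", text)
    if not uid or not uid.group(1).startswith("com.apple.mgmt"):
        raise ValueError("subject has no UID with the com.apple.mgmt prefix")
    bounds = []
    for key in ("notBefore", "notAfter"):
        raw = re.search(key + r"=(.+)", text).group(1).strip()
        bounds.append(datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc))
    if not bounds[0] <= now <= bounds[1]:
        raise ValueError("APNS certificate is not valid at %s" % now.date())
    return uid.group(1)

def mdm_profile(topic, server_url, check_in_url, identity_uuid, security="Always", removal_password=None):
    """Build the .mobileconfig as a dict: the MDM payload plus, for 'With Authentication', a removal password."""
    if not (server_url.startswith("https://") and check_in_url.startswith("https://")):
        raise ValueError("ServerURL and CheckInURL must use https")
    mdm = {"PayloadType": "com.apple.mdm", "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()).upper(),
           "PayloadIdentifier": "com.mycompany.mymdmserver.mdm",  # constructed identifier
           "Topic": topic, "ServerURL": server_url, "CheckInURL": check_in_url,
           "IdentityCertificateUUID": identity_uuid,  # PayloadUUID of the Credentials (PKCS#12) payload
           "AccessRights": INSPECT_PROFILES | INSTALL_REMOVE_PROFILES | LOCK_AND_PASSCODE | ERASE}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadIdentifier": "com.mycompany.mymdmserver", "PayloadDisplayName": "AbcMDMProfile",
               "PayloadOrganization": "My Company Name Inc.",
               "PayloadRemovalDisallowed": security == "Never",  # the iPCU 'Never' option
               "PayloadContent": [mdm]}
    if security == "With Authentication":
        profile["PayloadContent"].append({"PayloadType": "com.apple.profileRemovalPassword", "PayloadVersion": 1,
                                          "PayloadUUID": str(uuid.uuid4()).upper(), "RemovalPassword": removal_password,
                                          "PayloadIdentifier": "com.mycompany.mymdmserver.removal"})
    return profile

def to_mobileconfig(profile):
    return plistlib.dumps(profile)  # XML plist bytes, ready to be served as AbcMDMProfile.mobileconfig
</test>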
Sending MDM Commands to iOS Devices
An iOS device gets notified that it has to poll for MDM commands by an Apple Push Notification. Many open source libraries (e.g. JavaPNS) are available to send push notifications. The APNS certificate is used to send the push notification.
Flow to Send MDM Commands:
The certificate for this server is invalid. You might be connecting to a server that is pretending to be “