The MDM protocol is used to send device management commands to iPhone, iPad, and iPod touch devices running iOS 4 and later. Through the MDM service an IT administrator can inspect, install, and remove profiles; remove passcodes; and begin a secure erase of a managed device.
The MDM protocol is built on top of HTTP, TLS, and push notifications. MDM uses APNS to deliver a "wake up" message to a managed device; the push itself carries no command. The device then connects to a predetermined web service (the server URL in its MDM profile) to retrieve commands and return results.
Let's see the steps required to make this whole thing work:
Configure an MDM Server
Typically, the MDM service is deployed on an HTTPS server that acts as the MDM server; the profiles containing the MDM payload are distributed to the managed devices through this HTTPS server. Tomcat Server can be used for this purpose. For the steps to configure Tomcat with HTTPS, refer to the document TomcatAndHttps.doc.
Configure SSL/HTTPS:
Note that configuring an HTTPS server needs an SSL certificate. The SSL certificate serves two essential purposes:
- Distributing the server's public key
- Verifying the identity of the server, so users know they aren't sending their information to the wrong server.
An SSL certificate can be arranged in the following ways:
- Procure an SSL certificate from a trusted authority. An SSL certificate can only properly verify the identity of the server when a trusted third party signs it.
- Generate a self-signed SSL certificate. A self-signed certificate is one that is signed by its own key rather than by a trusted authority; it can be used in a development environment. Since any attacker can create a self-signed certificate and mount a man-in-the-middle attack, a user cannot tell whether they are sending their encrypted information to the server or to an attacker. For this reason, never use a self-signed certificate on a public Java server (i.e. a production environment) that anonymous visitors connect to. For MDM this matters directly: the device refuses to enrol against a server certificate it does not trust (see Error #1 under Troubleshooting).
Configuring FQDN:
An MDM server can be identified and reached by iOS only by FQDN (Fully Qualified Domain Name). Hence an FQDN must be configured for the MDM server, and the server certificate must be issued for that name.
Generate .mobileconfig file
The .mobileconfig file can be generated and exported using iPCU (iPhone Configuration Utility). The three most important sections of iPCU for creating the .mobileconfig file are:
- General
- Credentials
- MDM Payload
General:
- Profile name: Name of the profile. E.g. AbcMDMProfile
- Identifier: Bundle identifier in reverse-DNS format. E.g. com.mycompany.mymdmserver
- Organization: Name of the company. E.g. My Company Name Inc.
- Security: Specifies whether the device user may remove the configuration profile:
- Always: User can remove the profile from the device. This is the option to use for a profile carrying an MDM payload (see Error #2 under Troubleshooting).
- With Authentication: User can delete the profile only after entering the password set when the profile was created.
- Never: User cannot delete the profile.
Credentials:
Specify the X.509 certificate to install on the device. Add the corporate certificate and any other certificates necessary to authenticate the device's access to the private network. This certificate is used to authenticate the client on the server side (TLS client authentication) when sending and receiving commands, responses and acknowledgements. In the MDM payload (explained below) it is referenced by the Identity field, which identifies the client to the server.
MDM Payload:
- Server URL: URL of the MDM server application. E.g. https://<FQDN>/iOSMdm
- Check In URL: The iOS device calls this URL automatically, using HTTP PUT (not POST), when the profile is installed and, if the payload asks for a check-out, when it is removed. E.g. https://<FQDN>/iOSMdm/checkin
- Topic: The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must carry the same topic in its subject: the Topic field must contain the UID listed in the Subject Name of the APNS certificate (see below), and it must begin with the prefix com.apple.mgmt.
- Identity: This is the client authentication certificate that the device uses to identify itself to the MDM server. It can be added in the following two ways:
- Add the certificate to the device using the Credentials pane
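iPCU builds the three panes above into one property list. The following added example (not code from the original page, and not iPCU's output) assembles the same profile with Python's plistlib and then checks the constraints this page states: the MDM payload must be removable (the Error #2 case under Troubleshooting), the topic must start with com.apple.mgmt, both URLs must be HTTPS, and the Identity must point at a certificate that is actually in the profile. The FQDN, identifier, PKCS#12 bytes and password are constructed placeholders; the key names are Apple's documented profile keys.

```python
"""Build and sanity-check an MDM enrollment profile (.mobileconfig) without iPCU.
Added example; the FQDN, identifier, PKCS#12 bytes and password are placeholders."""
import plistlib
import uuid

SERVER_FQDN = "mdm.example.com"                 # assumed server name
PROFILE_IDENTIFIER = "com.example.mymdmserver"  # assumed identifier
# Topic taken from the sample certificate subject shown later on the page.
TOPIC = "com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6"
FAKE_P12 = b"\x30\x82\x00\x00"   # stand-in for the exported identity .p12
P12_PASSWORD = "changeit"        # password of that .p12 (placeholder)
ALL_RIGHTS = 8191                # every AccessRights bit set; narrow this in production
REMOVABLE_ERROR = "A profile containing an MDM payload must be removable"


def new_uuid():
    return str(uuid.uuid4()).upper()


def identity_payload(p12_bytes, password):
    """Credentials pane: the PKCS#12 identity the device presents to the server."""
    return {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_IDENTIFIER + ".identity",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "MDM device identity",
        "PayloadCertificateFileName": "identity.p12",
        "PayloadContent": p12_bytes,     # serialised as <data>
        "Password": password,
    }


def mdm_payload(server_fqdn, topic, identity_uuid, access_rights=ALL_RIGHTS):
    """MDM Payload pane: Server URL, Check In URL, Topic and Identity."""
    return {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_IDENTIFIER + ".mdm",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "MDM",
        "ServerURL": "https://%s/iOSMdm" % server_fqdn,
        "CheckInURL": "https://%s/iOSMdm/checkin" % server_fqdn,
        "Topic": topic,
        "IdentityCertificateUUID": identity_uuid,  # the Identity field: points at the pkcs12 payload
        "AccessRights": access_rights,
        "CheckOutWhenRemoved": True,               # device checks out when the profile is removed
    }


def build_profile(server_fqdn, topic, p12_bytes, password, removable=True):
    """General pane: name, identifier, organisation and the Security setting."""
    identity = identity_payload(p12_bytes, password)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_IDENTIFIER,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "AbcMDMProfile",
        "PayloadOrganization": "My Company Name Inc.",
        "PayloadRemovalDisallowed": not removable,   # Security "Always" -> False, "Never" -> True
        "PayloadContent": [identity, mdm_payload(server_fqdn, topic, identity["PayloadUUID"])],
    }


def validate_profile(profile):
    """Return the reasons a device would refuse this profile (empty list = OK)."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    mdm = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm) != 1:
        return ["profile must contain exactly one com.apple.mdm payload"]
    mdm = mdm[0]
    if profile.get("PayloadRemovalDisallowed"):
        problems.append(REMOVABLE_ERROR)
    if not str(mdm.get("Topic", "")).startswith("com.apple.mgmt."):
        problems.append("Topic must begin with com.apple.mgmt")
    for key in ("ServerURL", "CheckInURL"):
        if not str(mdm.get(key, "")).startswith("https://"):
            problems.append("%s must be an https:// URL" % key)
    identity_uuids = {p.get("PayloadUUID") for p in payloads
                      if p.get("PayloadType") == "com.apple.security.pkcs12"}
    if mdm.get("IdentityCertificateUUID") not in identity_uuids:
        problems.append("IdentityCertificateUUID does not match a pkcs12 payload in the profile")
    return problems


def to_mobileconfig(profile):
    """Serialise to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_mobileconfig(data):
    return plistlib.loads(data)
```

A profile produced this way is unsigned; iPCU can sign it, and a signed profile shows as "Verified" on the device, but signing does not change the checks above.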
Generation of Client Authentication Certificate using OpenSSL
The following steps generate a key pair and a self-signed certificate and package them as a PKCS#12 file. Execute the commands in sequence.
Set the OPENSSL_CONF environment variable to the path of openssl.cfg, e.g. for a Windows environment:
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
Navigate to the OpenSSL directory and start openssl.exe, e.g. for a Windows environment:
cd C:\OpenSSL-Win32\bin
C:\OpenSSL-Win32\bin>openssl.exe
OpenSSL> genrsa -out server.key 2048
OpenSSL> req -new -key server.key -out server.csr
The req command prompts for the subject fields of the certificate:
COUNTRY: two-letter country code
STATE: state or province
CITY: locality
ORGN: organization name
OU: organizational unit
CN: common name; for the HTTPS certificate this must be the FQDN of the MDM server, since iOS reaches the server by that name and checks it against the certificate
Email: contact e-mail address
PSW: optional challenge password
OpenSSL> x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
OpenSSL> pkcs12 -export -inkey server.key -in server.crt -out server.p12
The last command packages the private key and certificate into server.p12 and prompts for an export password; keep that password, it is needed wherever the file is imported. This server.p12 file shall be used as the CA certificate. Also, this server.p12 file shall be used to configure HTTPS in the MDM server (explained earlier). Note that the certificate is self-signed, so the device will not trust it until it has been installed on the device (see the Credentials section and Error #1 under Troubleshooting).
Create APNS Certificate
An APNS certificate can only be generated using an MDM vendor Apple enterprise developer account.
- Rename the server.p12 file generated previously to vendor.p12.
- Log in to the iOS Dev Center (https://developer.apple.com) using the MDM vendor Apple enterprise developer account.
- Navigate to iOS Provisioning Portal > Certificates > Others > Request Certificate > Choose File.
- Upload the server.csr file generated previously.
- Select Download to get the mdm.cer file.
- The Apple WWDR intermediate certificate can be downloaded from https://developer.apple.com/certificationauthority/AppleWWDRCA.cer.
- The Apple root certificate can be downloaded from http://www.apple.com/appleca/AppleIncRootCertificate.cer.
- Convert mdm.cer, AppleWWDRCA.cer and AppleIncRootCertificate.cer to PEM format using the following commands:
OpenSSL> x509 -inform der -in mdm.cer -out mdm.pem
OpenSSL> x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
OpenSSL> x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
- Generate the MDM certificate request for the MDM server, acting as a customer, using the following commands:
OpenSSL> genrsa -des3 -out customerPrivateKey.pem 2048
OpenSSL> req -new -key customerPrivateKey.pem -out customer.csr
OpenSSL> req -inform pem -outform der -in customer.csr -out customer.der
- A Java program to generate the encoded plist can be downloaded from http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning. This program requires the alias of the vendor.p12 file generated in step 1. To list the alias, execute the following command, using the password of vendor.p12 in place of 123456:
keytool -list -keystore vendor.p12 -storepass 123456 -storetype PKCS12 -v
The files customer.der, intermediate.pem, mdm.pem, root.pem and vendor.p12 are needed to generate the encoded plist. Place all these files beside the downloaded Test.class file.
- Running the downloaded code generates two files, plist.xml and plist_encoded.txt, beside the src folder.
- Upload plist_encoded.txt at https://identity.apple.com/pushcert/ (plist.xml is just for reference): navigate to Create a Certificate > accept the terms and conditions by clicking the check box > Choose File > upload plist_encoded.txt.
- Once the upload is completed, download the APNS certificate, which has a name of the form MDM_<company name>_Certificate.pem.
- View the details of this certificate using the following openssl command:
OpenSSL> x509 -noout -in MDM_<company name>_Certificate.pem -issuer -subject -dates
- Sample output:
issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Application Integration Certification Authority
subject= /UID=com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6/CN=APSP:13818cd9-434f-4216-9404-c412d3903eb6/C=US
notBefore=Nov 6 08:44:27 2012 GMT
notAfter=Nov 6 08:44:27 2013 GMT
- The UID value (com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6) is the value for the Topic field of the MDM payload. Note the notAfter date: the push certificate is valid for one year and must be renewed before it expires, or the server can no longer wake devices.
- Remove the passphrase from customerPrivateKey.pem using the following command:
OpenSSL> rsa -in customerPrivateKey.pem -out PlainKey.pem
- Merge the APNS certificate (PEM) and PlainKey.pem using the following shell command (not an openssl subcommand):
cat MDM_<company name>_Certificate.pem PlainKey.pem > PlainCert.pem
- Package the certificate and key as a .pfx using the following command:
OpenSSL> pkcs12 -export -out mdmapnscertificate.pfx -inkey PlainKey.pem -in MDM_<company name>_Certificate.pem
- Double-clicking the PFX file adds it to Keychain Access, from which it can be exported in p12 format.
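The openssl output above is what an operator reads off by hand to fill in the Topic field. The following added example (not code from the original page or from any MDM product) does that step programmatically: it parses the issuer, subject and validity lines that `openssl x509 -noout -issuer -subject -dates` prints, extracts the UID that becomes the Topic, and refuses certificates that are not Apple-issued push certificates or are outside their validity window, with a warning when renewal is due. SAMPLE_OUTPUT is the sample output from the page; the 30-day renewal window is an assumed operational threshold.

```python
"""Extract the MDM Topic from the downloaded APNS push certificate and check it.
Added example; SAMPLE_OUTPUT is the page's sample, RENEWAL_WINDOW_DAYS is assumed."""
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Application Integration Certification Authority
subject= /UID=com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6/CN=APSP:13818cd9-434f-4216-9404-c412d3903eb6/C=US
notBefore=Nov  6 08:44:27 2012 GMT
notAfter=Nov  6 08:44:27 2013 GMT
"""

TOPIC_PREFIX = "com.apple.mgmt."
RENEWAL_WINDOW_DAYS = 30   # assumed: warn when less than this remains


def parse_x509_text(text):
    """'issuer= /C=US/...' lines -> {'issuer': '/C=US/...', 'notAfter': '...'}."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_dn(dn):
    """OpenSSL's legacy one-line name '/C=US/O=Apple Inc./CN=x' -> dict.
    Apple's names contain no escaped '/' characters, so a plain split suffices."""
    parts = {}
    for rdn in dn.strip().lstrip("/").split("/"):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts


def parse_openssl_date(text):
    """'Nov  6 08:44:27 2012 GMT' (day padded with a space) -> aware UTC datetime."""
    words = text.split()
    if words and words[-1] == "GMT":
        words = words[:-1]
    naive = datetime.strptime(" ".join(words), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def push_topic(x509_text):
    """The value to put in the Topic field of the MDM payload."""
    subject = parse_dn(parse_x509_text(x509_text).get("subject", ""))
    return subject.get("UID", "")


def push_certificate_problems(x509_text, now=None):
    """Reasons not to use this certificate for MDM push (empty list = fine)."""
    fields = parse_x509_text(x509_text)
    subject = parse_dn(fields.get("subject", ""))
    issuer = parse_dn(fields.get("issuer", ""))
    problems = []
    if not subject.get("UID", "").startswith(TOPIC_PREFIX):
        problems.append("subject UID is not an MDM topic (must start with %s)" % TOPIC_PREFIX)
    if not subject.get("CN", "").startswith("APSP:"):
        problems.append("CN does not start with APSP: (not an APNS push certificate)")
    if issuer.get("O") != "Apple Inc.":
        problems.append("issuer is not Apple Inc.")
    try:
        not_before = parse_openssl_date(fields["notBefore"])
        not_after = parse_openssl_date(fields["notAfter"])
    except (KeyError, ValueError):
        return problems + ["validity dates missing or unparseable"]
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        problems.append("certificate not yet valid (notBefore %s)" % not_before.date())
    elif now > not_after:
        problems.append("certificate expired on %s; push will stop working" % not_after.date())
    elif (not_after - now).days < RENEWAL_WINDOW_DAYS:
        problems.append("certificate expires within %d days (%s); renew it"
                        % (RENEWAL_WINDOW_DAYS, not_after.date()))
    return problems


if __name__ == "__main__":
    print("Topic:", push_topic(SAMPLE_OUTPUT))
    print("Problems:", push_certificate_problems(SAMPLE_OUTPUT))
```

Run against the real file by piping `openssl x509 -noout -in MDM_<company name>_Certificate.pem -issuer -subject -dates` into this script; the topic it returns must be byte-for-byte the one in the enrollment profile, otherwise pushes are silently dropped.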
Sending MDM Commands to iOS Devices
An iOS device is notified that it has to poll for MDM commands through an Apple push notification. Many open source libraries (e.g. JavaPNS) are available to send push notifications; the APNS certificate generated above is used to send them.
(Figure: Typical Architecture)
(Figure: Flow to Send MDM Commands)
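The figure above is not reproduced here, so the following added example (not code from the original page or from any MDM product) walks the flow in code from the server's side: the device checks in at the Check In URL, the server wakes it with the APNS payload, the device polls the Server URL with its status, and the server answers with the next queued command until the queue is empty. Message shapes follow Apple's MDM protocol (check-in plists with MessageType Authenticate, TokenUpdate and CheckOut; a push body of the form {"mdm": PushMagic}; status plists with Status Idle, Acknowledged, Error, CommandFormatError or NotNow). The HTTPS transport, the TLS client-certificate check of the device identity, and the APNS connection itself (the job of a library such as JavaPNS) are outside this example; the UDID, token and device answers are constructed.

```python
"""Server side of the MDM command flow. Added example; device values are constructed."""
import json
import plistlib
import uuid

COMPLETED = ("Acknowledged", "Error", "CommandFormatError")


def plist(obj):
    """Encode a message as the XML plist the device and server exchange."""
    return plistlib.dumps(obj, fmt=plistlib.FMT_XML)


class MdmServer:
    def __init__(self, topic):
        self.topic = topic      # UID from our APNS certificate
        self.devices = {}       # UDID -> {"Token": bytes, "PushMagic": str}
        self.queues = {}        # UDID -> pending commands; the head is in flight
        self.results = {}       # CommandUUID -> the device's final response

    # Check In URL: HTTP PUT from the device at install (and removal).
    def handle_checkin(self, body):
        msg = plistlib.loads(body)
        if msg.get("Topic") != self.topic:
            raise ValueError("device enrolled against a different Topic")
        udid, kind = msg["UDID"], msg["MessageType"]
        if kind == "Authenticate":
            self.devices.setdefault(udid, {})
        elif kind == "TokenUpdate":       # push token + PushMagic we need to wake it
            self.devices[udid] = {"Token": msg["Token"], "PushMagic": msg["PushMagic"]}
        elif kind == "CheckOut":          # profile removed; forget the device
            self.devices.pop(udid, None)
            self.queues.pop(udid, None)
        else:
            raise ValueError("unknown MessageType %r" % kind)
        return kind

    # Administrator queues a command, then wakes the device through APNS.
    def queue_command(self, udid, request_type, **params):
        cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
               "Command": dict(RequestType=request_type, **params)}
        self.queues.setdefault(udid, []).append(cmd)
        return cmd["CommandUUID"]

    def push_payload(self, udid):
        """JSON body sent to the device's Token through APNS; it carries no command."""
        return json.dumps({"mdm": self.devices[udid]["PushMagic"]})

    # Server URL: HTTP PUT with the device's status; reply is one command or empty.
    def handle_server_url(self, body):
        msg = plistlib.loads(body)
        udid, status = msg["UDID"], msg.get("Status")
        if udid not in self.devices:
            raise ValueError("unknown device %r" % udid)
        queue = self.queues.setdefault(udid, [])
        if status in COMPLETED:
            self.results[msg["CommandUUID"]] = msg
            queue[:] = [c for c in queue if c["CommandUUID"] != msg["CommandUUID"]]
        elif status == "NotNow":
            return b""    # device busy (e.g. locked): keep the command, it polls again later
        elif status != "Idle":
            raise ValueError("unknown Status %r" % status)
        return plist(queue[0]) if queue else b""   # head is resent until it completes


def device_report(udid, command_bytes, os_version="6.0"):
    """Constructed stand-in for the device's reply; a real device runs the command."""
    cmd = plistlib.loads(command_bytes)
    reply = {"UDID": udid, "CommandUUID": cmd["CommandUUID"]}
    if cmd["Command"]["RequestType"] == "DeviceInformation":
        facts = {"OSVersion": os_version, "SerialNumber": "C0NSTRUCTED1"}
        wanted = cmd["Command"].get("Queries", [])
        reply.update(Status="Acknowledged",
                     QueryResponses={k: facts[k] for k in wanted if k in facts})
    else:
        reply["Status"] = "Error"      # ErrorChain omitted in this stand-in
    return plist(reply)


def run_demo(topic):
    """One full round trip; returns the device's response to the queued command."""
    server = MdmServer(topic)
    udid = "CONSTRUCTED-UDID-0001"
    server.handle_checkin(plist({"MessageType": "Authenticate", "Topic": topic, "UDID": udid}))
    server.handle_checkin(plist({"MessageType": "TokenUpdate", "Topic": topic, "UDID": udid,
                                 "Token": b"\x00" * 32, "PushMagic": "EXAMPLE-MAGIC"}))
    cid = server.queue_command(udid, "DeviceInformation", Queries=["OSVersion", "SerialNumber"])
    server.push_payload(udid)                                            # would go to APNS
    cmd = server.handle_server_url(plist({"Status": "Idle", "UDID": udid}))   # device polls
    server.handle_server_url(device_report(udid, cmd))                   # device reports
    return server.results[cid]
```

Two details matter operationally: the push only says "come and ask", so nothing sensitive travels through APNS, and a command stays at the head of the queue through NotNow until the device acknowledges it, so the server must tolerate delivering the same CommandUUID more than once.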
Troubleshooting:
During the installation of the .mobileconfig file on the device, the following errors can occur. The errors and their solutions are described below:
Error #1: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “…”
Solution: The device does not trust the certificate the HTTPS server presents. This error can be resolved by converting the .p12 file to a .jks file and using this .jks file to configure HTTPS as explained earlier, so that Tomcat serves the private key together with its certificate. The following command converts the .p12 file to a .jks file:
keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
If the certificate is self-signed, it must also be installed on the device (for example via the Credentials pane) before the device will trust the server.
Error #2: Invalid Profile: A profile containing an MDM payload must be removable.
Solution: In the General settings for the .mobileconfig, change the Security level to “Always”, so that the profile can be deleted by the user of the iOS device.
References:
- http://avibirnale.blogspot.com/2010/06/apples-ios-4-iphone-and-enterprise.html
- https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf
- http://help.apple.com/iosdeployment-ipcu/win/1.1/
- http://stackoverflow.com/questions/10898018/mdm-server-certificate-to-be-used-for-ssl-handshake-with-iphone-device
- http://www.apple.com/iphone/business/integration/mdm/
- http://stackoverflow.com/questions/8501039/apple-mdm-vendor-csr-signing/
- http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning