Thursday, May 9, 2013

MDM Development Configuration for iOS devices - Step by step

This article aims to give developers an understanding of the steps involved in developing an MDM solution for iOS. It does not contain any source code for the implementation. The information in this article is based on the white paper and work performed by the Endeavour team (especially Anindya Sen), Technology Competency Group.

The MDM protocol is used to send device management commands to iPhone, iPad and iPod touch devices running iOS 4 and later. Through the MDM service an IT administrator can inspect, install and remove profiles, remove passcodes and begin a secure erase on a managed device.

The MDM protocol is built on top of HTTP, TLS and push notifications. MDM uses APNS (Apple Push Notification Service) to deliver a “wake up” message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.

Let's see the steps that are required to make this whole thing work -

Configure a MDM Server

Typically, the MDM service needs to be deployed on an HTTPS server, which acts as the MDM server. Profiles containing the MDM payload are distributed to the managed devices through this HTTPS server. We use Tomcat for this purpose. For the steps to configure Tomcat for HTTPS, please refer to the document TomcatAndHttps.doc.

Configure SSL/ HTTPS:

Note that configuring an HTTPS server needs an SSL certificate. An SSL certificate serves two essential purposes -
  • Distributing the server's public key
  • Verifying the identity of the server, so users know they aren't sending their information to the wrong server.
An SSL certificate can be obtained in the following ways:
  1. Procure an SSL certificate from a trusted certificate authority. An SSL certificate can only properly verify the identity of the server when a trusted third party signs it.
  2. Generate a self-signed SSL certificate. A self-signed certificate can be used in a development environment. It is signed with its own key rather than by a trusted authority. Since any attacker can create a self-signed certificate and launch a man-in-the-middle attack, a user can't know whether they are sending their encrypted information to the server or to an attacker. For that reason it is strictly recommended never to use a self-signed certificate on a public Java server (i.e. a production environment) that anonymous visitors connect to.

Configuring FQDN:

An MDM server can be identified and reached by iOS only by its FQDN (Fully Qualified Domain Name). Hence an FQDN must be configured on the MDM server.

Generate .mobileconfig file

The .mobileconfig file can be generated and exported using iPCU (iPhone Configuration Utility). The three most important sections of iPCU for creating the .mobileconfig file are:
  • General
  • Credentials
  • MDM Payload
The important fields of these three sections are discussed below.

General:

  1. Profile name: Name of the profile. E.g. AbcMDMProfile
  2. Identifier: Bundle identifier, of the format com... E.g. com.mycompany.mymdmserver
  3. Organization: Name of the company. E.g. My Company Name Inc.
  4. Security: Specifies whether the device user is allowed to remove the configuration profile
    1. Always: The user can remove the profile from the device. This is the preferred option for installing the profile on the device.
    2. With Authentication: The user can delete the profile after entering the password that was set when the profile was created.
    3. Never: The user cannot delete the profile.

Credentials:

Specify the X.509 certificates to install on the device. Add the corporate certificate and any other certificates needed to authenticate the device's access to the private network. This certificate is used to authenticate the client on the server side when commands, responses and acknowledgements are exchanged. In the MDM payload (explained below) this certificate is referenced by the Identity field, which identifies the client to the server.

MDM Payload:

  1. Server URL: URL of the MDM server application. E.g. https:///iOSMdm
  2. Check In URL: This URL is called automatically by the iOS device, using HTTP POST only, once the profile is installed on or removed from the device. E.g. https:// /iOSMdm/checking
  3. Topic: The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the prefix com.apple.mgmt. The Topic field must contain the User ID (UID) listed in the Subject Name of the APNS certificate (see below).
  4. Identity: This is the client authentication certificate that the device uses to identify itself to the MDM server. It can be provided in the following two ways:
    1. Add the certificate to the device using the Credentials pane
    2. Use SCEP Settings to give the device instructions for obtaining the certificate via SCEP.
Please refer to the following sections for the detailed steps to generate the CA certificate.

Generation of Client Authentication Certificate using OpenSSL

Using the following steps one can generate the CA certificate. Execute the commands below in order -

set OPENSSL_CONF=\openssl.cfg
E.g. for the Windows environment:
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg

Navigate to the OpenSSL directory and start the OpenSSL shell:
openssl.exe
E.g. for the Windows environment:
cd C:\OpenSSL-Win32\bin
C:\OpenSSL-Win32\bin>openssl.exe

OpenSSL>genrsa -out server.key 2048
OpenSSL>req -new -key server.key -out server.csr

The req command prompts for the following details (fill in the values for your organisation):
COUNTRY:
STATE:
CITY:
ORGN:
OU:
CN:
Email:
PSW:

OpenSSL>x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

OpenSSL>pkcs12 -export -in server.crt -inkey server.key -name ""   -out server.p12

This server.p12 file shall be used as the CA certificate. The same server.p12 file is also used to configure HTTPS on the MDM server (explained earlier).

Create APNS Certificate

The APNS certificate can only be generated using an MDM Vendor Apple enterprise developer account.
  1. Rename the server.p12 file generated previously to vendor.p12.
  2. Log in to the iOS Dev Center https://developer.apple.com using the MDM Vendor Apple enterprise developer account.
  3. Navigate to iOS Provisioning Portal > Certificates > Others > Request Certificate > Choose File.
  4. Upload the server.csr file generated previously.
  5. Select download to get the mdm.cer file.
  6. The Apple WWDR intermediate certificate can be downloaded from https://developer.apple.com/certificationauthority/AppleWWDRCA.cer.
  7. The Apple Root certificate can be downloaded from http://www.apple.com/appleca/AppleIncRootCertificate.cer.
  8. Convert mdm.cer, AppleWWDRCA.cer and AppleIncRootCertificate.cer to PEM format using the following commands
    • openssl>x509 -inform der -in mdm.cer -out mdm.pem
    • openssl>x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
    • openssl>x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
  9. Generate the MDM certificate for the MDM server, as a customer, using the following commands
    • openssl>genrsa -des3 -out customerPrivateKey.pem 2048
    • openssl>req -new -key customerPrivateKey.pem -out customer.csr
    • openssl>req -inform pem -outform der -in customer.csr -out customer.der
  10. A Java program to generate the encoded plist can be downloaded from http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning. This program requires the alias of the vendor.p12 file generated in step 1. To find the alias execute the command: "keytool -list -keystore vendor.p12 -storepass 123456 -storetype PKCS12 -v", using the password of vendor.p12 in place of 123456; the output lists the alias. The files customer.der, intermediate.pem, mdm.pem, root.pem and vendor.p12 are needed to generate the encoded plist. Place all of these files beside the downloaded Test.class file.
  11. Running the downloaded code generates two files, plist.xml and plist_encoded.txt, beside the src folder.
  12. The plist_encoded.txt file shall be uploaded to https://identity.apple.com/pushcert; plist.xml is just for reference. To upload plist_encoded.txt navigate to Create a Certificate > Accept the terms and conditions by ticking the check box > Choose File > Upload plist_encoded.txt
  13. Once the upload is completed, download the APNS certificate, which will be named MDM_ _Certificate.pem
  14. View the details of this MDM__Certificate.pem file using the openssl command below.
    • openssl>x509 -noout -in mdm.pem -issuer -subject -dates
    • Sample output:
      issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Application Integration Certification Authority
      subject= /UID=com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6/CN=APSP:13818cd9-434f-4216-9404-c412d3903eb6/C=US
      notBefore=Nov  6 08:44:27 2012 GMT
      notAfter=Nov  6 08:44:27 2013 GMT
    • This UID value (com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6) shall be used in the Topic field of the MDM payload.
  15. Remove the passphrase from the customerPrivateKey.pem file using the command below:
    • openssl>rsa -in customerPrivateKey.pem -out PlainKey.pem
  16. Merge the APNS certificate in PEM format and PlainKey.pem using the command below (a shell command, not an OpenSSL subcommand)
    • cat MDM_companyName_Certificate.pem PlainKey.pem > PlainCert.pem
  17. Convert PlainCert.pem to .pfx using the command below
    • openssl>pkcs12 -export -out mdmapnscertificate.pfx -inkey PlainKey.pem -in MDM_companyName_Certificate.pem
  18. Double-clicking the PFX file adds it to Keychain Access, from where it can be exported in p12 format.
Either the PFX file or the p12 file can be used as the APNS certificate to send push notifications to the iOS device.
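As an added example (not code from the original article or the Endeavour team), the following Python extracts the topic from the sample subject line shown in step 14 above and uses it to validate a constructed TokenUpdate message of the kind the device POSTs to the Check In URL described in the MDM payload section. The field names follow Apple's MDM check-in protocol; the sample UDID, token and PushMagic values are made up.

```python
import plistlib

# APNS certificate "-subject" output copied from step 14 above; the UID is the push topic.
SUBJECT_LINE = ("subject= /UID=com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6"
                "/CN=APSP:13818cd9-434f-4216-9404-c412d3903eb6/C=US")
# MessageType values a device may send to the Check In URL (Apple MDM check-in protocol).
ALLOWED_MESSAGE_TYPES = {"Authenticate", "TokenUpdate", "CheckOut"}

def topic_from_subject(subject_line: str) -> str:
    """Return the UID from an openssl subject line, enforcing the com.apple.mgmt prefix."""
    components = subject_line.split("=", 1)[1].strip().strip("/").split("/")
    topic = dict(c.split("=", 1) for c in components).get("UID", "")
    if not topic.startswith("com.apple.mgmt."):
        raise ValueError("APNS certificate UID is not an MDM topic: %r" % topic)
    return topic

def handle_checkin(body: bytes, expected_topic: str) -> dict:
    """Validate one check-in POST; return the fields to persist or raise ValueError."""
    msg = plistlib.loads(body)
    mtype = msg.get("MessageType")
    if mtype not in ALLOWED_MESSAGE_TYPES:
        raise ValueError("unexpected MessageType %r" % mtype)
    if msg.get("Topic") != expected_topic:
        # A device enrolled for another APNS identity could never be woken by our pushes.
        raise ValueError("Topic %r does not match our APNS certificate" % msg.get("Topic"))
    if not msg.get("UDID"):
        raise ValueError("check-in without UDID")
    record = {"MessageType": mtype, "UDID": msg["UDID"]}
    if mtype == "TokenUpdate":  # Token and PushMagic are what the wake-up push needs later
        for key in ("Token", "PushMagic"):
            if key not in msg:
                raise ValueError("TokenUpdate missing %s" % key)
        record["Token"] = bytes(msg["Token"]).hex()
        record["PushMagic"] = msg["PushMagic"]
    return record

def checkin_is_valid(body: bytes, expected_topic: str) -> bool:
    """True if handle_checkin accepts the message, False if it rejects it."""
    try:
        handle_checkin(body, expected_topic)
        return True
    except ValueError:
        return False

# Constructed TokenUpdate check-in, shaped like the device's POST to the Check In URL.
SAMPLE_TOKEN_UPDATE = plistlib.dumps({
    "MessageType": "TokenUpdate", "UDID": "0123456789abcdef0123456789abcdef01234567",
    "Topic": "com.apple.mgmt.External.13818cd9-434f-4216-9404-c412d3903eb6",
    "Token": b"\x01\x02\x03\x04", "PushMagic": "CONSTRUCTED-PUSHMAGIC"})  # sample values
```

A check-in whose Topic does not match the UID of the server's own APNS certificate is rejected, since such a device could never be reached by the server's push notifications.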

Sending MDM Commands to iOS Devices

An iOS device is notified that it has to poll for MDM commands by an Apple push notification. Many open source libraries (e.g. JavaPNS) are available to send push notifications. The APNS certificate is used to send them.
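As an added example (not the article's or the Endeavour team's code), the following Python shows the command half of the cycle that follows the push: building a DeviceInformation command plist for the device to fetch from the Server URL, and checking the device's reply against the queue of commands the server actually issued. The field names follow Apple's MDM protocol; the in-memory queue, the sample UDID and the device reply are constructed for this example.

```python
import plistlib
import uuid

# In-memory stand-in for the server's per-device command queue, keyed by CommandUUID
# (an assumption for this example, not the page's design).
PENDING = {}

def build_command(request_type, **args):
    """Build the plist the server returns when the device polls the Server URL."""
    command_uuid = str(uuid.uuid4()).upper()
    cmd = {"CommandUUID": command_uuid, "Command": {"RequestType": request_type, **args}}
    PENDING[command_uuid] = cmd
    return plistlib.dumps(cmd)

def process_device_reply(body, expected_udid):
    """Handle the device's POST to the Server URL: an Idle poll or a command result."""
    reply = plistlib.loads(body)
    if reply.get("UDID") != expected_udid:
        raise ValueError("reply for unexpected UDID %r" % reply.get("UDID"))
    status = reply.get("Status")
    if status == "Idle":
        return {"status": "Idle", "command_uuid": None}
    command_uuid = reply.get("CommandUUID")
    if command_uuid not in PENDING:
        # A result for a command we never issued is not trusted: reject it.
        raise ValueError("unsolicited result for CommandUUID %r" % command_uuid)
    issued = PENDING.pop(command_uuid)
    summary = {"status": status, "command_uuid": command_uuid,
               "request_type": issued["Command"]["RequestType"]}
    if status == "Acknowledged":
        summary["result"] = reply.get("QueryResponses", {})
    elif status == "NotNow":
        PENDING[command_uuid] = issued  # device is busy; re-queue for its next poll
    else:  # "Error" or "CommandFormatError"
        summary["errors"] = reply.get("ErrorChain", [])
    return summary

def demo():
    """Issue a DeviceInformation command and consume a constructed acknowledgement."""
    udid = "0123456789abcdef0123456789abcdef01234567"  # constructed sample UDID
    issued = plistlib.loads(build_command("DeviceInformation", Queries=["UDID", "OSVersion"]))
    device_reply = plistlib.dumps({  # constructed reply, as the device would POST it
        "Status": "Acknowledged", "UDID": udid, "CommandUUID": issued["CommandUUID"],
        "QueryResponses": {"UDID": udid, "OSVersion": "6.1.3"}})
    return process_device_reply(device_reply, udid)
```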

Typical Architecture

Flow to Send MDM Commands:

Troubleshooting:

During the installation of the .mobileconfig file on the device the following errors can occur. The errors and their solutions are described below:

Error #1:
The certificate for this server is invalid. You might be connecting to a server that is pretending to be “” which could put your confidential information at risk. If the server’s certificate cannot be verified using a trusted root authority, you must install the “Trust Profile” for the server.
Solution: This error can be resolved by converting the .p12 file to a .jks file and using this .jks file to configure HTTPS as explained above. The following command converts the .p12 file to a .jks file:
keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

Error #2:
Invalid Profile: A profile containing an MDM payload must be removable.
Solution: In the General settings of the .mobileconfig, change the Security level to “Always”, so that the profile can be deleted by the user of the iOS device.
