Mobile Device Management (MDM)

PRADEEP MISRA
3 min read · Sep 7, 2017


Employees increasingly bring their own devices to work (BYOD) and use them to share data on the office network, which makes it hard for an IT department to monitor and control those devices. The Mobile Device Management (MDM) protocol addresses this by giving system administrators a channel for sending device-management commands to enrolled ("managed") mobile devices. Through an MDM service an administrator can inspect, install, or remove configuration profiles; query device status (battery level, for example); remove the passcode; and start a secure erase of a managed device.

iOS MDM

The MDM protocol is built on top of HTTP, Transport Layer Security (TLS), and push notifications. The related MDM check-in protocol lets the initial registration of a device (enrollment) be handled by a separate server, named by the CheckInURL in the MDM payload; if no CheckInURL is given, the device checks in with the ServerURL.

MDM uses the Apple Push Notification service (APNs) only to deliver a "wake up" message to a managed device; the push itself carries no command. The device then connects over HTTPS to the ServerURL from its MDM payload, reports its status, retrieves queued commands one at a time, and returns the results.

To offer an MDM service, the IT department deploys an HTTPS server that acts as the MDM server and distributes a configuration profile containing the MDM payload to each device to be managed. The device must trust the server's TLS certificate, either because it chains to a public CA or because the issuing CA is installed on the device by profile.

iOS MDM implementation

Configure the MDM server

To configure your MDM server, follow these steps:

  1. Enroll in the Apple Developer Enterprise Program. An MDM vendor needs this membership to obtain the certificate used to sign customer CSRs.
  2. Generate a Certificate Signing Request (CSR) and have it signed by your MDM vendor. If you are building the MDM server yourself, you are the vendor and sign it with the MDM CSR signing certificate obtained through the program.
  3. Once you have the signed CSR, visit identity.apple.com/pushcert and sign in with a verified Apple ID.
  4. Click "Create a Certificate" and agree to the Terms of Use.
  5. Select your signed CSR and click Upload. After a moment, your certificate will be available for download.
  6. Upload this certificate (the APNs push certificate) to your MDM server. It is valid for one year; renew it in the portal rather than creating a new one, because a new certificate has a different Topic and enrolled devices would stop receiving pushes.

Your MDM server itself needs three parts: a profile manager that builds and signs configuration profiles, a push component that sends the wake-up notifications to APNs using the certificate above, and a SCEP stack that issues each device its identity certificate during enrollment (the MDM payload references this certificate, and the device uses it to authenticate its TLS connection to the server).
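The following is an added example, not code from the original post, showing how the profile manager part of the server can assemble the enrollment profile: a SCEP payload for the device identity and the MDM payload that points the device at the server. It also computes the AccessRights mask from the commands the server will actually send, instead of granting every right. The bit values come from Apple's MDM payload documentation; the per-command mapping, the com.example identifiers, the CN in the SCEP subject, and the URLs are the editor's assumptions for illustration.

```python
import plistlib
import uuid

# AccessRights bits from Apple's MDM payload documentation. The device
# enforces this mask: a command whose right is not granted is rejected.
INSPECT_PROFILES = 1
MANAGE_PROFILES = 2          # Apple requires bit 1 to be set with this
LOCK_AND_CLEAR_PASSCODE = 4
ERASE = 8
QUERY_DEVICE_INFO = 16
QUERY_NETWORK_INFO = 32
INSPECT_PROVISIONING = 64
MANAGE_PROVISIONING = 128    # Apple requires bit 64 to be set with this
INSPECT_APPS = 256
QUERY_RESTRICTIONS = 512
QUERY_SECURITY = 1024
MANAGE_SETTINGS = 2048
MANAGE_APPS = 4096

# Right each command from the article needs. Assumption: derived by the
# editor from the bit descriptions above; verify against the current
# MDM protocol reference before relying on it.
COMMAND_RIGHTS = {
    "ProfileList": INSPECT_PROFILES,
    "CertificateList": INSPECT_PROFILES,
    "InstallProfile": MANAGE_PROFILES,
    "RemoveProfile": MANAGE_PROFILES,
    "DeviceLock": LOCK_AND_CLEAR_PASSCODE,
    "ClearPasscode": LOCK_AND_CLEAR_PASSCODE,
    "EraseDevice": ERASE,
    "DeviceInformation": QUERY_DEVICE_INFO | QUERY_NETWORK_INFO,
    "ProvisioningProfileList": INSPECT_PROVISIONING,
    "InstallProvisioningProfile": MANAGE_PROVISIONING,
    "RemoveProvisioningProfile": MANAGE_PROVISIONING,
    "InstalledApplicationList": INSPECT_APPS,
    "Restrictions": QUERY_RESTRICTIONS,
    "SecurityInfo": QUERY_SECURITY,
}


def access_rights_for(commands):
    """Least-privilege AccessRights mask for the commands the server will
    send, with Apple's prerequisite bits added automatically."""
    mask = 0
    for name in commands:
        mask |= COMMAND_RIGHTS[name]
    if mask & MANAGE_PROFILES:
        mask |= INSPECT_PROFILES
    if mask & MANAGE_PROVISIONING:
        mask |= INSPECT_PROVISIONING
    return mask


def build_enrollment_profile(server_url, checkin_url, scep_url, topic,
                             challenge, commands):
    """Return the unsigned XML plist of an enrollment profile. The profile
    manager must still CMS-sign it before handing it to devices."""
    for url in (server_url, checkin_url, scep_url):
        if not url.startswith("https://"):
            raise ValueError("MDM endpoints must be HTTPS: " + url)
    if not topic.startswith("com.apple.mgmt.External."):
        raise ValueError("Topic must be the push certificate's UID")
    scep_uuid = str(uuid.uuid4()).upper()
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.scep",  # assumed identifier
        "PayloadUUID": scep_uuid,
        "PayloadDisplayName": "MDM device identity",
        "PayloadContent": {
            "URL": scep_url,
            "Name": "MDM CA",
            "Subject": [[["CN", "mdm-device"]]],  # assumed subject
            "Challenge": challenge,  # one-time SCEP challenge password
            "Keysize": 2048,
            "Key Type": "RSA",
            "Key Usage": 5,          # 1 = signing, 4 = encryption
        },
    }
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",       # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "MDM",
        "ServerURL": server_url,
        "CheckInURL": checkin_url,
        "Topic": topic,
        "IdentityCertificateUUID": scep_uuid,  # binds MDM to the SCEP cert
        "AccessRights": access_rights_for(commands),
        "CheckOutWhenRemoved": True,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.enrollment",  # assumed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example MDM enrollment",
        "PayloadContent": [scep_payload, mdm_payload],
    }
    return plistlib.dumps(profile)


def mdm_payload_of(profile_bytes):
    """Return the com.apple.mdm payload dict from a profile plist."""
    profile = plistlib.loads(profile_bytes)
    return next(p for p in profile["PayloadContent"]
                if p["PayloadType"] == "com.apple.mdm")
```

Granting only the rights you need matters because AccessRights is enforced by the device, not the server: a compromised MDM server with rights 8 and 4 can erase or unlock every enrolled device, so an inventory-only deployment should not request them.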

MDM protocol implementation

To manage an iOS device over MDM, the MDM server sends it commands; the set of commands the device understands is defined by the protocol.

All communication between the iOS MDM client and the MDM server is in Apple Property List (plist) format. The server sends each command as a plist containing a CommandUUID and a Command dictionary whose RequestType names the command; the device answers with a plist that echoes the CommandUUID and reports a Status (Acknowledged, Error, CommandFormatError, or NotNow when the device cannot act yet). The first report after a push carries Status Idle and no CommandUUID.

Important MDM commands: the most commonly used commands are listed below, with the RequestType value the server puts in the command.

Device Lock (RequestType DeviceLock): Locks the managed device immediately.

Erase Device (RequestType EraseDevice): Immediately wipes the device and resets it to factory state. It is irreversible, so the server should require explicit confirmation before queuing it.

Clear Passcode (RequestType ClearPasscode): If a passcode is set on the device, this command clears it. The command must carry the UnlockToken the device sent the server during check-in (the TokenUpdate message), which is why that token has to be stored as carefully as a credential.

Security Information (RequestType SecurityInfo): The built-in MDM client returns the device's security-related settings, including hardware encryption capabilities and whether a passcode is present.

Installed Application List (RequestType InstalledApplicationList): The client returns the list of all applications currently installed on the device.

Device Information (RequestType DeviceInformation): The client returns the general device attributes named in the command's Queries array, such as MAC addresses, IMEI, phone number, software version, model name and number, and serial number.

Certificate List (RequestType CertificateList): The client returns all certificates currently installed on the device.

Profile List (RequestType ProfileList): Lists the configuration profiles installed on the device.

Provisioning Profile List (RequestType ProvisioningProfileList): Lists the provisioning profiles installed on the device. Provisioning profiles authorize app code signing and are distinct from configuration profiles, although the command works the same way.

Restrictions List (RequestType Restrictions): Lists the restrictions currently in effect on the device.

Install Profile (RequestType InstallProfile): Installs a configuration profile on the device, supplied as the Payload data of the command.

Remove Profile (RequestType RemoveProfile): Removes a configuration profile from the device, identified by its PayloadIdentifier.

Install Provisioning Profile (RequestType InstallProvisioningProfile): Installs a provisioning profile on the device, supplied as the ProvisioningProfile data of the command.

Remove Provisioning Profile (RequestType RemoveProvisioningProfile): Removes a provisioning profile from the device, given the profile's UUID.
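The following is an added example, not code from the original post, showing the plist exchange described above: the server wraps a RequestType in the CommandUUID/Command envelope, the device reports Idle after the push, the server answers with the next queued command, and the device's report is matched back to that command by CommandUUID and dispatched on its Status (Acknowledged stores the result, NotNow leaves the command queued). The "device" side is a constructed stand-in, not captured traffic; the CommandQueue class, the UDID and serial values, and the helper names are the editor's.

```python
import plistlib
import uuid

# Status values that finish a command; NotNow and Idle do not.
FINAL_STATUSES = {"Acknowledged", "Error", "CommandFormatError"}


def build_command(request_type, **params):
    """Wrap a RequestType and its parameters in the envelope the device
    expects: a CommandUUID the device echoes back, and a Command dict."""
    command = {"RequestType": request_type}
    command.update(params)
    return {"CommandUUID": str(uuid.uuid4()).upper(), "Command": command}


def device_information(queries):
    return build_command("DeviceInformation", Queries=list(queries))


def clear_passcode(unlock_token):
    # The device only honours ClearPasscode with the UnlockToken it handed
    # the server in its TokenUpdate check-in message. Treat that token as a
    # credential: whoever holds it can unlock the device.
    if not unlock_token:
        raise ValueError("ClearPasscode requires the device's UnlockToken")
    return build_command("ClearPasscode", UnlockToken=unlock_token)


class CommandQueue:
    """Per-device command queue (editor's construct). After a push the
    device PUTs a report to ServerURL; the server's response body is the
    next command, or empty when there is nothing left to do."""

    def __init__(self):
        self.pending = []
        self.results = {}

    def enqueue(self, command):
        self.pending.append(command)

    def next_response_body(self):
        if not self.pending:
            return b""  # empty 200 OK ends the session
        return plistlib.dumps(self.pending[0])

    def handle_report(self, body):
        """Process one device report and return the Status it carried."""
        report = plistlib.loads(body)
        status = report["Status"]
        if status == "Idle":
            return status  # wake-up report: no command is echoed
        outstanding = self.pending[0]["CommandUUID"] if self.pending else None
        if report.get("CommandUUID") != outstanding:
            raise ValueError("report does not match the outstanding command")
        if status == "NotNow":
            return status  # device busy; command stays queued for later
        if status in FINAL_STATUSES:
            self.results[outstanding] = report
            self.pending.pop(0)
            return status
        raise ValueError("unexpected status %r" % status)


def demo():
    """Constructed exchange with a simulated device (not real traffic)."""
    q = CommandQueue()
    info = device_information(["UDID", "OSVersion", "SerialNumber"])
    q.enqueue(info)
    q.enqueue(build_command("SecurityInfo"))
    # 1. APNs push wakes the device; it reports Idle and asks for work.
    q.handle_report(plistlib.dumps({"Status": "Idle", "UDID": "UDID-CONSTRUCTED"}))
    served = plistlib.loads(q.next_response_body())
    assert served["Command"]["RequestType"] == "DeviceInformation"
    # 2. Device answers DeviceInformation (values are made up).
    q.handle_report(plistlib.dumps({
        "Status": "Acknowledged", "UDID": "UDID-CONSTRUCTED",
        "CommandUUID": info["CommandUUID"],
        "QueryResponses": {"UDID": "UDID-CONSTRUCTED", "OSVersion": "10.3.3",
                           "SerialNumber": "SERIAL-CONSTRUCTED"},
    }))
    # 3. Device is busy and defers SecurityInfo with NotNow; it stays queued.
    nxt = plistlib.loads(q.next_response_body())
    q.handle_report(plistlib.dumps({"Status": "NotNow", "UDID": "UDID-CONSTRUCTED",
                                    "CommandUUID": nxt["CommandUUID"]}))
    answers = q.results[info["CommandUUID"]]["QueryResponses"]
    still_pending = [c["Command"]["RequestType"] for c in q.pending]
    return answers, still_pending


if __name__ == "__main__":
    print(demo())
```

Matching the echoed CommandUUID against the outstanding command is the check a real server must not skip: the report arrives over the device's mutually authenticated TLS session, but without the UUID check a stale or replayed report would be recorded against the wrong command.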


Enthusiast Lead & Architect. Worked on multiple software products e.g. Barclays Mobile Banking, Accenture mHealth, HP-iLO, the Uber of Therapy, ScanSee, Sekur.me