Mobile device management (MDM) for iOS

Let’s take an overview of this client-less protocol

Diksha Bhargava
The Startup
6 min read · Mar 19, 2019


iPad iPhone Security

For the last few weeks I have been studying and researching MDM, so here is what I have to share with the audience about it. MDM has become a hot topic as organisations are pressured to bring security into their organisation. Mobile devices are invading every level of corporate society, making the need to remotely manage and control them increasingly urgent. Apple has provided some enterprise management features, first via over-the-air configuration profiles, and beginning in 2010, full MDM support.

Why is MDM needed? 🤔

To understand this, let us take an example: consider a scenario where you have many iOS devices in your company and you have to manage them centrally. What will you do to achieve this? Either you use a third-party MDM application, e.g. AirWatch, which is very costly 💰, or you implement Apple’s own enterprise deployment method, i.e. “MDM”. I would prefer the second one 👍.

Let’s understand what MDM actually is.

The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later. Through the MDM service, an IT administrator can inspect, install, or remove profiles, remove passcodes, and begin secure erase on a managed device.

According to Apple’s documentation:

The MDM protocol is built on top of HTTP, transport layer security (TLS), and push notifications. The related MDM check-in protocol provides a way to delegate the initial registration process to a separate server.
MDM uses the Apple Push Notification Service (APNS) to deliver a “wake up” message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.

So basically what I understand is that to provide an MDM service, we need to deploy an HTTPS server to act as the MDM server, then distribute profiles containing the MDM payload to the managed devices.

Key feature 🏷 : it allows administrators to push profiles to the device without any manual intervention.

Basics

The MDM service essentially consists of three elements:
1. The device being managed (iPhones, iPads, iPod Touches) 📱
2. The server doing the management (various MDM servers) ⚙
3. A method by which the server wakes up the device (APNS)🤨

The MDM payload can be placed within a configuration profile (.mobileconfig) file distributed using email or a webpage, as part of the final configuration profile delivered by an over-the-air enrollment service, or automatically using the Device Enrollment Program (DEP).

Only one MDM payload can be installed on a device at any given time. Once you have registered the MDM server, secure communication is enabled between the MDM server and the Apple Portal. This is used to synchronize the details of devices purchased through the Apple DEP portal.

When you find the devices synced from the Apple portal, you can assign them to users. Whenever the devices are activated, all restrictions and configurations imposed using MDM are installed automatically on all your devices over the air (OTA). By configuring DEP, you can ensure that all devices purchased under DEP are managed by MDM by default as soon as they are activated. Take a look at how it works with the server below in this blog post. 🎉

After Enrollment 🤷

Each interaction between client devices and the MDM server consists of four elements:
1. Server requests push notification through Apple
2. Apple pushes notification to device
3. Device connects to server
4. Server and client exchange commands and responses

MDM Architecture (Source)

In addition to managed profiles, you can also use MDM to install apps. Apps installed through the MDM service are called managed apps. The MDM service has additional control over how managed apps and their data are used on the device. 😎

Caution ⚠️
An APNS certificate must be acquired. This is what allows the MDM server to communicate with the client, and without it the MDM service will not work.

Some tremendous features of MDM:

  1. Over-the-air distribution
  2. Support for multiple mobile OS
  3. Security mechanism
  4. Enterprise level application management

MDM Command Cycle 🌐

The main purpose of the MDM protocol is to send commands to iOS devices and process the results. The MDM protocol runs over HTTPS (secure HTTP), which is used to exchange XML messages called property lists (plists). For more information on plists, see here.

In the MDM protocol, the server does not push commands to the device. Instead, the server uses the Apple Push Notification Service (APNS) to notify the device that new commands are available.

Once the device receives the push notification, it queries the MDM server for commands, executes them and sends the results back to the MDM server.
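To make the cycle concrete, here is an added Python sketch of the server side (example code, not from the post or from Apple): commands are queued per device as plist envelopes, an Idle report from the device is answered with the next command, and Acknowledged, Error and NotNow results are matched back to what was sent. Message keys follow Apple’s MDM Protocol Reference; the UDID and query values are constructed.

```python
import plistlib
import uuid

def plist(obj):
    """Encode a dict as the XML plist the device and server exchange over HTTPS."""
    return plistlib.dumps(obj)

class MdmCommandQueue:
    """Server side of the command cycle: queue commands per device and match up results."""

    def __init__(self):
        self.pending = {}      # UDID -> commands queued but not yet sent
        self.outstanding = {}  # CommandUUID -> (UDID, envelope) sent and awaiting a result
        self.results = []      # (UDID, RequestType, Status, full response) in arrival order

    def queue(self, udid, request_type, **params):
        """Queue one command; the CommandUUID lets the result be matched later."""
        envelope = {"CommandUUID": str(uuid.uuid4()).upper(),
                    "Command": {"RequestType": request_type, **params}}
        self.pending.setdefault(udid, []).append(envelope)
        return envelope["CommandUUID"]

    def handle_report(self, body):
        """Process one device PUT body; return the next command as plist bytes, or b'' if none."""
        report = plistlib.loads(body)
        # The UDID here is device-supplied; a real server ties it to the client certificate
        # that authenticated the TLS connection rather than trusting the body alone.
        udid, status = report["UDID"], report.get("Status")
        if status != "Idle":
            sent = self.outstanding.pop(report.get("CommandUUID"), None)
            if sent is None or sent[0] != udid:
                raise ValueError("response does not match an outstanding command for this device")
            if status == "NotNow":
                # Device cannot run it yet (e.g. locked): re-queue it and end the session;
                # the device polls again when its state allows.
                self.pending.setdefault(udid, []).insert(0, sent[1])
                return b""
            self.results.append((udid, sent[1]["Command"]["RequestType"], status, report))
        queue = self.pending.get(udid, [])
        if not queue:
            return b""     # empty response: nothing to do, device disconnects until next push
        envelope = queue.pop(0)
        self.outstanding[envelope["CommandUUID"]] = (udid, envelope)
        return plist(envelope)
```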

Device Enrollment Process DEP ✍

Devices enroll in MDM when the server delivers a special configuration profile to the device. This profile contains:

  • MDM Payload

This is a special payload that tells the device that it will be managed by the MDM server. It contains the server URL, push notification topic and other attributes. For more details on the MDM payload, see the MDM Protocol Reference.

  • Device Identity Certificate

The Mobile Server needs to authenticate connected devices. Since MDM runs automatically without user interaction, the usual username/password authentication will not work. The Mobile Server (as MDM server) authenticates devices by their identity certificates. This is called client certificate authentication and is done in the server’s SSL/TLS layer.
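As an added example (not code from the post or from Apple), the following Python assembles the two payloads described above, the identity certificate payload and the com.apple.mdm payload, into a .mobileconfig plist and audits the MDM payload the way a reviewer would before distributing it. Key names follow Apple’s MDM Protocol Reference; the server URL, topic, identifiers and the PKCS#12 content are placeholders.

```python
import plistlib
import uuid

MANAGE_PROFILES, LOCK_OR_CLEAR_PASSCODE, ERASE, DEVICE_INFO = 2, 4, 8, 16  # AccessRights bits

def build_mdm_payload(server_url, topic, identity_uuid, access_rights):
    """Return the com.apple.mdm payload that tells the device who manages it."""
    return {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",      # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "ServerURL": server_url + "/mdm",            # command endpoint
        "CheckInURL": server_url + "/checkin",       # Authenticate / TokenUpdate endpoint
        "Topic": topic,                              # APNs topic of the push certificate
        "IdentityCertificateUUID": identity_uuid,    # which payload holds the client cert
        "AccessRights": access_rights,               # bitmask of what the server may do
        "CheckOutWhenRemoved": True,                 # device reports when the profile is removed
    }

def audit_mdm_payload(payload):
    """Return the findings a reviewer would raise before distributing this payload."""
    findings = []
    for key in ("ServerURL", "CheckInURL"):
        if not payload[key].startswith("https://"):
            findings.append(f"{key} is not HTTPS")
    if payload["AccessRights"] & (ERASE | LOCK_OR_CLEAR_PASSCODE):
        findings.append("AccessRights grants erase or passcode removal")
    if not payload.get("CheckOutWhenRemoved"):
        findings.append("CheckOutWhenRemoved is off: unenrollment goes unnoticed")
    return findings

def build_profile(server_url, topic, access_rights):
    """Wrap an identity payload and the MDM payload in a .mobileconfig plist (bytes)."""
    identity_uuid = str(uuid.uuid4()).upper()
    identity = {"PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
                "PayloadIdentifier": "com.example.mdm.identity",   # hypothetical
                "PayloadUUID": identity_uuid,
                "PayloadContent": b"CONSTRUCTED-PLACEHOLDER, not a real PKCS#12 blob"}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.mdm.profile",     # hypothetical
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "Example MDM Enrollment",
               "PayloadContent": [identity,
                                  build_mdm_payload(server_url, topic, identity_uuid, access_rights)]}
    return plistlib.dumps(profile)

def parse_profile(data):
    return plistlib.loads(data)
```

The audit flags the destructive AccessRights bits so that a server which only needs inventory and profile management does not request remote erase it will never use.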

How Apple DEP Works (source)

This is not the end: take a look at the official DEP documentation and you will see that it contains “A LOT MORE”. 😳

Creating a Simple MDM Server

>> REQUIREMENTS 📝

  1. APNS
  2. Python
  3. Network connectivity

To send a push, the server needs to communicate with Apple’s APNS server. This requires outbound TCP connectivity to gateway.push.apple.com on port 2195. Finally, the device needs to be able to contact the MDM server itself on whatever port is defined in the MDM enrolment profile.
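An added Python example (not from the post or from Apple) of the check-in side that makes the wake-up push possible: the server records the APNs token and PushMagic a device sends in its TokenUpdate message, rejects check-ins for a topic its push certificate does not cover, and builds the notification whose only payload is {"mdm": PushMagic}. The topic, UDID, token and PushMagic are constructed placeholders.

```python
import binascii
import json
import plistlib

PUSH_TOPIC = "com.apple.mgmt.External.PLACEHOLDER-TOPIC"   # stands in for the real push-cert topic

# Constructed check-in bodies as a device would PUT them to CheckInURL (not real captures).
SAMPLE_AUTHENTICATE = plistlib.dumps(
    {"MessageType": "Authenticate", "Topic": PUSH_TOPIC, "UDID": "CONSTRUCTED-UDID-0001"})
SAMPLE_TOKEN_UPDATE = plistlib.dumps(
    {"MessageType": "TokenUpdate", "Topic": PUSH_TOPIC, "UDID": "CONSTRUCTED-UDID-0001",
     "Token": bytes.fromhex("0a1b2c3d"), "PushMagic": "CONSTRUCTED-PUSH-MAGIC"})

class CheckInRegistry:
    """Server-side check-in handling: remember each device's APNs token and PushMagic."""

    def __init__(self, push_topic):
        self.push_topic = push_topic   # topic embedded in our APNs push certificate
        self.devices = {}              # UDID -> {"token": hex str, "push_magic": str}

    def handle_checkin(self, body):
        """Process one check-in plist and return its MessageType; reject topic mismatches."""
        msg = plistlib.loads(body)
        if msg.get("Topic") != self.push_topic:
            # A device enrolled under another topic can never be woken with our certificate.
            raise ValueError("check-in Topic does not match this server's push certificate")
        kind, udid = msg["MessageType"], msg["UDID"]
        if kind == "Authenticate":
            self.devices.setdefault(udid, {})   # accepted; the token arrives in TokenUpdate
        elif kind == "TokenUpdate":
            # UnlockToken, when present, can clear the passcode: store it encrypted, never log it.
            self.devices[udid] = {"token": binascii.hexlify(msg["Token"]).decode(),
                                  "push_magic": msg["PushMagic"]}
        elif kind == "CheckOut":
            self.devices.pop(udid, None)        # profile removed; stop managing the device
        else:
            raise ValueError(f"unexpected MessageType {kind!r}")
        return kind

    def wake_up_request(self, udid):
        """Build the APNs request that makes the device poll ServerURL for commands."""
        dev = self.devices.get(udid)
        if not dev or "token" not in dev:
            raise KeyError("no push token recorded for this device yet")
        return {
            "device_token": dev["token"],
            "headers": {"apns-topic": self.push_topic, "apns-push-type": "mdm"},
            "payload": json.dumps({"mdm": dev["push_magic"]}),   # no command data travels via APNs
        }
```

The gateway.push.apple.com:2195 endpoint named above is the legacy binary APNs interface, which Apple retired in 2021; the headers in the request dictionary are those of the current HTTP/2 provider API at api.push.apple.com:443.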

At a Glance 🌟

  • The MDM Check-in Protocol lets a device contact your server.
  • The MDM Protocol sends management commands to the device.
  • The way you design your payload matters.
  • DEP lets you configure devices with the setup assistant.
  • Apple Push Notification Certificates can be generated through the Apple Push Certificates Portal.

Final thoughts 🏁

That’s all, covered briefly, to get to know about MDM. I hope this post has motivated you to learn more about iOS MDM or has taught you something new. Applaud heartily!! 👏 I will leave a list of links at the end of the page; feel free to comment or send me any other helpful videos or links you might have found. If I come back in the following days/weeks/months I will showcase what more I have learnt about it. More drafts to cover 😎 Catch you soon! 👋

Helpful Resources 🔖
