Quite a bit of the work we have undertaken recently involves the MDM protocol used to manage iOS devices. It’s a fairly simple protocol to use, but there is not a great deal of information on the internet, so we’ve put together a few hints that might help you with your MDM implementation.

This document expects you to have a copy of the ‘Mobile Device Management Protocol Reference’ document from Apple (from this point, called the MDM Reference). As that document is covered by NDA, this page will not detail elements contained within it.
Description of the fields in the iPhone Config Util:
- Server URL – the URL the device will connect to when it receives an APNS message via Apple
- Check In URL – the URL the device will connect to during MDM enrolment
- Topic – the push queue the device will listen to. This MUST be in the format of com.apple.mgmt.<unique identifier>
- Identity – a p12 certificate; this is used when the device signs the responses to the commands sent by the server
- Sign Messages – sign the messages from the device to the MDM server using the identity certificate
- Check out when removed – when the MDM profile is removed send a ‘check out’ message to the MDM server
- Access rights – what the device is allowed to query.
- Use Development APNS Server – whether or not to use Apple’s development APNS server
If you use the development APNS server, you will have to configure your server to send the APNS push messages to the ‘sandbox’ APNS URL.
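As an added example that is not part of the original post: a small Python helper that builds the MDM payload these fields end up in and checks the points the list above makes (the Topic format, HTTPS URLs, and sending development profiles to the sandbox gateway). The payload key names follow Apple’s MDM reference, which Apple has since published openly; the two gateway host names and the PayloadIdentifier are assumptions, and the AccessRights bitmask value is whatever the caller supplies.

```python
"""Building and sanity-checking the MDM payload of a configuration profile.
Added example; not the original post's code."""
import plistlib
import re
import uuid

# The post states the Topic MUST look like com.apple.mgmt.<unique identifier>.
TOPIC_RE = re.compile(r"^com\.apple\.mgmt\.[A-Za-z0-9._-]+$")

# Assumed APNS gateway hosts; the sandbox one goes with the development server.
APNS_HOSTS = {False: "gateway.push.apple.com", True: "gateway.sandbox.push.apple.com"}


def mdm_payload(server_url, checkin_url, topic, identity_uuid, access_rights,
                sign_messages=True, checkout_when_removed=True, development=False):
    """Return the com.apple.mdm payload dictionary for the profile.
    access_rights is the bitmask defined in the MDM Reference; the caller supplies it."""
    return {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",      # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "ServerURL": server_url,                      # 'Server URL' field
        "CheckInURL": checkin_url,                    # 'Check In URL' field
        "Topic": topic,                               # 'Topic' field
        "IdentityCertificateUUID": identity_uuid,     # 'Identity': UUID of the p12 payload
        "SignMessage": sign_messages,                 # 'Sign Messages' field
        "CheckOutWhenRemoved": checkout_when_removed, # 'Check out when removed' field
        "AccessRights": access_rights,                # 'Access rights' field
        "UseDevelopmentAPNS": development,            # 'Use Development APNS Server' field
    }


def validate_payload(payload):
    """Return the problems an operator would want flagged before handing the
    profile to users; an empty list means it passed."""
    problems = []
    if not TOPIC_RE.match(payload.get("Topic", "")):
        problems.append("Topic must be com.apple.mgmt.<unique identifier>")
    for key in ("ServerURL", "CheckInURL"):
        if payload.get(key) and not payload[key].startswith("https://"):
            problems.append(f"{key} should use HTTPS")
    if not payload.get("IdentityCertificateUUID"):
        problems.append("IdentityCertificateUUID must reference the identity payload")
    return problems


def apns_host(payload):
    """Pick the push gateway matching the profile's APNS setting, so a
    development profile is never pushed through the production gateway."""
    return APNS_HOSTS[bool(payload.get("UseDevelopmentAPNS", False))]


def to_plist(payload):
    """Serialise the payload as the XML plist that goes into the .mobileconfig."""
    return plistlib.dumps(payload)
```

The Topic check only covers the format; the value must also match the topic of the push certificate you export, which a string check cannot confirm.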
The process flow is as follows:
The user obtains the configuration profile from somewhere (a website or email) and installs it. The device then talks to the server (to the check-in URL, if configured) and uploads XML: the ‘Authenticate’ and ‘TokenUpdate’ documents detailed in the MDM Reference.
The PushMagic and UnlockToken from the TokenUpdate document should be retained and associated with the device’s UUID for later use. The PushMagic value is required to send an APNS message to the device to instigate the MDM process. Once you have the PushMagic, you create a JSON string as per the MDM Reference; this should be signed as per a normal APNS request. There are a number of APNS libraries available to assist with this, and the MDM Reference details the steps you will need to take to export your MDM certificate.
Once the device has received the APNS message, it will send an XML document to the URL defined in ‘Server URL’ in your configuration profile. This document is detailed on page 12 of the MDM Reference. From this point, you can send back a single MDM command if there is one for the device. If the command was correctly formatted and accepted by the device, then it will send back a command response. The response is dependent on the command and these are detailed in the MDM Reference.
If there are no more MDM commands for the device, then the server should respond with an empty response.
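As an added example that is not part of the original post: a minimal server-side model of the check-in and command exchange just described, in Python, written as pure functions over request bodies so the flow can be exercised without a running HTTPS server. It assumes the message key names (MessageType, UDID, Token, PushMagic, UnlockToken, Status, CommandUUID, RequestType) and the `{"mdm": PushMagic}` push payload from Apple’s MDM reference, which Apple has since published openly; the in-memory dictionaries stand in for a database, and the APNS transport and the verification of the device’s message signature are left out.

```python
"""Server-side handling of the MDM check-in and command flow.
Added example, not the original post's code."""
import json
import plistlib
import uuid

# Constructed in-memory stores; a real server persists these.
#   registry: UDID -> {"Token": bytes, "PushMagic": str, "UnlockToken": bytes}
#   queue:    UDID -> list of pending command dicts, oldest first


def encode(message: dict) -> bytes:
    """Serialise a message as the XML plist the device and server exchange."""
    return plistlib.dumps(message)


def decode(body: bytes) -> dict:
    """Parse an XML plist request body."""
    return plistlib.loads(body)


def handle_checkin(body: bytes, registry: dict) -> int:
    """POST to the Check In URL. Returns the HTTP status code to send back."""
    msg = decode(body)
    kind, udid = msg.get("MessageType"), msg.get("UDID")
    if not udid:
        return 400
    if kind == "Authenticate":
        # First contact during enrolment; the tokens arrive in TokenUpdate.
        registry.setdefault(udid, {})
        return 200
    if kind == "TokenUpdate":
        # Retain PushMagic and UnlockToken against the UDID for later use.
        registry.setdefault(udid, {}).update({
            "Token": msg.get("Token"),
            "PushMagic": msg.get("PushMagic"),
            "UnlockToken": msg.get("UnlockToken"),
        })
        return 200
    if kind == "CheckOut":
        # Sent when the profile is removed and 'Check out when removed' is set.
        registry.pop(udid, None)
        return 200
    return 400


def build_push_payload(registry: dict, udid: str) -> bytes:
    """JSON body of the APNS push that wakes the device's MDM client."""
    return json.dumps({"mdm": registry[udid]["PushMagic"]}).encode()


def enqueue_command(queue: dict, udid: str, request_type: str) -> str:
    """Queue one command for a device and return its CommandUUID."""
    command_uuid = str(uuid.uuid4())
    queue.setdefault(udid, []).append({
        "CommandUUID": command_uuid,
        "Command": {"RequestType": request_type},
    })
    return command_uuid


def handle_server_url(body: bytes, registry: dict, queue: dict, results: list) -> bytes:
    """POST to the Server URL. Returns the next command as a plist, or an
    empty body when there is nothing for the device to do."""
    msg = decode(body)
    udid = msg.get("UDID")
    # A device that never completed TokenUpdate is not enrolled: give it nothing.
    if not udid or not registry.get(udid, {}).get("PushMagic"):
        return b""
    status = msg.get("Status")
    if "CommandUUID" in msg:
        # Command response: record it against the CommandUUID we issued.
        results.append((udid, msg["CommandUUID"], status))
    if status == "NotNow":
        # Device cannot act right now; leave the queue alone, it will poll again.
        return b""
    pending = queue.get(udid, [])
    return encode(pending.pop(0)) if pending else b""
```

One command per round trip is the contract: the device reports (Idle, or the result of the previous command), the server answers with the next command or an empty body, and the loop ends when the body is empty.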
Some more points
You should be using an HTTPS server for your MDM communication. If you are, life will be considerably easier for you and your users if you use a certificate signed by Verisign or another public CA. iOS requires a few more steps to trust a self-signed SSL certificate or a certificate signed by a private CA.
Keep the iOS console open while you are testing your server; it will help immensely. Use the iPhone Config Util or Xcode to view the console.
MDM configuration cannot be installed within a profile that limits removal. If you have the ‘General/Security’ setting configured to anything other than ‘Always’ then iOS will reject your profile.
Now, unfortunately we cannot be more specific about the details on a blog; however, our team are available for MDM consultancy, where we can go into more detail. Feel free to get in touch using the comments or our contact form.
2 comments
Jeffrey Smith says:
16/02/2012 at 12:59 am (UTC 0)
Thanks a bunch for the tips, and your website truly looks awesome. Just what WordPress design are you employing?
JohnHaselden says:
18/02/2012 at 10:45 am (UTC 0)
It is a custom theme from our designers over at