Wednesday, November 30, 2016

Mobile Device Management (MDM)


Nowadays employees bring their own devices to work (BYOD) and use them to share data within the office campus, so it is difficult for the IT department to monitor and control those devices. The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed mobile devices. Using the MDM service, an IT administrator can inspect, install, or remove profiles; monitor device status (e.g. battery status); remove passcodes; and begin a secure erase on a managed device.
iOS 4 and later ship with a built-in MDM client, so no extra application needs to be developed for iOS devices to support MDM. Android devices, however, need an MDM client application installed before they can be managed.

iOS MDM
The MDM protocol is built on top of HTTP, transport layer security (TLS), and push notifications. The related MDM check-in protocol provides a way to delegate the initial registration process to a separate server.
MDM uses the Apple Push Notification Service (APNS) to deliver a “wake up” message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.
To provide the MDM service, the IT department needs to deploy an HTTPS server to act as the MDM server and then distribute profiles containing the MDM payload to the managed devices.

iOS MDM Implementation


Configure the MDM server

To configure your MDM server, follow the steps below:
  1. Enroll in the iOS Developer Enterprise Program.
  2. Obtain a signed Certificate Signing Request (CSR) from your MDM vendor.
  3. Once you have the signed CSR from your vendor, visit identity.apple.com/pushcert and sign in with a verified Apple ID.
  4. Click "Create a Certificate" and agree to the Terms of Use.
  5. Select your signed CSR and click Upload. After a moment, your certificate will be available for download.
  6. This certificate can now be uploaded to your MDM server for use with the Apple Push Notification service.
  7. On your MDM server, implement the Profile Manager, implement the push server and add the SCEP stack.



MDM Protocol Implementation:


To implement the MDM protocol for a managed iOS device, the MDM server sends a set of commands to the device.
Communication between the built-in iOS MDM client and the MDM server uses the plist format, so every command is sent as an Apple Property List (.plist) document.

MDM Server to iOS managed device communication format:


<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
     <dict>
           <key>Command</key>
           <dict>
                 <key>RequestType</key>
                 <string>[command name]</string>
                  .
                  .
           </dict>
           <key>CommandUUID</key>
           <string></string>
     </dict>
</plist>

iOS managed device to MDM Server communication format:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
     <dict>
           <key>Status</key>
           <string>Idle</string>
           <key>UDID</key>
           <string>[ redacted ]</string>
     </dict>
</plist>


Important MDM Commands:

Device Lock: This command locks the managed device.
Erase Device: This command immediately wipes the device and resets it to a factory state.
Clear Passcode: If a passcode is present on the device, this command clears it.
Security Information: When this command is sent to a managed iOS device, the built-in MDM client returns the specified security-related settings, including hardware encryption capabilities and whether a passcode is present.
Installed Application List: When this command is sent to a managed iOS device, the built-in MDM client returns the list of all applications currently installed on the device.
Device Information: When this command is sent to a managed iOS device, the built-in MDM client retrieves the specified general information about the device, which includes MAC addresses, IMEI, mobile number, software version, model name and number, and serial number, and sends it to the MDM server.
Certificate List: When this command is sent to a managed iOS device, the built-in MDM client returns the list of all certificates currently installed on the device.
Profile List: This command lists the configuration profiles installed on the device.
Provisioning Profile List: This command lists the provisioning profiles installed on the device (similar to Profile List).
Restrictions List: This command lists the restrictions currently in effect on the device.
Install Profile: This command installs a configuration profile on the device.
Remove Profile: This command removes a configuration profile from the device.
Install Provisioning Profile: This command installs a provisioning profile on the device.
Remove Provisioning Profile: This command removes a provisioning profile from the device, given the profile's UUID.
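The following is an added example, not code from the original post: a minimal server-side handler for the command/response plist format shown above, using only the Python standard library. It builds the Command/CommandUUID envelope for the commands listed, records each issued CommandUUID, and refuses to act on a device reply whose CommandUUID was never issued or that comes from a UDID other than the one the command was sent to. The device_reply helper is a constructed stand-in for the built-in iOS client; the Status values other than Idle, and the Queries/QueryResponses keys, are taken from Apple's MDM Protocol Reference rather than from this post.

```python
import plistlib
import uuid

# Status values other than Idle are taken from Apple's MDM Protocol Reference,
# not from the post above (assumption).
DEVICE_STATUSES = {"Idle", "Acknowledged", "Error", "CommandFormatError", "NotNow"}

# Outstanding commands: CommandUUID -> (UDID it was issued to, RequestType)
pending = {}

def build_command(udid, request_type, **params):
    """Server -> device envelope from the post: Command{RequestType,...} + CommandUUID.
    Returns (command_uuid, plist_bytes) and records the command as outstanding."""
    command_uuid = str(uuid.uuid4()).upper()
    pending[command_uuid] = (udid, request_type)
    body = {"Command": {"RequestType": request_type, **params}, "CommandUUID": command_uuid}
    return command_uuid, plistlib.dumps(body)

def device_reply(udid, status, command_uuid=None, **results):
    """Device -> server plist; a constructed stand-in for the built-in iOS MDM client."""
    msg = {"Status": status, "UDID": udid, **results}
    if command_uuid is not None:
        msg["CommandUUID"] = command_uuid
    return plistlib.dumps(msg)

def handle_device_response(data):
    """Parse a device reply and correlate it with an outstanding command.
    Returns (status, request_type, result_dict). Raises ValueError for an unknown
    Status, an unknown CommandUUID, or a reply from a UDID other than the one the
    command was issued to, so a replayed or mis-addressed reply is never acted on."""
    msg = plistlib.loads(data)
    status = msg.get("Status")
    if status not in DEVICE_STATUSES:
        raise ValueError(f"unexpected Status {status!r}")
    if status == "Idle":  # nothing to report; the server may now send the next command
        return status, None, {}
    command_uuid = msg.get("CommandUUID")
    if command_uuid not in pending:
        raise ValueError(f"reply for unknown CommandUUID {command_uuid!r}")
    udid, request_type = pending.pop(command_uuid)
    if msg.get("UDID") != udid:
        raise ValueError("CommandUUID answered by a different UDID")
    results = {k: v for k, v in msg.items() if k not in ("Status", "UDID", "CommandUUID")}
    return status, request_type, results

if __name__ == "__main__":
    udid = "CONSTRUCTED-UDID-0001"  # constructed sample value
    cu, cmd = build_command(udid, "DeviceInformation", Queries=["SerialNumber", "ModelName"])
    print(cmd.decode())
    reply = device_reply(udid, "Acknowledged", cu,
                         QueryResponses={"SerialNumber": "C0NSTRUCTED1", "ModelName": "iPhone"})
    print(handle_device_response(reply))
```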

iOS MDM Certificate Creation


  • Create a CSR using any toolkit, e.g. Keychain Access on a Mac, then export the private key as 'vendor.p12'.
  • Log in to the Apple Member Center and go to 'iOS Provisioning Portal'.
  • Select 'Certificates' in the left navigation bar and click the 'Other' tab in the center.
  • Follow the instructions on that page and upload the CSR you created.
  • The certificate for you as an MDM vendor will then be available to download on the 'Other' tab. Download it.
  • Download the WWDR intermediate certificate.
  • Download the Apple root certificate.
  • Execute the openssl commands below to convert the MDM vendor certificate, the WWDR certificate and the Apple root certificate to PEM format, one by one:
    openssl x509 -inform der -in mdm_identity.cer -out mdm.pem
    openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
    openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
  • Now generate the encoded plist. You need the following files as input:

          customer.der, vendor.p12, mdm.pem, intermediate.pem, root.pem

          There are also a few third-party web sites that can help you generate the encoded plist. Bear in mind that vendor.p12 holds your vendor private key, so generating the plist locally keeps that key under your own control.

  • First verify that the generated plist.xml matches the sample plist.xml provided in the MDM Protocol Reference document.
  • If plist.xml is in the correct format, upload encoded_plist to the portal. Note that plist.xml is only for your reference and is not what you upload; upload encoded_plist only. Afterwards, download the certificate from the portal.