
I'm going to work on an MDM project on iOS (client side), but after searching I still don't know how MDM really works. Can anyone explain it to me?

Problem:

My server needs to control the list of applications installed on devices (install and remove apps).

Expected Solution:

  • There needs to be an app installed on the devices which plays the role of the client (MY APP).
  • When needed, the server will push a notification to the client via the Apple push notification server.
  • After receiving the notification, the client app will connect to the server to get the server command (e.g. installing app A).
  • After getting the command, MY APP automatically downloads A and installs it.

My question: Is that the way MDM works?

  • If yes, how can MY APP install another app when it has no right to do it (due to the sandbox), and can the server configure the access rights for an app on the devices? If possible, can anyone give me an example of code for the MDM client side to clear things up?

  • If no, it means that the server will be the one which installs app A on the device (instead of MY APP). In that case, how can the server do that?

demongolem
meaholik

2 Answers


iOS MDM is a clientless protocol. So, you develop a server, but you don't develop a client application for it. Actually, there is a client app, but it's developed by Apple and built into the operating system.

So, your server will send a command, and the built-in MDM client will receive and execute it.

Generally speaking, if you want to develop an MDM server, you need to register for the Enterprise Developer Program and get the MDM documentation.

There is some reverse engineered documentation here: http://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf

And the iOS MDM protocol supports Install/Remove application commands.

Victor Ronin
  • Thanks, Victor Ronin, for your answer. It's really helpful. I have some more questions: if some devices are used for work, it means the devices will have some data areas (e.g. folders containing data, or specific sites...) and some apps needed for work. - Can the server restrict the right to access the company's data, only allowing managed devices to access it? Yes or no, and how? - Can the server assign access rights to a normal app on the device (e.g. the server makes my normal app able to install/remove another app, and to see and access the company's data, while other apps cannot...)? Yes or no, and how? – meaholik Jun 05 '14 at 01:52
  • Let me answer the second question first. The server can't add any serious privileges to an app. There are a couple of things which MDM can do to allow small additional functionality, but nothing as drastic as allowing an app to install another app. However, your app can send a request to your server, and the server can trigger the app installation. Answering the first question - it's complicated. I am not sure what your specific case is, but there are 2-3 different known methods to protect server-side data and give access (through VPN, WiFi config profiles and a couple of other methods). – Victor Ronin Jun 05 '14 at 03:52
  • Again, I would really recommend reading the official MDM documentation and https://developer.apple.com/library/ios/featuredarticles/iphoneconfigurationprofileref/introduction/introduction.html This should answer 80% of common questions. – Victor Ronin Jun 05 '14 at 03:53
  • **Generally speaking, if you want to develop an MDM server, you need to register for the Enterprise Developer Program and get the MDM documentation** so having an enterprise account is enough to do MDM; no more rights or entitlements are required .... Correct me if I am wrong @VictorRonin – sathishkumar_kingmaker Dec 03 '16 at 14:30
  • @sathishkumar_kingmaker The best place to check would be Apple. I could be mistaken about details. Also, these details tend to change over time (2 years have already passed since the moment I wrote this answer). As far as I know, the Enterprise developer program is enough. You don't need any additional rights. Entitlements aren't applicable here, because MDM is a purely server-side technology (the iOS MDM client is written by Apple and built into iOS). – Victor Ronin Dec 04 '16 at 05:39
  • @VictorRonin - I don't understand what the need for the Enterprise program is ... we just need to have APNS rights! Even the normal $99 account also has APNS ... Why not use that? – sathishkumar_kingmaker Dec 04 '16 at 05:59
  • @sathishkumar_kingmaker You are correct. You need APNS. However, MDM requires special certs to use APNS for MDM needs. You will need the enterprise program to create a certificate which is used to sign this MDM APNS certificate request. The whole certificate management for MDM is convoluted. However, all of it starts in the Enterprise Developer program under "MDM CSR certificate request". – Victor Ronin Dec 04 '16 at 16:57
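The exchange this answer describes (the server wakes the built-in client through APNs, the client checks in, the server hands it an Install/Remove application command and the client reports the result), as an added Python example that is not part of the original post and is not Apple's or any MDM vendor's code. The `RequestType`, `ManifestURL`, `ManagementFlags` and `Identifier` keys, the `{"mdm": PushMagic}` push payload and the `Idle`/`Acknowledged`/`NotNow` statuses are from Apple's MDM protocol; the UDID, PushMagic, bundle identifier and manifest URL are constructed placeholders, and the `authenticated_udid` parameter is an assumed stand-in for the TLS client-certificate identity a real server would take from the enrollment identity rather than from the request body.

```python
import plistlib
import uuid
from collections import deque

# Constructed sample values; none of these are real devices, tokens or apps.
SAMPLE_UDID = "00000000-0000-0000-0000-000000000000"
SAMPLE_PUSH_MAGIC = "EXAMPLE-PUSH-MAGIC"
SAMPLE_MANIFEST_URL = "https://mdm.example.com/apps/app-a.plist"
SAMPLE_BUNDLE_ID = "com.example.app-a"

command_queues = {}   # UDID -> FIFO of command envelopes not yet acknowledged
command_results = {}  # CommandUUID -> final status reported by the device


def build_push_payload(push_magic):
    """APNs payload that wakes the built-in MDM client. It carries no command,
    only the PushMagic the device reported at enrollment; the client then
    fetches its commands from ServerURL over its own authenticated channel."""
    return {"mdm": push_magic}


def install_application_command(manifest_url):
    """InstallApplication for an in-house app described by a manifest plist.
    ManagementFlags 1 = remove the app when the MDM profile is removed."""
    return {"RequestType": "InstallApplication",
            "ManifestURL": manifest_url,
            "ManagementFlags": 1}


def remove_application_command(bundle_id):
    """RemoveApplication: the device removes only apps that MDM manages."""
    return {"RequestType": "RemoveApplication", "Identifier": bundle_id}


def queue_command(udid, command):
    """Wrap a command body in the envelope the device expects and queue it."""
    command_uuid = str(uuid.uuid4()).upper()
    command_queues.setdefault(udid, deque()).append(
        {"CommandUUID": command_uuid, "Command": command})
    return command_uuid


def pending_commands(udid):
    return len(command_queues.get(udid, ()))


def device_report(udid, status, command_uuid=None):
    """The body the built-in client POSTs to ServerURL (device side)."""
    body = {"UDID": udid, "Status": status}
    if command_uuid is not None:
        body["CommandUUID"] = command_uuid
    return plistlib.dumps(body)


def handle_device_report(report_bytes, authenticated_udid):
    """Server side of one ServerURL round trip.

    `authenticated_udid` stands in for the identity a real server takes from
    the device's TLS client certificate (issued at enrollment): a body whose
    UDID does not match is rejected instead of being trusted. Returns the next
    command envelope, or None when nothing is queued (an empty HTTP 200 body,
    after which the device stops polling until the next push).
    """
    report = plistlib.loads(report_bytes)
    if report.get("UDID") != authenticated_udid:
        raise PermissionError("report UDID does not match the authenticated device")
    queue = command_queues.setdefault(authenticated_udid, deque())
    status = report["Status"]

    if status in ("Acknowledged", "Error", "CommandFormatError"):
        # Final statuses: record the outcome and retire the delivered command.
        command_results[report["CommandUUID"]] = status
        if queue and queue[0]["CommandUUID"] == report["CommandUUID"]:
            queue.popleft()
    elif status == "NotNow":
        # Device cannot run the command right now (e.g. locked); keep it queued
        # and wait for the next check-in instead of re-sending immediately.
        return None

    return queue[0] if queue else None


if __name__ == "__main__":
    cid = queue_command(SAMPLE_UDID, install_application_command(SAMPLE_MANIFEST_URL))
    print("push:", build_push_payload(SAMPLE_PUSH_MAGIC))
    print("deliver:", handle_device_report(device_report(SAMPLE_UDID, "Idle"), SAMPLE_UDID))
    print("after ack:", handle_device_report(
        device_report(SAMPLE_UDID, "Acknowledged", cid), SAMPLE_UDID), command_results)
```

The point to take from the flow is the one the answer makes: no app of yours is involved on the device. The push only carries the PushMagic, the command itself is fetched by Apple's client, and the server decides what to hand out based on the authenticated device identity, not on anything the request body claims.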

MDM means Mobile Device Management. This is the same concept that many corporations have been using for desktops and laptops. They install some software on PCs that allows them to monitor activities on those PCs. In the same way, with MDM they install applications on your mobile device that allow them to monitor activities on mobile devices.

You can refer to some MDM providers to get a better idea, e.g. http://www.air-watch.com/

kkumpavat
  • Yep, I've already visited that site but I'm still in a mess. You mean that for my question the answer is YES (MY APP is the one which installs app A on the device)? How can MY APP get the right to do it? I don't think a normal app has the right to install another app – meaholik Jun 04 '14 at 16:35