
I worked on MDM in Android, and used the APIs to lock, wipe etc. when I receive a C2DM push message from the server.

When I was trying to explore more on the iOS part of it, I was a bit confused. I got a feeling that we don't need to code an agent for the MDM to work on iPhone.

So is it completely managed from the server? Or do I have to have an agent application too? If yes, can you help me with a sample of the agent programming?

Thanks.

User97693321
nithinreddy

3 Answers


For complete MDM control of the iPhone, you either need to look at profile management as sent out from Mac OS X Lion Server (they added this into this OS version) or a third-party solution (MobileIron, Tarmac, etc). There is some good background, slightly dated information here too: How to configure/install MDM server for iPhone and iPad

EDIT

There is no need for a separate agent application - it's handled by iOS itself.

Scott Corscadden
  • No, my question was if there is a need of an agent too? – nithinreddy Apr 06 '12 at 11:28
  • Thanks for the reply. So there is no additional stuff to do on the device side at all? Is it just the certificates (MDM profiles) which needs to be taken care in the server? – nithinreddy Apr 06 '12 at 15:03
  • Pretty much - it's how Apple (and other MDM third party server tools) can give the full "Enterprise Control" experience. You BYOD to work, they say "to use our systems, you have to install this profile - it's the rules", which then allows them later to remote wipe, find, etc - all without requiring them to build a separate agent application. – Scott Corscadden Apr 07 '12 at 11:23
  • @Scott, are there any updates to iOS meanwhile, where you need a client on the iOS device to enable extra capabilities? Because every MDM/MAM/EMM company has their own iOS clients. Also, how do they support remote control when iOS MDM does not support it? – Trident Feb 05 '16 at 22:16
  • @Krish, not sure I understand the question there. This might be a whole new question here on SO. Apple's Profile Manager (which you get using Server) does support Out Of Band enrolment, push, etc - but I doubt they'll ever let something like "Remote Control Support" be a part of it. Their continued credo appears to be that the end-user should be the ultimate arbiter, not a headend in the sky. This is all conjecture and my idle musings though, nothing more. – Scott Corscadden Feb 08 '16 at 21:52
  • @Scott, if you check the Apperian website you can see a few videos; they are able to control all the managed apps pushed by them. I think app wrapping allows them to do so. – Trident Feb 08 '16 at 22:00
  • Ah, right - they hook their own APIs "around" your application, proxying their functionality on top. Ok, that makes sense then. – Scott Corscadden Feb 12 '16 at 17:55

If you are not using Lion Server, you can implement your own MDM server, and for that you need an iOS Enterprise developer account.

To implement an MDM server, follow the steps below.

  1. This PDF https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf is very helpful.
  2. The server URL should start with "https" only, and that URL should exist; you have to provide these details while generating the mobileconfig profile using IPCU.
  3. You can also refer to this page: http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning and then verify a few things, such as removing the passphrase from customerPrivateKey.pem using this command:

openssl rsa -in customerPrivateKey.pem -out PlainKey.pem

Then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command:

cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem

Now this PlainCert.pem file can be used in your server as APNS/MDM certificate.

User97693321
  • Are there any updates to iOS meanwhile, where you need a client on the iOS device to enable extra capabilities? Because every MDM/MAM/EMM company has their own iOS clients. – Trident Feb 05 '16 at 22:13
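The two openssl steps from the answer above, run end to end and followed by a consistency check on the resulting PlainCert.pem. This is an added example, not code from the original answer: the file names match the answer, but the key and certificate are constructed locally (a self-signed stand-in) rather than downloaded from the Apple portal, and the passphrase is supplied with -passin instead of the interactive prompt the original command uses. Assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: reproduce the answer's PEM steps on constructed material and
# verify that the combined file actually contains a matching, unencrypted key.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for customerPrivateKey.pem: a passphrase-protected RSA key.
openssl genrsa -aes256 -passout pass:demo -out customerPrivateKey.pem 2048 2>/dev/null
# Constructed stand-in for the APNS certificate from identity.apple.com:
# a self-signed certificate issued from that same key (subject is made up).
openssl req -new -x509 -key customerPrivateKey.pem -passin pass:demo \
  -subj "/CN=constructed-mdm-push-topic" -days 30 -out CustomerCompanyName.pem 2>/dev/null

# Step from the answer: strip the passphrase so the server can load the key unattended.
openssl rsa -in customerPrivateKey.pem -passin pass:demo -out PlainKey.pem 2>/dev/null
# Step from the answer: concatenate certificate and plaintext key into one file.
cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem

# Sanity check before handing PlainCert.pem to the MDM server:
#  - the key block must not still be encrypted (the server cannot prompt for it)
#  - certificate and key must share one RSA modulus, i.e. belong together;
#    a cert with no matching private key (see the comment below about the
#    keychain showing none) fails this check before it fails at APNS.
check_plaincert() {
  grep -q ENCRYPTED "$1" && return 1
  cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
  key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

check_plaincert PlainCert.pem && echo "PlainCert.pem: certificate and key match"
```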

Answer-

Guys, yes. I'm sure most of you have had this question. With experience after developing MDM on iOS too, we don't need a client to be coded separately in iOS. iOS takes care of it completely.

So you may need the client only for the purpose of pointing out a link to the server having the configuration profile (so you can actually keep a record of who and how many installed the application using a key or an ID in the URL), and if you have to manage things which aren't provided by MDM, like location updates, etc.

nithinreddy
  • I generated a push certificate for MDM. It's got a valid subject/topic. When viewed in the keychain store it says "This certificate was signed by an unknown authority". There's also no private key associated with it. Any idea what's wrong? – Sahil Khanna Sep 05 '12 at 09:08
  • @nithinreddy, are there any updates to iOS meanwhile, where you need a client on the iOS device to enable extra capabilities? Because every MDM/MAM/EMM company has their own iOS clients. – Trident Feb 05 '16 at 21:52
  • I don't think so. The configuration profile is mandatory, and that itself is good enough for all major MDM operations. – nithinreddy Feb 07 '16 at 02:36