
I am new to IOS MDM development using the APNs service. We are developing MDM for ios and it is in initial stage. We have a developer account created for Apple recently. I have gone through many websites and links but still is not confident on how to send command to an ios device. Going through the below forum i understood that we need to first check the device status and then send the commands to the device. Sending mdm payload

My query is how to do it. I did not find any code snippet in Java which we actually use to send a command like "DeviceLock" to ios device. Can anyone help me with a small snippet of Java for my proceedings so that I can use the same code to apply policies to the devices as well.

Please Help.. Thanks for reading.

Samreen
  • Welcome to Stack Overflow. It is recommended to go through http://stackoverflow.com/help/how-to-ask – Nagama Inamdar Jul 23 '14 at 09:52
  • Have you completed the implementation? Can you suggest to me how the server interacts with the device and the device with the server in the form of requests? I mean, in what form do you send a command from the server, and how do you check that the command is done and send the feedback to the device? – Imran Sep 25 '14 at 14:20
  • @Imran: Hello, sorry for the late response. Assuming that you are through the enrollment of the device, answering your questions: please find my comments below under "Updated". – Samreen Sep 29 '14 at 12:49

2 Answers

Updated:

  1. To send any command to the device we first need to install the MDM profile on the device. It contains a ServerURL, which the device uses to poll for commands whenever it receives a push notification.

  2. Refer http://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf for in detail enrollment also refer "Sending Push Notifications" section and sections following it from the above link for detailed device commands.

  3. To send push notification we need to have an apns push certificate which we can create from apple's identity portal refer: http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning

  4. For mdm, we send push notification payload to APNs as {mdm : "PushMagicToken-of-device"}

  5. When push notification is received by the device it will contact mdm server's server-url for command to be executed.

Answering your questions: (P.S Used Java for communication)

Q1. "Can you suggest me how server is interacting with the device and device with the server in the form of request"

Answer: The device will interact with the server when it receives a push notification from APNs. It will contact the URL given in the ServerURL key that you provide in the MDM payload.

This is a PUT request; the device sends an Idle status to the server in plist format.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Status</key>
<string>Idle</string>
<key>UDID</key>
<string> [ redacted ] </string>
</dict>
</plist>

All communication with the device is done in plist (property list) format, which the device understands natively.

Q2: "It means in what form you send command from server and how you check that the command is done and send the feedback to the device"

Server too sends command to the device in form of plist. For Example: Below is the plist sent for DeviceLock command from my mdm server when the device sends an Idle status response.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Command</key>
        <dict>
            <key>RequestType</key>
            <string>DeviceLock</string>
        </dict>
        <key>CommandUUID</key>
        <string>ph_mdm_command_uuid</string>
    </dict>
</plist>

Please note: each command has a CommandUUID field which we can use to track the current commands at the server end; it maintains the current session. Whatever command we send to the device with a CommandUUID, the device responds with the status of that command, carrying the same CommandUUID.

So in response to DeviceLock Command RequestType, device sends back a response:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>ph_mdm_command_uuid</string>
    <key>Status</key>
    <string>Acknowledged</string>
    <key>UDID</key>
    <string>device_udid</string>
</dict>
</plist>

Here the CommandUUID is the same as the one sent by the server, UDID is the device UDID, and the status is Acknowledged, which denotes that the command was successfully executed on the device.

Note: all of this is sent in the Java response as bytes, if you meant the format in which I send the response to the device.

I assume "to send feedback to the device" means either to send the next request or to stop polling: similar steps are followed if you have a list of commands to be sent to the device, as currently we can send only one command at a time. If there are no commands to execute and you want the device to stop polling, you need to send an empty response. Refer to iOS MDM - How to close or stop connection after device responds back with valid response for more details.

Hope this cleared the doubts. If you are at the enrollment phase, please refer to @Victor's comments before following this. Let me know in case of any clarifications. Currently I have an MDM setup running on an iOS device successfully.

Thanks.

Samreen
  • Thanks for the response and sorry for the late reply as I was on leave. What if I have to write the MDM server in ASP.NET? What difference basically do you think it will have in the server setup if I go with your process and an MDM server in ASP.NET? – Imran Oct 10 '14 at 07:00
  • @Imran: I am unaware of ASP.NET as a technology, but as far as iOS device communication and the request and response is concerned it will always be in plist format irrespective of what server technology we are using. It would rather be similar to Java MDM Server as per my knowledge. – Samreen Oct 10 '14 at 11:40
  • @Imran : You just need to follow what the document says. Each and every step. It is not dependent on the technology you use. Python code is just for reference. The theoretical part is what you have to follow and write the server code in you specific server technology. – Samreen Oct 20 '14 at 08:16
  • Hi Samreen. Thanks for the help you did. I have tested all the commands and those are working fine for me, but there is a big issue in between. When I am installing the profile on the device then it's working fine, and just after installation I am sending a command (say lock) to the device using the path between server and device created at the time of profile installation. So I checked all the commands at the time of profile installation. But when I try to connect the MDM server to the device through APNS then it's not responding. I am stuck at the end. Can you please suggest what can be wrong? – Imran Jan 02 '15 at 09:14
  • Hello Imran, I would like to know whether after installation of the profile on the device did you receive any Token, PushMagic, UnlockToken. Whenever we want to connect to the device using APNS we need to send the Token and PushMagic along with the apns certificate and the password – Samreen May 06 '15 at 11:36
  • Hi Samreen, sorry for the delay... During the process of installation of the MDM profile on the device, the device first pings the MDM server with an "Authenticate" plist which contains the UDID (Unique Device Identifier), which we need to save in our database, after which the device pings the MDM server with a "TokenUpdate" plist which contains the UDID, PushMagic, Token and UnlockToken. – Imran May 09 '15 at 04:40
  • Hey Imran, absolutely right. Use the Token and PushMagic to send commands to APNS. APNS will internally send a command to your device and the device will contact your MDM ServerURL which you had provided while installing the profile on the device. You can use iPCU to check whether your device is receiving commands or not. If it receives a command, in the iPCU console logs you will see something like this: "MDM: Polling MDM server https: you-serverUrl for next command." ServerURL will always be https and the device should have the server's certificate. Let me know your output? – Samreen May 11 '15 at 04:59
  • Hi Samreen, are you able to see "MDM: Polling MDM server https: you-serverUrl for next command"? If yes, then put some logs on the ServerURL to check the request which is coming from the device; the device basically requests with a Status "Idle" plist along with the UDID. BTW, which output are you referring to? – Imran May 11 '15 at 07:17
  • Hello Imran, We have a full-fledged working MDM system implemented for iOS device. Device will send the current status to mdm. for first time it will send "Idle" status. In response to this you have to send your current command which has to be sent. This coding you have to do on your side i.e. MDM. Your implementation based on your system.. solely dependent on your application.. Output i meant was about the console logs.. – Samreen May 12 '15 at 09:47
  • Which console log. iPhone or MDM Server? – Imran May 13 '15 at 04:49
  • Hi Samreen. Didn't get the 4th point. How do we send the push notification payload to APNs as {mdm : "PushMagicToken-of-device"}? Sorry, I am right now at the initial stage. How do we receive the idle status of the device? – sau Jun 05 '15 at 13:54
  • Hello sau, have you successfully installed mdm profile on your device?? When we send the mdm configuration payload to device we send a Topic field which is the "UID" in format like "com.apple.mgmt.External.ebad...." obtained from the apple's identity portal. After the profile is installed on the device. Device sends Push magic token and deviceToken to mdm server which is used to send to APNS in the {mdm : "PushMagic"} format. Please revert in case of issues which you have found.. To receive IDle status is still far to be implemented if you are at initial stage. – Samreen Jun 08 '15 at 05:58
  • Hi Samreen. Pleased to get response from you. Thank you so much. I have done all the certificates part from here https://github.com/project-imas/mdm-server. But i am not able to code. Will you please tell me all the initial steps for which i need to write code for MDM server in PHP. I have read all of your documentation on stackoverflow. I will read it again. I have understood few theoretical parts. But not able to start coding parts. – sau Jun 08 '15 at 07:23
  • Hello sau, good to hear that certificate creation was done.. I am completely naive to PHP. Talking how to implement it refer this blog: http://avibirnale.blogspot.in/2013/05/mdm-development-configuration-for-ios.html it helps a lot. – Samreen Jun 09 '15 at 07:49
  • @Samreen, hi, which server are you using for MDM? Initially we used a dedicated server but now we are transferring to Microsoft Azure. So the profile installation is failing when we are installing it (Profile Installation Failed). Maybe Azure has an issue with the PUT request, from what I have found out till now. Do you have any idea about it? Do we need to create fresh certificates? – Imran Jun 25 '15 at 07:38
  • @Samreen, it worked. It was a slightly different issue in Azure. We had to configure the PUT request on top of IIS for all web applications on Azure, since we are using SNI for our applications, i.e. removing WebDAV from handlers and WebDAVModule from modules in the web.config file. Thanks for all your help. – Imran Jun 29 '15 at 06:48
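The request/response cycle described in the answer above, carried end to end, as an added example that is not part of the thread or of any MDM product mentioned in it. It is written in Python with the standard-library plistlib (the thread itself notes that the exchange is the same whatever server technology is used, so a Java server follows the same logic): enrollment state recorded from TokenUpdate, the {mdm: PushMagic} push body handed to APNs, the Idle status answered with a DeviceLock envelope carrying a fresh CommandUUID, the device's result matched against that CommandUUID, and an empty body once the queue is drained. The UDID, device token and PushMagic values are constructed, and MDMServer, device_message and demo are names chosen here, not from the thread.

```python
import plistlib
import uuid
from collections import deque

# Constructed sample data (not from the thread): one enrolled device.
DEVICE_UDID = "UDID-EXAMPLE-0001"
DEVICE_TOKEN = bytes.fromhex("00112233445566778899aabbccddeeff")  # from TokenUpdate
PUSH_MAGIC = "PUSHMAGIC-EXAMPLE"                                   # from TokenUpdate


def device_message(udid, status, command_uuid=None):
    """Build what the built-in MDM client PUTs to ServerURL: Idle, or a command result."""
    msg = {"Status": status, "UDID": udid}
    if command_uuid is not None:
        msg["CommandUUID"] = command_uuid
    return plistlib.dumps(msg)


class MDMServer:
    def __init__(self):
        self.devices = {}      # UDID -> {"Token": bytes, "PushMagic": str}
        self.queues = {}       # UDID -> deque of command dicts not yet sent
        self.outstanding = {}  # UDID -> envelope sent and awaiting a result
        self.results = []      # (UDID, CommandUUID, Status) as results arrive

    def enroll(self, udid, token, push_magic):
        """Record what the device reports in TokenUpdate after the profile installs."""
        self.devices[udid] = {"Token": token, "PushMagic": push_magic}
        self.queues[udid] = deque()

    def queue_command(self, udid, request_type, **params):
        if udid not in self.devices:
            raise KeyError("device not enrolled: %s" % udid)
        self.queues[udid].append({"RequestType": request_type, **params})

    def apns_payload(self, udid):
        """Body of the push to APNs; address it to devices[udid]['Token'] under the MDM topic."""
        return {"mdm": self.devices[udid]["PushMagic"]}

    def handle_server_url(self, body):
        """Service one PUT to ServerURL; return the response body, b"" to stop the device polling."""
        msg = plistlib.loads(body)
        udid = msg.get("UDID")
        if udid not in self.devices:
            # A request from an unknown UDID must never be answered with a command.
            raise PermissionError("unknown UDID")
        status = msg.get("Status")
        pending = self.outstanding.get(udid)
        if status != "Idle":
            # A result must quote the CommandUUID of the command we issued to this UDID.
            if pending is None or msg.get("CommandUUID") != pending["CommandUUID"]:
                raise PermissionError("result does not match an outstanding command")
            del self.outstanding[udid]
            self.results.append((udid, pending["CommandUUID"], status))
            if status == "NotNow":
                # Device cannot run it yet: requeue it and wait for the next check-in.
                self.queues[udid].appendleft(pending["Command"])
                return b""
        elif pending is not None:
            # Idle while a command is outstanding: re-send the same envelope, same CommandUUID.
            return plistlib.dumps(pending)
        if not self.queues[udid]:
            return b""  # nothing queued: the empty response ends this polling session
        envelope = {"CommandUUID": str(uuid.uuid4()), "Command": self.queues[udid].popleft()}
        self.outstanding[udid] = envelope
        return plistlib.dumps(envelope)


def demo():
    """Full exchange for one DeviceLock: push body, Idle -> command, result -> empty response."""
    srv = MDMServer()
    srv.enroll(DEVICE_UDID, DEVICE_TOKEN, PUSH_MAGIC)
    srv.queue_command(DEVICE_UDID, "DeviceLock")
    push = srv.apns_payload(DEVICE_UDID)
    # 1. the device wakes on the push and PUTs an Idle status
    first = plistlib.loads(srv.handle_server_url(device_message(DEVICE_UDID, "Idle")))
    # 2. the device executes the command and PUTs the result with the same CommandUUID
    second = srv.handle_server_url(
        device_message(DEVICE_UDID, "Acknowledged", first["CommandUUID"]))
    # 3. a forged result quoting a CommandUUID we never issued is refused
    try:
        srv.handle_server_url(device_message(DEVICE_UDID, "Acknowledged", "not-ours"))
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return {
        "push": push,
        "request_type": first["Command"]["RequestType"],
        "stopped_polling": second == b"",
        "results": srv.results,
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two checks carry the security weight: a PUT from a UDID that never completed TokenUpdate is refused rather than answered with a command, and a result is accepted only if its CommandUUID matches the envelope outstanding for that same UDID, so a client cannot mark commands done that it was never sent. Both assume, as the comments above say, that ServerURL is served over https with a certificate the device trusts; TLS and the web framework that delivers the PUT body to handle_server_url sit in front of this code.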

I don't think there is a way to answer your question. It's not clear what your problem is, and it's impossible to explain the whole of MDM here on Stack Overflow.

I would recommend reading three documents (at least a couple of times):

Generally speaking, it's impossible to develop MDM without a deep understanding of at least the first two documents.

There are a couple of open source implementations which you can take a look at:

  • Profile Manager (included in OS X Server). It's in some mix of Ruby + binary

  • WSO2

I could swear that I saw a Java open source implementation of MDM, but I can't find it now.

Victor Ronin
  • Thanks Victor. I have been through all these documents earlier and also referred to the WSO2 code for initial understanding. The WSO2 code base has most of the DB and device interaction written in JavaScript (jQuery precisely). I am sorry I could not make myself clear. My only problem is: how will my Java MDM server interact with the iOS device? We have implemented this in Java for Android devices; having an Android client at the device side, we could handle interactions with the Java MDM server. But iOS has an inbuilt MDM client which can directly interact with our third-party MDM server. – Samreen Jul 24 '14 at 04:26
  • My query is: referring to the WSO2 code I found the push notification to the APNS server using the code below: ApnsService service = APNS.newService().withCert(AppConfigurations.getConfigEntry(AppConfigurations.APNS_PUSH_CERT_PATH),AppConfigurations.getConfigEntry(AppConfigurations.APNS_PUSH_CERT_PASSWORD)).withProductionDestination().build(); service.start(); service.testConnection(); String mdmPayload = APNS.newPayload().mdm(pushMagicToken).build(); service.push(deviceToken, mdmPayload); Here the deviceToken and pushMagicToken were obtained during enrollment of the iOS device, I suppose. – Samreen Jul 24 '14 at 04:49
  • This code is used for sending push notifications to the APNS server (to check device status) and not to the iOS device. I need the actual code which shows how to send the actual command, for example the DeviceLock command, to the iOS device, which I could not find in any of the posts. All the documents describe only what we can send to the device but not how. I need the "how" implementation for a start. Please help. – Samreen Jul 24 '14 at 04:50
  • Oh... got it. The idea is the following. Your device will give you deviceToken and pushMagicToken (as you mentioned). You will send a push notification to APNS when you have outstanding commands on the server. APNS will forward this push notification to the device (to the inbuilt MDM client which you mentioned). And this MDM client will contact your server. It will do a GET on the ServerURL which was defined in the MDM payload installed during enrollment. This way you can think about a push notification as a "call home" request which you send through APNS to a device. – Victor Ronin Jul 24 '14 at 16:00
  • Alright!! Thanks Victor. These statements have almost cleared my doubts. So we have a server URL which we pass while enrolling, and this URL will do most of the talking for the device to the MDM server. The WSO2 code does have some config mentioned for the URLs ios-enroll-url, ios-profile-url, ios-checkin-url, ios-server-url (so this will be used for future interactions). Thanks a lot, most of my starting doubts are clear. Maybe some more will come as I start implementing. It was a great help, Victor. :) – Samreen Jul 25 '14 at 05:19
  • I believe in their case the enroll and profile URLs are for OTA enrollment, checkin is for MDM enrollment, and the server URL is for the main communication. – Victor Ronin Jul 25 '14 at 15:19
  • Yes, that's correct. Enroll and profile would be used only while enrolling a device, the checkin URL will help for MDM interactions like when the token update happens, and the server URL is for the main communication. – Samreen Jul 28 '14 at 05:34