1

How do MDM and MAM capabilities work on iOS? Do we need a third-party client running on iOS devices to receive MDM/MAM commands from the HTTPS server? How does the enrollment happen? I am sure that iOS depends on push notifications to receive commands, so I am assuming that a third-party MDM client should be available on the device in spite of iOS having an inbuilt MDM agent running all the time. What's the difference between MDM and MAM for iOS?

Trident

1 Answer

3

MDM is device-level configuration for device control and security. MAM is the same thing but at the app level. The commonality is that each configuration element is delivered through a configuration payload defined by Apple. Check out https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html.

The best way to understand this ecosystem is just to know what has to be done and the role each party plays:

  1. Apple provides an MDM/MAM interface in the form of a configuration file format and code interfaces (Obj-C/Swift) to vendors (AirWatch, MobileIron, ...). Features that you hear announced at WWDC each year are added to this list.
  2. The vendor implements tooling for enterprises that enables the corresponding features (e.g. an MDM console for basic config params, an SDK to code against, ...)
  3. Apple provides the underlying runtime implementation of the feature (e.g. presenting only MDM-compliant options for setting lock timeout, providing the code hooks for enterprise single sign-on, ...)

Yes, you're going to have the devices go through the enrollment process. For AirWatch there is an agent app that they run through to enroll.

  • Thanks for the detailed explanation. I understand the concept of configuration profiles, how they are used to send commands, polling options from the device, enrolling options and the flow defined by Apple. What I don't understand in your answer is: does Apple provide an Obj-C interface to leverage additional capabilities from the agent app or MAM-enabled apps? I never came across such an interface. Is this some kind of partnership program that Apple chooses to share with, or is access to this interface limited? – Trident Mar 06 '16 at 17:15
  • 1
    Hey Krish. I see what you are asking. There is no "app developer" interface for you to code against. The two main features that Apple added into MAM are accomplished through hooks under URLSession. For Per-App VPN, calls to a URL run through a hook that checks the Per-App VPN payload in the configuration and transparently redirects through the VPN client on the device. Enterprise AuthN and SSO work similarly - when you call a secured endpoint that challenges for credentials, the underlying iOS framework pops a user/password form and then responds. No Obj-C or Swift API in either case. – Dave Cotton Mar 08 '16 at 04:58
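
To make the "everything is a configuration payload" point from the answer and comments concrete, here is an added example (not from the original posts, and not Apple or vendor code) that inventories the payloads inside an unsigned configuration profile so they can be reviewed before deployment. The sample profile, its identifiers and UUIDs are constructed placeholders, and the device/app scope mapping is this example's assumption following the answer's MDM vs. MAM split.

```python
import plistlib

# Constructed sample profile; identifiers and UUIDs are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
         "PayloadIdentifier": "com.example.profile.passcode",
         "forcePIN": True, "maxInactivity": 5},
        {"PayloadType": "com.apple.vpn.managed.applayer",
         "PayloadIdentifier": "com.example.profile.pavpn",
         "VPNUUID": "00000000-0000-0000-0000-000000000002"},
        {"PayloadType": "com.apple.sso",
         "PayloadIdentifier": "com.example.profile.sso"},
        {"PayloadType": "com.example.unknown",
         "PayloadIdentifier": "com.example.profile.other"},
    ],
})

# Assumed classification (device-level vs. app-level), not an Apple-defined one.
SCOPE = {
    "com.apple.mdm": "device",
    "com.apple.mobiledevice.passwordpolicy": "device",
    "com.apple.vpn.managed.applayer": "app",   # Per-App VPN
    "com.apple.sso": "app",                    # enterprise single sign-on
}

def inventory(profile_bytes):
    """Return (payload type, identifier, scope) for each payload in the profile."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    rows = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        ident = payload.get("PayloadIdentifier", "")
        rows.append((ptype, ident, SCOPE.get(ptype, "unreviewed")))
    return rows

def needs_review(profile_bytes):
    """Payload types that have no entry in the reviewer's classification."""
    return [t for t, _, scope in inventory(profile_bytes) if scope == "unreviewed"]

if __name__ == "__main__":
    for row in inventory(SAMPLE_PROFILE):
        print(*row, sep="\t")
```

Signed profiles are wrapped in a CMS envelope and have to be unwrapped before `plistlib` can read them; this example handles only the unsigned plist form.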