How to develop a mobile device management application in iOS

Programming basics | Industry news. Updated: 2024-10-17 05:32:26

This article explains how to develop a mobile device management (MDM) application in iOS. It may be of some reference value to readers facing the same problem; follow along with the editor below.

Problem description

    I have many iOS devices in my company and I have to manage them centrally, so we tried to use third-party MDM applications, e.g. AirWatch, but it is very costly.

    We decided not to use it and are thinking of creating an MDM from scratch. We tried all the solutions available online but I didn't get any solution. Can anyone please help me with this?

    Solution

    iOS MDM is a clientless protocol. So you develop a server, but you don't develop a client application for it. Actually, there is a client app, but it is developed by Apple and built into the operating system.

    So your server will send a command, and the built-in MDM client will receive and execute it.

    Generally speaking, if you want to develop an MDM server, you need to register for the Enterprise Developer Program and get the MDM documentation.

    The documentation here will help you create your own MDM solution from scratch, I believe.

    Reference

    Some other helpful links on developing an MDM server: Ref 1, Ref 2

    Here is the link to the MDM tag on Stack Overflow; browsing it will help you get answers to most of the FAQs.

    If you want any clarification on getting this done, comment below. I'm ready to help you.

    Update

    Overview

    • In order to manage a device we can configure it manually using the iOS Settings app.

      But this has a scalability problem: it's a lot of work configuring every device manually, and it requires physical access.

    • So Apple introduced the iPCU (iPhone Configuration Utility) tool, with which we can create configuration profiles (.mobileconfig) and install them over USB or OTA (Over the Air).

      But it requires user interaction.

    • So Apple introduced MDM services for iOS. It does not require user interaction; we can do many things very easily without user consent, such as remote lock, unlock, wipe, configuring mail, etc.

      MDM is basically a protocol with which you can manage devices remotely.

      Overview

      Changes we make in the iOS Settings app are stored in /var/mobile/Library/ConfigurationProfiles as .plist files, along with the profiles (.plist) installed by iPCU and MDM.

      Let's say we are turning off App Store app installation on the device. To do that we'll go to Settings -> Restrictions and turn off App Store installation, so allowAppInstallation would be set to false in its configuration (.plist). Let's say we are configuring app installation using iPCU as well as MDM; then iOS will take the most restrictive one when a conflict arises between the configuration profiles of the iOS Settings app, the iPCU profile and the MDM profile.

      iOS creates a profile called ProfileTruth.plist by merging all these profiles, and iOS works with respect to this plist.

      MDM basically consists of these things

      • iOS Device

        It can be any device that runs iOS. All iOS devices have an inbuilt MDM client. It will act upon the instructions fed to it by the MDM server.

      • MDM Server

        It's basically an application hosted on an application or web server, and it feeds commands to the MDM client that is hosted on the iOS device.

      • Signalling

        This is the mechanism that invokes the MDM client from the server; in our case it is APNS.

    Herewith I have attached the MDM workflow.

  • The MDM server sends a notification using APNS.
  • APNS delivers it to the device.
  • The built-in MDM client connects to the MDM server.
  • Upon connection the MDM server sends back the commands queued up for the client; the client acts upon the commands sent by the MDM server and replies with the appropriate acknowledgement to the MDM server.
  • Steps to create a simple MDM

    MDM Enrolment

    It starts with the MDM enrolment profile.

    In iPCU you can create a new profile choosing the MDM payload.

    Check In URL

    This is the URL where enrolment of the device happens, i.e. upon installation of the profile on the device, the MDM client sends the necessary information to the MDM server, which the MDM server will use to authenticate and connect with the device.

    Server URL

    Once the MDM server has the enrolment information, it can use it to contact the device via APNS. When the MDM client wakes up it connects to the URL given in Server URL, and the server can send back the queued commands to the MDM client.

    Topic

    Enter the subject of the APNS certificate that's going to be used for MDM.

    Identity

    It can be any certificate generated by Certificate Assistant, but the important thing is that it has to be signed by a globally trusted CA or, in the case of a self-signed CA, the CA has to be installed on the device.

    Install the MDM Enrolment Profile

    You can install this profile Over the Air or over USB.

    As soon as it installs, the iOS built-in client will connect to the MDM server (Check In URL) with an Authenticate request.

    PUT: /checkin

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>MessageType</key>
        <string>Authenticate</string>
        <key>Topic</key>
        <string>com.example.mdm.pushcert</string>
        <key>UDID</key>
        <string>[ redacted ]</string>
    </dict>
    </plist>

    Now the server can either accept or reject the Authenticate request. In order to accept, the server has to respond with a blank plist:

    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    </dict>
    </plist>

    Upon receiving the response, the MDM client will send a TokenUpdate request:

    PUT: /checkin

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>MessageType</key>
        <string>TokenUpdate</string>
        <key>PushMagic</key>
        <string>[ redacted uuid string ]</string>
        <key>Token</key>
        <data>[ 32 byte string, base64 encoded, redacted ]</data>
        <key>Topic</key>
        <string>com.example.mdm.pushcert</string>
        <key>UDID</key>
        <string>[ redacted ]</string>
        <key>UnlockToken</key>
        <data>[ long binary string encoded in base64, redacted ]</data>
    </dict>
    </plist>

    Again the server needs to send a plain (empty) plist to complete the enrolment process.

    The MDM server has to store the following keys on the server:

    PushMagic

    The server has to attach this to every push notification it sends to wake the MDM client.

    Token

    A unique id that identifies the device to APNS

    UnlockToken

    A key used to clear the passcode of the device.

    Managing the Device

    Now the server has to send a push notification, passing the above Token as the device token to the push notification library and the PushMagic as the value for the key mdm in the payload:

    {"mdm":"996ac527-9993-4a0a-8528-60b2b3c2f52b"}

    Note that aps is not present in this payload.

    Once the device receives the push notification, the MDM client contacts the Server URL (instead of the Check In URL) with status Idle:

    PUT: /server

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Status</key>
        <string>Idle</string>
        <key>UDID</key>
        <string>[ redacted ]</string>
    </dict>
    </plist>

    The server then responds with whatever command it has queued for the device.

    Let's see an example for DeviceLock.

    The server has to respond to the client request with a command like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Command</key>
        <dict>
            <key>RequestType</key>
            <string>DeviceLock</string>
        </dict>
        <key>CommandUUID</key>
        <string></string>
    </dict>
    </plist>

    When the MDM client receives this in reply to the status Idle request it sent earlier, it will immediately lock the device and respond to the server with the following standard acknowledgement:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string></string>
        <key>Status</key>
        <string>Acknowledged</string>
        <key>UDID</key>
        <string>[ redacted ]</string>
    </dict>
    </plist>

    You can find a list of some commands here.

    That's all. This approach would do for a simple demo.

    Note:

    I will try to fine-tune or add more content here for easier understanding.
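The check-in and Server URL exchanges described in the answer, modelled server-side in Python as an added example (this is not code from the answer, from Stack Overflow or from Apple). It uses only the standard library: plistlib parses and emits the XML plists shown above. The in-memory dictionaries, the function names, the UDID and the token values are constructed for the example; the HTTPS transport, the client-certificate check on the Identity certificate and the actual APNS delivery are assumed to be handled elsewhere. It goes slightly beyond the answer in one place: any non-Idle status (Acknowledged, Error, NotNow) is treated as the result of the command named by CommandUUID, and a rejected check-in is signalled by an exception that the HTTP layer is expected to turn into a non-2xx status.

```python
import json
import plistlib
import uuid

# Push-certificate topic, as in the answer's sample plists.
MDM_TOPIC = "com.example.mdm.pushcert"

# In-memory stores standing in for the server's database (constructed for this example).
devices = {}        # UDID -> {"topic", "push_magic", "token", "unlock_token", "enrolled", "results"}
command_queue = {}  # UDID -> commands waiting for the device's next "Idle" request
pending = {}        # CommandUUID -> UDID, commands handed out but not yet answered


def handle_checkin(body: bytes) -> bytes:
    """Handle one PUT /checkin body; return the plist bytes to send back.

    Authenticate and TokenUpdate are both accepted with an empty plist, as the
    answer describes. A rejected check-in raises; the HTTPS layer (assumed, not
    shown) must turn that into a non-2xx status so the device does not treat
    the enrolment as accepted.
    """
    msg = plistlib.loads(body)
    mtype, udid = msg.get("MessageType"), msg.get("UDID")
    if not udid:
        raise ValueError("check-in without UDID")

    if mtype == "Authenticate":
        # Only enrolments against our own push topic are accepted.
        if msg.get("Topic") != MDM_TOPIC:
            raise PermissionError(f"unexpected Topic {msg.get('Topic')!r}")
        devices[udid] = {"topic": msg["Topic"], "enrolled": False, "results": {}}
        return plistlib.dumps({})

    if mtype == "TokenUpdate":
        if udid not in devices:
            raise PermissionError("TokenUpdate before Authenticate")
        rec = devices[udid]
        rec["push_magic"] = msg["PushMagic"]          # must ride in every push
        rec["token"] = msg["Token"]                   # bytes: the APNS device token
        rec["unlock_token"] = msg.get("UnlockToken")  # bytes: needed to clear the passcode
        rec["enrolled"] = True
        return plistlib.dumps({})

    raise ValueError(f"unsupported MessageType {mtype!r}")


def enqueue_command(udid: str, request_type: str, **params) -> str:
    """Queue a command for an enrolled device and return its CommandUUID."""
    if not devices.get(udid, {}).get("enrolled"):
        raise KeyError(f"{udid} is not enrolled")
    cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
           "Command": {"RequestType": request_type, **params}}
    command_queue.setdefault(udid, []).append(cmd)
    return cmd["CommandUUID"]


def apns_message(udid: str) -> tuple:
    """Return (hex device token, JSON payload) for the push that wakes the client.

    The payload carries only the "mdm" key with PushMagic and no "aps" dictionary,
    so nothing is shown to the user; it only tells the built-in client to contact
    the Server URL.
    """
    rec = devices[udid]
    return rec["token"].hex(), json.dumps({"mdm": rec["push_magic"]})


def handle_server(body: bytes) -> bytes:
    """Handle one PUT /server body; return the next command or an empty body.

    "Idle" just asks for work. Any other Status reports the outcome of the
    command named by CommandUUID; it is recorded and the next queued command,
    if any, is handed out in the same session, which is how the client drains
    the queue. Unknown CommandUUIDs are refused rather than recorded.
    """
    msg = plistlib.loads(body)
    udid, status = msg["UDID"], msg["Status"]
    if status != "Idle":
        cmd_uuid = msg.get("CommandUUID")
        if pending.pop(cmd_uuid, None) != udid:
            raise ValueError(f"unexpected CommandUUID {cmd_uuid!r} from {udid}")
        devices[udid]["results"][cmd_uuid] = status
    queue = command_queue.get(udid, [])
    if not queue:
        return b""  # nothing queued: an empty body ends the session
    cmd = queue.pop(0)
    pending[cmd["CommandUUID"]] = udid
    return plistlib.dumps(cmd)


def demo_device_lock() -> dict:
    """Walk one constructed device through enrolment and a DeviceLock command."""
    udid = "EXAMPLE-UDID-0001"  # constructed, not a real device identifier
    handle_checkin(plistlib.dumps({"MessageType": "Authenticate",
                                   "Topic": MDM_TOPIC, "UDID": udid}))
    handle_checkin(plistlib.dumps({"MessageType": "TokenUpdate", "Topic": MDM_TOPIC,
                                   "UDID": udid, "PushMagic": "996ac527-9993-4a0a-8528-60b2b3c2f52b",
                                   "Token": bytes(range(32)), "UnlockToken": b"\x01\x02\x03"}))
    cmd_uuid = enqueue_command(udid, "DeviceLock")
    token_hex, payload = apns_message(udid)
    command = plistlib.loads(handle_server(plistlib.dumps({"Status": "Idle", "UDID": udid})))
    after_ack = handle_server(plistlib.dumps({"Status": "Acknowledged",
                                              "CommandUUID": cmd_uuid, "UDID": udid}))
    return {"cmd_uuid": cmd_uuid, "token_hex": token_hex, "payload": payload,
            "command": command, "after_ack": after_ack,
            "result": devices[udid]["results"][cmd_uuid]}
```

Calling demo_device_lock() runs the whole sequence from the answer: Authenticate and TokenUpdate each get an empty plist back, the push payload is exactly {"mdm": "<PushMagic>"} with no aps key, the Idle request is answered with the DeviceLock command, and the Acknowledged report is recorded against the CommandUUID before the empty body closes the session. Rejecting an Authenticate for the wrong Topic and refusing results for unknown CommandUUIDs are the two checks a real server should keep even in a demo, since everything else the client sends is only as trustworthy as the TLS client certificate the transport layer verifies.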


    This article was published on 2023-11-23 16:11:35.
    Article link: https://www.elefans.com/category/jswz/34/1622082.html
