[MDM-1] - About Mobile Device Management - Yingyong Mao

https://www.apple.com/support/business/mdm/


Apple, Mobile Device Management Protocol Reference (PDF)

About Mobile Device Management


The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, OS X devices running OS X 10.7 and later, and Apple TV devices running iOS 7 (Apple TV software 6.0) and later.

[Function]:
Through the MDM service, an IT administrator can:
1. inspect, install, or remove profiles;
2. remove passcodes;
3. begin a secure erase on a managed device.


The MDM protocol is built on top of HTTP, transport layer security (TLS), and push notifications.
The related MDM check-in protocol provides a way to delegate the initial registration process to a separate server.

MDM uses the Apple Push Notification Service (APNS) to deliver a “wake up” message to a managed device.
The device then connects to a predetermined web service to retrieve commands and return results.

To provide MDM service, your IT department needs to deploy an HTTPS server to act as an MDM server, then distribute profiles containing the MDM payload to your managed devices.


A managed device uses an identity to authenticate itself to the MDM server over TLS (SSL).
This identity can be included in the profile as a Certificate payload, or can be generated by enrolling the device with SCEP.

Note: For information about SCEP, see the draft SCEP specification located at datatracker.ietf.org/doc/draft-nourse-scep/ .

The MDM payload can be placed within a configuration profile (.mobileconfig) file distributed by email or from a web page, as part of the final configuration profile delivered by an Over-The-Air Enrollment service, or automatically using the Device Enrollment Program. Only one MDM payload can be installed on a device at any given time.

Configuration Profiles and Provisioning Profiles installed through the MDM service are called Managed Profiles.
These profiles will be automatically removed when the MDM payload is removed.
Although an MDM service may have the rights to inspect the device for the complete list of configuration profiles or provisioning profiles,
it may only remove apps, configuration profiles, and provisioning profiles that it originally installed.
Accounts installed using managed profiles are called Managed Accounts.

In addition to Managed Profiles, you can also use MDM to install apps.
Apps installed through the MDM service are called Managed Apps.

The MDM service has additional control over how Managed Apps and their data are used on the device.



==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ===
MDM: configuring managed devices and third-party apps.
==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ===

Managed Applications


In iOS 5, an MDM server can manage third-party applications from the App Store,
as well as custom in-house enterprise applications.
The server can specify whether the app (and its data) are removed from the device when the MDM profile is removed.
Additionally, the server can prevent managed app data from being backed up to iTunes and iCloud.

In iOS 7 and later, an MDM server can provide a configuration dictionary to third-party apps and can read data from a feedback dictionary provided by third-party apps. See “Managed App Configuration and Feedback” (page 61) for details.


==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ===
1. MDM: configuring managed devices.
==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ===

Mobile Device Management (MDM) Protocol


The Mobile Device Management (MDM) protocol provides a way to tell a device to execute certain management commands remotely.
The way it works is straightforward.

During installation:

1. The user or administrator tells the device to install an MDM payload. The structure of this payload is described in “Structure of MDM Payloads” (page 19).

2. The device connects to the check-in server. The device presents its identity certificate for authentication, along with its UDID and push notification topic.

Note: Although UDIDs are used by MDM, the use of UDIDs is deprecated for iOS apps.

3. If the server accepts the device, the device provides its push notification device token to the server. The server should use this token to send push messages to the device. This check-in message also contains a PushMagic string. The server must remember this string and include it in any push messages it sends to the device.

During normal operation:

1. The server (at some point in the future) sends out a push notification to the device.
2. The device polls the server for a command in response to the push notification.
3. The device performs the command.
4. The device contacts the server to report the result of the last command and to request the next command.

From time to time, the device token may change. When a change is detected, the device automatically checks in with the MDM server to report its new push notification token.


Note: The device polls only in response to a push notification; it does not poll the server immediately after installation. The server must send a push notification to the device to begin a transaction.
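As an added example (not from Apple's reference or this post), here is a Python model of what the server side of the check-in flow above has to do: accept an Authenticate message, record the device token and PushMagic from the TokenUpdate that follows, replace them when the device reports a new token, and build the push payload that carries the PushMagic. The message and key names (MessageType, Topic, UDID, Token, PushMagic) and the {"mdm": PushMagic} push payload are taken from Apple's MDM protocol reference rather than from the text above; the topic, UDID, token and PushMagic values are constructed placeholders.

```python
"""Server-side model of the MDM check-in handshake (added example, not Apple code).

Key names (MessageType, Topic, UDID, Token, PushMagic) follow Apple's MDM
check-in protocol; the text on this page names only the concepts.
"""
import plistlib
from dataclasses import dataclass
from typing import Dict, Optional
from xml.parsers.expat import ExpatError


@dataclass
class ManagedDevice:
    udid: str
    topic: str
    token: Optional[bytes] = None     # APNs device token; may change over time
    push_magic: Optional[str] = None  # must be echoed in every push to the device


class CheckInServer:
    """Tracks a device through Authenticate -> TokenUpdate -> later TokenUpdates."""

    def __init__(self, expected_topic: str) -> None:
        # The push topic belongs to the MDM vendor's APNs certificate; a device
        # announcing another topic could never be woken by this server.
        self.expected_topic = expected_topic
        self.devices: Dict[str, ManagedDevice] = {}

    def handle(self, body: bytes) -> int:
        """Process one check-in request body and return an HTTP status code.

        The identity certificate is verified as the TLS client certificate by
        the HTTPS front end, which is not modelled here.
        """
        try:
            msg = plistlib.loads(body)
        except (plistlib.InvalidFileException, ExpatError):
            return 400
        kind = msg.get("MessageType")
        udid = msg.get("UDID")
        if not isinstance(udid, str) or msg.get("Topic") != self.expected_topic:
            return 401  # unknown topic or missing UDID: do not accept the device

        if kind == "Authenticate":
            # First message of an enrollment: accept the device; no token yet.
            self.devices[udid] = ManagedDevice(udid=udid, topic=self.expected_topic)
            return 200

        if kind == "TokenUpdate":
            device = self.devices.get(udid)
            if device is None:
                return 401  # TokenUpdate from a device that never authenticated
            token, magic = msg.get("Token"), msg.get("PushMagic")
            if not isinstance(token, bytes) or not isinstance(magic, str):
                return 400
            # A later TokenUpdate simply replaces the stored token and PushMagic.
            device.token, device.push_magic = token, magic
            return 200

        return 400  # unsupported MessageType

    def push_payload(self, udid: str) -> Optional[dict]:
        """APNs payload that tells the device to poll; None until a token is known."""
        device = self.devices.get(udid)
        if device is None or device.token is None:
            return None
        return {"mdm": device.push_magic}


# Constructed sample messages (not captured from a real device); all values are placeholders.
TOPIC = "com.apple.mgmt.External.example"
UDID = "EXAMPLE-UDID-0001"


def _checkin(**fields) -> bytes:
    return plistlib.dumps(fields)


AUTHENTICATE = _checkin(MessageType="Authenticate", Topic=TOPIC, UDID=UDID)
TOKEN_UPDATE = _checkin(MessageType="TokenUpdate", Topic=TOPIC, UDID=UDID,
                        Token=bytes(range(32)), PushMagic="EXAMPLE-PUSH-MAGIC")
TOKEN_ROTATED = _checkin(MessageType="TokenUpdate", Topic=TOPIC, UDID=UDID,
                         Token=bytes(32), PushMagic="EXAMPLE-PUSH-MAGIC")
WRONG_TOPIC = _checkin(MessageType="Authenticate", Topic="com.apple.mgmt.External.other", UDID=UDID)


def demo() -> dict:
    """Walk through the check-in flow and return the observable results."""
    server = CheckInServer(expected_topic=TOPIC)
    results = {}
    results["authenticate"] = server.handle(AUTHENTICATE)
    results["push_before_token"] = server.push_payload(UDID)  # None: nothing to wake yet
    results["token_update"] = server.handle(TOKEN_UPDATE)
    results["push_after_token"] = server.push_payload(UDID)   # {"mdm": PushMagic}
    results["rotate"] = server.handle(TOKEN_ROTATED)
    results["token_now"] = server.devices[UDID].token         # the replacement token
    results["wrong_topic"] = server.handle(WRONG_TOPIC)
    results["orphan_token_update"] = CheckInServer(TOPIC).handle(TOKEN_UPDATE)
    results["garbage"] = server.handle(b"not a plist")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two points the model makes concrete: the server has nothing to push until a TokenUpdate has arrived, which is why a freshly enrolled device sits idle until the server wakes it, and the PushMagic is per-device state the server must persist alongside the token, since a push without it is ignored.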

2014-05-30 | Copyright © 2014 Apple Inc. All Rights Reserved. 18

==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ===
2. Managed App Configuration and Feedback.
==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ==== ===

Managed App Configuration and Feedback

In iOS 7 and later, an MDM server can use configuration and feedback dictionaries to communicate with and configure third-party managed apps.


The configuration dictionary provides one-way communication from the MDM server to an app. An app can access its (read-only) configuration dictionary by reading the key com.apple.configuration.managed using the NSUserDefaults class. A managed app can respond to new configurations that arrive while the app is running by observing the NSUserDefaultsDidChangeNotification notification.

A managed app can also store feedback information that can be queried over MDM. An app can store new values for this feedback dictionary by setting the com.apple.feedback.managed key using the NSUserDefaults class. This dictionary can be read or deleted over MDM. An app can respond to the deletion of the feedback dictionary by observing the NSUserDefaultsDidChangeNotification notification.
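The passage above describes the app side of the exchange. As an added example (not from Apple's reference or this post), the Python below shows the server side: building the command that delivers a configuration dictionary to one app, building the command that reads or deletes the app's feedback dictionary, and parsing the device's feedback response. The command and key names (Settings, ManagedApplicationConfiguration, ManagedApplicationFeedback, Identifiers, DeleteFeedback, CommandUUID, Status) are taken from Apple's MDM protocol reference and are not quoted on this page; the bundle identifier, UDID and feedback values are constructed placeholders. The type check before encoding is my own addition: the dictionary ends up in NSUserDefaults, so it must consist of property-list types only.

```python
"""Server-side shape of Managed App Configuration and Feedback (added example, not Apple code)."""
import plistlib
import uuid
from datetime import datetime
from typing import Any, Dict, List

# Leaf types a property list (and therefore NSUserDefaults) can carry.
PLIST_LEAF_TYPES = (str, int, float, bool, bytes, datetime)


def check_plist_value(value: Any, path: str = "Configuration") -> None:
    """Raise TypeError if value cannot be serialised into the configuration plist.

    Rejecting sets, None or arbitrary objects here is better than failing at
    encode time or having a key silently missing when the app reads
    com.apple.configuration.managed.
    """
    if isinstance(value, PLIST_LEAF_TYPES):
        return
    if isinstance(value, list):
        for i, item in enumerate(value):
            check_plist_value(item, f"{path}[{i}]")
        return
    if isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, str):
                raise TypeError(f"{path}: dictionary keys must be strings")
            check_plist_value(item, f"{path}.{key}")
        return
    raise TypeError(f"{path}: {type(value).__name__} is not a property-list type")


def is_plist_compatible(value: Any) -> bool:
    """Boolean form of check_plist_value."""
    try:
        check_plist_value(value)
        return True
    except TypeError:
        return False


def configuration_command(bundle_id: str, configuration: Dict[str, Any]) -> Dict[str, Any]:
    """Build the Settings command that delivers a configuration dictionary to one app."""
    check_plist_value(configuration)
    return {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "Settings",
            "Settings": [{
                "Item": "ManagedApplicationConfiguration",
                "Identifier": bundle_id,
                "Configuration": configuration,
            }],
        },
    }


def feedback_command(bundle_ids: List[str], delete: bool = False) -> Dict[str, Any]:
    """Build the command that reads (and, with delete=True, clears) apps' feedback dictionaries."""
    return {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "ManagedApplicationFeedback",
            "Identifiers": list(bundle_ids),
            "DeleteFeedback": delete,
        },
    }


def encode_command(command: Dict[str, Any]) -> bytes:
    """Serialise a command as the XML plist sent to the device."""
    return plistlib.dumps(command)


def parse_feedback_response(body: bytes) -> Dict[str, Dict[str, Any]]:
    """Map bundle id -> feedback dictionary from the device's response plist.

    Feedback is written by the app itself, so treat it as untrusted input.
    """
    response = plistlib.loads(body)
    if response.get("Status") != "Acknowledged":
        raise ValueError(f"device reported status {response.get('Status')!r}")
    feedback: Dict[str, Dict[str, Any]] = {}
    for entry in response.get("ManagedApplicationFeedback", []):
        feedback[entry["Identifier"]] = dict(entry.get("Feedback", {}))
    return feedback


# Constructed sample response (not captured from a real device); identifiers are placeholders.
SAMPLE_FEEDBACK_RESPONSE = plistlib.dumps({
    "Status": "Acknowledged",
    "UDID": "EXAMPLE-UDID-0001",
    "CommandUUID": "EXAMPLE-COMMAND-UUID",
    "ManagedApplicationFeedback": [
        {"Identifier": "com.example.managedapp",
         "Feedback": {"lastSyncSucceeded": True, "pendingUploads": 3}},
    ],
})


if __name__ == "__main__":
    cmd = configuration_command("com.example.managedapp",
                                {"serverURL": "https://mdm.example.com/api", "allowExport": False})
    print(encode_command(cmd).decode())
    print(parse_feedback_response(SAMPLE_FEEDBACK_RESPONSE))
```

Because the configuration dictionary is delivered into the app's NSUserDefaults, where anything with access to the app's container can read it, it is suited to settings such as server URLs and feature flags rather than credentials or other secrets.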


