Configure MDM Server for iPhone

Tags: iphone, mdm

It may seem to be asked several times, but I could not find answers to my doubts.

  1. As one needs to setup an MDM server, what are the things that need to be available or installed on this server. Is there a specific configuration?
  2. Is SCEP (which I think needs to be available on the server) required to setup MDM. If yes, how to go about with it.

When I set the Server URL in the MDM config profile to any of the servers I have, the profile fails to install with the error in console as "The identity certificate for com.abc.mdm.mdm1 could not be found."

It'll be helpful if anyone could redirect me to the detailed steps to setup MDM server. I could not find any such thing in Apple's WWDC 2010 video.


Edit: Some more stuff I've tried

I'm trying to configure MDM server for iPhone and have tried the following steps till now.

  • I have installed a trial certificate from RapidSSL. When I open my site as https://example.com, I can see a lock at the address bar - hence I believe that the certificate is valid and working.
  • In iPCU, I create a credentials payload and select my certificate from the list.
  • In the MDM payload, when I try to select an Identity, the dropdown list is disabled with a message as Add credentials in the credentials payload.

In the credentials payload when I select any other certificate from the list - VeriSign for example - in the MDM payload I get the Identity dropdown list enabled and can select the configured credential, but this is an Invalid certificate.


Edit: Images added

Certificate visible on website


Credentials - iPCU


MDM - iPCU


Edit: Moved further

With some hits here and there, I'm now able to get the 'Identity' field enabled. But when I try to install the profile, I get an error as 'Profile failed to install' with the message in console as

Nov 22 15:15:11 Apple-iphone-4 profiled[1320] <Warning>: MDM|Cannot Authenticate. Error: NSError 0x1ddb8f50:
Desc   : A transaction with the server at https://example.com has failed with the status 405.
US Desc: A transaction with the server at https://example.com has failed with the status 405.
Domain : MCHTTPTransactionErrorDomain
Code   : 23001
Type   : MCFatalError
Params : (
"https://example.com",
405
)
Nov 22 15:15:11 Apple-iphone-4 profiled[1320] <Warning>: MC|Cannot install MDM com.example.ota.mdm2. Error: NSError 0x1ddb9120:
Desc   : The payload com.example.ota.mdm2 could not be installed.
Sugg   : A transaction with the server at https://example.com has failed with the status 405.
US Desc: The payload com.example.ota.mdm2 could not be installed.
US Sugg: A transaction with the server at https://example.com has failed with the status 405.
Domain : MCInstallationErrorDomain
Code   : 4001
Type   : MCFatalError
Params : (
"com.example.ota.mdm2"
)

Edit: Continuing after a long break

Here's a summary of what I've done till now.

  • Configured a Windows 2008 server with an SSL certificate from a CA, i.e. the server can be accessed as https://example.com
  • Hosted a .Net webservice that listens to PUT.
  • Generated an MDM certificate from the iOS Developer portal.
  • Generated a Push certificate from Apple. The topic is something like com.apple.mgmt.External.035e7xxxxx
  • Added the server certificate to the Credentials payload of iPCU. This was done by exporting the server-side SSL certificate as a .pfx file, adding this file to the Windows certificate store, and selecting this certificate in the credentials payload.

I've hosted this profile on the server. When I download it on the device, I'm presented with Profile Installation on the device. When I install this profile, I end up with an error saying "The profile MDM could not be installed". On looking at the device logs, I found

<Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
    Desc   : A transaction with the server at “https://example.com” has failed with the status “400”

IMP: I noticed that the Push certificate generated says "This certificate was signed by an unknown authority". There's also no private key associated with it.

I suspect something is wrong in selecting the certificate in the Credentials payload (Step 5).

Also, when the Profile Installation screen is presented, I get "Not Verified" just below the profile name.


Solved

For the "unknown authority" issue I installed Apple's Application Integration certificate. I'm now able to execute the MDM commands.


Complete Steps

https://drive.google.com/file/d/0B9vJDmfd2qb9RmdGNlp4OUR3eVk/view?usp=sharing https://drive.google.com/file/d/0B9vJDmfd2qb9eGlkUk44ajZrWjg/view?usp=sharing

asked Oct 17 '11 10:10 by Sahil Khanna


1 Answer

You need just 3 things:

1) MDM payload with MDM URL starting with https://
2) Certificate which you download using the Apple developer portal. This is detailed on Apple's site.
3) Link this certificate (.p12) file in the identity section of the MDM payload.

Your server needs to have the necessary ports open - this is also documented. The server needs to listen on the PUT method and not GET or POST.

If you do the above, you will see that your device sends the deviceToken, pushMagic etc.

answered Oct 03 '22 04:10 by Ashutosh
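An added example (not code from the question or the answer) of the server-side behaviour the answer describes: a minimal Python check-in handler that accepts only PUT, so a GET or POST gets exactly the 405 seen in the question's console log, while a malformed check-in plist gets the 400 from the later edit; a valid Authenticate or TokenUpdate plist is parsed and the device token and PushMagic extracted. The MessageType, UDID, Token and PushMagic keys are those of Apple's MDM check-in protocol; the sample UDID, topic and PushMagic values are constructed, and a real deployment must be served over HTTPS with a certificate the device trusts.

```python
import plistlib
from http.server import BaseHTTPRequestHandler, HTTPServer

# Check-in message types a device PUTs to the MDM server URL.
CHECKIN_TYPES = {"Authenticate", "TokenUpdate", "CheckOut"}


def handle_checkin(method: str, body: bytes):
    """Process one check-in request; return (http_status, parsed_message_or_None).

    The device always uses PUT. Answering anything else is what shows up on the
    device as 'failed with the status 405'. A body that is not a plist, or that
    lacks the mandatory keys, is answered with 400.
    """
    if method != "PUT":
        return 405, None
    try:
        msg = plistlib.loads(body)
    except Exception:  # not XML/binary plist at all
        return 400, None
    if not isinstance(msg, dict) or msg.get("MessageType") not in CHECKIN_TYPES \
            or "UDID" not in msg:
        return 400, None
    if msg["MessageType"] == "TokenUpdate":
        # Token (APNs device token) and PushMagic are what the server must store
        # to later wake the device for MDM commands; reject an incomplete update.
        if "Token" not in msg or "PushMagic" not in msg:
            return 400, None
    return 200, msg


class CheckInHandler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length", 0))
        status, _ = handle_checkin(self.command, self.rfile.read(length))
        self.send_response(status)
        self.end_headers()

    do_PUT = do_GET = do_POST = _serve  # GET/POST deliberately fall through to 405


# Constructed samples of what a device sends (all identifiers made up for this example).
SAMPLE_AUTH = plistlib.dumps({"MessageType": "Authenticate", "UDID": "EXAMPLE-UDID",
                              "Topic": "com.apple.mgmt.External.EXAMPLE"})
SAMPLE_TOKEN = plistlib.dumps({"MessageType": "TokenUpdate", "UDID": "EXAMPLE-UDID",
                               "Topic": "com.apple.mgmt.External.EXAMPLE",
                               "Token": b"\x01\x02\x03", "PushMagic": "EXAMPLE-PUSH-MAGIC"})
SAMPLE_INCOMPLETE = plistlib.dumps({"MessageType": "TokenUpdate", "UDID": "EXAMPLE-UDID"})

if __name__ == "__main__":
    # Plain HTTP on localhost for inspecting requests only; devices require HTTPS.
    HTTPServer(("127.0.0.1", 8080), CheckInHandler).serve_forever()
```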