A couple of months ago, I discovered that some schools spend a lot of time managing iPads in their classrooms. Teachers have to take time from education to sit and configure new iPads that will be deployed to students.
So I started a little project to analyze if there was a real need, and if such a tool could easily be built.
I did 5 interviews with schools in my area to find out what their needs were. I did find that there was a need. So I moved on to the technical analysis – “What’s technically possible and how difficult is it to build?”.
I can’t publish my interviews with the schools, since that would be unethical. However, I will publish the technical research I did freely here with the hope that someone might find it useful for their purposes.
The reason I can publish it freely like this is that I have decided not to move forward with the project. The reason for that is that I’ve concluded that the Mobile Device Management (MDM) market is mature and in the process of being commoditized. For example, a lot of MDM products are being released and made available to customers for free. Apple has an MDM product built into their OS X Server. Mobile Iron, one of the market leaders, is offering K-12 student licenses for free.
Instead, I will start a new project. What it will be, I can talk about soon 🙂
Feel free to download the document, and if you’re interested in asking a question or talking about this, you’re welcome to contact me. I like exchanging ideas freely 🙂
(P.S. – Mind you, this document was never written with the intent of publishing it for others. Thus, I haven’t spent much time on “finishing the edges”, so it might be a little rough. But the information in it is accurate, and references are provided wherever I make a statement.)
(P.S. 2 – I live in a country where Apple’s Device Enrollment Program doesn’t exist, hence one of the focuses of this paper is to understand what central management and device supervision features are possible even without that.)
(P.S. 3 – I have done my absolute best to reference information wherever I have got it from another source. It may be the case that I have forgotten or missed it somewhere. Remember that I originally wrote this for my own purpose, and only afterwards decided to publish it. So if you spot a mistake somewhere, or that I forgot to reference my source in some section, I apologize and ask you to tell me by contacting me here, and I’ll add it immediately.)
1. Terminology
1.1. Configuration Profile[1]
Configuration profiles are XML files that contain:
- Security policies and restrictions
- VPN configuration
- Wi-Fi settings
- Email and calendar accounts
- Authentication credentials that permit iOS devices to work with your IT systems.
Distribution:
- Via Over-the-Air Profile Delivery (or via MDM if it’s a managed device[2])
- Via USB connection using Apple Configurator (can do it for unmanaged devices[3])
- Via email or on a web page
Some of the settings you can control with a configuration profile[4]:
- Passcode policies
- Restrictions on device features (disabling the camera, for example)
- Wi-Fi settings
- VPN settings
- Email server settings
- Exchange settings
- LDAP directory service settings
- CalDAV calendar service settings
- Web clips
- Credentials and keys
- Advanced cellular network settings
When an MDM wants to control a device, an MDM profile is created (which tells the device which MDM server to connect to for example). However, MDM profiles can be removed, unless you are using the Device Enrollment Program[5].
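As an added example (not code from the original document or from Apple), here is a small Python helper that builds the kind of configuration profile described above, serialises it to the XML property-list form iOS expects, and checks the structural rules every payload must satisfy. The payload types and keys are documented Apple keys; the organisation name and the com.example identifiers are constructed sample values.

```python
"""Build and sanity-check an iOS configuration profile (.mobileconfig).
Hypothetical helper written for this page, not Apple's tooling. The keys used
(common Payload* keys, com.apple.applicationaccess/allowCamera and
com.apple.mobiledevice.passwordpolicy/forcePIN/minLength) are documented Apple
keys; the organisation name and identifiers are constructed sample values."""
import plistlib
import uuid

REQUIRED_PAYLOAD_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion"}

def payload(ptype, identifier, display_name, **settings):
    """One inner payload: the common keys every payload must carry plus its settings."""
    p = {"PayloadType": ptype, "PayloadIdentifier": identifier,
         "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
         "PayloadDisplayName": display_name}
    p.update(settings)
    return p

def build_school_profile(org="Example School (constructed)", removal_disallowed=True):
    """Top-level profile: camera disabled and a 6-digit passcode required.
    PayloadRemovalDisallowed marks the profile as not removable by the user;
    iOS honours it on supervised devices, which is why supervision matters."""
    restrictions = payload("com.apple.applicationaccess", "com.example.school.restrictions",
                           "Classroom restrictions", allowCamera=False)
    passcode = payload("com.apple.mobiledevice.passwordpolicy", "com.example.school.passcode",
                       "Passcode policy", forcePIN=True, minLength=6)
    return {"PayloadType": "Configuration",
            "PayloadIdentifier": "com.example.school.profile",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "PayloadDisplayName": "Classroom iPad profile",
            "PayloadOrganization": org,
            "PayloadRemovalDisallowed": removal_disallowed,
            "PayloadContent": [restrictions, passcode]}

def to_mobileconfig(profile):
    """Serialise to the XML plist that iOS expects in a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def check_profile(profile):
    """Return a list of problems: missing required keys, duplicate identifiers or UUIDs."""
    problems, seen_ids, seen_uuids = [], set(), set()
    for p in [profile] + profile.get("PayloadContent", []):
        pid, puuid = p.get("PayloadIdentifier"), p.get("PayloadUUID")
        missing = REQUIRED_PAYLOAD_KEYS - set(p)
        if missing:
            problems.append(f"{pid or '?'}: missing {sorted(missing)}")
        if pid in seen_ids:
            problems.append(f"duplicate PayloadIdentifier {pid}")
        if puuid in seen_uuids:
            problems.append(f"duplicate PayloadUUID {puuid}")
        seen_ids.add(pid)
        seen_uuids.add(puuid)
    return problems

def restriction_value(mobileconfig_bytes, key):
    """Parse a serialised profile and read one restriction back (None if absent)."""
    for p in plistlib.loads(mobileconfig_bytes).get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.applicationaccess":
            return p.get(key)
    return None

if __name__ == "__main__":
    prof = build_school_profile()
    print(to_mobileconfig(prof).decode())
    print("problems:", check_profile(prof))
```

The output is an unsigned profile; iOS labels such profiles “Not Verified” at install time, so a real deployment signs the file before distributing it by web page, email or MDM.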
1.2. Managed vs. Unmanaged devices[6]
Managed = enrolled in MDM.
2. Mobile Device Management (MDM)[7] [8]
Apple has an MDM framework called the Apple MDM Framework, built into iOS, which enables MDM solutions to wirelessly configure and manage iOS devices.[9] An MDM can be cloud-based or on-premise.[10]
Apple has their own MDM (OS X Profile Manager), but also enables third party MDM: “iOS has a built-in MDM framework that allows third‑party MDM solutions to wirelessly interact with iOS devices [which] enables IT to select from a wide range of solutions to fit into the environment, with the confidence that all the same features are available to manage the company’s iOS devices.”[11]
3 steps to get started with MDM[12]:
- Select MDM provider
- Request an Apple Push Notification Service (APNs) certificate
- Enroll your organization in the program
The APNs certificate in step 2 is needed for your MDM server to talk to clients[13] over the Internet even if an app isn’t running on the devices[14].
2.1. Overview – setting up and managing devices[15]
Set-up
- Corporate-owned 1:1 devices:
  - Manually – configure each device before giving it to the user
  - Provide instructions or configuration profiles (XML files containing various settings) for users to apply themselves
  - Enroll into MDM, which enables wireless and more fine-grained management – and separates the “corporate” environment from the personal one
- Corporate-owned 1:n devices:
  - Supervised with Apple Configurator and enrolled into MDM, so they can be reset (no personal settings)
Configure and manage
- Using MDM:
  - Enroll with the MDM server using an “enrollment configuration profile”:
    - By the user directly
    - Automatically using the Device Enrollment Program
  - When the admin does something through the MDM, the device receives an Apple Push Notification Service (APNs) notification if it has a network connection, anywhere in the world.
2.2. How it works
How APNs works[16]
The communication workflow between the MDM server, the clients and APNs looks like this:
The above picture comes from another MDM solution. It likely represents what the standard MDM workflow looks like: the MDM server communicates both with the iOS devices and with APNs, which in turn communicates with the devices.
How MDM communication protocol works[17]
During enrollment, the device provides unique identifying information to that server, which is used by the server to send messages through the Apple Push Notification Service. Long term connections from server to client, or client to server, do not exist with the design of MDM — only the connection to APNS. This long-term APNS connection is part of the Push Notifications framework supporting multiple iOS applications, not just MDM.
After enrollment, each interaction between client devices and the MDM server consists of four elements:
- Server requests push notification through Apple
- Apple pushes notification to device
- Device connects to server
- Server and client exchange commands and responses
How to get an APNs certificate[18]
It seems like the easiest way to get an APNs certificate is to request it from OS X Server, which includes the ability to do this, and then extract it from there. To do this:
- Within OS X’s Server app, request and install the APNs certificate.
- Extract the certificate itself from the keychain. To do this, use the Keychain Access program, find the APNs certificate (likely named “APSP:<uuid>”), and export it to a .p12 file.
- Now convert the .p12 file (the certificate and private key you extracted) to a .pem file using the ‘openssl pkcs12’ command from a terminal window; the full command may look like this: ‘openssl pkcs12 -in YourCert.p12 -out YourCert.pem’ (it will ask you to set a password to protect the .pem file).
- Since you have password-protected this .pem file, it will prompt for the password each time you want to send a push notification. You can create an unencrypted file to avoid this, but it should not be used in production. How to do that is described in the chapter “Setting up APNs” of the 2011 Black Hat paper “The iOS MDM Protocol”.
How to manually enroll a device by creating the first connection to the MDM server[19]
Using the iPhone Configuration Utility (a tool to create and install configuration profiles on iOS devices[20] [21]), create a configuration profile that instructs the device how to connect to the MDM server and which also contains an identity certificate for the device itself. How to do this is described in “The iOS MDM Protocol” (2011), chapter “MDM Enrollment Profile”.
Now, install this profile on your i-devices in a number of ways[22]:
- Through a URL
- Mass-enroll through Apple Configurator (which also lets you install Supervision features – read about Apple Configurator in that chapter)
- From an app that installs this profile
- By sending SMS or email invitation
When you install this profile on your device, the device will contact the MDM server (as per the profile instructions) and exchange the information needed so that they can communicate with each other in the future (to see the exact information exchanged, see “The iOS MDM Protocol” (2011), chapter “The Enrollment Exchange”).
Now that the MDM server has the information it needs about the device, it can contact the APNs server at any time to request a connection; APNs will ask the device to connect to the server, and the server can then send, over the air, any command the protocol allows.
Over-the-air enrollment[23]
The above chapter generally describes how enrollment works. It is possible to manually enroll devices this way using USB cables, but it is also possible to build a more advanced over-the-air enrollment server. How to do this is described in Over-the-Air Profile Delivery and Configuration, chapter “Creating a Profile Server for Over-The-Air Enrollment and Configuration”.
The available commands in MDM
The list of available commands below is taken from Appendix A of “The iOS MDM Protocol” (2011):
Control Commands
- Device Lock
- Erase Device
- Clear Passcode
Device Queries
- Security Information
- Installed Application List
- Device Information
- Certificate List
- Profile List
- Provisioning Profile List
- Restrictions List
Device Configuration
- Install Profile
- Remove Profile
- Install Provisioning Profile
- Remove Provisioning Profile
Device to Server Commands
- Authenticate
- Token Update
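The four-step exchange from section 2.2 (server requests a push, APNs wakes the device, the device connects, commands and responses are exchanged) together with the command list above, as an added example that is not code from the original document, Apple or any vendor: a minimal server-side command queue that hands a connecting device its next command and handles the protocol’s NotNow status without losing the command. The message shapes and Status values are the Apple MDM protocol’s; the UDID, PushMagic and device replies are constructed placeholders.

```python
"""Model of the MDM command/response exchange (hypothetical server-side code
written for this page, not Apple's or any vendor's). Message shapes follow the
Apple MDM protocol: CommandUUID + Command/RequestType on the way down,
Status + CommandUUID + UDID (plus e.g. QueryResponses) on the way up; the
Status values are the protocol's. UDID and PushMagic are constructed."""
import plistlib
import uuid
from collections import deque

UDID = "00000000-0000000000000000"  # constructed placeholder, not a real device

def make_command(request_type, **extra):
    """Server side: one command plist, e.g. DeviceInformation with a Queries list."""
    cmd = {"RequestType": request_type, **extra}
    return {"CommandUUID": str(uuid.uuid4()).upper(), "Command": cmd}

def push_payload(push_magic):
    """APNs payload that wakes an enrolled device: the 'mdm' key carries the
    PushMagic the device supplied in its TokenUpdate message at enrollment."""
    return {"mdm": push_magic}

class DeviceQueue:
    """Per-device queue of commands; the device pulls them one connection at a time."""
    def __init__(self, udid):
        self.udid = udid
        self.pending = deque()
        self.in_flight = None  # sent, not yet acknowledged
        self.results = {}      # CommandUUID -> device response dict

    def enqueue(self, command):
        self.pending.append(command)

    def handle_report(self, report_bytes):
        """Process one device PUT (a plist) and return the next command plist
        to send, or None when nothing should be sent right now."""
        report = plistlib.loads(report_bytes)
        if report.get("UDID") != self.udid:
            raise ValueError("report UDID does not match this device")
        status = report.get("Status")
        if status == "NotNow":
            # Device cannot act yet (e.g. locked). Re-queue at the front so the
            # command is retried on the next connection instead of being lost.
            if self.in_flight is not None:
                self.pending.appendleft(self.in_flight)
                self.in_flight = None
            return None
        if status in ("Acknowledged", "Error", "CommandFormatError"):
            self.results[report["CommandUUID"]] = report
            self.in_flight = None
        elif status != "Idle":
            raise ValueError(f"unknown status {status!r}")
        if self.in_flight is None and self.pending:
            self.in_flight = self.pending.popleft()
            return plistlib.dumps(self.in_flight)
        return None

def device_reply(status, command_uuid=None, **extra):
    """Constructed device-side report, as the device would PUT it to the server."""
    msg = {"Status": status, "UDID": UDID, **extra}
    if command_uuid:
        msg["CommandUUID"] = command_uuid
    return plistlib.dumps(msg)

def run_exchange():
    """Queue a DeviceInformation query and a DeviceLock, then replay a session in
    which the device first answers NotNow and later acknowledges."""
    q = DeviceQueue(UDID)
    q.enqueue(make_command("DeviceInformation", Queries=["DeviceName", "OSVersion"]))
    q.enqueue(make_command("DeviceLock"))
    first = plistlib.loads(q.handle_report(device_reply("Idle")))
    after_not_now = q.handle_report(device_reply("NotNow", first["CommandUUID"]))
    second = plistlib.loads(q.handle_report(device_reply("Idle")))
    ack = device_reply("Acknowledged", second["CommandUUID"],
                       QueryResponses={"DeviceName": "Classroom iPad 07", "OSVersion": "7.1"})
    third = plistlib.loads(q.handle_report(ack))
    return {"first": first, "after_not_now": after_not_now, "second": second,
            "third": third, "results": q.results}
```

A real server would send push_payload() to APNs over the certificate-authenticated connection from section 2.2 before each of these device connections, and would serve handle_report() behind TLS at the URL named in the enrollment profile.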
One of the most interesting things an MDM can control seems to be the profile. With profiles, some of the more interesting things an MDM can control are (information from an earlier chapter in this document):
- Email and calendar accounts (install Google Apps domain on all devices, or their own unique Apple IDs)
- Restrictions on device features (disabling the camera, for example)
- Email server settings
- Exchange settings
- Web clips
- Credentials and keys
2.3. Device supervision
In addition to MDM, you can enable supervision of devices your organization owns, which gives you more control (full list of features below).
Supervision is only possible if you use Apple’s Device Enrollment Program (DEP) or Apple Configurator[24]. There is no other way to get over-the-air supervision outside of DEP[25]. A logical time to enable device supervision is during the enrollment process: you use Apple Configurator to mass-distribute your MDM profile to devices while simultaneously enabling device supervision. After this, there is no need to touch the devices again – from then on they can be managed over the air, with supervision, through the MDM server.
However, note that enabling supervised mode will initiate a factory reset on the device, and so should not be enabled on personally-owned devices.[26]
Supervision enables the following features[27]:
- Enable and manage Single App Mode (typical for kiosk devices).
- Configure Accessibility settings.
- Allow or disable access to iMessage.
- Allow or disable access to Game Center.
- Allow or prevent users from deleting apps.
- Allow or disable access to iBooks Store.
- Prevent access to ebooks flagged erotica in the iBooks Store.
- Enable or disable Siri’s Profanity Filter.
- Allow or prevent manual install of configuration profiles (including unauthorized or malicious profiles).
- Configure a global proxy server for all installed web browsers.
- Allow or prevent host pairing (iTunes).
- Allow or prevent pairing with computers for content sync.
- Restrict AirPlay connections with a whitelist of acceptable devices and enter a passcode for those devices. This allows users to access those devices without needing to know the passcode.
- Allow or disable access to AirDrop.
- Allow or prevent users from modifying account information.
- Allow or prevent users from changing cellular data settings.
- Allow or disable access to Find My Friends (if installed).
- Enable or disable access to Activation Lock.
- Allow silent or background install or update of apps without user interaction.
2.4. Device Enrollment Program (DEP)
DEP is used to deploy institution-owned iOS devices. It requires an Apple Customer Number[28] and is available only to businesses and educational institutions in the US that purchase devices directly from Apple.[29]
It enables the following features in your OS X or 3rd-party MDM solution[30] [31]:
- Device supervision
- Automatic MDM enrollment of devices without touching or prepping them
- Mandatory configuration / MDM profile
- Lockable MDM settings
- Skipping steps in the Setup Assistant
Steps to get started[32] [33]:
- At deploy.apple.com, create a DEP account (input your institution’s details, verify that you are allowed to do enrollment)
- Apple manually calls and checks with the head of the institution (for example the principal), then approves
- You get admin access to deploy.apple.com, create a dedicated Apple ID for managing this institution’s devices, access a virtual server, and link it to your MDM server (MDM server must be known to Apple).
- Apple verifies and authorizes your MDM server.[34]
- This allows you to assign devices and user profiles to your MDM servers by Apple order number (search old order numbers on Apple.com) or serial number. (This is probably where you need to have purchased them directly from Apple and in the US.)
- In your MDM server, assign user profiles to the programme (so that when these users complete initial setup, the settings you have specified are auto-set on those devices).
2.5. Apple Configurator vs. MDM
Apple Configurator is designed to manage multiple (up to 30) devices simultaneously via USB connection to a Mac[35]. Features include: activate devices, define and apply configurations, supervise, install apps, and update devices to the latest iOS. It can also turn on or off Device Supervision[36].
You can liken it to an MDM solution with device supervision but without over the air capabilities (own analysis).
MDM enables over the air features. If you have an MDM, one of the benefits of also using Apple Configurator is that it somewhat automates the enrollment process. Instead of pushing out the MDM profiles to devices one by one, you can mass-push out 30 configurations at once. However, you still need to physically connect those devices to a Mac which has Apple Configurator on it. The other main benefit is that Apple Configurator can enable the device supervision features for the MDM.[37]
After doing the initial MDM enrollment and enabling supervised mode through Apple Configurator, there is no need to connect the devices again[38] (unless you want to use some of the separate, non-MDM Apple Configurator features, which are not relevant to what we are trying to achieve).
2.6. OS X Server Profile Manager[39]
In addition to supporting 3rd-party MDM products, Apple has its own MDM product built into OS X Server. Features include web-based administration and a self-service user portal for enrolling devices and downloading configuration profiles.
In Apple’s own words: “[Apple] supports third party MDM solutions [which] offer support for a variety of server platforms, management consoles, workflow options, and pricing structures [so] whether your institution is looking for a cloud‑hosted solution or a server that’s installed on‑premise, you [can choose].”[40]
2.7. Volume Purchase Program (VPP)[41]
VPP allows you to:
- Purchase apps in volume
- Use a 3rd-party MDM to distribute them to many devices centrally, including sending notification messages asking users to install the apps purchased for them, and to configure and remove apps.
However, VPP is not yet available in Sweden, and there is no information about if and when it will be.[42]
2.8. Full list of MDM features
http://www.enterpriseios.com/wiki/Comparison_MDM_Providers
3. Q&A
3.1. Can you push apps silently over the air?
Can you push-install apps OTA with MDM on supervised devices (if you have activated supervision via Apple Configurator, not using DEP)? The Meraki whitepaper (Deploying Apple iOS in Education, chapter 10) says that on “[s]upervised devices [you] must be re-connected to Apple Configurator for app updates and […] to remove any unsanctioned apps on the device.”
Yes. Meraki’s whitepaper is wrong. Meraki themselves responded to a support question from me asking the above: “Apps can be installed over the air without enrolling in the Device Enrollment Program with Apple, you only need to create a Systems Manager network and enroll your devices to push apps over the air.”
The question was also asked in other forums, and here are some excerpts from responses:
“Over the air app installation is part of the MDM specification. On unsupervised devices, the device user is prompted with a confirmation dialog (and often for Apple ID and password). On supervised devices, there is no confirmation (assuming the Apple ID has been set up already).
It does not matter how the device was supervised. We’ve been doing this for a year, long before DEP was introduced. I don’t know why Meraki is confused.”[43]
“The Apple device enrollment program will not keep you from distributing applications with the MaaS360 web portal. You will have the ability to distribute any free iOS application from the portal to Apple devices. If you would like to distribute paid for applications you will need the Volume Purchase Program to associate paid apps with licenses.”[44]
4. Analysis
In order to do what we want to do for schools, devices need to be supervised. For schools in Sweden this means (since Apple’s Device Enrollment Program, which is a way to enable device supervision over the air, isn’t available in Sweden) that we have to enroll the devices into our MDM using Apple Configurator while simultaneously enabling supervised mode. They won’t have to be configured with Apple Configurator again – just once, because from then on we will have access to all the supervision features that Apple provides, which is enough to do all we want to do with the school’s devices.
In order to create an MDM solution for clients, we actually only need an MDM server which can create an MDM profile according to Apple’s standards.
For each device that installs this profile, the server will be able to see and communicate with those devices centrally.
We don’t have to do anything on the school’s network. The only thing required is that they have internet. We can easily create a cloud server. No infrastructure needed. Just a web portal for logging in to that server, and a user interface to manage those devices.
(By the way, check out this cool product: www.innervare.com)
[1] “iOS Deployment Technical Reference – Apple.” 2014. 25 May. 2014 <http://images.apple.com/ipad/business/docs/iOS_Deployment_Technical_Reference_EN_May14.pdf>
[2] “iOS Enterprise Deployment Overview Get started … – Apple.” 2014. 25 May. 2014 <https://www.apple.com/iphone/business/docs/iOS_Enteprise_Deployment_Overview_EN_Feb14.pdf>
[3] “iOS Enterprise Deployment Overview Get started … – Apple.” 2014. 25 May. 2014 <https://www.apple.com/iphone/business/docs/iOS_Enteprise_Deployment_Overview_EN_Feb14.pdf>
[4] “Over-the-Air Profile Delivery and Configuration – Apple …” 2014. 31 May. 2014 <https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/iPhoneOTAConfiguration.pdf>
[5] “7 questions answered about AirWatch and DEP from Apple.” 31 May. 2014 – comments section where an Airwatch representative responds to a question <http://blogs.air-watch.com/2014/02/7-questions-answered-airwatch-device-enrollment-program-apple/>
[6] “iOS Enterprise Deployment Overview Get started … – Apple.” 2014. 25 May. 2014 <https://www.apple.com/iphone/business/docs/iOS_Enteprise_Deployment_Overview_EN_Feb14.pdf>
[7] “Apple – iPhone in Business – IT Center – Deployment.” 2014. 24 May. 2014 <https://www.apple.com/iphone/business/it/deployment.html>
[8] “Apple – iPhone in Business – IT Center – Mobile Device …” 2013. <https://www.apple.com/iphone/business/it/management.html>
[9] “iOS Enterprise Deployment Overview Get started … – Apple.” 2014. 25 May. 2014 <https://www.apple.com/iphone/business/docs/iOS_Enteprise_Deployment_Overview_EN_Feb14.pdf>
[10] “Apple – iPhone in Business – IT Center – Mobile Device …” 2013. <https://www.apple.com/iphone/business/it/management.html>
[11] “Apple – iPhone in Business – IT Center – Mobile Device …” 2013. <https://www.apple.com/iphone/business/it/management.html>
[12] “Apple – iPhone in Business – IT Center – Mobile Device …” 2013. 25 May. 2014 <https://www.apple.com/iphone/business/it/management.html>
[13] “iOS Deployment Technical Reference – Apple.” 2014. 25 May. 2014 <http://images.apple.com/ipad/business/docs/iOS_Deployment_Technical_Reference_EN_May14.pdf>
[14] Ali Hafizji. “Apple Push Notification Services in iOS 6 Tutorial: Part 1/2 …” 2013. 27 May. 2014 <http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1>
[15] “iOS Enterprise Deployment Overview Get started … – Apple.” 2014. 25 May. 2014 <https://www.apple.com/iphone/business/docs/iOS_Enteprise_Deployment_Overview_EN_Feb14.pdf>
[16] “Mobile Device Management Workflow – BitDefender.” 2013. 28 May. 2014 <http://www.bitdefender.com/support/mobile-device-management-workflow-1138.html>
[17] “2011 THE IOS MDM PROTOCOL – Black Hat.” 2011. 29 May. 2014 <https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf>
[18] “2011 THE IOS MDM PROTOCOL – Black Hat.” 2011. 31 May. 2014 <https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf>
[19] “2011 THE IOS MDM PROTOCOL – Black Hat.” 2011. 31 May. 2014 <https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf>
[20] “iPhone Configuration Utility 3.6.2 for Windows – Apple Support.” 2012. 31 May. 2014 <http://support.apple.com/kb/dl1466>
[21] “2011 THE IOS MDM PROTOCOL – Black Hat.” 2011. 31 May. 2014 <https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf>
[22] “Getting Started with Cisco Meraki Systems … – YouTube.” 31 May. 2014 – video explaining how you can create a certificate signing request from Meraki’s website, upload it to Apple’s website and get the actual certificate, then upload it again on Meraki’s website <http://www.youtube.com/watch?v=zbq6d5v7xRc>
[23] “Over-the-Air Profile Delivery and Configuration – Apple …” 2014. 31 May. 2014 <https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/iPhoneOTAConfiguration.pdf>
[24] “iOS Enterprise Deployment Overview Get started … – Apple.” 2014. 25 May. 2014 <https://www.apple.com/iphone/business/docs/iOS_Enteprise_Deployment_Overview_EN_Feb14.pdf> – Chapter: “Supervised Devices”
[25] “7 questions answered about AirWatch and DEP from Apple.” 31 May. 2014 <http://blogs.air-watch.com/2014/02/7-questions-answered-airwatch-device-enrollment-program-apple/>
[26] “7 questions answered about AirWatch and Apple Configurator.” 31 May. 2014 <http://blogs.air-watch.com/2013/12/apple-configurator-airwatch-whats-difference/>
[27] “Why Apple’s new Device Enrollment Program is a game …” 27 May. 2014 <http://www.citeworld.com/mobile/23045/apple-device-enrollment-program-supervision-mdm-emm-setup-deployment>
[28] “iOS Deployment Technical Reference – Apple.” 2014. 25 May. 2014 <http://images.apple.com/ipad/business/docs/iOS_Deployment_Technical_Reference_EN_May14.pdf>
[29] “Device Enrollment Program Guide – Apple.” 2014. 25 May. 2014 <https://www.apple.com/iphone/business/docs/DEP_Business_Guide_EN_Feb14.pdf>
[30] “iOS Deployment Technical Reference – Apple.” 2014. 25 May. 2014 <http://images.apple.com/ipad/business/docs/iOS_Deployment_Technical_Reference_EN_May14.pdf>
[31] “Apple – Education – IT – Device Enrollment Program.” 2014. 25 May. 2014 <https://www.apple.com/education/it/dep/>
[32] “Device Enrollment Program Guide – Apple.” 2014. 25 May. 2014 <https://www.apple.com/iphone/business/docs/DEP_Business_Guide_EN_Feb14.pdf>
[33] “Apple – Education – IT – Device Enrollment Program.” 2014. 25 May. 2014 <https://www.apple.com/education/it/dep/>
[34] “Apple Deployment Programs.” 2014. 25 May. 2014 <https://deploy.apple.com/> – step 2, “Link to your MDM solution”
[35] “7 questions answered about AirWatch and Apple Configurator.” 31 May. 2014 <http://blogs.air-watch.com/2013/12/apple-configurator-airwatch-whats-difference/>
[36] “7 questions answered about AirWatch and Apple Configurator.” 31 May. 2014 <http://blogs.air-watch.com/2013/12/apple-configurator-airwatch-whats-difference/>
[37] “7 questions answered about AirWatch and Apple Configurator.” 31 May. 2014 <http://blogs.air-watch.com/2013/12/apple-configurator-airwatch-whats-difference/>
[38] “7 questions answered about AirWatch and Apple Configurator.” 31 May. 2014 – Reply by Scott Solomon, an Airwatch rep, to a comment question. <http://blogs.air-watch.com/2013/12/apple-configurator-airwatch-whats-difference/>
[39] “iOS Education Deployment Overview – Apple.” 2014. 25 May. 2014 <http://images.apple.com/education/docs/EDU_Deployment_Overview_EN_Mar14.pdf>
[40] “Apple – IT.” 2007. 25 May. 2014 <http://www.apple.com/education/it/>
[41] “Apple – iPhone in Business – IT Center – Deployment.” 2014. 24 May. 2014 <https://www.apple.com/iphone/business/it/deployment.html>
[42] Facebook group and problem interviews done
[43] “Can MDM push-install apps over-the-air? | Enterprise iOS.” 2014. 2 Jun. 2014 <http://www.enterpriseios.com/forum/topic/Can_MDM_push_install_apps_over_the_air>
[44] Maas360 support ticket response in email
3 responses to “Analysis: Apple MDM Framework – building iPad management tool for schools”
MDM (mobile device management), after reading this post I got a very clear idea of MDM implementation. This is a really informative post. Thank you for sharing this post.
Thanks for this post! Apple seems to be a bit secretive of their MDM functionality and this clears a lot of things up!
Thanks, I’m happy you like it! It’s a bit old now so I’m sure a lot has changed, but hopefully a lot of it is still relevant.