Mobile Device Management Protocol Reference

Developer

Contents

1 About Mobile Device Management  7
    At a Glance  8
        The MDM Check-in Protocol Lets a Device Contact Your Server  8
        The MDM Protocol Sends Management Commands to the Device  8
        The Way You Design Your Payload Matters  8
        The Device Enrollment Program Lets You Configure Devices with the Setup Assistant  8
        The Volume Purchase Program Lets You Assign App Licenses to Users and Devices  9
        Apple Push Notification Certificates Can Be Generated Through the Apple Push Certificates Portal  9
    See Also  9

2 MDM Check-in Protocol  10
    Structure of a Check-in Request  10
    Supported Check-in Commands  11
        Authenticate Message  11
        TokenUpdate Message  12
        CheckOut  13

3 Mobile Device Management Protocol  14
    Structure of MDM Payloads  16
    Structure of MDM Messages  18
    MDM Command Payloads  20
    MDM Result Payloads  20
    MDM Protocol Extensions  21
        macOS Extensions  21
        Network User Authentication Extensions  23
        iOS Support for Per-User Connections  26
    Error Handling  27
    Handling a NotNow Response  28
    Request Types  30
        ProfileList Commands Return a List of Installed Profiles  30
        InstallProfile Commands Install a Configuration Profile  30
        RemoveProfile Commands Remove a Profile from the Device  31
        ProvisioningProfileList Commands Get a List of Installed Provisioning Profiles  31
        InstallProvisioningProfile Commands Install Provisioning Profiles  32
        RemoveProvisioningProfile Commands Remove Installed Provisioning Profiles  32
        CertificateList Commands Get a List of Installed Certificates  32
        InstalledApplicationList Commands Get a List of Third-Party Applications  33
        DeviceInformation Commands Get Information About the Device  35
        SecurityInfo Commands Request Security-Related Information  40

2019-03-25 | Copyright © 2019 Apple Inc. All Rights Reserved.

        DeviceLock Command Locks the Device Immediately  43
        RestartDevice Commands Restart Devices  44
        ShutDownDevice Commands Shut Down Devices  44
        ClearPasscode Commands Clear the Passcode for a Device  45
        EraseDevice Commands Remotely Erase a Device  45
        RequestMirroring and StopMirroring Control AirPlay Mirroring  45
        Restrictions Commands Get a List of Installed Restrictions  47
        Shared iPad User Commands Manage User Access  49
        MDM Lost Mode Helps Lock and Locate Lost Devices  50
        Managed Applications  52
        Installed Books  62
        Managed Settings  65
        Managed App Configuration and Feedback  69
        AccountConfiguration  72
        Firmware (EFI) Password Management  73
        SetAutoAdminPassword  75
        DeviceConfigured  75
        Software Update  75
        Extension Management  80
        Support for macOS Requests  82
    Error Codes  84
        MCProfileErrorDomain  84
        MCPayloadErrorDomain  84
        MCRestrictionsErrorDomain  85
        MCInstallationErrorDomain  85
        MCPasscodeErrorDomain  86
        MCKeychainErrorDomain  86
        MCEmailErrorDomain  86
        MCWebClipErrorDomain  87
        MCCertificateErrorDomain  87
        MCDefaultsErrorDomain  87
        MCAPNErrorDomain  87
        MCMDMErrorDomain  87
        MCWiFiErrorDomain  89
        MCTunnelErrorDomain  90
        MCVPNErrorDomain  90
        MCSubCalErrorDomain  90
        MCCalDAVErrorDomain  90
        MCDAErrorDomain  90
        MCLDAPErrorDomain  91
        MCCardDAVErrorDomain  91
        MCEASErrorDomain  91
        MCSCEPErrorDomain  91
        MCHTTPTransactionErrorDomain  92
        MCOTAProfilesErrorDomain  92
        MCProvisioningProfileErrorDomain  92
        MCDeviceCapabilitiesErrorDomain  92
        MCSettingsErrorDomain  93
        MCChaperoneErrorDomain  93
        MCStoreErrorDomain  93
        MCGlobalHTTPProxyErrorDomain  93
        MCSingleAppErrorDomain  93
        MCSSOErrorDomain  93
        MCFontErrorDomain  94
        MCCellularErrorDomain  94
        MCKeybagErrorDomain  94
        MCDomainsErrorDomain  94
        MCWebContentFilterErrorDomain  94
        MCNetworkUsageRulesErrorDomain  95
        MCOSXServerErrorDomain  95
        MCHomeScreenLayoutErrorDomain  95
        MCNotificationSettingsErrorDomain  95
        MCEDUClassroomErrorDomain  95
        MCSharedDeviceConfigurationErrorDomain  95

4 Device Enrollment Program  96
    Device Management Workflow  96
    DEP Server Tokens  97
        Obtaining a Server Token  97
        Using DEP Server Tokens  97
        Authentication and Authorization  99
        Web Services  101
    Common Error Codes  133

5 VPP App Assignment  135
    VPP in Apple School Manager  135
        Supporting VPP in Apple School Manager  136
    Using Web Services  136
        Service Request URL  136
        Providing Parameters  137
        Authentication  137
        Service Response  138
        Retry-After Header  139
        VPP Account Protection  139
        Initial Import of VPP Managed Distribution Assigned Licenses Using getVPPLicensesSrv  140
        productTypeId Codes  140
        Managed Apple IDs  140
        Program Facilitators  141
        Error Codes  142
    The Services  144
        registerVPPUserSrv  144
        getVPPUserSrv  145
        getVPPUsersSrv  147
        getVPPLicensesSrv  150
        getVPPAssetsSrv  153
        contentMetadataLookupUrl  155
        retireVPPUserSrv  158
        manageVPPLicensesByAdamIdSrv  159
        associateVPPLicenseSrv  162
        associateVPPLicenseWithVPPUserSrv  162
        disassociateVPPLicenseSrv  162
        disassociateVPPLicenseFromVPPUserSrv  162
        editVPPUserSrv  162
        VPPClientConfigSrv  163
        VPPServiceConfigSrv  164
    Examples  166
        Request to VPPServiceConfigSrv  166
        Request to getVPPLicensesSrv  170
        Request to getVPPUsersSrv  172
        Request to getVPPUserSrv  173
        Request to registerVPPUserSrv  174
        Request to editVPPUserSrv  174
        Request to retireVPPUserSrv  175
        Request to getVPPAssetsSrv  176
        Request to VPPClientConfigSrv  177
        Request to manageVPPLicensesByAdamIdSrv  180

6 Managed Apps and Updates  182
    Managing Applications  182
        iOS 9.0 and Later  182
        iOS 7.0 and Later  182
        iOS 5.0 and Later  182
        iOS 4.x and Later  183
    Managing OS Software Updates  184
        Restricting Updates  184
        Software Updates  184
        Apple Software Lookup Service  184
    Managed "Open In"  185

7 Class Rosters  186
    Class Roster Information  186
        Requests  186
        Responses  187
        Class Roster Sync Service  189
    Person Roster Information  192
        Requests  192
        Responses  193
        Person Roster Sync Service  195
    Location Information  199
        Requests  199
        Responses  199
        Location Roster Sync Service  201
    Course Roster Information  203
        Requests  203
        Responses  204
        Course Roster Sync Service  205
    Error Responses  207

8 MDM Best Practices  209
    Tips for Specific Profile Types  209
        Initial Profiles Should Contain Only the Basics  209
        Managed Profiles Should Pair Restrictions with Capabilities  209
        Each Managed Profile Should Be Tied to a Single Account  210
    Provisioning Profiles Can Be Installed Using MDM  210
    Passcode Policy Compliance  211
    Deployment Scenarios  211
        OTA Profile Enrollment  211
        Device Enrollment Program  212
        Vendor-Specific Installation  212
    SSL Certificate Trust  212
    Distributing Client Identities  212
    Identifying Devices  212
    Passing the Client Identity Through Proxies  213
    Detecting Inactive Devices  213
    Using the Feedback Service  214
    Dequeueing Commands  214
    Terminating a Management Relationship  214
    Updating Expired Profiles  214
    Dealing with Restores  215
    Securing the ClearPasscode Command  215
    Adding MDMServiceConfig Functionality  215
        Examples  216

9 MDM Vendor CSR Signing Overview  219
    Creating a Certificate Signing Request (Customer Action)  219
    Signing the Certificate Signing Request (MDM Vendor Action)  219
    Creating the APNS Certificate for MDM (Customer Action)  221
    Code Samples  222

10 Revision History  225


About Mobile Device Management

The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, macOS devices running macOS v10.7 and later, and Apple TV devices running iOS 7 (Apple TV software 6.0) and later. Through the MDM service, an IT administrator can inspect, install, or remove profiles; remove passcodes; and begin secure erase on a managed device.

The MDM protocol is built on top of HTTP, transport layer security (TLS), and push notifications. The related MDM check-in protocol provides a way to delegate the initial registration process to a separate server.

MDM uses the Apple Push Notification Service (APNS) to deliver a "wake up" message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.

To provide MDM service, your IT department needs to deploy an HTTPS server to act as an MDM server, then distribute profiles containing the MDM payload to your managed devices. A managed device uses an identity to authenticate itself to the MDM server over TLS (SSL). This identity can be included in the profile as a Certificate payload or it can be generated by enrolling the device with SCEP.

Note: For information about SCEP, see the draft SCEP specification located at draft-nourse-scep/.

The MDM payload can be placed within a configuration profile (.mobileconfig) file distributed using email or a webpage, as part of the final configuration profile delivered by an over-the-air enrollment service, or automatically using the Device Enrollment Program. Only one MDM payload can be installed on a device at any given time.

Configuration profiles and provisioning profiles installed through the MDM service are called managed profiles. These profiles are automatically removed when the MDM payload is removed. Although an MDM service may have the rights to inspect the device for the complete list of configuration profiles or provisioning profiles, it may only remove apps, configuration profiles, and provisioning profiles that it originally installed. Accounts installed using managed profiles are called managed accounts.

In addition to managed profiles, you can also use MDM to install apps. Apps installed through the MDM service are called managed apps. The MDM service has additional control over how managed apps and their data are used on the device.

Devices running iOS 5 and later can be designated as supervised when they are being prepared for deployment with Apple Configurator 2. Additionally, devices running iOS 7 and later can be supervised using the Device Enrollment Program. A supervised device provides an organization with additional control over its configuration and restrictions. In this document, if any configuration option is limited to supervised devices, its description notes that limitation.

Unless the profile is installed using the Device Enrollment Program, a user may remove the profile containing the MDM payload at any time. The MDM server can always remove its own profile, regardless of its access rights. In macOS v10.8 and later and iOS 5 and later, the MDM client makes a single attempt to contact the server with the CheckOut command when the profile is removed. In earlier OS versions, the device does not contact the MDM server when the user removes the payload. See MDM Best Practices for recommendations on how to detect devices that are no longer managed.

A profile containing an MDM payload cannot be locked unless it is installed using the Device Enrollment Program. However, managed profiles installed through MDM may be locked. All managed profiles installed through MDM are removed when the main MDM profile is removed, even if they are locked.

At a Glance

This document was written for system administrators and system integrators who design software for managing devices in enterprise environments.

The MDM Check-in Protocol Lets a Device Contact Your Server

The MDM check-in protocol is used during initialization to validate a device's eligibility for MDM enrollment and to inform the server that a device's device token has been updated.
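The following is an added example, not code from this reference or from Apple: a minimal server-side handler for the three check-in message types the contents list (Authenticate, TokenUpdate, CheckOut), covering the eligibility check described above, the single CheckOut attempt an iOS 5 / macOS v10.8 device makes when the profile is removed, and the "silent device" heuristic you need for older OS versions that send no CheckOut at all. Assumptions: check-in bodies are property lists and use the keys MessageType, Topic, UDID, Token, PushMagic and UnlockToken (taken from the check-in chapter, which is not reproduced on this page); the topic string, UDIDs and timestamps are constructed values; `CheckInServer`, `make_checkin` and `demo` are names chosen here.

```python
import plistlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed topic value; a real one is tied to your APNs push certificate.
SERVER_TOPIC = "com.apple.mgmt.External.11111111-2222-3333-4444-555555555555"


@dataclass
class DeviceRecord:
    udid: str
    enrolled: bool = False                # True after Authenticate, False after CheckOut
    token: Optional[bytes] = None         # APNs device token from TokenUpdate
    push_magic: Optional[str] = None      # echoed back to the device in the wake-up push
    unlock_token: Optional[bytes] = None  # lets a later ClearPasscode work; treat as a secret
    last_seen: float = 0.0                # time of the device's most recent check-in


class CheckInServer:
    """Handles Authenticate, TokenUpdate and CheckOut. Key names are an assumption
    taken from the check-in chapter, which this page does not reproduce."""

    def __init__(self, eligible_udids, topic: str = SERVER_TOPIC):
        self.eligible = set(eligible_udids)        # devices you actually expect to enrol
        self.topic = topic
        self.devices: Dict[str, DeviceRecord] = {}

    def handle(self, body: bytes, now: float) -> int:
        """Process one check-in body and return the HTTP status to answer with.
        Anything but 200 makes the device treat that step as refused."""
        try:
            msg = plistlib.loads(body)
        except Exception:
            return 400
        if not isinstance(msg, dict):
            return 400
        msg_type, udid = msg.get("MessageType"), msg.get("UDID")
        if not isinstance(udid, str) or not udid:
            return 400
        if msg.get("Topic") != self.topic:
            return 403                              # enrolled against some other server's topic

        if msg_type == "Authenticate":
            # Eligibility check: only pre-registered UDIDs may enrol. Re-enrolment starts a
            # fresh record so tokens from the device's previous life are dropped.
            if udid not in self.eligible:
                return 401
            self.devices[udid] = DeviceRecord(udid=udid, enrolled=True, last_seen=now)
            return 200

        rec = self.devices.get(udid)
        if rec is None or not rec.enrolled:
            return 401                              # never authenticated, or already checked out

        if msg_type == "TokenUpdate":
            token, magic = msg.get("Token"), msg.get("PushMagic")
            if not isinstance(token, bytes) or not isinstance(magic, str):
                return 400
            rec.token, rec.push_magic = token, magic
            if isinstance(msg.get("UnlockToken"), bytes):
                rec.unlock_token = msg["UnlockToken"]
            rec.last_seen = now
            return 200

        if msg_type == "CheckOut":
            # The device's single best-effort notice that the MDM profile is gone:
            # stop pushing to it and drop the secrets bound to the old enrollment.
            rec.enrolled = False
            rec.token = rec.push_magic = rec.unlock_token = None
            rec.last_seen = now
            return 200

        return 400

    def inactive_devices(self, now: float, max_age: float) -> List[str]:
        """Devices still marked enrolled that have been silent for more than max_age
        seconds. Older OS versions send no CheckOut, so silence is the only hint that
        the profile was removed behind the server's back."""
        return sorted(u for u, r in self.devices.items()
                      if r.enrolled and now - r.last_seen > max_age)


def make_checkin(message_type: str, udid: str, topic: str = SERVER_TOPIC, **extra) -> bytes:
    """Build a constructed check-in body the way a device would (XML plist)."""
    return plistlib.dumps({"MessageType": message_type, "Topic": topic, "UDID": udid, **extra})


def demo() -> dict:
    """Walk one device through enrolment, token update, staleness and check-out."""
    srv, week, out = CheckInServer(eligible_udids=["UDID-A"]), 7 * 86400, {}
    out["auth_ok"] = srv.handle(make_checkin("Authenticate", "UDID-A"), now=1000.0)
    out["auth_unknown"] = srv.handle(make_checkin("Authenticate", "UDID-B"), now=1000.0)
    out["wrong_topic"] = srv.handle(
        make_checkin("TokenUpdate", "UDID-A", topic="com.apple.mgmt.External.other"), now=1001.0)
    out["token_ok"] = srv.handle(make_checkin(
        "TokenUpdate", "UDID-A", Token=b"\x01\x02\x03", PushMagic="magic-1", UnlockToken=b"\xaa"),
        now=1002.0)
    out["stale_after_8_days"] = srv.inactive_devices(now=1002.0 + 8 * 86400, max_age=week)
    out["checkout"] = srv.handle(make_checkin("CheckOut", "UDID-A"), now=1003.0)
    out["stale_after_checkout"] = srv.inactive_devices(now=1003.0 + 8 * 86400, max_age=week)
    out["token_after_checkout"] = srv.handle(
        make_checkin("TokenUpdate", "UDID-A", Token=b"\x01", PushMagic="m"), now=1004.0)
    return out
```

The two refusals worth noting are the 401 for a UDID you never pre-registered (an Authenticate from an unknown device is the point at which enrollment eligibility is decided) and the 401 for a TokenUpdate after CheckOut, which keeps a removed-then-reinstalled profile from reusing stale state without a fresh Authenticate. The staleness threshold is policy; a week is only a placeholder.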

The MDM Protocol Sends Management Commands to the Device

The (main) MDM protocol uses push notifications to tell the managed device to perform specific functions, such as deleting an app or performing a remote wipe.
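Added example (not code from this reference or from Apple) of the command side of the protocol as described above: the push only wakes the device, the command travels over the HTTPS connection the device opens, and the server decides from the returned Status when a command may leave the queue, including the NotNow case the contents list under Error Handling. It also binds each result to the UDID the TLS client identity was enrolled with, so one device cannot acknowledge or discard another's commands. Assumptions: a command is a plist `{CommandUUID, Command: {RequestType, ...}}`, a result carries Status, UDID and CommandUUID, DeviceInformation takes `Queries` and answers with `QueryResponses`, and the wake-up push body is `{"mdm": PushMagic}` (all from the protocol chapter, not reproduced on this page); answering NotNow with an empty response is a policy choice made here; `CommandQueue`, `demo` and the UDIDs are names and values chosen for the example.

```python
import plistlib
import uuid
from collections import deque
from typing import Deque, Dict, List, Optional


class CommandQueue:
    """Per-device FIFO of MDM commands and the result handling that decides when a
    command may leave the queue. Message shapes are assumptions from the protocol
    chapter, which this page does not reproduce."""

    TERMINAL = {"Acknowledged", "Error", "CommandFormatError"}

    def __init__(self):
        self.queues: Dict[str, Deque[dict]] = {}
        self.pushes: List[dict] = []   # wake-ups "sent" (recorded here instead of going to APNs)

    def enqueue(self, udid: str, push_magic: str, request_type: str, **params) -> str:
        cmd_uuid = str(uuid.uuid4())
        cmd = {"CommandUUID": cmd_uuid, "Command": {"RequestType": request_type, **params}}
        self.queues.setdefault(udid, deque()).append(cmd)
        # APNs carries no command, only the nudge; the command itself goes over the
        # HTTPS connection the device opens in response. Assumed body: {"mdm": PushMagic}.
        self.pushes.append({"udid": udid, "payload": {"mdm": push_magic}})
        return cmd_uuid

    def next_command(self, udid: str) -> Optional[bytes]:
        """Head of the queue as a plist body, or None for an empty 200 response."""
        q = self.queues.get(udid)
        return plistlib.dumps(q[0]) if q else None

    def handle_result(self, body: bytes, authenticated_udid: str) -> Optional[bytes]:
        """Consume one result from the device and return the next command body.

        authenticated_udid is the UDID the TLS client identity on this connection was
        enrolled with; a result naming any other UDID is refused, not trusted."""
        result = plistlib.loads(body)
        if not isinstance(result, dict) or result.get("UDID") != authenticated_udid:
            raise PermissionError("result UDID does not match the client identity")
        status = result.get("Status")
        q = self.queues.setdefault(authenticated_udid, deque())
        if status == "Idle":                      # device woke up with nothing to report
            return self.next_command(authenticated_udid)
        if not q or q[0]["CommandUUID"] != result.get("CommandUUID"):
            raise ValueError("result does not refer to the outstanding command")
        if status in self.TERMINAL:
            q.popleft()                           # only now is the command finished
            return self.next_command(authenticated_udid)
        if status == "NotNow":
            # Device cannot act yet (locked, for instance). Keep the command at the head
            # and answer with nothing: the device polls again when it is able, and
            # re-pushing now would only earn another NotNow. (Policy choice.)
            return None
        raise ValueError(f"unexpected Status {status!r}")


def demo() -> dict:
    """Two commands for one device: wake-up, NotNow, later acknowledgement, spoof attempt."""
    qn, udid = CommandQueue(), "UDID-A"

    def device_says(status: str, **fields) -> bytes:      # constructed device results
        return plistlib.dumps({"Status": status, "UDID": udid, **fields})

    c1 = qn.enqueue(udid, "magic-1", "DeviceInformation", Queries=["UDID", "OSVersion"])
    c2 = qn.enqueue(udid, "magic-1", "DeviceLock")
    out = {"pushes": len(qn.pushes)}
    first = plistlib.loads(qn.handle_result(device_says("Idle"), udid))
    out["first_is_c1"] = first["CommandUUID"] == c1
    out["after_notnow"] = qn.handle_result(device_says("NotNow", CommandUUID=c1), udid)
    out["still_queued"] = len(qn.queues[udid])
    again = plistlib.loads(qn.handle_result(device_says("Idle"), udid))
    out["again_is_c1"] = again["CommandUUID"] == c1
    nxt = plistlib.loads(qn.handle_result(
        device_says("Acknowledged", CommandUUID=c1, QueryResponses={"OSVersion": "12.2"}), udid))
    out["next_is_c2"] = nxt["CommandUUID"] == c2 and nxt["Command"]["RequestType"] == "DeviceLock"
    try:   # a result claiming another device's UDID must not touch this queue
        spoof = plistlib.dumps({"Status": "Acknowledged", "UDID": "UDID-B", "CommandUUID": c2})
        qn.handle_result(spoof, udid)
        out["spoof_rejected"] = False
    except PermissionError:
        out["spoof_rejected"] = True
    done = qn.handle_result(device_says("Acknowledged", CommandUUID=c2), udid)
    out["queue_drained"] = done is None and not qn.queues[udid]
    return out
```

The design point is that a command is removed only on a terminal Status from the device that owns it; an Error result still dequeues (the caller logs it), while NotNow leaves the command in place without re-pushing, so a locked device does not generate a push loop.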

The Way You Design Your Payload Matters

For maximum effectiveness and security, follow MDM Best Practices and install a base profile that contains little more than the most basic MDM management information, then install other profiles to the device after it is managed.

The Device Enrollment Program Lets You Configure Devices with the Setup Assistant

The HTTP-based Device Enrollment Program addresses the mass configuration needs of organizations purchasing and deploying devices in large quantities, without the need for factory customization or pre-configuration of devices prior to deployment. The cloud service API provides profile management and mapping. With this API, you can create profiles, update profiles, delete profiles, obtain a list of devices, and associate those profiles with specific devices.
