iOS MDM (1): a thorough introduction

This MDM series is divided into the following parts:

  • iOS MDM (1): a thorough introduction
  • iOS MDM (2): making the certificates
  • iOS MDM (3): generating the mobileconfig configuration file
  • iOS MDM (4): installing the mobileconfig configuration file
  • iOS MDM (5): sending commands to the device

I. What MDM is

MDM (Mobile Device Management) exists to let enterprises manage iPhones, iPads and other mobile devices conveniently.

The benefit is most obvious when a company issues mobile devices to many employees, or has security restrictions to enforce on them. Devices in the enterprise can be enrolled in MDM; IT staff can then configure them and update settings over the air, supervise compliance with company policy, and remotely lock or wipe a managed device. (For example, many electronics factories forbid employees from carrying phones at work, for fear that product information will leak through photos. With MDM the camera app can be disabled during working hours while the rest of the phone remains usable.)

The following operations can be performed through MDM:

  • List the installed applications
  • Install and remove applications
  • Install and remove provisioning profiles, and list the installed ones
  • Install and remove configuration profiles, and list the installed ones
  • List the installed certificates
  • Query device information (UDID, Languages, DeviceID, BatteryLevel, etc.)
  • Query security-related information
  • Lock the screen, restart, shut down, clear the passcode, erase the device
  • Query the list of enabled restrictions
  • Lost mode: lock the device and obtain its location
  • Manage settings such as the device name, wallpaper and cellular network settings
  • Update installed-application attributes and query system update information
  • Install media such as books

Many finer-grained functions are not listed here. If you have not encountered MDM before, its reach may surprise you; this is why it plays such an important role in enterprise application deployment and device management.

Although MDM offers all of this, in our actual application only a handful of operations matter: locking the screen, clearing the passcode and erasing data; installing and removing apps; installing and removing configuration profiles; and retrieving device information such as the list of installed apps. In other words, a few common operations cover almost everything.

II. About this series

When I first started with MDM I was completely lost and did not know where to begin. The information spread around the net is fragmentary: did its authors actually carry out the specific steps? Did they actually get it running? I went around all the major forums; some people may have understood it and done it, but what they wrote was much the same, and the actual steps were also a pile of copy-and-paste. In the end I could only rely on Apple's official documentation, because other useful information was too scarce.

After a few months of study my understanding of MDM gradually became much clearer. By now our management platform is running end to end, and we are planning to deploy it inside the company. So I want to write up, step by step, what was done, what I thought and the problems I ran into, in the hope that it helps you understand MDM better and start using it faster.

III. MDM workflow

A diagram from Apple's official documentation:

[Figure: MDM workflow]

As the figure shows, an MDM service involves three parties: Apple's push service (APNs), your own or a third-party MDM server, and the managed device. In practice all three talk to each other over TLS-protected connections, so, just as with ordinary app push, MDM push requires a push certificate. Before enrollment none of these connections exists, except the one the device itself already maintains to APNs. The roles are as follows:

  • MDM server: towards the device, it issues the management commands, collects the requested information and handles the device's responses. Towards APNs, it sends a push that wakes the device; the device then connects to the MDM server and reports its status, and if the device reports that it is Idle the server proceeds to the next step, such as sending a command.
  • APNs: the messenger between the other two. It only forwards the MDM server's wake-up to the device, which tells the device to connect to the server.
  • Device: it is first enrolled through Safari by installing a configuration profile (described below) from the server, which makes it a managed device. When a push arrives from APNs, the device connects to the MDM server at the URL given in the installed profile and reports its status, then receives the next command, for example DeviceInformation (which queries device details such as ModelName, BatteryLevel and WiFiMAC). The command arrives as an XML plist; the device executes it and sends the results back to the server. If the server has no further command to send, it closes the connection.

All data exchanged between the MDM server and the device is in XML plist format, carried in HTTP PUT requests from the device, so the server has to package its commands as XML plists and implement the handling of PUT requests. APNs only delivers an identifier of the device's enrollment (its PushMagic); the notification carries no command itself and merely wakes the device so that it connects to the MDM server.
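To make the exchange concrete, here is an added example (not part of the original post, and not the author's Java server) modelling the server side in Python: the APNs wake-up payload, the CheckIn messages, and the ServerURL loop in which the device reports Idle, receives a DeviceInformation command as an XML plist, and returns its results. It also handles the NotNow status, where a device that cannot execute yet gets the command re-queued instead of lost. All UDIDs, topics, tokens and device replies are constructed placeholders, and the HTTPS transport itself (the device's PUT requests and the TLS connection to APNs) is left out.

```python
import plistlib
from collections import deque

# Added example: minimal model of the MDM server side of the protocol.
# Every identifier and device reply below is a constructed placeholder.
PLACEHOLDER_UDID = "00000000-0000000000000000"
PLACEHOLDER_TOPIC = "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000"
PLACEHOLDER_PUSH_MAGIC = "00000000-0000-0000-0000-000000000000"


def encode(obj):
    """Serialize a dict as the XML plist the device expects in the response body."""
    return plistlib.dumps(obj)


def decode(body):
    """Parse the plist body of a device's PUT request."""
    return plistlib.loads(body)


def device_information_command(queries, command_uuid):
    """DeviceInformation command: a CommandUUID plus a Command dict holding the
    RequestType and the list of keys to query (ModelName, BatteryLevel, ...)."""
    return {
        "CommandUUID": command_uuid,
        "Command": {"RequestType": "DeviceInformation", "Queries": list(queries)},
    }


def apns_mdm_payload(push_magic):
    """The wake-up push carries only the enrollment's PushMagic under 'mdm';
    the command itself is never inside the notification."""
    return {"mdm": push_magic}


def handle_checkin(body):
    """CheckInURL handler. Authenticate starts enrollment; TokenUpdate delivers
    the APNs device token and PushMagic the server must store for later pushes."""
    msg = decode(body)
    kind = msg["MessageType"]
    if kind == "Authenticate":
        return {"udid": msg["UDID"], "topic": msg["Topic"]}
    if kind == "TokenUpdate":
        return {"udid": msg["UDID"], "token": msg["Token"].hex(),
                "push_magic": msg["PushMagic"]}
    raise ValueError(f"unexpected MessageType {kind!r}")


class DeviceSession:
    """Per-device command queue behind the ServerURL handler."""

    def __init__(self):
        self.queue = deque()   # commands not yet handed to the device
        self.inflight = {}     # CommandUUID -> command sent, awaiting a status
        self.results = {}      # CommandUUID -> final status plist from the device

    def enqueue(self, command):
        self.queue.append(command)

    def handle_status(self, body):
        """The device PUTs a status plist; return the next command as plist
        bytes, or None to answer with an empty 200 so the device disconnects."""
        msg = decode(body)
        status = msg["Status"]
        if status == "NotNow":
            # Device cannot execute now (e.g. it is locked). Put the command back
            # at the head of the queue and send nothing; it will reconnect later.
            self.queue.appendleft(self.inflight.pop(msg["CommandUUID"]))
            return None
        if status != "Idle":
            # Acknowledged / Error / CommandFormatError finish the in-flight command.
            self.results[msg["CommandUUID"]] = msg
            self.inflight.pop(msg["CommandUUID"], None)
        if not self.queue:
            return None
        cmd = self.queue.popleft()
        self.inflight[cmd["CommandUUID"]] = cmd
        return encode(cmd)


def run_example():
    """Walk one full exchange with constructed device messages."""
    enrollment = handle_checkin(encode({
        "MessageType": "TokenUpdate", "Topic": PLACEHOLDER_TOPIC,
        "UDID": PLACEHOLDER_UDID, "Token": bytes(32),
        "PushMagic": PLACEHOLDER_PUSH_MAGIC,
    }))
    # Sent to APNs for the stored device token, under the enrollment's Topic.
    push = apns_mdm_payload(enrollment["push_magic"])

    session = DeviceSession()
    session.enqueue(device_information_command(
        ["ModelName", "BatteryLevel", "WiFiMAC"], "CMD-0001"))

    # Woken by the push, the device connects to ServerURL and reports Idle.
    wire = session.handle_status(encode({"Status": "Idle", "UDID": PLACEHOLDER_UDID}))
    sent = decode(wire)

    # Constructed device answer to the DeviceInformation command.
    wire = session.handle_status(encode({
        "Status": "Acknowledged", "UDID": PLACEHOLDER_UDID,
        "CommandUUID": sent["CommandUUID"],
        "QueryResponses": {"ModelName": "iPhone", "BatteryLevel": 0.82,
                           "WiFiMAC": "00:00:00:00:00:00"},
    }))
    return {
        "push": push,
        "request_type": sent["Command"]["RequestType"],
        "query_responses": session.results["CMD-0001"]["QueryResponses"],
        "closed": wire is None,  # queue empty: empty 200, the session ends
    }
```

The point of keeping an `inflight` table separate from the queue is the NotNow case from the protocol: a device that cannot run a command yet (for example while locked) answers NotNow and expects the same command again on its next connection, so a server that simply pops and forgets commands silently loses them. This is also the first place to look when a push "succeeds" but the device appears not to respond.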

IV. The work to do and the problems I ran into

From the above it follows that a complete MDM service needs: an APNs push certificate, a configuration profile installed on the device, HTTPS communication, an understanding of the MDM protocol and its commands, and an MDM server (I will not cover the server itself here, because our backend team handles that). So in the following parts I will work through these tasks in turn:

  • iOS MDM (1): a thorough introduction
  • iOS MDM (2): making the certificates
  • iOS MDM (3): generating the mobileconfig configuration file
  • iOS MDM (4): installing the mobileconfig configuration file
  • iOS MDM (5): sending commands to the device

These are the key operations of an MDM service; other minor aspects will be written up gradually later.

Along the way I ran into the following problems:

Problem 1: installing the mobileconfig configuration file fails

During installation the device kept reporting failure! When I opened the `Charles` capture tool to look at the traffic, the installation suddenly succeeded; when I closed Charles it failed again. My guess is that with the Charles proxy in place the device could reach the MDM server on the network, and that publishing the server to the public network should avoid the problem (not yet verified).

Problem 2: the MDM server fails to connect to APNs, so pushes keep failing

When pushing a command, the Java backend kept reporting `javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found`. Upgrading the JDK later made the error go away.

Next came `Software caused connection abort: recv failed`. Investigation showed that the server was connecting to the APNs development (sandbox) address, whereas the mobileconfig was generated with the default production setting, and the push certificate obtained through identity.apple.com/pushcert is only issued for the production environment. I had naively assumed that development and production pushes were the same.

Problem 3: the command is pushed successfully but the device does not respond, or responds very slowly

Sometimes a command is pushed successfully but nothing comes back. Mostly this happens between the MDM server and APNs; I estimate that either the device was not woken, or the push from APNs to the device was not delivered promptly, so there is some delay.

Once the device is connected to the server, commands are answered quickly. But sometimes after a few operations the responses slow down; my guess is that the device has not yet finished processing, but I am still looking into it.

Problem 4: silent installation of apps

Since we distribute enterprise applications, when we publish an app we want every managed device to install it forcibly, without prompting the user to confirm. This has not been achieved yet. Android seems to be able to do it; on iOS I am still working on it.

V. Summary

The above is a brief introduction to MDM. If you are familiar with MDM and spot anything inaccurate, I would be grateful for your corrections. If you are not familiar with it, I hope it helps. Next I will go through the above steps one by one.