
Mobile Device Management Protocol Reference



Transcription of Mobile Device Management Protocol Reference

Mobile Device Management Protocol Reference

Developer

2019-03-25 | Copyright

Contents

(EFI)
Open In ..1857
MDM Vendor CSR Signing Overview
Creating a Certificate Signing Request (Customer Action)
Signing the Certificate Signing Request (MDM Vendor Action)
Creating the APNS Certificate for MDM (Customer Action)

(MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, , and Apple TV devices running iOS 7 ( ) , an IT administrator can inspect, install, or remove profiles; remove passcodes; , transport layer security (TLS), (APNS) to deliver a wakeup , your IT department needs to deploy an HTTPS server to act as an MDM server, (SSL). , (.mobileconfig) file distributed using email or a webpage, as part of the final configuration profile delivered by an over-the-air enrollment service, , it may only remove apps, configuration profiles, , , devices running iOS 7 and later can be supervised using the Device Enrollment , if any configuration option is limited to supervised devices, , , , , , , 's eligibility for MDM enrollment and to inform the server that a device (main) MDM protocol uses push notifications to tell the managed device to perform specific functions, , follow MDM Best Practices and install a base profile that contains little more than the most basic MDM management information, , , you can create profiles, update profiles, delete profiles, obtain a list of devices, , you must download an MDM Signing Certificate , you must use that certificate to sign your customers , , 's eligibility for MDM enrollment and to inform the server that a device , , , , , the device sends an HTTP PUT request in this format:

PUT /your/url : : 1234 Content-Type: application/x-apple-aspen-mdm-checkin

<?xml version= encoding= UTF-8 ?>
<!DOCTYPE plist PUBLIC -//Apple//DTD PLIST >
<plist version= >
<dict>
  <key>MessageType</key> <string>Authenticate</string>
  <key>Topic</key> <string>..</string>
  <key>UDID</key> <string>..</string>
</dict>
</plist>

(OK) status code to indicate success or a 401 (Unauthorized) , the device sends an authenticate message that contains at least three key-value pairs in its property list: Key Type The device : Key Type Value OSVersion String The device The device The device's product name ( , iPhone3,1 ). SerialNumber String The device The device's IMEI (International Mobile Station Equipment Identity). MEID String The device's MEID (mobile equipment identifier).

Server Response

On success, , , , push magic, : Key Type The device : The size of the device push token may vary, , while the size of the largest push token may change in future releases, (see below). UnlockToken Data , , : Available in iOS 9 and later and can only be sent by DEP (see Device Enrollment Program).

, , , the device should no longer listen to the former relationship, ; the server , only to have that party re-enroll people piggybacking on some other topic that * (and may differ in size from previous values). If different, , *where* , , if the CheckOutWhenRemoved key in the MDM payload is set to true, , the device attempts to send a CheckOut message when the MDM profile is removed regardless of the value of this key (or its absence). If network conditions do not allow the message to be delivered successfully, : Key Type The device (MDM) : , , , in the future, the UDID will not always be 41 characters , , , :

The server (at some point in the future) sends out a push notification to the device.
The device polls the server for a command in response to the push notification.
The device performs the command.

, , ; 's certificate, , it does not remember the URL given by HTTP 301 (Moved Permanently) , as its name implies, , extensions to the MDM protocol were developed to identify and authenticate the network user logging in so that any network user is also managed by the MDM server (via their user profiles).

, (MDM) payload, a simple property list, : Key Type ://URL scheme, and may contain a port number (:1234, for example). ServerCapabilities Array , , ://URL scheme and may contain a port number (:1234, for example). If this URL is not given, , Content AccessRights Integer, :

1: Allow inspection of installed configuration profiles.
2: Allow installation and removal of configuration profiles.
4: Allow device lock and passcode removal.
8: Allow device erase.
16: Allow query of Device Information (device capacity, serial number).
32: Allow query of Network Information (phone/SIM numbers, MAC addresses).
64: Allow inspection of installed provisioning profiles.
128: Allow installation and removal of provisioning profiles.
256: Allow inspection of installed applications.
512: Allow restriction-related queries.
1024: Allow security-related queries.
2048
4096

, , , , ( ). , , , Payload Dictionary Keys Common to All Payloads , see Configuration Profile Key Reference Payload , , : { mdm : PushMagicValue } In place of PushMagicValue above, (The aps key is used only for third-party app push notifications.)

The device responds to this push notification by contacting the MDM server using HTTP PUT over TLS (SSL). , : MDM request payload example

PUT /your/url : : 1234
Content-Type: application/x-apple-aspen-mdm; charset=UTF-8

<?xml version= encoding= UTF-8 ?>
<!DOCTYPE plist PUBLIC -//Apple//DTD PLIST >
<plist version= >
<dict>
  <key>UDID</key> <string>..</string>
  <key>CommandUUID</key> <string>9F09D114-BCFD-42AD-A974-371AA7D6256E</string>
  <key>Status</key> <string>Acknowledged</string>
</dict>
</plist>

: 200 OK
Content-Length: 1234
Content-Type: application/xml; charset=UTF-8

<?xml version= encoding= UTF-8 ?>
<!DOCTYPE plist PUBLIC -//Apple//DTD PLIST >
<plist version= >
<dict>
  <key>CommandUUID</key> <string>9F09D114-BCFD-42AD-A974-371AA7D6256E</string>
  <key>Command</key> <dict>..</dict>
</dict>
</plist>

(OK) , , (but empty) push activity should look like this:

Wed Sep 29 02:09:05 unknown mdmd[1810] <Warning>: MDM|mdmd
Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Network reachability
Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Polling MDM server :2001/mdm for commands
Wed Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Transaction completed. Status:200
Wed Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Server has no commands for this
Sep 29 02:09:08 unknown mdmd[1810] <Warning>: MDM|mdmd

: Key Type Content CommandUUID String , Content RequestType String , the command is executed only if the device has a tethered network connection; otherwise an MCMDM error value of 12081 is returned (see MCMDMErrorDomain). , (if any). (there is no status). NotNow The device received the command, , : ErrorChain array dictionary keys Key Type Content LocalizedDescription String Description of the error in the device , , for reference, , , , , there is one instance of an mdmclient agent for each logged-in user, , ; , :

The device will be managed.
The local user that installed the profile will be managed.

, , , , user requests contain additional keys in their request plists:

<key>UDID</key> <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
<key>UserID</key> <string>F17C470A-3ADC-47EC-A7CC-D432867F4793</string>
<key>UserLongName</key> <string>Jimmy Smith</string>
<key>UserShortName</key> <string>jimmys</string>
<key>NeedSyncResponse</key> <boolean>true</boolean>

Note the following conditions for including the foregoing keys: Requests from a device contain only the UDID key.

, , , the client blocks the transaction only until the server sends an empty response to an Idle/ , it indicates that the macOS client is trying to obtain user-specific settings while in Setup Assistant during Device Enrollment (see Device Enrollment Program). After a macOS client obtains device-specific settings, , , it starts a normal Idle/ , nothing the client receives persists, because the user account hasn (an empty body) , the client initiates a new series of Idle/ , , , if the user is a network user or has a mobile home , , , : Key Type Local user's GUID, or network user's GUID from Open Directory Record (see below). If the macOS device being enrolled has an owner, , an X-MDM-is-owned header is added to the response to all requests to the checkin URL, ; : Key Type Content DigestChallenge String Standard HTTP , , with a 200 response and DigestChallenge value that is non-empty, the client generates a digest from the user's short name, the user's clear-text password, , , , however, : Key Type User : Key Type Content AuthToken String , : Key Type Value UDID String GUID attribute from the user Record name from user Full name from user , :

// UserAuthenticate request from client to server:
<dict>
  <key>MessageType</key> <string>UserAuthenticate</string>
  <key>UDID</key> <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
  <key>UserID</key> <string>16C0477E-EB2F-4B5E-AAFD-92B2B91C4B16</string>
</dict>

// Server sends challenge:
<dict>
  <key>DigestChallenge</key> <string>Digest nonce= 8 BrAkk4 GZgrG//2 XaDLMSSSo89 VenjV5E8Se73z98 RvSW7Rs ,realm= <string>
</dict>

// Client sends response.
<dict>
  <key>DigestResponse</key> <string>Digest username= net1 ,realm= ,nonce= 8 BrAkk4 GZgrG2 XaDLMSSSo89 VenjV5E8Se73z98 RvSW7Rs ,uri= / ,response= 84db40bbaf5e0d49cabb0ef7d8cac369 </string>
  <key>MessageType</key> <string>UserAuthenticate</string>
  <key>UDID</key> <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
  <key>UserID</key> <string>16C0477E-EB2F-4B5E-AAFD-92B2B91C4B16</string>
</dict>

// Server responds with AuthToken for client session:
<key>AuthToken</key> <string>uEOcQRJrXGbMJUDAkDZSCny5e90=</string>

// From this point on, all user requests from that network user will include an AuthToken key:
<dict>
  <key>AuthToken</key> <string>uEOcQRJrXGbMJUDAkDZSCny5e90=</string>
  <key>Status</key> <string>Idle</string>
  <key>UDID</key> <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
  <key>UserID</key> <string>16C0477E-EB2F-4B5E-AAFD-92B2B91C4B16</string>
  <key>UserLongName</key> <string>Net One</string>
  <key>UserShortName</key> <string>net1</string>
</dict>

For push notifications, , AuthToken , and its logged-in users, can be managed independently as a Shared iPad, , the following types of MDM commands can be sent on the user channel:

ProfileList
InstallProfile
RemoveProfile
Restrictions
InviteToProgram
DeviceInformation

To indicate that an MDM server supports both device and user connections, , , , user requests must contain additional keys: Key Type Content UserID String , , , however, , , Handling a NotNow Response, below, , and never return NotNow.

DeviceInformation
ProfileList
DeviceLock
EraseDevice
ClearPasscode
CertificateList
ProvisioningProfileList
InstalledApplicationList
Restrictions

The macOS MDM client may respond with NotNow when:

The system is in Power Nap (dark wake) and a command other than DeviceLock or EraseDevice is received.
An InstallProfile or RemoveProfile request is made on the user connection and the user

, the client may respond with NotNow if it is blocking the user's login while it contacts the server, and if the server sends a request that may take a long time to answer (such as InstalledApplicationList or DeviceInformation).

's response to the previous command sent has a status of NotNow, your server has two response choices:

, , it must send the command again when the device polls the server.
It may send another command on the same connection, but if this new command returns anything other than a NotNow response, ,

, , , the server sends a dictionary containing the following keys: Key Type Content RequestType String ProfileList

The device replies with a property list that contains the following key: Key Type Content ProfileList Array

, , follow these rules:

The new MDM profile must be signed with the same identity as the existing profile.

You cannot change the topic or server URL of the profile.

, the server sends a dictionary containing the following keys: Key , the Payload is of type Data, meaning that the entire Payload must be base64-encoded, Understanding XML Property Lists , ,

the server sends a dictionary containing the following keys: Key Type ,

the server sends a dictionary containing the following keys: Key Type : Key Type Content ProvisioningProfileList Array : Key Type Content Name String ,

the server sends a dictionary containing the following keys: Key Type Content RequestType String InstallProvisioningProfile ProvisioningProfile Data ,

the server sends a dictionary containing the following keys: Key Type Content RequestType String RemoveProvisioningProfile UUID String ,

the server sends a dictionary containing the following keys: Key Type Content RequestType String CertificateList : Certificate dictionary keys Key Type Content CommonName String , , , : : InstalledApplicationList dictionary keys Key Type Content Identifier String The application The application The application The application The app's static bundle size, The size of the app's document, library, and other folders, If true, , it If true, , The application , , note that the version in the store may not be available for installation on the device for a variety of reasons, including that the device If true, , for device-based VPP apps, If true, If true, If true, If true, , ,

the server sends a dictionary containing the following keys: Key , Device information queries, , Device information queries, : General queries Query Reply Type Comment UDID String The unique device identifier (UDID) ( ) and later, on Apple TV only OrganizationInfo Dictionary The contents (if any) Comment AwaitingConfiguration Boolean If true, : Available in iOS 9 and later and the response is only generated by devices enrolled in MDM via DEP (see Device Enrollment Program).

