
Mobile Device Management Protocol Reference


Transcription of Mobile Device Management Protocol Reference

1 Mobile Device Management Protocol Reference. Developer. Contents: (EFI), OpenIn, MDM Vendor CSR Signing Overview, Creating a Certificate Signing Request (Customer Action), Signing the Certificate Signing Request (MDM Vendor Action), Creating the APNS Certificate for MDM (Customer Action).

(MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, , and Apple TV devices running iOS 7 ( ) , an IT administrator can inspect, install, or remove profiles; remove passcodes; , transport layer security (TLS), (APNS) to deliver a wakeup , your IT department needs to deploy an HTTPS server to act as an MDM server, (SSL). , (.mobileconfig) file distributed using email or a webpage, as part of the final configuration profile delivered by an over-the-air enrollment service, , it may only remove apps, configuration profiles, , , devices running iOS 7 and later can be supervised using the Device Enrollment , if any configuration option is limited to supervised devices, , , , , , , 's eligibility for MDM enrollment and to inform the server that a device (main)

2 MDM protocol uses push notifications to tell the managed device to perform specific functions , , follow MDM Best Practices and install a base profile that contains little more than the most basic MDM management information, , , you can create profiles, update profiles, delete profiles, obtain a list of devices, , you must download an MDM Signing Certificate , you must use that certificate to sign your customers , , 's eligibility for MDM enrollment and to inform the server that a device , , , , , the device sends an HTTP PUT request in this format:

PUT /your/url : : 1234
Content-Type: application/x-apple-aspen-mdm-checkin

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>MessageType</key>
    <string>Authenticate</string>
    <key>Topic</key>
    <string>.

3 </string>
    <key>UDID</key>
    <string>..</string>
</dict>
</plist>

(OK) status code to indicate success or a 401 (Unauthorized) , the device sends an authenticate message that contains at least three key-value pairs in its property list: Key Type The device : Key Type Value OSVersion String The device The device The device's product name ( , iPhone3,1 ). SerialNumber String The device The device's IMEI (International Mobile Station Equipment Identity). MEID String The device's MEID (mobile equipment identifier). Server Response On success, , , , push magic, : Key Type The device : The size of the device push token may vary, , while the size of the largest push token may change in future releases, (see below). UnlockToken Data , , : Available in iOS 9 and later and can only be sent by DEP (see Device Enrollment Program).

4 , , , the device should no longer listen to the former relationship, ; the server , only to have that party re-enroll people piggybacking on some other topic that * (and may differ in size from previous values). If different, , *where* , , if the CheckOutWhenRemoved key in the MDM payload is set to true, , the device attempts to send a CheckOut message when the MDM profile is removed regardless of the value of this key (or its absence). If network conditions do not allow the message to be delivered successfully, : Key Type The device (MDM) : , , , in the future, the UDID will not always be 41 characters , , , : The server (at some point in the future) sends out a push notification to the device. The device polls the server for a command in response to the push notification. The device performs the command. , , ; 's certificate, , it does not remember the URL given by HTTP 301 (Moved Permanently) , as its name implies, , extensions to the MDM protocol were developed to identify and authenticate the network user logging in so that any network user is also managed by the MDM server (via their user profiles).

5 , (MDM) payload, a simple property list, : Key Type :// URL scheme, and may contain a port number (:1234, for example). ServerCapabilities Array , , :// URL scheme and may contain a port number (:1234, for example). If this URL is not given, , Content AccessRights Integer, :

1: Allow inspection of installed configuration profiles.
2: Allow installation and removal of configuration profiles.
4: Allow device lock and passcode removal.
8: Allow device erase.
16: Allow query of Device Information (device capacity, serial number).
32: Allow query of Network Information (phone/SIM numbers, MAC addresses).
64: Allow inspection of installed provisioning profiles.
128: Allow installation and removal of provisioning profiles.
256: Allow inspection of installed applications.
512: Allow restriction-related queries.

6 1024: Allow security-related queries. 2048 4096 , , , , ( ). , , , Payload Dictionary Keys Common to All Payloads , see Configuration Profile Key Reference Payload , , :

{"mdm":"PushMagicValue"}

In place of PushMagicValue above, (The aps key is used only for third-party app push notifications.) The device responds to this push notification by contacting the MDM server using HTTP PUT over TLS (SSL). , : MDM request payload example

PUT /your/url : : 1234
Content-Type: application/x-apple-aspen-mdm; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UDID</key>
    <string>..</string>
    <key>CommandUUID</key>
    <string>9F09D114-BCFD-42AD-A974-371AA7D6256E</string>
    <key>Status</key>
    <string>Acknowledged</string>
</dict>
</plist>

: 200 OK
Content-Length: 1234
Content-Type: application/xml; charset=UTF-8

<?

7 xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>9F09D114-BCFD-42AD-A974-371AA7D6256E</string>
    <key>Command</key>
    <dict>..</dict>
</dict>
</plist>

(OK) , , (but empty) push activity should look like this:

Wed Sep 29 02:09:05 unknown mdmd[1810] <Warning>: MDM|mdmd
Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Network reachability
Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Polling MDM server :2001/mdm for commands
Wed Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Transaction completed. Status:200
Wed Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Server has no commands for this
Sep 29 02:09:08 unknown mdmd[1810] <Warning>: MDM|mdmd

: Key Type Content CommandUUID String , Content RequestType String , the command is executed only if the device has a tethered network connection; otherwise an MCMDM error value of 12081 is returned (see MCMDMErrorDomain).

8 , (if any). (there is no status). NotNow The device received the command, , : ErrorChain array dictionary keys Key Type Content LocalizedDescription String Description of the error in the device , , for reference, , , , , there is one instance of an mdmclient agent for each logged-in user, , ; , : The device will be managed. The local user that installed the profile will be managed. , , , , user requests contain additional keys in their request plists:

<key>UDID</key>
<string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
<key>UserID</key>
<string>F17C470A-3ADC-47EC-A7CC-D432867F4793</string>
<key>UserLongName</key>
<string>Jimmy Smith</string>
<key>UserShortName</key>
<string>jimmys</string>
<key>NeedSyncResponse</key>
<boolean>true</boolean>

Note the following conditions for including the foregoing keys: Requests from a device contain only the UDID key.

9 , , , the client blocks the transaction only until the server sends an empty response to an Idle/ , it indicates that the macOS client is trying to obtain user-specific settings while in Setup Assistant during Device Enrollment (see Device Enrollment Program). After a macOS client obtains device-specific settings, , , it starts a normal Idle/ , nothing the client receives persists, because the user account hasn (an empty body) , the client initiates a new series of Idle/ , , , if the user is a network user or has a mobile home , , , : Key Type Local user's GUID, or network user's GUID from Open Directory Record (see below). If the macOS device being enrolled has an owner, , an X-MDM-is-owned header is added to the response to all requests to the checkin URL, ; : Key Type Content DigestChallenge String Standard HTTP , , with a 200 response and DigestChallenge value that is non-empty, the client generates a digest from the user's short name, the user's clear-text password, , , , however, : Key Type User : Key Type Content AuthToken String , : Key Type Value UDID String GUID attribute from the user Record name from user Full name from user , :

// UserAuthenticate request from client to server:
<dict>
    <key>MessageType</key>
    <string>UserAuthenticate</string>
    <key>UDID</key>
    <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
    <key>UserID</key>
    <string>16C0477E-EB2F-4B5E-AAFD-92B2B91C4B16</string>
</dict>
// Server sends challenge.

10 <dict>
    <key>DigestChallenge</key>
    <string>Digest nonce= 8 BrAkk4 GZgrG//2 XaDLMSSSo89 VenjV5E8Se73z98 RvSW7Rs ,realm= </string>
</dict>
// Client sends response:
<dict>
    <key>DigestResponse</key>
    <string>Digest username= net1 ,realm= ,nonce= 8 BrAkk4 GZgrG2 XaDLMSSSo89 VenjV5E8Se73z98 RvSW7Rs ,uri= / ,response= 84db40bbaf5e0d49cabb0ef7d8cac369 </string>
    <key>MessageType</key>
    <string>UserAuthenticate</string>
    <key>UDID</key>
    <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
    <key>UserID</key>
    <string>16C0477E-EB2F-4B5E-AAFD-92B2B91C4B16</string>
</dict>
// Server responds with AuthToken for client session:
<key>AuthToken</key>
<string>uEOcQRJrXGbMJUDAkDZSCny5e90=</string>
// From this point on, all user requests from that network user will include an AuthToken key:
<dict>
    <key>AuthToken</key>
    <string>uEOcQRJrXGbMJUDAkDZSCny5e90=</string>
    <key>Status</key>
    <string>Idle</string>
    <key>UDID</key>
    <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
    <key>UserID</key>
    <string>16C0477E-EB2F-4B5E-AAFD-92B2B91C4B16</string>
    <key>UserLongName</key>
    <string>Net One</string>
    <key>UserShortName</key>
    <string>net1</string>
</dict>

For push notifications, , AuthToken , and its logged-in users, can be managed independently as a Shared iPad, , the following types of MDM commands can be sent on the user channel.

