Transcription of Mobile Device Management Protocol Reference - Apple …
Mobile Device Management Protocol Reference
Developer

Contents: … (EFI) … Open In … MDM Vendor CSR Signing Overview; Creating a Certificate Signing Request (Customer Action); Signing the Certificate Signing Request (MDM Vendor Action); Creating the APNS Certificate for MDM (Customer Action); …

The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, …, and Apple TV devices running iOS 7 (…). …, an IT administrator can inspect, install, or remove profiles; remove passcodes; … transport layer security (TLS), … (APNS) to deliver a "wake up" …, your IT department needs to deploy an HTTPS server to act as an MDM server, … (SSL).
… (.mobileconfig) file distributed using email or a web page, as part of the final configuration profile delivered by an over-the-air enrollment service, … it may only remove apps, configuration profiles, … devices running iOS 7 and later can be supervised using the Device Enrollment … if any configuration option is limited to supervised devices, … …'s eligibility for MDM enrollment and to inform the server that a device …

The (main) MDM protocol uses push notifications to tell the managed device to perform specific functions, … follow MDM Best Practices and install a base profile that contains little more than the most basic MDM management information, … you can create profiles, update profiles, delete profiles, obtain a list of devices, …

… you must download an MDM Signing Certificate … you must use that certificate to sign your customers' …

… …'s eligibility for MDM enrollment and to inform the server that a device … the device sends an HTTP PUT request in this format:

    PUT /your/url
    …: …
    Content-Length: 1234
    Content-Type: application/x-apple-aspen-mdm-checkin

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>MessageType</key>
        <string>Authenticate</string>
        <key>Topic</key>
        <string>..</string>
        <key>UDID</key>
        <string>..</string>
    </dict>
    </plist>

The server … a 200 (OK) status code to indicate success or a 401 (Unauthorized) … the device sends an authenticate message that contains at least three key-value pairs in its property list:

Key | Type | Content
… | … | The device's …

…:

Key | Type | Value
OSVersion | String | The device's …
… | … | The device's …
… | … | The device's product name (for example, iPhone3,1).
SerialNumber | String | The device's …
… | … | The device's IMEI (International Mobile Station Equipment Identity).
MEID | String | The device's MEID (mobile equipment identifier).

Server Response: On success, …

… push magic, …:

Key | Type | …
… | … | The device's …

…: The size of the device push token may vary, … while the size of the largest push token may change in future releases, … (see below).
UnlockToken | Data | …

…: Available in iOS 9 and later and can only be sent by DEP (see Device Enrollment Program).

… the device should no longer listen to the former relationship, …; the server … only to have that party re-enroll people piggybacking on some other topic that … (and may differ in size from previous values). If different, … where … if the CheckOutWhenRemoved key in the MDM payload is set to true, … the device attempts to send a CheckOut message when the MDM profile is removed regardless of the value of this key (or its absence). If network conditions do not allow the message to be delivered successfully, …:

Key | Type | …
… | … | The device's …

… (MDM) …: … in the future, the UDID will not always be 41 characters …:

The server (at some point in the future) sends out a push notification to the device.
The device polls the server for a command in response to the push notification.
The device performs the command.
…

…; …'s certificate, … it does not remember the URL given by HTTP 301 (Moved Permanently). … as its name implies, … extensions to the MDM protocol were developed to identify and authenticate the network user logging in so that any network user is also managed by the MDM server (via their user profiles). …

The (MDM) payload, a simple property list, …:

Key | Type | …
… | … | … https:// URL scheme, and may contain a port number (:1234, for example).
ServerCapabilities | Array | …
… | … | … https:// URL scheme and may contain a port number (:1234, for example). If this URL is not given, …
AccessRights | Integer | …:
1: Allow inspection of installed configuration profiles.
2: Allow installation and removal of configuration profiles.
4: Allow device lock and passcode removal.
8: Allow device erase.
16: Allow query of DeviceInformation (device capacity, serial number).
32: Allow query of NetworkInformation (phone/SIM numbers, MAC addresses).
64: Allow inspection of installed provisioning profiles.
128: Allow installation and removal of provisioning profiles.
256: Allow inspection of installed applications.
512: Allow restriction-related queries.
1024: Allow security-related queries.
2048: …
4096: …
… (…). …

… Payload Dictionary Keys Common to All Payloads, see Configuration Profile Key Reference. … Payload …:

    { "mdm" : "PushMagicValue" }

In place of PushMagicValue above, … (The aps key is used only for third-party app push notifications.)
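Added example, not taken from Apple's reference: a Python helper that decodes the AccessRights integer of an MDM payload using only the bit values listed above, reports set bits whose meaning the reference leaves blank (2048 and 4096), and flags rights beyond a locally chosen allowed mask. The sample payload and the allowed mask are constructed for this example.

```python
"""Decode and audit the AccessRights bitmask of an MDM payload (added example)."""
import plistlib

# Bit values and meanings exactly as the reference lists them (1 through 1024).
# 2048 and 4096 are named in the reference but not described here, so they
# are reported as "unlisted" rather than given an invented meaning.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query DeviceInformation (device capacity, serial number)",
    32: "query NetworkInformation (phone/SIM numbers, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
}


def decode_access_rights(value):
    """Return (granted, unlisted): the described permissions set in value,
    and the set bits that the reference page does not describe."""
    if value < 0:
        raise ValueError("AccessRights must be a non-negative integer")
    granted = [ACCESS_RIGHTS[b] for b in sorted(ACCESS_RIGHTS) if value & b]
    unlisted = []
    bit = 1
    while bit <= value:
        if value & bit and bit not in ACCESS_RIGHTS:
            unlisted.append(bit)
        bit <<= 1
    return granted, unlisted


def excess_rights(requested, allowed):
    """Bits set in the payload but not in the local policy mask; non-zero
    means the enrollment profile asks for more than policy grants."""
    return requested & ~allowed


# Constructed sample payload fragment (not from the reference): every listed
# bit plus 2048 and 4096, i.e. 8191.
SAMPLE_PAYLOAD = plistlib.dumps({"AccessRights": 8191})


def audit_payload(payload_bytes, allowed_mask):
    """Parse a plist payload and summarise what its AccessRights would permit."""
    payload = plistlib.loads(payload_bytes)
    rights = int(payload.get("AccessRights", 0))
    granted, unlisted = decode_access_rights(rights)
    return {"granted": granted, "unlisted": unlisted,
            "excess": excess_rights(rights, allowed_mask)}
```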
The device responds to this push notification by contacting the MDM server using HTTP PUT over TLS (SSL). …:

MDM request payload example

    PUT /your/url
    …: …
    Content-Length: 1234
    Content-Type: application/x-apple-aspen-mdm; charset=UTF-8

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>UDID</key>
        <string>..</string>
        <key>CommandUUID</key>
        <string>9F09D114-BCFD-42AD-A974-371AA7D6256E</string>
        <key>Status</key>
        <string>Acknowledged</string>
    </dict>
    </plist>

…:

    … 200 OK
    Content-Length: 1234
    Content-Type: application/xml; charset=UTF-8

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string>9F09D114-BCFD-42AD-A974-371AA7D6256E</string>
        <key>Command</key>
        <dict>
            …
        </dict>
    </dict>
    </plist>

… (OK) … (but empty) push activity should look like this:

    Wed Sep 29 02:09:05 unknown mdmd[1810] <Warning>: MDM|mdmd …
    … Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Network reachability …
    … Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Polling MDM server …:2001/mdm for commands
    Wed Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Transaction completed. Status:200
    Wed Sep 29 02:09:06 unknown mdmd[1810] <Warning>: MDM|Server has no commands for this …
    … Sep 29 02:09:08 unknown mdmd[1810] <Warning>: MDM|mdmd …

…:

Key | Type | Content
CommandUUID | String | …
RequestType | String | … the command is executed only if the device has a tethered network connection; otherwise an MCMDM error value of 12081 is returned (see MCMDMErrorDomain).
… (if any). … (there is no status).
NotNow: The device received the command, …:

ErrorChain array dictionary keys

Key | Type | Content
LocalizedDescription | String | Description of the error in the device's … for reference, …

… there is one instance of an mdmclient agent for each logged-in user, …; …:

The device will be managed.
The local user that installed the profile will be managed.

… user requests contain additional keys in their request plists:

    <key>UDID</key>
    <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
    <key>UserID</key>
    <string>F17C470A-3ADC-47EC-A7CC-D432867F4793</string>
    <key>UserLongName</key>
    <string>Jimmy Smith</string>
    <key>UserShortName</key>
    <string>jimmys</string>
    <key>NeedSyncResponse</key>
    <boolean>true</boolean>

Note the following conditions for including the foregoing keys:
Requests from a device contain only the UDID key.
… the client blocks the transaction only until the server sends an empty response to an Idle/… … it indicates that the macOS client is trying to obtain user-specific settings while in Setup Assistant during Device Enrollment (see Device Enrollment Program). After a macOS client obtains device-specific settings, … it starts a normal Idle/… … nothing the client receives persists, because the user account hasn't … (an empty body) … the client initiates a new series of Idle/… … if the user is a network user or has a mobile home …:

Key | Type | …
… | … | Local user's GUID, or network user's GUID from Open Directory Record (see below).

If the macOS device being enrolled has an owner, … an X-MDM-is-owned header is added to the response to all requests to the checkin URL, …; …:

Key | Type | Content
DigestChallenge | String | Standard HTTP …

… with a 200 response and a DigestChallenge value that is non-empty, the client generates a digest from the user's short name, the user's clear-text password, … however, …:

Key | Type | …
User… | … | …

Key | Type | Content
AuthToken | String | …

Key | Type | Value
UDID | String | …
… | … | GUID attribute from the user's …
… | … | Record name from the user's …
… | … | Full name from the user's …

    // UserAuthenticate request from client to server:
    <dict>
        <key>MessageType</key>
        <string>UserAuthenticate</string>
        <key>UDID</key>
        <string>23EB7CD8-5567-5E97-827F-06E4E4C456B2</string>
        <key>UserID</key>
        <string>16C0477E-EB2F-4B5E-AAFD-92B2B91C4B16</string>
    </dict>
    // Server sends challenge.