Intrepidus Group
Insight

Changes to Apple MDM for iOS 5.x

Posted: January 31, 2012 – 10:11 am | Author: | Filed under: Conferences, iOS, MDM, Mobile Device Management, Mobile Security

Last Saturday (January 28), I presented an updated talk on Apple’s iOS MDM system at ShmooCon 8. I had a great time, and really enjoyed all the questions and nice comments I received afterwards. I thought I’d mention a couple of the changes that iOS 5 provides.

First, the devices support some additional restrictions and controls. These controls should be available in most commercial MDM solutions, and can also be found in the iPhone Configuration Utility (IPCU). Among these new controls are the ability to:

  • Disable Siri
  • Selectively disable iCloud features: Backup, Document Sync, Photo Stream
  • Reject SSL sites with untrusted certificates
  • Prevent moving messages out of an email account into another
  • Prevent use of an email account from 3rd party applications

Additions to the MDM service as a whole include:

  • Ability to ask a device to “Check Out” when removed from MDM
  • Installing and removing applications (custom and App Store apps)
  • Listing managed applications
  • Configuration of some settings (Voice and Data Roaming)
  • Applying iTunes redemption codes to installation of apps (for Volume Purchase Plan)

I’ve updated my experimental MDM server to support most of these features. I’ve also added some better documentation for the server code, and scripts to help create the necessary server and CA certificates.

Slides from the presentation, as well as the code and the Black Hat white paper and slides, are all available at Github. Enjoy!


8 Comments

  1. Van
    Posted February 15, 2012 at 7:22 am | Permalink

    Hello.
    First of all thank you for your work.
    Now question:
    I’m trying your sample with regular apple developer program.
    server – MacOS
    device – iPhone4 iOS 5.0.1

    1 – Create new AppID that looks like “com.apple.mgmt.COMPANY.PRODUCT_NAME” (this is not very clear from README).
    2 – Install web.py (not an easy step, but this is a general question, not MDM related)
    3 – Perform other steps from README, server address is ip-address.
    4 – Update SSL config strings in server.py to avoid warning at start:

    #------------
    # Serve server.py over HTTPS with web.py's built-in CherryPy SSL adapter,
    # using the server certificate and key generated by the README scripts.
    from web.wsgiserver import CherryPyWSGIServer
    from web.wsgiserver.ssl_builtin import BuiltinSSLAdapter
    ssl_cert = "Server.crt"
    ssl_key = "Server.key"

    # Third argument is the CA chain file; None means no intermediate chain is sent.
    CherryPyWSGIServer.ssl_adapter = BuiltinSSLAdapter(ssl_cert, ssl_key, None)
    #------------

    5 – Launch server
    6 – Install CA certificate and Enroll configuration at device.
    7 – While the Enroll profile is installing I get these strings in the console:

    com.apple.launchd[1] (com.apple.managedconfiguration.mdmd[209]) <Warning>: (com.apple.managedconfiguration.mdmd) Check-in of Mach service failed. Already active: com.apple.managedconfiguration.mdmdpush-dev

    mdmd[209] <Warning>: Unable to bootstrap_check_in() to namedDelegatePort ‘com.apple.managedconfiguration.mdmdpush-dev’. APS connections will not persist past process lifetime.

    com.apple.launchd[1] (com.apple.managedconfiguration.mdmd[209]) <Warning>: (com.apple.managedconfiguration.mdmd) Check-in of Mach service failed. Already active: com.apple.managedconfiguration.mdmdpush-prod

    mdmd[209] <Warning>: Unable to bootstrap_check_in() to namedDelegatePort ‘com.apple.managedconfiguration.mdmdpush-prod’. APS connections will not persist past process lifetime.

    8 – Send “DeviceInfo” command – nothing happens in device’s console for about 10 minutes.
    THIS IS PROBLEM

    9 – Send a push notification (not an MDM command) to the app; in the console I see almost immediately:

    unknown mdmd[273] <Notice>: (Note ) MDM: mdmd starting…
    unknown profiled[275] <Notice>: (Note ) profiled: Service starting…
    unknown mdmd[273] <Notice>: (Error) MDM: Rejecting MDM push dictionary because it does not contain the “mdm” key
    unknown mdmd[273] <Notice>: (Note ) MDM: Network reachability has changed.
    unknown mdmd[273] <Notice>: (Note ) MDM: Network reachability has changed.
    unknown mdmd[273] <Notice>: (Note ) MDM: mdmd stopping…

    Any thoughts what can be wrong with my MDM configuration (step 7,8)?

  2. david_schuetz
    Posted February 21, 2012 at 1:50 pm | Permalink

    Hey, first, thanks for that update to the CherryPy configuration. Those errors thrown the first time a client connected were annoying, but not so annoying that I ever looked into fixing it. :)

    As for the problems you’re having… The notifications you copied in step 7 are normal (or at least, I see them too). Are you successfully enrolling? That is, does the server show response of Authenticate and TokenUpdate commands? I’m assuming it did, and that you’re using the device token in the “normal” push notification you sent in step 9.

    Problem is, if step 9 is working (that is, if the message is at least getting to the client), then you’ve got APNS service working. Unless the test message sent in 9 is from a different network than what your test server is running on? For example, if you use an online service to test the push notification… In that case, I’d look into whether local network rules are preventing the outbound connection to Apple’s APNS servers.

    You can try sending the proper MDM-formatted push message via whatever system you used in step 9, if it’ll allow you to create the right message (which it might not). I simply added the “{‘mdm’:'<pushmagic token>’}” property to a normal message, which gives an error on the device because of the extraneous “aps:” dict, but the mdm daemon processes the command anyway.

    That’s all I can think of at the moment, that the push message simply isn’t getting from your server to Apple’s servers, or perhaps if it is, the push cert might not be correct.

  3. Van
    Posted February 28, 2012 at 10:17 am | Permalink

    Hello.
    I have used your advice about the manual MDM-formatted push message and it works. If I send the push notification ["aps":{"alert":"My first push notification!","sound":"default"},"mdm":"A0433A31-2B0B-41FD-B79B-002F8C1A28D7"] then the device connects to the server and performs the action (lock at least, I haven’t tested the others yet). So the problem is with the MDM-push-notification part of the server.
    I have sent a request to join the enterprise program but doubt I’m accepted yet. So this means even with a developer profile you are able to implement MDM :).
    I will try to investigate why the server from the post doesn’t work. If the server’s code has some error and I find it, I’ll post here.
    Thanks for the help.

  4. Van
    Posted February 28, 2012 at 11:28 am | Permalink

    I found why the device doesn’t receive notifications from the server. I’m testing with a developer provisioning profile, so I must use gateway.sandbox.push.apple.com as the notification server. But the server was configured to use gateway.push.apple.com. To use the sandbox I changed the APNSNotificationWrapper param: "wrapper = APNSNotificationWrapper('PushCert.pem', True)". It was False.

  5. dschuetz
    Posted February 29, 2012 at 11:14 am | Permalink

    Ah! good catch. I thought developer push certs could use either server, but that they should use the sandbox when testing. Or perhaps that’s just how you created the certificate in the first place. I’ll try to make a note of that, it might trip up someone else too. :)

  6. Starks
    Posted June 17, 2012 at 11:30 pm | Permalink

    Hi david_schuetz,
    I met the same error which Van mentioned.
    After the device enrolled, I can send MDM commands to the device and get responses from it.
    However, when I tried to send a normal APNS message to the device such as {"aps",{"alert":"Hello"}}, I got this error in the iPCU console:
    =======================================
    <Notice>: (Error) MDM: Rejecting MDM push dictionary because it does not contain the “mdm” key
    =======================================
    After that I added the mdm key with the push magic, and it showed the “MDM: Ignoring extra keys in push dictionary” warning.
    So I’m confused whether the MDM framework supports normal APNS messages (not containing the “mdm” key) or not?
    Many thanks.

  7. Posted June 18, 2012 at 9:05 am | Permalink

    Ideally, the MDM push message should not contain an “aps” key, but only the “mdm” key. However, the APNS library I used doesn’t let you send such a message (though it can easily be modified to do so). The “ignoring extra keys” warning shouldn’t affect anything.

    You can’t use the MDM push enrollment to send “normal” APNS messages to the device (like the alert you describe above). To do that you’ll need to send to another client designed to accept such alerts.
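The thread above (comments 2, 4, 6 and 7) pins down what an MDM wake-up push looks like: a dictionary whose only key is “mdm” carrying the PushMagic value from the device’s TokenUpdate, sent to the sandbox gateway for developer push certificates and the production gateway otherwise. The following is an added example, not code from the post or from the author’s experimental server; it assumes the legacy APNS “simple notification” binary frame (command byte 0, port 2195, 256-byte payload limit) that was current at the time, and uses a constructed device token and PushMagic.

```python
import json
import struct

# Gateway hosts named in the thread; port 2195 is the legacy APNS gateway port.
APNS_GATEWAYS = {
    True: ("gateway.sandbox.push.apple.com", 2195),   # developer push certs
    False: ("gateway.push.apple.com", 2195),          # production push certs
}


def apns_gateway(sandbox):
    """Return (host, port) for the APNS environment matching the push cert."""
    return APNS_GATEWAYS[bool(sandbox)]


def build_mdm_push(push_magic):
    """An MDM wake-up carries only 'mdm' with the device's PushMagic; no 'aps' dict."""
    if not push_magic:
        raise ValueError("PushMagic from the device's TokenUpdate is required")
    return {"mdm": push_magic}


def check_mdm_push(payload):
    """Mirror the two mdmd log lines quoted in the thread: reject a dictionary
    without 'mdm'; accept but warn when extra keys such as 'aps' are present."""
    if "mdm" not in payload:
        return "rejected", "push dictionary does not contain the 'mdm' key"
    extra = sorted(k for k in payload if k != "mdm")
    if extra:
        return "accepted", "ignoring extra keys in push dictionary: " + ", ".join(extra)
    return "accepted", ""


def encode_simple_notification(device_token_hex, payload):
    """Legacy APNS simple notification frame (assumed format): command 0,
    big-endian token length, raw token, big-endian payload length, JSON payload."""
    token = bytes.fromhex(device_token_hex)
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(body) > 256:
        raise ValueError("payload exceeds the 256-byte legacy APNS limit")
    return struct.pack("!BH", 0, len(token)) + token + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    # Constructed sample values, not real device data.
    frame = encode_simple_notification("ab" * 32, build_mdm_push("CONSTRUCTED-PUSHMAGIC"))
    print(apns_gateway(True), len(frame), "bytes")
```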

  8. Yannick
    Posted August 24, 2012 at 10:10 am | Permalink

    Hi, I tried sending an InstallApplication command; the device receives it, prompts for installation and then fails silently with nothing happening. Sending a ManagedApplicationList command after a while shows the app with a status of failed. Tried with both a custom app and an iTunes free app.
