Mobile Device Management (MDM) Primer
Mobile Device Management lifecycle
The MDM capabilities built into iOS provide the functionality that MDM offers on other platforms. Apple has taken the approach that the device belongs to whoever's hands it is currently in. To that extent, there is quite a bit of management we can put into place, as long as the end user continues to allow this management. Once the end user wipes the device, it is back under their full control.
Overall, MDM has four major categories of core capability: enrollment, configuration, querying, and management.
Prior to the setup of any MDM software, you may need to purchase an iOS Enterprise Program account ($299 per year). If you have an iOS Developer Program account ($99 per year), you must create a new account (separate credentials) to complete this process. Qualification and verification typically take about two weeks. If you are using Apple's Profile Manager, or one of a few other third-party MDM solutions, an iOS Enterprise account may not be needed. Please check with your MDM provider for their requirements.
[Note: As of this writing, several of the MDM vendors have not updated their software to handle the free APNS and will need to come out with an update. As of today (mid-November 2011), about half of them have a patch already in place or will have one in place by the end of this month. -Ed.]
Figure 8 - Creating an APNS
The Apple Push Notification Service (APNS) is a notification service, provided by Apple, that delivers notifications with priority. It requires an Internet connection and access to Apple's service. When the MDM server has a command for a device, it is routed through APNS, which notifies the MDM server once the message has been received by the device. Commands and query responses are not sent via APNS. Rather, APNS tells the mobile device to check in with the MDM server and receive its commands and queries.
In terms of security, APNS is only in place to request that mobile devices "phone home" or check in with their server.
The MDM process continues with enrollment, which is the process of establishing a relationship between the device and MDM server. The MDM server sends a notification to the device, via Apple, telling it to check in with your server. When the device responds, it is provided with a list of actions the MDM administrator has slated for the device. These actions can include:
- Enrollment tasks - this typically happens only once; it is a URL that the user must follow and accept in order to load the profile.
- Configuration tasks - specific policy pushed to the device, including password restrictions, base payload, embedded links, mail and security configuration, etc.
- Query tasks - asking the device to report back on its hardware configuration/state and network information.
- Management tasks - removing settings, data, apps, etc.
All of these tasks may be set on a repetitive basis, as determined by the IT staff.
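The following Python model is an added illustration of the flow described above (the APNS wake-up, the device check-in, and the four task categories); it is constructed for this primer and is not Apple's code or any MDM vendor's. The command and status names (PushMagic, Idle, Acknowledged, DeviceInformation, InstallProfile, EraseDevice) follow the shape of Apple's MDM protocol, but the payloads, the stand-in push service, and all identifiers and device values are simplified assumptions. The point it makes is the security-relevant one from the text: the push channel carries nothing but a wake-up token, every command and every query response travels on the device's own connection to the MDM server, and once the device is erased it stops honouring pushes.

```python
"""Constructed model of the iOS MDM message flow: push -> check-in -> commands."""
import uuid


class FakeAPNS:
    """Stand-in for Apple's push service (assumption): it only routes a wake-up."""

    def __init__(self):
        self.devices = {}  # push token -> device object
        self.log = []      # every payload that actually crossed the push channel

    def register(self, token, device):
        self.devices[token] = device

    def push(self, token, payload):
        self.log.append(payload)
        self.devices[token].on_push(payload)


class MDMServer:
    """Holds a per-device command queue; commands are handed out only at check-in."""

    def __init__(self, apns):
        self.apns = apns
        self.queues = {}      # UDID -> pending commands
        self.push_magic = {}  # UDID -> PushMagic token agreed at enrollment
        self.push_token = {}  # UDID -> APNS push token
        self.results = []     # acknowledgements and query responses from devices

    def enroll(self, udid, push_token):
        # Enrollment task (one-time): exchange the identifiers used later to wake
        # the device and to match its check-ins.
        magic = uuid.uuid4().hex
        self.push_magic[udid] = magic
        self.push_token[udid] = push_token
        self.queues[udid] = []
        return magic

    def queue(self, udid, request_type, **body):
        self.queues[udid].append({"CommandUUID": str(uuid.uuid4()),
                                  "Command": {"RequestType": request_type, **body}})

    def notify(self, udid):
        # Only the PushMagic goes through APNS; no command content does.
        self.apns.push(self.push_token[udid], {"mdm": self.push_magic[udid]})

    def checkin(self, report):
        # The device reports Idle or the result of its last command; the server
        # answers with the next queued command, or None when the queue is empty.
        if report["Status"] != "Idle":
            self.results.append(report)
        pending = self.queues[report["UDID"]]
        return pending.pop(0) if pending else None


class Device:
    def __init__(self, udid, server, apns, push_token):
        self.udid, self.server = udid, server
        self.push_magic = server.enroll(udid, push_token)
        apns.register(push_token, self)
        self.settings = {"passcode_required": False}
        self.info = {"Model": "iPhone", "OSVersion": "5.0"}  # constructed values
        self.executed = []

    def on_push(self, payload):
        # A push that does not carry the PushMagic from enrollment is ignored; an
        # erased device has no PushMagic at all and therefore never checks in.
        if self.push_magic is None or payload.get("mdm") != self.push_magic:
            return
        self.check_in()

    def check_in(self):
        report = {"UDID": self.udid, "Status": "Idle"}
        while (cmd := self.server.checkin(report)) is not None:
            report = self.execute(cmd)

    def execute(self, cmd):
        body = cmd["Command"]
        rtype = body["RequestType"]
        self.executed.append(rtype)
        result = {"UDID": self.udid, "Status": "Acknowledged",
                  "CommandUUID": cmd["CommandUUID"]}
        if rtype == "DeviceInformation":        # query task
            result["QueryResponses"] = {q: self.info.get(q) for q in body["Queries"]}
        elif rtype == "InstallProfile":         # configuration task (simplified)
            self.settings.update(body["Settings"])
        elif rtype == "EraseDevice":            # management task: wipe = unmanaged
            self.settings.clear()
            self.push_magic = None
        return result


def run_scenario(udid="UDID-CONSTRUCTED-0001"):
    apns = FakeAPNS()
    server = MDMServer(apns)
    device = Device(udid, server, apns, push_token="push-token-constructed")
    server.queue(udid, "InstallProfile", Settings={"passcode_required": True})
    server.queue(udid, "DeviceInformation", Queries=["Model", "OSVersion"])
    server.notify(udid)                 # one push, two commands delivered at check-in
    server.queue(udid, "EraseDevice")
    server.notify(udid)                 # device wipes itself and drops its PushMagic
    server.queue(udid, "DeviceInformation", Queries=["Model"])
    server.notify(udid)                 # ignored: the device is no longer managed
    return {"pushes": apns.log, "executed": device.executed, "results": server.results,
            "pending_after_wipe": len(server.queues[udid]), "settings": device.settings}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running `run_scenario()` shows three pushes in the APNS log, none of which contains a command, while the device executed InstallProfile, DeviceInformation and EraseDevice in that order over its own check-in connection; the command queued after the wipe stays pending because the erased device ignores the push.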
Figure 9 - Server Configuration
The first step of managing devices through your MDM is to enroll. This process allows the server and client to speak with each other, establishing a chain of trust. The enrollment process is accomplished via one of the means listed above.
You should, at this point, make the end user aware of the implications of opting into a management solution, especially if this is their personal device. The administrator of the MDM has the capability to wipe any device that is tied into their management console.
Figure 10 - Creating a Cert