How to Set Up an iOS Mobile Device Management (MDM) Server: A Step-by-Step Guide

Setting up a Mobile Device Management (MDM) server for iOS allows businesses and administrators to control and manage multiple iOS devices centrally. An MDM server provides the ability to install or remove apps, manage certificates, lock devices remotely, change password requirements, and enforce security policies on enrolled devices. This guide will walk you through the setup process using simple steps and clear explanations.

Prerequisites

Before you begin setting up an MDM server, ensure you have the following:

  • Publicly Accessible Linux/Unix Server: A server accessible from the internet to host your MDM services.
  • Apple Enterprise Account: Required to distribute apps within your organization.
  • Apple Developer Account: Necessary for managing certificates and profiles.
  • Python 2.7: Ensure this version is installed as it’s required for certain server libraries.
  • Openssl Command-Line Tool: Used for generating and manipulating certificates.
  • Java SDK (java/javac): Required for various MDM server functions.
  • Apple’s iPhone Configuration Utility: To create and manage configuration profiles.
  • Operating System: macOS or Windows, the platforms on which Apple's iPhone Configuration Utility runs.

Step 1: Create MDM Vendor CSR (Certificate Signing Request)

  1. Open Keychain Access: Navigate to Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority.
  2. Fill Details: Use the same email associated with your Apple Developer account. Enter a common name for identification.
  3. Save the CSR File: Choose to save the request to disk.

Step 2: Upload CSR to Apple

  1. Go to Apple’s Certificates, Identifiers & Profiles Page: Sign in and navigate to the section to create a new MDM CSR.
  2. Contact Apple if the Option is Disabled: If MDM CSR is disabled, contact Apple through the Developer Support or email them at devprograms@apple.com requesting access to MDM CSR.
  3. Upload the CSR File: Follow Apple’s steps to upload your CSR file and generate a .cer file (e.g., mdmvendor.cer).

Step 3: Export MDM Private Key

  1. Open the MDM Vendor Certificate (mdmvendor.cer) in Keychain Access.
  2. Locate the Private Key: Right-click on the key, select Export…, and save it as private.p12. You’ll need this file in later steps.

Step 4: Create a Push Certificate CSR

  1. In Keychain Access: Go to Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority.
  2. Save the CSR: Name it something identifiable, such as push.csr.

Step 5: Extract Keys and Certificates Using Openssl

Run the following commands to extract the necessary files from the private key and certificate:

```bash
# Extract private key
openssl pkcs12 -in private.p12 -nocerts -out key.pem
# Remove the password from the private key
openssl rsa -in key.pem -out private.key
# Extract certificate
openssl pkcs12 -in private.p12 -clcerts -nokeys -out cert.pem
# Convert certificate format (PEM to DER)
openssl x509 -in cert.pem -inform PEM -out mdm.cer -outform DER
```

These files will be used to sign the push certificate request.

Step 6: Generate Apple Push Certificate CSR Using mdmvendorsign

  1. Prepare the Environment:

    • Initialize the Git submodule:

      ```bash
      git submodule init
      git submodule update
      ```
    • Copy private.key, push.csr, and mdm.cer into the /vendor/ directory.
  2. Run the Signing Command:

    ```bash
    python mdm_vendor_sign.py --key private.key --csr push.csr --mdm mdm.cer --out applepush.csr
    ```
    • This generates the applepush.csr file required for the push certificate.

Step 7: Obtain the Push Certificate from Apple

  1. Go to Apple’s Push Certificates Portal: Click on Create a Certificate and upload the applepush.csr file.
  2. Download the Push Certificate: Once generated, open it in Keychain Access.

Step 8: Prepare the Push Certificate

  1. Export the Certificate as .p12: Save it as mdm.p12.
  2. Convert to PEM Format Using Openssl:
    ```bash
    openssl pkcs12 -in mdm.p12 -out PushCert.pem -nodes
    ```

Step 9: Generate Additional Certificates

  1. Navigate to the Scripts Directory: Run make_certs.sh to generate additional required certificates, which will automatically be moved to the appropriate directories.

Step 10: Create Enroll.mobileconfig

  1. Open Apple’s iPhone Configuration Utility.
  2. Create a New Configuration Profile:
    • In the General category, enter the details such as name and identifier (com.apple.mgmt...).
    • In the Credentials category, select your identity.p12 file generated earlier.
  3. Configure MDM Settings:
    • Server URL: https://YOUR_HOSTNAME_OR_IP:8080/server
    • Check-In URL: https://YOUR_HOSTNAME_OR_IP:8080/checkin
    • Topic: Use the same identifier from the general settings.
  4. Save the Profile as Enroll.mobileconfig and move it to your server directory.
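The same profile can be produced without the Configuration Utility. This is an added example, not tooling from the guide or the mdm-server project: it builds the two payloads Step 10 creates by hand (the PKCS#12 identity and the MDM payload with its Server URL, Check-In URL and Topic) with the standard library's plistlib. The hostname, topic, password and the PKCS#12 bytes in the main block are constructed placeholders, and the AccessRights mask grants only the rights this guide actually exercises.

```python
"""Build Enroll.mobileconfig with plistlib (added example, not the project's own
tooling; host, topic, password and the PKCS#12 bytes in main are constructed)."""
import plistlib
import uuid

# AccessRights bit flags from Apple's MDM protocol; grant only what the server will use.
INSPECT_PROFILES, MANAGE_PROFILES, DEVICE_LOCK = 1, 2, 4
QUERY_DEVICE_INFO, MANAGE_APPS = 16, 4096
DEFAULT_RIGHTS = INSPECT_PROFILES | MANAGE_PROFILES | DEVICE_LOCK | QUERY_DEVICE_INFO | MANAGE_APPS

def build_enroll_profile(host, topic, identity_p12, identity_password, port=8080, rights=DEFAULT_RIGHTS):
    """Return the profile as a dict. topic is the push topic (com.apple.mgmt.*) and
    must match the UID of the push certificate obtained from Apple in Step 7."""
    identity_uuid = str(uuid.uuid4()).upper()
    identity = {  # Credentials payload: the identity.p12 the device presents to the server
        "PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
        "PayloadIdentifier": topic + ".identity", "PayloadUUID": identity_uuid,
        "PayloadDisplayName": "MDM identity",
        "PayloadContent": identity_p12,  # bytes become <data> in the plist
        "Password": identity_password,
    }
    mdm = {  # MDM payload: the URLs and topic entered in Step 10
        "PayloadType": "com.apple.mdm", "PayloadVersion": 1,
        "PayloadIdentifier": topic + ".mdm", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "MDM",
        "ServerURL": "https://%s:%d/server" % (host, port),
        "CheckInURL": "https://%s:%d/checkin" % (host, port),
        "Topic": topic,
        "IdentityCertificateUUID": identity_uuid,  # binds this payload to the identity above
        "AccessRights": rights,
        "CheckOutWhenRemoved": True,  # device tells the server when the profile is removed
    }
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": topic, "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enroll",
        "PayloadContent": [identity, mdm],
    }

def serialize_profile(profile):
    """XML plist bytes ready to be written to Enroll.mobileconfig."""
    return plistlib.dumps(profile)

if __name__ == "__main__":
    p = build_enroll_profile("mdm.example.test", "com.apple.mgmt.example", b"\x30\x82\x00\x00", "changeit")
    with open("Enroll.mobileconfig", "wb") as f:
        f.write(serialize_profile(p))
```

Pass the real identity.p12 bytes from make_certs.sh as identity_p12; the resulting file is installed on the device exactly like the one exported from the Configuration Utility.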

Step 11: Clean Up Unnecessary Files

  • Delete or secure any private keys or sensitive data generated during this process. Keep your certificates and keys in secure locations.

Server Setup

  1. Install Required Tools and Libraries:

    • Openssl: Ensure it’s compiled from source to include all necessary features.
    • Python Libraries: Install the following Python packages:
      ```bash
      pip install web.py M2Crypto PyOpenSSL
      ```
      Make sure APNSWrapper is modified to use TLSv1 due to SSLv3 deprecation.
  2. Configure Network Settings:

    • Ensure outbound access to Apple’s Push servers and inbound access on port 8080.
  3. Run the Server:

    • Navigate to the /server directory and start the server:
      ```bash
      python server.py
      ```
  4. Enroll Your Device:

    • On your device, navigate to https://YOUR_HOST:8080/ and follow the prompts to install the CA certificate and enroll in MDM.

Testing Device Management Commands

  • Test various commands such as locking the device or installing an app. Monitor the responses to ensure proper communication with the server.
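What enrollment and these test commands exercise on the wire, as an added example (not the project's server.py): the device PUTs Authenticate and TokenUpdate plists to /checkin, the server wakes it over APNs with the PushMagic it stored, and the device polls /server for the next command and answers it by CommandUUID. The topic, UDID, token and PushMagic are constructed; the topic check is the one a server should make before storing anything a device sends.

```python
"""Check-in and command bookkeeping for a minimal MDM server (added example, not
the project's server.py; topic, UDID, token and PushMagic in run_demo() are constructed)."""
import plistlib
import uuid

EXPECTED_TOPIC = "com.apple.mgmt.example"  # must equal the Topic in Enroll.mobileconfig

class DeviceRegistry:
    def __init__(self):
        self.devices = {}  # UDID -> {"token": bytes, "push_magic": str}
        self.queue = {}    # UDID -> pending command plists, oldest first
    def handle_checkin(self, body):
        """PUT /checkin body (Authenticate or TokenUpdate). Returns True if accepted."""
        msg = plistlib.loads(body)
        if msg.get("Topic") != EXPECTED_TOPIC:  # a topic this server does not own: refuse
            return False
        if msg["MessageType"] == "TokenUpdate":
            # Token is the APNs device token; PushMagic must be sent back in every push.
            self.devices[msg["UDID"]] = {"token": msg["Token"], "push_magic": msg["PushMagic"]}
        return msg["MessageType"] in ("Authenticate", "TokenUpdate")
    def push_payload(self, udid):
        """APNs payload that makes the device poll /server for queued work."""
        return {"mdm": self.devices[udid]["push_magic"]}
    def queue_command(self, udid, request_type, **params):
        cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
               "Command": {"RequestType": request_type, **params}}
        self.queue.setdefault(udid, []).append(cmd)
        return cmd["CommandUUID"]
    def handle_server(self, body):
        """PUT /server body (Status Idle, Acknowledged, Error...). Returns next command or b''."""
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        if "CommandUUID" in msg:  # drop only the command the device answered, keep the rest
            self.queue[udid] = [c for c in self.queue.get(udid, []) if c["CommandUUID"] != msg["CommandUUID"]]
        pending = self.queue.get(udid, [])
        return plistlib.dumps(pending[0]) if pending else b""

def run_demo():
    """One device: TokenUpdate accepted, foreign topic refused, DeviceLock sent and acknowledged."""
    reg, udid = DeviceRegistry(), "DEMO-UDID-0001"
    ok = reg.handle_checkin(plistlib.dumps({"MessageType": "TokenUpdate", "Topic": EXPECTED_TOPIC,
                            "UDID": udid, "Token": b"\x01\x02\x03\x04", "PushMagic": "DEMO-PUSH-MAGIC"}))
    bad = reg.handle_checkin(plistlib.dumps({"MessageType": "TokenUpdate", "Topic": "com.apple.mgmt.other",
                             "UDID": "X", "Token": b"\x00", "PushMagic": "x"}))
    cid = reg.queue_command(udid, "DeviceLock")
    sent = plistlib.loads(reg.handle_server(plistlib.dumps({"Status": "Idle", "UDID": udid})))
    left = reg.handle_server(plistlib.dumps({"Status": "Acknowledged", "UDID": udid, "CommandUUID": cid}))
    return {"accepted": ok, "rejected": not bad, "push": reg.push_payload(udid),
            "sent": sent["Command"]["RequestType"], "sent_uuid_ok": sent["CommandUUID"] == cid,
            "queue_empty": left == b""}
```

Call run_demo() to see the full round trip; a command stays queued until the device reports its CommandUUID, so a device that never answers is visible as a non-empty queue.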

Troubleshooting and Maintenance

  • For any command or server issues, refer to the device logs and server output.
  • Regularly update your certificates and server software to maintain security and functionality.

Conclusion

Setting up an MDM server for iOS involves several technical steps but offers robust control over your enterprise’s devices. Following this guide ensures a secure and effective MDM implementation that allows administrators to manage devices centrally. If you encounter any issues, refer to Apple’s official documentation or community forums for additional support.

For further assistance, consult the following resources: