0
votes

I am developing an MDM Server for my office (around 20-25) so that we can push our company's iOS apps (only 2) to users' devices. We will not be managing the devices. There are around 20-25 sub-offices around the globe and each has their own server (hosted only on the intranet) and set of users. None of them interact with one another.

The APNs Certificate way of MDM looks convenient to me.

I have looked at a few MDM providers. They ask each customer to create their own APNs certificate in the Apple Certificate Portal. Why can't the MDM providers have their own APNs certificate and use it to manage the devices of customers?

Can there be a centralized MDM Server which provides its SSL Certificate details, APNs Certificate details and Profile details for the .mobileconfig and also takes care of profile and app installation, so that users will connect to the centralized server and download the .mobileconfig, but the individual servers should decide on who should download the .mobileconfig and see the status of installation of apps on those particular devices?

Is this solution possible?


3 Answers

0
votes

My company uses Airwatch and there is very little user setup. We download the Agent, the tech department sends a QR code by email, the user scans it, puts in their username and email for our network, and it just does all the setup. Then they can go to a catalog and download our applications. I develop these applications and have enrolled maybe a hundred devices and haven't had to do much of anything on the client side.

0
votes

What you are saying would work if you change the phone's OS to check into this central MDM server. This would actually break Apple's streamlined way of doing this. Hate it or love it, APNS makes it so there is only one way of doing things.

iOS does not allow it but Android does.

0
votes

You have to think like Apple to see why the MDM vendors have you make an APNS push certificate to give them. Say one day, your MDM server goes absolutely bonkers and starts sending commands every second to devices that make them unusable for users (constantly locking the screen or erasing devices every day). How can Apple prevent your rampant abuse of the MDM protocol that is ruining the customer experience? Well, if they revoke the APNS certificate, you can't command your devices any more as the devices will never get notified there are new MDM commands, and the users will no longer be affected.

If there were an MDM vendor who had one APNS certificate for hundreds or thousands of different companies, the abuse by a single company could lead to Apple revoking the APNS certificate, and now all those other companies are unable to use their MDM because of one abuser.
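The revocation blast radius described in this answer can be made concrete with the enrollment profile itself: the `com.apple.mdm` payload in a .mobileconfig carries a `Topic` that must equal the UID of the APNs push certificate the server holds (`com.apple.mgmt.External.<uuid>`), so every tenant whose profiles share a topic shares the fate of that one certificate. The following is an added Python example, not code from this thread or any MDM vendor; the tenant names, URLs and topic strings are constructed placeholders.

```python
import plistlib

def make_profile(tenant: str, topic: str) -> bytes:
    """Build a minimal constructed enrollment profile (.mobileconfig is an XML plist).
    Only the keys relevant to the push topic are included."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"com.example.{tenant}.enroll",   # constructed
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "ServerURL": f"https://mdm.{tenant}.example/mdm",   # constructed
            "CheckInURL": f"https://mdm.{tenant}.example/checkin",
            "Topic": topic,   # must match the APNs push certificate's UID
            "AccessRights": 8191,
        }],
    })

def mdm_topic(profile: bytes) -> str:
    """Return the APNs Topic from the com.apple.mdm payload of a profile."""
    plist = plistlib.loads(profile)
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return payload["Topic"]
    raise ValueError("profile has no com.apple.mdm payload")

def revocation_impact(profiles: dict, revoked_topic: str) -> list:
    """Tenants whose enrolled devices stop receiving MDM push wake-ups once
    Apple revokes the push certificate behind `revoked_topic`."""
    return sorted(t for t, p in profiles.items() if mdm_topic(p) == revoked_topic)

TENANTS = ("acme", "globex", "initech")

# Vendor-wide certificate: one topic reused for every customer (the model the
# question proposes). Revoking it silences all tenants at once.
SHARED_TOPIC = "com.apple.mgmt.External.00000000-0000-0000-0000-00000000shared"
shared_model = {t: make_profile(t, SHARED_TOPIC) for t in TENANTS}

# Apple's model: each customer uploads its own push certificate, so each
# tenant's profiles carry a distinct topic and revocation stays contained.
per_tenant_model = {t: make_profile(t, f"com.apple.mgmt.External.{t}-uuid") for t in TENANTS}

if __name__ == "__main__":
    print("shared cert revoked ->", revocation_impact(shared_model, SHARED_TOPIC))
    print("acme cert revoked   ->",
          revocation_impact(per_tenant_model, "com.apple.mgmt.External.acme-uuid"))
```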