3
votes

For implementing an app like Kidslox or Screen Time, I need to make use of an MDM server. I went through various blogs on creating or setting up the MDM server, and for that an MDM certificate is required. But I'm not getting the MDM CSR option while creating a new certificate.


I already have Apple's Developer account, so my biggest question is:

Do I really need to signup for the Apple's Enterprise Program?

This answer says that we do not require an enterprise account for using an MDM service, but we do require it for creating an MDM service? Quite confusing.

Here are the blogs & posts that I referred to:

  1. MDM protocol https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf
  2. https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/profile-service/profile-service.html#/
  3. Understanding certificates https://micromdm.io/blog/certificates/
  4. generate MDM certificate
  5. http://avibirnale.blogspot.com/2013/05/mdm-development-configuration-for-ios.html
  6. How to develop mobile device management application in iOS
  7. How to develop iPhone MDM Server?
  8. https://docs.oracle.com/cd/E60418_01/doc.1210/e58650/admmdmarch.htm#OLDEP080
  9. https://developerinsider.co/how-to-create-a-verified-ios-mobile-device-management-mdm-profile/
  10. MDM Architecture https://docs.oracle.com/cd/E60418_01/doc.1210/e58650/admmdmarch.htm#OLDEP100
  11. Prerequisites for MDM https://github.com/macadmins/mdm-server/blob/master/README.md#prerequisites

I went through the top questions of MDM as well: https://stackguides.com/questions/tagged/mdm+ios?sort=frequent

Most of these blog posts are quite old, so I believe things have changed since then. I'm curious why we need the enterprise account when that program is mainly for distributing proprietary in-house apps within a company or organization, while we are doing this for end users.

Yes, I tried one of the blog posts and uploaded the certificate in there. But it said "invalid signature". – Shashank Agrawal

As per the answer you linked to, you don't need an enterprise membership to use an MDM, but you do need one to create an MDM, and you want to create one, so I don't understand your confusion. – Paulw11

I mean, the use of the Enterprise account will be needed only one time, i.e. while creating the MDM certificate? – Shashank Agrawal

Yes, you need to use the MDM certificates for signing certificates that will be used with the MDM server. If you are just using a single instance of your MDM server for your app then you will only need to sign one certificate. Presumably those certificates will need to be renewed periodically. – Paulw11
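The signing step discussed in the comments above, as an added example that is not part of the question or answers: the vendor certificate (issued under the Enterprise program) signs the customer's push-certificate CSR, and the CSR, signature and vendor chain are packed into the plist that gets uploaded to Apple. The plist key names follow the open-source vendor-signing scripts; SHA-256 with PKCS#1 v1.5 is an assumption here (confirm the digest against the MDM Protocol Reference linked above), and the vendor certificate and CSR are constructed self-signed stand-ins so the code runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VendorSignCSR is the vendor-signing step: the customer's CSR (DER) is signed with the MDM
// vendor private key, and CSR, signature and vendor certificate chain go into a plist whose
// base64 form is what the customer uploads to Apple's push certificate portal.
// Digest choice (SHA-256, PKCS#1 v1.5) is an assumption; check it against the protocol reference.
func VendorSignCSR(csrDER []byte, vendorKey *rsa.PrivateKey, chainPEM string) (string, []byte, error) {
	digest := sha256.Sum256(csrDER)
	sig, err := rsa.SignPKCS1v15(rand.Reader, vendorKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", nil, err
	}
	b64 := base64.StdEncoding.EncodeToString
	plist := fmt.Sprintf("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<plist version=\"1.0\"><dict>\n"+
		"<key>PushCertCertificateChain</key><string>%s</string>\n"+
		"<key>PushCertRequestCSR</key><string>%s</string>\n"+
		"<key>PushCertSignature</key><string>%s</string>\n</dict></plist>\n", chainPEM, b64(csrDER), b64(sig))
	return b64([]byte(plist)), sig, nil
}

// VerifyVendorSignature is the pre-upload check: the signature must verify with the vendor
// certificate's public key over the exact CSR bytes, or the request is rejected at upload.
func VerifyVendorSignature(csrDER, sig []byte, vendorCert *x509.Certificate) error {
	digest := sha256.Sum256(csrDER)
	return rsa.VerifyPKCS1v15(vendorCert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
}

// ConstructedSample builds a self-signed stand-in for the Apple-issued vendor certificate plus a
// customer CSR; this is constructed test data so the example runs offline, not a real vendor cert.
func ConstructedSample() (*rsa.PrivateKey, *x509.Certificate, string, []byte) {
	vk, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed MDM Vendor"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &vk.PublicKey, vk)
	cert, _ := x509.ParseCertificate(der)
	ck, _ := rsa.GenerateKey(rand.Reader, 2048)
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Constructed Customer"}}, ck)
	return vk, cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), csr
}
```

In a real deployment the chain string holds the Apple-issued vendor certificate followed by Apple's intermediate and root certificates, and the customer keeps the CSR's private key for their MDM server.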

2 Answers

1
votes

Yes, in order to become an MDM vendor with Apple, you need an Enterprise Developer Program; this program requires you to register it in a company name (not a personal name), be registered with your country's tax department, and also obtain a DUNS (Dun & Bradstreet) number.

All in all, just a bit of paperwork and a few hundred dollars would set you straight.

1
votes

Yes, technically you need to register with the Enterprise Developer Program, however with some clever trickery, it is possible to obtain a certificate like this for free.

Apple has maintained the "macOS Server" program for years now and it includes a service called Profile Manager. It is a rudimentary MDM server made by Apple. It uses MDM push certificates just as 3rd-party vendors do; however, they have made their own system for getting these certificates. I won't go too in-depth here because this is kind of a gray area on the terms & conditions front, but with some research on GitHub, you can find where people have uploaded scripts that use the protocol used by the macOS Server program to get & renew its push certificate for free.

I reverse engineered it a while ago and have been using it to run my own personal MDM server for years. In my opinion, much cheaper and easier (and kinda fun if you're interested in this kinda stuff) than paying for an enterprise account.