/mdm-server

Sample iOS MDM server

Primary LanguagePython

Overviewanalytics

Instructions and code for setting up a simple iOS Mobile Device Management (MDM) server. MDM allows for OS level control of multiple devices from a centralized location. A remote administrator can install/remove apps, install/revoke certificates, lock the device, change password requirements, etc.

Prerequisites

  • Vagrant
  • Apple's PUSH certificate
  • Apple Enterprise Account
  • Apple Developer Account
  • openssl command-line

Setup

  1. Checkout sources: git clone https://github.com/piscesdk/mdm-server.git
  2. Go into folder: cd mdm-server
  3. Initialize MDM server and generate required certificates (SERVER_IP is IP address of your host machine where MDM server will be started): ./scripts/make_certs.sh <SERVER_IP>
  4. Get Push Certificate from Apple and move PushCert.pem file to ./scripts/ folder
  5. Initialize virtual machine and start MDM server: vagrant up
  6. The server should be reachable: https://SERVER_IP:8080

Device Enrollment Steps

You can now run those commands from any web browser, a successfull command will often looks something like the following:


Command Success

Click the "Response" button to see the plist response from apple. Click the pencil to edit the device name, device owner, and device location.

When stopping the server, the standard control-c doesn't usually work. Instead use control-z to suspend the process and then use a kill command to end the process.

^z
[1]+  Stopped                 python server.py
user:~/mdm-server/server$ kill %1
[1]+  Terminated              python server.py
user:~/mdm-server/server$ 

The server uses the pickle library to save devices. When the device class is updated, the pickle format may be invalidated, causing the server to error. In order to fix this, remove the devicelist.pickle file (make a backup just in case!) and re-enroll all devices.

Client Reporting

The MDM server also has REST endpoints for reporting issues and geolocation data from the enrolled clients. This functionality may be used at a later point in time by a security app. The API can be imported into any project as follows:

  • Click on the top level Project item and add files ("option-command-a")
  • Navigate to client-reporting/
  • Highlight the client-reporting subdirectory
  • Click the Add button

The library provides the following functions:

+(void) setHostAddress: (NSString*) host; // Set where the MDM server lives
+(void) setPause : (BOOL) toggle; // Toggle whether to add a thread execution pause to allow requests to finish
+(void) reportJailbreak;  // Report that the device has been jailbroken
+(void) reportDebugger; // Report that the application has a debugger attached
+(void) reportLocation : (CLLocationCoordinate2D*) coords; // Report the lat/lon location of the device

"setHostAddress" and "setPause" are meant to be set once only, and effect all "report" calls. An example usage may look like:

// Code in application init
[client_reporting setHostAddress:@"192.168.0.0"];
[client_reporting setPause:YES];

// Later code during execution
[client_reporting reportDebugger]

This client API can be coupled with the iMAS security-check controls to provide accurate reporting of jailbreak and debugger detection.

Apologies for the long and complex setup, we hope to eventually make things easier and simpler. Please post questions to github if you get stuck and we'll do our best to help. Enjoy!

LICENSE AND ATTRIBUTION

Copyright 2013-2014 The MITRE Corporation, All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this work except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project also uses code from various sources under various licenses.

The original code from the Intrepidus Group's python server is under the BSD License found here.

The python vendor signing code is located here and is under the MIT license.

The Softhinker certificate signing code is under the Apache License found here.

The website's Bootstrap code is under the MIT License found here.

The certificate setup instructions were based on this blog post. Our thanks to Daniel.

Finally we use some free glyphicons that are included with bootstrap.