I am in the process of creating an MDM server.
I've read several documents including the MDM protocol reference, and at this point I am a bit stuck because I can't find the information I need to get started.
I am developing this solution in .NET, but this is unimportant as I seek to understand the process and the concepts rather than looking for specific implementations.
So far I know this:
- I need to create an enrollment profile, which the device needs to have access to, so that it can initiate the enrollment process.
- This enrollment profile contains a property called CheckInURL that the device will use to contact the MDM server to initiate the enrollment process.
So far I've done this:
- I created a very basic enrollment profile, including the CheckInURL and other basic information, but I DO NOT currently include any certificate or signature information.
- I created a CSR and obtained a certificate via the Apple Developer portal, but I don't know what I need to do with it.
- Exposed the enrollment profile via HTTPS so that the device can access this URL and download the enrollment profile
- This profile is accepted (although not signed) by the iOS device
- When the profile is installed by the device it tries to access the CheckInURL, but I get the following message "Profile installation failed the server certificate for is invalid".
- What certificates are used in the process and what is their specific purpose?
- What signature/certificate information needs to be included in the enrollment profile (if any)?
- I know that payloads need to be signed:
- What exactly needs to be signed and with which private key?
- The same question goes for the device side: what key does the device use to sign payloads? Do I have to pass this from the server side?
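As an added illustration of the profile structure the question is about (this is example code written for this page, not code from the poster or from Apple), the following builds a minimal enrollment profile with the two payloads an MDM enrollment needs: an identity payload (`com.apple.security.pkcs12`) carrying the device identity certificate the device will later use to authenticate to the server, and the `com.apple.mdm` payload whose `IdentityCertificateUUID` points at it. A small lint function then checks the mistakes that most often produce an enrollment failure: a `CheckInURL`/`ServerURL` that is not `https://`, a `Topic` that is not the `com.apple.mgmt.*` push topic from the APNs MDM certificate, and an `IdentityCertificateUUID` that does not resolve to an identity payload in the same profile. The URLs, topic, payload identifiers and the PKCS#12 bytes are constructed placeholders, not values from the question; the TLS certificate presented at `CheckInURL` itself must additionally chain to a CA the device trusts, which this code cannot check.

```python
import plistlib
import uuid
from urllib.parse import urlparse

# AccessRights bit mask granting every MDM right (sum of all 13 documented bits).
ALL_ACCESS_RIGHTS = 8191


def new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_enrollment_profile(check_in_url: str, server_url: str, topic: str,
                             identity_p12: bytes, identity_password: str,
                             org: str = "Example Org") -> bytes:
    """Return an unsigned .mobileconfig (XML plist) with an identity and an MDM payload."""
    identity_uuid = new_uuid()
    identity_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.identity",   # placeholder identifier
        "PayloadUUID": identity_uuid,
        "PayloadDisplayName": "MDM device identity",
        "PayloadContent": identity_p12,      # plistlib emits bytes as <data>
        "Password": identity_password,
    }
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",            # placeholder identifier
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "MDM",
        "CheckInURL": check_in_url,
        "ServerURL": server_url,
        "Topic": topic,
        "IdentityCertificateUUID": identity_uuid,          # ties the MDM payload to the identity
        "AccessRights": ALL_ACCESS_RIGHTS,
        "CheckOutWhenRemoved": True,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.enrollment",  # placeholder identifier
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Example MDM enrollment",
        "PayloadOrganization": org,
        "PayloadContent": [identity_payload, mdm_payload],
    }
    return plistlib.dumps(profile)


def lint_enrollment_profile(data: bytes) -> list:
    """Return a list of human-readable problems; an empty list means the checks passed."""
    problems = []
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}

    mdm_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm_payloads) != 1:
        problems.append("profile must contain exactly one com.apple.mdm payload")
        return problems
    mdm = mdm_payloads[0]

    # Both endpoints must be HTTPS; the device refuses a server whose certificate it does not trust.
    for key in ("CheckInURL", "ServerURL"):
        url = mdm.get(key, "")
        if urlparse(url).scheme != "https":
            problems.append(f"{key} must be an https:// URL, got {url!r}")

    # The push topic comes from the APNs MDM certificate and always starts with com.apple.mgmt.
    if not str(mdm.get("Topic", "")).startswith("com.apple.mgmt."):
        problems.append("Topic must be the com.apple.mgmt.* push topic from the APNs MDM certificate")

    # The identity reference must resolve to a PKCS#12 or SCEP payload inside this profile.
    ident = by_uuid.get(mdm.get("IdentityCertificateUUID"))
    if ident is None or ident.get("PayloadType") not in ("com.apple.security.pkcs12",
                                                         "com.apple.security.scep"):
        problems.append("IdentityCertificateUUID must reference a pkcs12 or scep payload in the profile")
    return problems


if __name__ == "__main__":
    # Constructed sample input: not a real PKCS#12 blob, just bytes for the example.
    fake_p12 = b"constructed-placeholder-not-a-real-pkcs12"
    good = build_enrollment_profile("https://mdm.example.test/checkin", "https://mdm.example.test/mdm",
                                    "com.apple.mgmt.External.placeholder", fake_p12, "changeit")
    print("good profile problems:", lint_enrollment_profile(good))
    bad = build_enrollment_profile("http://mdm.example.test/checkin", "https://mdm.example.test/mdm",
                                   "not-a-push-topic", fake_p12, "changeit")
    print("bad profile problems:", lint_enrollment_profile(bad))
```

The output of `build_enrollment_profile` is unsigned; in practice it is wrapped in a CMS/PKCS#7 signature (for example with `openssl smime -sign -nodetach -outform der`) using a certificate the device trusts before it is served, which is what removes the "not signed" indication on install.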