0 Replies
Latest reply on May 22, 2020 5:08 AM by mdmdev1
mdmdev1, Level 1 (0 points)

        Hello everyone,


        I am in the process of creating an MDM server.
        I've read several documents, including the MDM protocol reference, and at this point I am a bit stuck because I can't find the information I need to get started.


        I am developing this solution in .NET, but this is unimportant as I seek to understand the process and the concepts rather than looking for specific implementations.

        So far I know this:


        • I need to create an enrollment profile, which the device needs to have access to, so that it can initiate the enrollment process.
        • This enrollment profile contains a property called CheckInURL that the device will use to contact the MDM server to initiate the enrollment process.

        So far I've done this:

        • I created a very basic enrollment profile, including the CheckInURL and other basic information, but I DO NOT currently include any certificate or signature information.
        • I created a CSR and obtained a certificate via the Apple Developer portal, but I don't know what I need to do with it.
        • Exposed the enrollment profile via HTTPS so that the device can access this URL and download the enrollment profile.
          • This profile is accepted (although not signed) by the iOS device.
        • When the profile is installed by the device, it tries to access the CheckInURL, but I get the following message: "Profile installation failed the server certificate for is invalid".


        My doubts:


        • What certificates are used in the process and what is their specific purpose?
        • What signature/certificate information needs to be included in the enrollment profile (if any)?
        • I know that payloads need to be signed:
          • What exactly needs to be signed, and with which private key?
          • The same question goes for the device side: what key does the device use to sign payloads? Do I have to pass this from the server side?


        Thanks!
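The enrollment profile the post describes, as an added example that is not from the original post or from Apple: it builds a minimal profile with Python's standard library (the server URL, push topic, identity UUID and PKCS#12 bytes are constructed placeholders) and lints the fields a device checks before it ever contacts the CheckInURL, showing that the device identity used for TLS client authentication and message signing is carried inside the profile itself.

```python
import plistlib
import uuid
from urllib.parse import urlparse

# Constructed sample inputs (hypothetical; not from the original post).
SERVER = "https://mdm.example.com"
TOPIC = "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000"
IDENTITY_UUID = str(uuid.uuid4()).upper()
FAKE_P12 = b"<placeholder PKCS#12 blob: device identity cert + private key>"

def build_enrollment_profile(server, topic, identity_uuid, p12_bytes, p12_password):
    """Return a minimal MDM enrollment profile as plist bytes (profile itself unsigned)."""
    identity = {  # the device identity the MDM payload refers to by UUID
        "PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.identity", "PayloadUUID": identity_uuid,
        "PayloadContent": p12_bytes, "Password": p12_password,  # bytes become <data>
    }
    mdm = {
        "PayloadType": "com.apple.mdm", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm", "PayloadUUID": str(uuid.uuid4()).upper(),
        "ServerURL": server + "/mdm",              # MDM command channel
        "CheckInURL": server + "/checkin",         # Authenticate / TokenUpdate messages
        "Topic": topic,                            # push topic from the APNs MDM certificate
        "IdentityCertificateUUID": identity_uuid,  # TLS client cert and message-signing key
        "AccessRights": 8191,                      # all rights
        "SignMessage": True,                       # device signs each message with that key
    }
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example MDM enrollment", "PayloadContent": [identity, mdm],
    })

def lint_profile(profile_bytes):
    """Return the problems a device would trip over; an empty list means the profile is clean."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    mdm = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm) != 1:
        return ["profile must contain exactly one com.apple.mdm payload"]
    mdm, problems = mdm[0], []
    for key in ("ServerURL", "CheckInURL"):
        if urlparse(mdm.get(key, "")).scheme != "https":
            problems.append(f"{key} must be an https URL")
    ident = next((p for p in payloads if p.get("PayloadUUID") == mdm.get("IdentityCertificateUUID")), None)
    if ident is None or ident.get("PayloadType") != "com.apple.security.pkcs12":
        problems.append("IdentityCertificateUUID must point at a PKCS#12 payload in this profile")
    if not mdm.get("Topic", "").startswith("com.apple.mgmt."):
        problems.append("Topic must be the com.apple.mgmt.* topic from the APNs MDM certificate")
    return problems
```

The server certificate error in the post is separate from this: the device validates the TLS certificate at CheckInURL against its trust store, so a certificate the device does not trust fails before any check-in message is exchanged.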