Questions regarding creating an MDM server for iOS devices

Hello everyone,

I am in the process of creating an MDM server.
I've read several documents including the MDM protocol reference, and at this point I am a bit stuck because I can't find the information I need to get started.

I am developing this solution in .NET, but this is unimportant as I seek to understand the process and the concepts rather than looking for specific implementations.

So far I know this:

  • I need to create an enrollment profile, which the device needs to have access to, so that it can initiate the enrollment process.
  • This enrollment profile contains a property called CheckInURL that the device will use to contact the MDM server to initiate the enrollment process.

So far I've done this:

  • I created a very basic enrollment profile, including the CheckInURL and other basic information, but I DO NOT currently include any certificate or signature information.
  • I created a CSR and obtained a certificate via the Apple Developer portal, but I don't know what I need to do with it.
  • Exposed the enrollment profile via HTTPS so that the device can access this URL and download the enrollment profile.

    This profile is accepted (although not signed) by the iOS device.

  • When the profile is installed by the device it tries to access the CheckInURL, but I get the following message: "Profile installation failed the server certificate for is invalid".


My doubts:

  • What certificates are used in the process and what is their specific purpose?
  • What signature/certificate information needs to be included in the enrollment profile (if any)?
  • I know that payloads need to be signed:
    • What exactly needs to be signed and with which private key?
    • The same question goes for the device side: what key does the device use to sign payloads? Do I have to pass this from the server side?


Thanks!
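The profile-signing step the post asks about, as an added example that is not part of the original post or of any MDM product: it writes a minimal enrollment profile carrying the CheckInURL described above, wraps it in a CMS (PKCS#7) SignedData envelope, which is the format of a signed .mobileconfig, and then verifies that envelope against the signer's certificate, the same trust decision the device has to make. It assumes `openssl` is on PATH; the signing key and certificate are a throwaway self-signed pair generated by the script (a real deployment signs with a certificate the device already trusts), and every URL, identifier and UUID is a constructed placeholder. The second check, verifying against a certificate that did not sign the profile, shows the rejection a device gives when the signer is not trusted, which is the same class of failure as the "server certificate is invalid" message in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an unsigned enrollment
# profile, signs it as CMS SignedData with an embedded copy of the content
# (what iOS expects for a signed .mobileconfig), then verifies it.
# Assumptions: openssl on PATH; throwaway self-signed signer generated here;
# all URLs, identifiers and UUIDs below are constructed placeholders.
set -e

# Write an unsigned profile to $1. CheckInURL and ServerURL are the MDM
# endpoints. A production profile also needs further keys (the push Topic,
# an IdentityCertificateUUID referencing an identity payload, AccessRights);
# they are left out to keep this demo self-contained.
write_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.mdm.payload</string>
      <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/server</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.mdm.profile</string>
  <key>PayloadUUID</key><string>66666666-7777-8888-9999-000000000000</string>
  <key>PayloadDisplayName</key><string>Example MDM enrollment (demo)</string>
</dict>
</plist>
EOF
}

# Generate a throwaway self-signed signing certificate and key in $1.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo profile signer" \
    -keyout "$1/signer.key" -out "$1/signer.crt" >/dev/null 2>&1
}

# Sign profile $1 with the key/cert in $2, writing DER SignedData to $3.
# -nodetach embeds the plist inside the envelope (the device needs the
# content inside, not alongside); -binary stops line-ending rewriting.
sign_profile() {
  openssl smime -sign -nodetach -binary -outform der \
    -signer "$2/signer.crt" -inkey "$2/signer.key" \
    -in "$1" -out "$3"
}

# Verify signed profile $1 against the certificate in $2 and recover the
# plist into $3. Non-zero status if the signature or the chain is bad.
verify_profile() {
  openssl smime -verify -inform der -binary \
    -CAfile "$2/signer.crt" -in "$1" -out "$3" >/dev/null 2>&1
}

# Whole flow in work dir $1; prints "signed-ok" when the recovered plist is
# byte-for-byte what was signed.
demo() {
  write_profile "$1/profile.mobileconfig"
  make_signer "$1"
  sign_profile "$1/profile.mobileconfig" "$1" "$1/profile.signed.mobileconfig"
  verify_profile "$1/profile.signed.mobileconfig" "$1" "$1/recovered.plist"
  cmp -s "$1/profile.mobileconfig" "$1/recovered.plist" && echo signed-ok
}

# Trust check: a second, unrelated certificate must NOT validate the
# profile signed in demo; prints "rejected" on the expected failure.
untrusted_check() {
  mkdir -p "$1/other"
  make_signer "$1/other"
  if verify_profile "$1/profile.signed.mobileconfig" "$1/other" "$1/ignored.plist"; then
    echo trusted
  else
    echo rejected
  fi
}

# Stand-alone run: sh this_script.sh /some/empty/dir
if [ -n "${1:-}" ]; then
  demo "$1"
  untrusted_check "$1"
fi
```

Two design points worth noting: the envelope is opaque (`-nodetach`), so the device receives the plist and the signature in one object, and the verification deliberately goes through `-CAfile` rather than `-noverify`, because a valid signature from an untrusted signer is exactly the situation a device refuses; whichever certificate actually signs the profile has to chain to something the device trusts.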