Reputation: 139
I am new to iOS MDM development using the APNs service. We are developing MDM for iOS and it is in the initial stage. We have recently created a developer account with Apple. I have gone through many websites and links but am still not confident on how to send a command to an iOS device. Going through the forum below I understood that we need to first check the device status and then send the commands to the device. Sending mdm payload
My query is how to do it. I did not find any code snippet in Java, which we actually use, to send a command like "DeviceLock" to an iOS device. Can anyone help me with a small snippet of Java for my proceedings so that I can use the same code to apply policies to the devices as well.
Please help. Thanks for reading.
Upvotes: 1
Views: 1882
Reputation: 139
Updated:
To send any command to the device we first need to install the MDM profile into the device's profiles; it contains a server-url which the device uses to poll for commands whenever it receives a push notification.
Refer to http://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf for enrollment in detail; also refer to the "Sending Push Notifications" section and the sections following it in the above link for detailed device commands.
To send a push notification we need an APNs push certificate, which we can create from Apple's identity portal; refer: http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning
For MDM, we send the push notification payload to APNs as {mdm : "PushMagicToken-of-device"}
When the push notification is received by the device, it will contact the MDM server's server-url for the command to be executed.
Answering your questions (P.S. I used Java for the communication):
Q1. "Can you suggest me how server is interacting with the device and device with the server in the form of request"
Answer: The device will contact the server when it receives a push notification from APNs. It will contact the URL of the key ServerUrl which you provide in the MDM payload.
This is a PUT request; the device sends an Idle status to the server in plist format.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Status</key>
<string>Idle</string>
<key>UDID</key>
<string> [ redacted ] </string>
</dict>
</plist>
All communication with the device is done using the plist (property list) format, which the device understands easily.
Q2: "It means in what form you send command from server and how you check that the command is done and send the feedback to the device"
The server too sends commands to the device in the form of a plist. For example: below is the plist sent for the DeviceLock command from my MDM server when the device sends an Idle status response.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>DeviceLock</string>
</dict>
<key>CommandUUID</key>
<string>ph_mdm_command_uuid</string>
</dict>
</plist>
Please note: each command has a CommandUUID field, which we can use to check the current commands at the server end; it maintains the current session. Whatever command we send to the device with a CommandUUID, the device responds with the status of that command with the same CommandUUID.
So in response to the DeviceLock RequestType, the device sends back a response:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>ph_mdm_command_uuid</string>
<key>Status</key>
<string>Acknowledged</string>
<key>UDID</key>
<string>device_udid</string>
</dict>
</plist>
Here the CommandUUID is similar to the one sent by the server, UDID is the device UDID and the status is Acknowledged, which denotes that the command was successfully executed on the device.
Note: all this is sent in the response from Java in the form of bytes, if you meant in which format I was sending the response to the device.
I assume "send feedback to the device" means either to send the next request or to stop polling: similar steps are to be followed if you have a list of commands to be sent to the device, as currently we can send only one command at a time. If there are no commands to execute and you want the device to stop polling, you need to send an empty response. Refer to iOS MDM - How to close or stop connection after device responds back with valid response for more details.
Hope this cleared the doubts. If you are at the enrollment phase, please refer to @Victor's comments before following this. Let me know in case of any clarifications. Currently I have an MDM setup running successfully on an iOS device.
Thanks.
Upvotes: 4
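The Idle, command, Acknowledged and empty-response exchange described in the answer above, written out as an added example; this is not the poster's code nor Apple's, and the class name `MdmCommandQueue`, the method names and every sample value (the UDID, the queued DeviceLock command) are constructed for the example. It keeps the CommandUUID-to-command map the note describes, reads only the top-level key/string pairs of each plist with the JDK's DOM parser, and leaves APNs push and enrollment out of scope.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Server side of the check-in exchange (added example; class and method names are assumptions). */
public class MdmCommandQueue {
    // CommandUUID -> RequestType for commands sent but not yet answered by a device
    private final Map<String, String> inFlight = new HashMap<>();
    // UDID -> commands still to be sent; the device receives one per poll
    private final Map<String, Deque<String>> pending = new HashMap<>();

    public void enqueue(String udid, String requestType) {
        pending.computeIfAbsent(udid, k -> new ArrayDeque<>()).add(requestType);
    }

    /** Collect the <key>/<string> pairs of the top-level <dict>; nested dicts are skipped. */
    static Map<String, String> parseTopLevelStrings(byte[] body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The plist DOCTYPE points at apple.com: never fetch it, and disable entity expansion (XXE).
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(body));
        Element dict = (Element) doc.getDocumentElement().getElementsByTagName("dict").item(0);
        Map<String, String> out = new LinkedHashMap<>();
        for (Node n = dict.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE || !"key".equals(n.getNodeName())) continue;
            Node v = n.getNextSibling();
            while (v != null && v.getNodeType() != Node.ELEMENT_NODE) v = v.getNextSibling();
            if (v != null && "string".equals(v.getNodeName())) {
                out.put(n.getTextContent().trim(), v.getTextContent().trim());
            }
        }
        return out;
    }

    /** Build the command plist the server returns, in the shape shown in the answer. */
    static String commandPlist(String requestType, String commandUuid) {
        return plist("<key>Command</key><dict><key>RequestType</key><string>" + requestType
                + "</string></dict><key>CommandUUID</key><string>" + commandUuid + "</string>");
    }

    static String plist(String dictBody) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" "
                + "\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
                + "<plist version=\"1.0\"><dict>" + dictBody + "</dict></plist>\n";
    }

    /** Handle one PUT from a device to the ServerURL and return the response body bytes. */
    public byte[] handleCheckIn(byte[] requestBody) throws Exception {
        Map<String, String> msg = parseTopLevelStrings(requestBody);
        String udid = msg.get("UDID");
        String status = msg.get("Status");
        String uuid = msg.get("CommandUUID");
        if (uuid != null) {
            // Correlate the reply with what we sent; a UUID we never issued is logged, not trusted.
            String answered = inFlight.remove(uuid);
            System.out.println("device " + udid + ": " + (answered == null ? "unknown command" : answered)
                    + " " + uuid + " -> " + status);
        }
        // Simplification: only Idle and Acknowledged are treated as "ready for the next command".
        boolean ready = "Idle".equals(status) || "Acknowledged".equals(status);
        Deque<String> queue = udid == null ? null : pending.get(udid);
        if (!ready || queue == null || queue.isEmpty()) {
            return new byte[0]; // empty body: nothing to do, so the device stops polling
        }
        String requestType = queue.poll();
        String newUuid = UUID.randomUUID().toString();
        inFlight.put(newUuid, requestType);
        return commandPlist(requestType, newUuid).getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String udid = "CONSTRUCTED-UDID-0001"; // constructed sample value, not a real device
        MdmCommandQueue server = new MdmCommandQueue();
        server.enqueue(udid, "DeviceLock");

        // 1. The device polls with an Idle status (constructed, mirrors the first plist above).
        byte[] idle = plist("<key>Status</key><string>Idle</string><key>UDID</key><string>" + udid
                + "</string>").getBytes(StandardCharsets.UTF_8);
        byte[] reply = server.handleCheckIn(idle);
        System.out.println(new String(reply, StandardCharsets.UTF_8));

        // 2. The device answers with the same CommandUUID it was given (constructed response).
        String sentUuid = parseTopLevelStrings(reply).get("CommandUUID");
        byte[] ack = plist("<key>CommandUUID</key><string>" + sentUuid + "</string>"
                + "<key>Status</key><string>Acknowledged</string>"
                + "<key>UDID</key><string>" + udid + "</string>").getBytes(StandardCharsets.UTF_8);
        reply = server.handleCheckIn(ack);
        System.out.println("response length after acknowledgement: " + reply.length);
    }
}
```

In a real server `handleCheckIn` would be called from the handler bound to the ServerURL, with `requestBody` read from the PUT and the returned bytes written back; the parser features are set because the device's plist carries a DOCTYPE that the server must never resolve over the network, and a `status` other than Idle or Acknowledged (such as the command error statuses Apple defines) deserves its own handling rather than the empty response this example falls back to.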
Reputation: 23288
I don't think there is a way to answer your question. It's not clear what your problem is, and it's impossible to explain the whole of MDM here on Stack Overflow.
I would recommend reading three documents (at least a couple of times):
Generally speaking, it's impossible to develop MDM without a deep understanding of at least the first two documents.
There are a couple of open source implementations which you can take a look at:
Profile Manager (included in OS X Server). It's in some mix of Ruby + binary.
I could swear that I saw a Java open source implementation of MDM, but I can't find it now.
Upvotes: 1