Generating MDM certificate

Question

For implementing a app like Kidslox or Screen Time and I need to make use of MDM server. I went through various blogs for creating or setting-up the MDM server and for that MDM certificate is required. But I'm not getting the MDM CSR option while creating a new certificate.

I already have the Apple's Developer account so my biggest question is that:

Do I really need to signup for the Apple's Enterprise Program?

This answer says that we do not require enterprise account for using an MDM service but we require it for creating an MDM service? Quite confusing.

Here are the blogs & posts that I referred:

1. MDM protocol https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf
2. https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/profile-service/profile-service.html#/
3. Understanding certificates https://micromdm.io/blog/certificates/
4. generate MDM certificate
5. http://avibirnale.blogspot.com/2013/05/mdm-development-configuration-for-ios.html
6. How to develop mobile device management application in iOS
7. How to develop iPhone MDM Server?
8. https://docs.oracle.com/cd/E60418_01/doc.1210/e58650/admmdmarch.htm#OLDEP080
9. https://developerinsider.co/how-to-create-a-verified-ios-mobile-device-management-mdm-profile/
10. MDM Architecture https://docs.oracle.com/cd/E60418_01/doc.1210/e58650/admmdmarch.htm#OLDEP100
11. Prerequisites for MDM https://github.com/macadmins/mdm-server/blob/master/README.md#prerequisites

I went through the top questions of MDM as well: https://stackoverflow.com/questions/tagged/mdm+ios?sort=frequent

Most of these blog posts are quite old so I believe things have changed since then so I'm curious why we need the enterprise account when that program is majorly for distributing proprietary in-house apps within the company or organization while we are doing this for end-users?

Answer 1

Yes, technically you need to register with the Enterprise Developer Program, however with some clever trickery, it is possible to obtain a certificate like this for free.

Apple has maintained the "macOS Server" program for years now and it includes a service called Profile Manager. It is a rudimentary MDM server made by Apple. It uses MDM push certificates just as 3rd party vendors do, however they have made their own system for getting these certificates. I won't go too in depth here because this is kind of gray area on the terms & conditions front, but with some research on GitHub, you can find where people have uploaded scripts that use the protocol used by the macOS server program to get & renew its push certificate for free.

I reverse engineered it a while ago and have been using it to run by own personal mdm server for years. In my opinion, much cheaper and easier (and kinda fun if you're interested in this kinda stuff) than paying for an enterprise account.

Answer 2

Yes, in order to become an MDM vendor with Apple, you need an Enterprise Developer Program; this program requires you to register it in a company name (not a personal name), be registered with your country's tax department, and also obtain a DUNS (Dun & Bradstreet) number.

All in all, just a bit of paperwork and a few hundred dollars would set you straight.