Basic queries about MDM


GC

Joined: Jan 11, 2016

Hi,
I'm a newbie to MDM and am still trying to figure out how all the pieces fit together. I have a query I hope the gurus can help answer.

Is the following correct? From the moment it registers itself with Apple, each device maintains a persistent connection with the APNS service via the "apsd" daemon. This connection serves as the underlying "pipe" that helps the apsd daemon, on its part, offer the publish-subscribe service that helps client apps (aka the subscribers) receive "messages" from the publisher (aka APNS in this case). If this is true then

My query concerns how a device gets its unique token from APNS. Per my understanding, an application needs to register itself with APNS for it to be able to receive notifications, and as a part of this registration process the APNS service returns a unique app-specific "token" to the app. How does this pan out in the MDM context? What's this app? Who decides the topic to use? The reason for me to ask this is that the MDM Check-In protocol requires the device to send the "Topic" and "Token" during the final TokenUpdate step. Without an app, where do the "Topic" and "Token" come from?

Any responses would be greatly appreciated.

Thanks and Regards


Aaron Freimark

Joined: Nov 6, 2010

The answer: mdmd


Great question. How does the MDM protocol work if there is no app installed on the device?

It works because ALL MDM systems use the same daemon on the device side, called "mdmd". This service is part of iOS and is installed on every iOS device, although it may not be active.

So yeah, MDM is actually managed by Apple. This is why all MDM providers are pretty limited to the same set of features: Apple is running the device end of the connection. And this is why a snafu like iOS 9.2 can mess up MDM app installation for ALL MDM providers.

On the other hand, maybe it's why MDM tends to be pretty reliable.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO


GC

Joined: Dec 18, 2015

Thank you for your response


Thank you for your response Aaron.

So, keeping the above in mind then, is it right to assume that

  1. Once the device is powered on, the "mdmd" process registers itself with the APNS infrastructure and receives the "topic" and "token" that it uses for all subsequent interactions with the MDM Service running on its managing OS X Server (Profile Manager), including the Check-In protocol (viz. the AUTHENTICATE and TOKENUPDATE messages)?
  2. Is it this built-in "application", viz. "MDMD", that knows how to interpret and implement the various protocols (such as Check-In)?

Uroshnor

Joined: Nov 5, 2012

Close ...


The MDM agent built into iOS only connects to APNS if the device has been enrolled in MDM.

If it is enrolled then it re-establishes the connection to APNS when required, e.g. power on, coming out of airplane mode, etc.

No app is required; it implements the entire client-side part of the protocol.

The token is created when the MDM server gets its push certificate from APNS.

It's worth reading Apple's developer documentation on APNS. The MDM server is just a "provider", and mdmd is the client agent.

Keep in mind, the commands, queries and responses do not transit APNS; that's just a long-range reminder to get the agent to phone home directly to the MDM server.

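To make the check-in exchange described above concrete, here is an added example (not code from this thread, Apple, or any MDM product) of what an MDM server does with the TokenUpdate message the device's agent sends: it parses the plist body, checks that the reported Topic matches the topic of the server's own push certificate, stores the APNs token, and builds the push payload that only tells the agent to phone home. The sample plist and its values are constructed; the PushMagic field and the {"mdm": PushMagic} push body come from Apple's MDM protocol and are not mentioned in the thread.

```python
import plistlib

# Constructed sample of a TokenUpdate check-in message (MDM protocol plist).
# All values are made up for this example; a real device sends a 32-byte APNs token.
SAMPLE_TOKEN_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MessageType</key><string>TokenUpdate</string>
  <key>Topic</key><string>com.apple.mgmt.External.EXAMPLE-UUID</string>
  <key>UDID</key><string>EXAMPLE-UDID</string>
  <key>Token</key><data>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=</data>
  <key>PushMagic</key><string>EXAMPLE-PUSH-MAGIC</string>
</dict>
</plist>"""

# Topic the server's APNs push certificate was issued for (assumed value).
SERVER_PUSH_TOPIC = "com.apple.mgmt.External.EXAMPLE-UUID"


def parse_token_update(body: bytes, expected_topic: str) -> dict:
    """Validate a TokenUpdate check-in and return the fields the server must keep."""
    msg = plistlib.loads(body)
    if msg.get("MessageType") != "TokenUpdate":
        raise ValueError("not a TokenUpdate message")
    # The device reports the topic its agent subscribed to. It must match the
    # server's push certificate, or pushes sent with that certificate never arrive.
    if msg.get("Topic") != expected_topic:
        raise ValueError("Topic does not match the server push certificate")
    token = msg.get("Token")
    if not isinstance(token, bytes) or len(token) != 32:
        raise ValueError("Token must be a 32-byte APNs device token")
    if not msg.get("PushMagic") or not msg.get("UDID"):
        raise ValueError("missing PushMagic or UDID")
    return {
        "udid": msg["UDID"],
        "token_hex": token.hex(),  # APNs providers address the device by hex token
        "push_magic": msg["PushMagic"],
        "topic": msg["Topic"],
    }


def apns_wakeup_payload(record: dict) -> dict:
    """The push body carries no command; it only tells the agent to poll the server."""
    return {"mdm": record["push_magic"]}
```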

darkdevil

Joined: Jan 4, 2016

MDM


You are right, each device maintains a persistent connection with the APNS service via the "apsd" daemon. The token is created when the MDM server gets its push certificate from APNS.


GC

Joined: Dec 18, 2015

Thank you all for your


Thank you all for your responses. I apologize I've been a tad late in responding.
