Hi my name is Haruhiko Nishi. I'd like to share my open source project, a server which allows remote security policy enforcement on iOS 4.x--Tested with iOS 5.x and worked--devices whose MS Exchange settings are configured to point to the it. This may not be a perfect MDM solution and obviously you'll find it very primitive when it is compared with the MDM provided Apple, as it relies on the ActiveSync Provisioning command subset which only provides only a handful of security features. However, since it does not use APNS service at all, you have pretty much full control of the devices connected or connecting to the server. When you use APNS, you can query against the service that Apple provides to find the devices profile, but how often do you need to use it? Or will you ever use all of the features?
ActiveSync happens to be not just another data synchronization protocol, it has mobile device management command subset. It is limited compared to the solution that uses configuration profile, but it still allows us remote wipe and enforce security policies on connected device,in addition to camera and safari browser control. If these are all what you need, why pay for the features that you are not sure if you are ever going to need?
ActiveSync is widely supported by smartphones currently available and those that will become available soon, not to mention Windows Phone 7 should be fully compatible to the Provisioning policies. Android 2.2 platform supports this protocol I believe, therefore the ActiveSync way is not limited to the iOS devices.
I find the device management capability supported by genuine MS Exchange is not easy to use and intuitive at all. By default you can find a way to factory reset the device in case the device is stolen, but how other security policies such as disabling camera or browser is not found easily; I think you need to prepare a script for most of the neat restriction features and this can be done only by the system's administrator. Your system administrator could be out sick even if you need him to remote wipe your device for you.
ActiveSync is implemented using Jetty(http://jetty.codehaus.org/jetty/) Because it is a Java implementation and you will be able to programmatically handle requests made from the client devices. This is not possible if you use genuine MS Exchange. The Jetty solution can,for example,remote wipe the device using source IP filtering.
Suppose that there is an iPad whose Internet and Intranet connection is only allowed to be made via company's WLAN access points. Jetty can examine whether the connection is made from unknown source IP address to trigger the remote wipe on device. This may be useful if there is an iPad containing information that should never leave your company.
ActiveSync also has a camera enable/disable security policy that can be enforced on the device. Using the source IP address, we can toggle on/of of the camera feature depending on which source IP address iPhone is making connection to the server. So maybe inside the building the camera feature is disabled, and once the iPhone is brought outside the WiFi area and reestablishes the connection with 3G network then the camera feature gets toggled on.
This Jetty solution currently supports the ActiveSync's Provision Command which is used for the security policy enforcement. Data Synchronization for Tasks,Calendar and Mail forwarding is not supported yet but I have a plan to implement all of the ActiveSync feature found in the Microsoft's publicized document and make them a pluggable Jetty module. So this prototype is just to show what would be possible if you had some kind of open source ActiveSync programmable component and it is not limited to just remote wipe the devices. You can develop your calendar application on your own.
The binary of the server can be downloaded from the following site.
The source code available, if you want to see how it is implemented.
There is also a demo site up running.
Here is the instruction on how you configure your device to communicate with the server
you'll be asked to enter username/password when you visit the url below.
you'll see an empty list and the username/password fields to register MS Exchange account that are used with your iOS devices.
The username is what you will use when you setup a MS Exchange account in your iOS.
Your username/password will appear as the following in the list.
foo/bar[No associated device]
username is used for the email field. The server does not check the @yourdomain.com part. so you can just add domain part anything you want. Likewise, the password is what needs to be used for the password field found in Exchange settings.
The server does not use any SSL connection you have to do the following:
you'll have to enter ip address of the server manually and it needs to end with :8080 like so
you'll also have to complete the Exchange setting without having properly configured. You first save your Exchange settings even if it has failed to connect to the server, and then reopen your Exchange settings to disable SSL. It is found at the bottom of the account settings.
Once the setup is done you can just wait watching the list until [No associated device] goes away. If it does, it is a sign that your device has successfully connected to the server and you are ready to apply security polices on your device.
If [No associated device] does not go away, you might have to force the device communicate ActiveSync.
(There are many ways to do that, syncing email will trigger the communication)
To apply security policies on your deice you just click on the image(iPhone or iPad)
!!!!! When used with iOS6 running devices, security enforcement only works if you perform "fetch" action with the configured device. It seems that no long polling request is initiated with the iOS6 upgraded devices, therefore 'Push'ing is not possible!!!!
[No associated device] goes away once Provision command completes
your device becomes "ON LINE" if it connects using Ping command and it is controllable.
You need to push enable the device. Set its setting to one of the 15min/30min/1hr switching from manual which is the default. This may or may not be a bug, the device does not seem to initiate Ping request if this is set to manual so the workaround is to set it to one of there three choices.
If you have any questions, please leave here comments.
Congrats for building such a fantastic demo site ... it's very easy to use and try out ..
i have a question regarding device status. How do you determine whether the device is online or offline ? is it based on last sync time ? or is there an activesync command which you use to check for device status?
Sorry for the belated response.
I will shortly post the SVN URL here so that everyone can scrutinize how its done and further develop their own versions.
The offline and online status changes when the device makes each Ping requests to the server. If Ping is accepted by the server, the request is suspended until either timeout occurs or there is a server side change. In another words, if you control the device from the dialog window it is a change and the request suspended returns marking the device offline.
Device to which the http long polling request response returned will immediately request another Ping command and is suspended again. This is when the device status becomes online. However, it does not mean that the device needs to be online in order to control the device, the security policies are imposed when the device connects to the server next time.
The Online status does not guarantee that the device is actually online. It could, for instance drop the connection with the server.
Server won't know until the long polling timeout occurs which defaults to 2min.
Thanks for your reply. You answered my question.
Oh, and please do not register your device more than once. There is a bug in the application.
I see may of them in the list not being able to click open the device dialog. This occurs if a device is registered more than once with different name/password, unless you remove your device from the list.
Apologize for your inconvenience
Thanks for the info
i have one more question .. from what i understand .. client will initiate session by sending ping request and server will respond back with data to be pushed to client. Is it possible for the server to send data even if there is no ping coming from client. i have a specific use case - i want to be able to remote wipe a device even if there is no ping coming from the device
The server actually does not respond back with the policy data to be enforced on the device, but it notifies the client that a change has occurred(HTTP 449), when the client received the notification, it should request to be provisioned.
When this was to be done using an actual MS Exchange Server, device provisioning is usually not something repeatedly performed, may be once in a while when admin decide to change the security policy. It is probably no as easy as my little gadget to toggle the camera feature on/off with real Exchange Server.
The device needs to communicate with the server in order to become aware of the change occurred server side. If you "push" enable your device, your device initiates http long polling, which is the DirectPush in Microsoft term. If you turn off the "push " then the device starts to asks for changes periodically at the interval you set in the device, or manually when your sync your mail box or calendar with the server. Regardless of whether the device is using the Ping command or not, the server side image of the device, which is similar to HTTP session object, is marked as "changed" when you control the device in the dialog. When the device asks for changes, it is replied with HTTP 449 and the device requests the provision command. This is when the policy is set. The policy is sent to the device because the device asks for it.
Now you may think this becomes useless if the device never communicates with the server. My idea is to place this jetty server in between the device and actual Exchange server and let it proxy the ActiveSync traffic, but for the security policy enforcement, intercept the communication and manipulate the device from the jetty server. Depending on where the traffic is coming from, jetty can, for instance, trigger remote wipe for you while you are asleep, if you design it so.
I'll upload the code to google source code so you have the source code to start try things of your own. I'll continue to implement ActiveSync command. Help appreciated.
Thanks for the nice idea and the demo. I can see your point especially that it's going to work with other devices which implement the active sync.
Can you provide some documentation on what other functionality can be achieved by active sync.
Also looking for your post on the svn so that we can look into the code. Very much appreciate your efforts on this and posting the svn code.
I'll post the svn url shortly. I sort of need to modify the package name to something else before I re-import the entire source tree to a freely available svn repository. I wonder if I could possibly make it enterpriseios.com as it is a contribution(sort of) to this site?
that should be fine..
Thanks for the offer, but we don't have a public SVN repository here. You may want to try Assembla, which is free for open source projects.
Aaron Freimark, Enterprise iOS founder & Tekserve CTO
source code posted to the following url:
Thanks for the update and appreciate your efforts on this front
Do you have any good pointers into the activesync protocols especially the apis which supports mobile device management side..
Here is the spec of the Provisioning Policies available. However, not all of them are supported by iOS.
Oh you mean in the source code? sure. Check out the the spring configuration file. This is probably where you could start the code reading. It pretty much gathers components used in the application.
There are *Handlers defined in the bean configuration file each corresponds to the ActiveSync command used in Provisioning phase...needs to be discussed at the source code url to this regard.
Thanks a lot Hanishi .. this helps a lot
If you ever want to commercialize, deriving your own version from the source code you find at above url or anything that uses ActiveSync, you might want to consult the following.
$100,000 isn't cheap.
I think, if we just want to write a proxy for activesync like you did, we do not need to do any licenseing..that will be just be a proxy and do the operations specified in the protocol.
Oh then buy me a beer if you ever going to make money with it!
is also something to look at, if you wan to make it some cloud service.
Aaron, I changed my email address to my personal one.
That email is invalid as I no longer work for that company.
What was your question?
Nice job with this server.
Another good project would be to create a fully functional OpenSource MDM Solution like Mobile Iron or Air-Watch.
I don't think it's very difficult in a development perspective.
The difficult thing would be to get access to the specific MDM APIs which are not part of the public APIs from the Developper program. You need a special agreement with Apple to get access to those APIs.
Anyone interested ?
I actually have seen it. Because I've worked with it. It is actually nothing more than binary encoded JSON messaging to APNS servers. I don't know if you want call it an API.
The draft I've received wasn't even finished.(Maybe that is why it is called draft)
You still have to poll APNS servers to get information from MDM controlled iOS device. Do you want to do that for
100,000 device simultaneously?
Using my solution, although it is limited, it can be done! and no need for admin!
You also can put your server on premise. But don't get me wrong. Genuine MDM is for those who can afford it. And this is something I was having fun developing.
MDM Solutions are capable of managing thousands of devices and I think it would be great to build a similar solution but OpenSource.
Do you have documents on JSON messaging to Apple's APNs ?
Yes, It is capable. But it still is simple HTTP request and your service have to sequentially poll all of the devices one at a time, which does not interest me at all.
And you also need to buy Cisco SCEP device. Can't afford it. It basically means, you need a lot of investment.
I expect those documents to be licensed to Apple. Please don't involve me in an Intellectual Property lawsuit!
Yes, no more question about Apple's MDM API!
I hear SCEP servers are going to be a lot cheaper next month.
Exactly, that's what I meant in my earlier comment.
MDM API's are licensed to Apple's and with a special agreement, you can have acces to them. That's what I guys from Mobile Iron and other MDM solutions provider I met before told me.
But still, it doesn't cost anything to ask for that agreement for an OpenSource project even the expected answer from Apple is well knwon ... already.
And still, I'd love to work on that kind of project.
You can work on it without SCEP devices. You only need a SCEP compatible certificate authority, like Microsoft Certificates Authority provided with any Windows 2003 R2 or Windows 2008 R2 server. No need to buy a Cisco device.
To them, I think it is a liability issue what is concerned than whether a company has a potential to make such investment or not. As long as there is APNS(apple's demarcation) in between iOS devices and servers that request MDM commands against APNS to have it the connected device notified, Apple probably do not want any unidentified services use the features that could compromise the devices on the far end. So even if it becomes an open source, it is no use. Not to mention that the API is so simple and there is just no point of making it an open source project.
I think there is misunderstanding here, and perhaps it's my fault.
I wouldn't like to make MDM APIs opensource, I know there is no point asking that to Apple. I just would like to build an application such as McAfee EMM or MobileIron VSP, but opensourced.
That's it. I know it's not gonna happen because Apple won't sign a licence agreement with a bunch of geeks, It's just a whish.
If somebody could realize my idea, it is still going to be useful at least for remote wipe.
My firs idea was to build a ActiveSync Java stack so MS Exchange client software on all mobile devices become useful if some one wants to develop their own groupware. Who would? Who knows..
currently i am working on a similar project. I'll be grateful if we can have some more discussions on this topic. My personal mail id is firstname.lastname@example.org. Please drop me a mail if you are interested.
I was not the only one who wrote the code.Guess who helped with it.
Simone Bordet and Greg Wilkins. Both known as the jetty developer.
Thank them too.
You may also want to check out z-push,which is a php implementation
of the same.
Hi Sailesh, Haruhiko:
I am also interested something like this. I am reading through the docs to understand the stuff bit more. Can you please send me an email so that we can discuss more offline.
At last, I got some time to go through your code in depth and the docs on microsoft site. I am not sure you're still following this thread or not. If yes, can you post a note and I have few more questions on this.
Also any one, how this will work on HP WebOS and coming windows phone (mango).
thanks for all your time
I'm still following this thread.
Thanks. Here are few questions:
1. In order to effective intercept the exchange, we need to write a full proxy for the exchange, right? What you have is a skeleton implementation for that, but it's not a proxy yet. Right?
2. How much work is to write a full proxy so that we can effective make an mdm for all the clients which implements activesync proxy
3. How does it work for WebOS (HP).
4. Can I assume that this proxy stuff and mdm functionality in upcoming mango will completely work for our current solution.
Will it be possible to block the activesync access using our current solution.
1. There is no proxy feature implemented yet, but I have started to work on it. You will have to use jetty's http client component and make the server itself a client to MS Exchange server. I have implemented Ping command, which is the hardest to proxy, seems to work OK. The downside for the proxy is that you have to disable "keep-alive".
2. First you probably have to know the jetty's internal well, in order to write one. So I recommend you to study jetty before you do anything. You'll have to know the mechanism of jetty's Continuations to clearly approach the problem you may encounter while writing it. You also need a MS Exchange and wireshark to sniff the protocol sequence.
3. Don't know the WebOS. Not so popular in Japan. But if it supports ActiveSync, should work for it as well.
4.Don't know waht to answer yet, but it should be capable of blocking the activesync access if it can be in between the client and the actual Exchange server.
Can you bit explain me once you're done with your implementation, the result will be a proxy for the activesync or will replace the activesync part. In other words, does the end user (customer), needs to make any changes to their existing environment to deploy your solution.
I think, it's important, since most of the folks do not want to make any big changes into their existing setup which works fine. Ideally the new code should be able to sit in between flow of current mail setup.
Also is there any reason you tried to use the jettys framework?
I will go through the jetty framework first before trying to do anything.
thanks for the reply and effort.
From the end server point of view, it will look like legitimate ActiveSync request coming from a single source IP address. In other words, the proxy will just look like a mobile device to the Exchange Server, same principle as a regular HTTP proxy.
I don't know if people are still interested but I will post the details here soon.
I was trying to run the Server, but I am getting java.lang.NoClassDefFoundError: com/yourinventit/push/spring/Main Exception, I was able to build the project but having difficulty in running it. Could you please help me with this.
oops! com/yourinventit/push/spring/Main should not exists. I have altered the "com.yourinventit" to "com.enterpriseios" when I uploaded the source to google repository. You could try replace the "com.yourinventit" strings with "com.enterpriseios" and it should work. I'll fix the source and update the repository later. Sorry for the inconvenience.
For any further questions, you can just contact me with the address below.
I was able to resolve the issue by changing the start.ini to point to com.enterpriseios.push.spring.Main class. Now I am able to run the server
Quick question, how should I configure the Exchange server i.e. Domain and Server parameters?
Thanks Hanishi, I was able to run the server now, but struck with Configuring Exchange settings on iPhone I will send you an email.
It seems that I am unable to access your test site. Could you please re-post the URL if it has changed?
I'm trying to find a new server location where I can deploy the server application.
Thanks for the update. I am new to the java environment and have been having quite a difficult time to compile it and getting errors in regards to sleepycat (it seems like the required version is 4.1.6 but maven has 4.0.92). Would it be possible to provide a compiled version (maybe by dropbox or FTP) for me to test out?
Thanks in advance.
I'll make the binary downloadable from the google code site where you have checked out the source code.
Thank you very much.