A Practical Guide to Building iOS MDM

By xia0


This article only covers building MDM on the iOS platform.

Getting Started

MDM stands for Mobile Device Management and lets an enterprise manage its employees' mobile devices. iOS supports MDM as well, and this article explains how to set up the whole MDM architecture. Back in 2018 I worked through the sparse material that was available and, after a good deal of trial and error, got the whole flow working end to end. In my excitement at the time I never wrote any documentation; a year later the signing certificate expired and I had forgotten the entire setup procedure. So I went back over it, and this time I am recording the whole process in the hope that it helps whoever comes next.

Overall Workflow

  • Obtain the Vendor p12 certificate

  • Create the server push certificate

  • Generate and sign the device profile

  • MDM command structure and protocol analysis

  • Recommended enterprise MDM setup

Obtaining the Vendor p12 Certificate

  • Create the MDM Vendor CSR

    1. Open Keychain Access

    2. Choose Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority

    3. Fill in the requested information

    4. Save it to disk

  • Upload the CSR file to Apple

    Go to https://developer.apple.com/account/ios/certificate/create

    Upload the CSR file on that page and wait 1-2 business days.

    Then download the .cer file and save it as mdmvendor.cer

  • Export the MDM private key

    Open mdmvendor.cer in Keychain Access, then right-click it, choose Export, and save it as private.p12

Note: the files generated here are important; I recommend creating a dedicated MDM directory to keep them in.

Creating the Server Push Certificate

Generate the certificate signing request

  • Choose Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority

  • Enter your e-mail address, name and other details

  • Save it locally as push.csr

Export the MDM private key and Vendor certificate

  • Extract the private key

    The following command will prompt for the password of private.p12

    openssl pkcs12 -in private.p12 -nocerts -out key.pem
    
  • Strip the password from the exported private key

    openssl rsa -in key.pem -out private.key
    
  • Extract the certificate

    The following command will prompt for the password of private.p12

    openssl pkcs12 -in private.p12 -clcerts -nokeys -out cert.pem
    
  • Convert the certificate to DER format

    openssl x509 -in cert.pem -inform PEM -out mdm.cer -outform DER
    
Generate applepush.csr with the mdmvendorsign tool

We need the code under /vendor/ in the mdmvendorsign tool. Copy the private.key, push.csr and mdm.cer files produced above into the /vendor/ directory, then run the following command:

python mdm_vendor_sign.py --key private.key --csr push.csr --mdm mdm.cer --out applepush.csr

Obtain the push certificate from Apple

Upload the applepush.csr generated above to Apple's Push Certificates Portal

Then download the push certificate. Open the downloaded certificate in Keychain Access and you will see the following information


Save the User ID shown there; it is needed later. Then right-click the certificate, export the p12 private key and save it as mdm.p12

Generate the server push certificate from the exported p12 with the following command

openssl pkcs12 -in mdm.p12 -out PushCert.pem -nodes

Then copy PushCert.pem into the ./Apple-iOS-MDM-Server/scripts/ directory

Generating and Signing the Device Profile

Generate the device profile

Use Apple Configurator 2 to build the profile. Current versions no longer support generating an MDM profile directly, so you can only create a generic profile first and then add the MDM-related fields by hand.

The generated template looks roughly like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ConsentText</key>
    <dict>
        <key>default</key>
        <string>install to enble DiDi manage your device</string>
    </dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>DevAuthCA.cer.der</string>
            <key>PayloadContent</key>
            <data>
            MIIEFzCCAv+gAwIBAgIIZylBveTSpRowDQYJKoZIhvcNAQELBQAw
            YjELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkFwcGxlIEluYy4xJjAk
            BgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYw
            FAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTEzMDQyOTE4NDA1NFoX
            DTI4MDQyOTE4NDA1NFowgYsxOTA3BgNVBAMMMERldmVsb3BlciBB
            dXRoZW50aWNhdGlvbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEs
            MCoGA1UECwwjQXBwbGUgV29ybGR3aWRlIERldmVsb3BlciBSZWxh
            dGlvbnMxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVT
            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6rDzm76u
            93aLqrS9hopNDa9oIjbzlWn62CLEsB4+GmzBJR6qK+ITfjbh6G0a
            /etrPsB/LYqUU4WAJiiZZqMWCLTkvD061OoGQFlZEt7fJu0plH49
            08rzTUA4nd81towql+yjYJH9wSGgvDfg2QpsvXd5c2ITTjgSUfZR
            wSFHTYHA3Eoj/rpDuuar1RHxZsswxrdB8o8lHJuaShGHWFbsYfNC
            FUmFMAxZbA3ppTYwcaAD8/KjUM3AeJbVqToz81QhEYmfMYFpsb8x
            I5ae3MNmOlBaL169c+hUHFTtoUmzbRI1gnrXVKhLMsIpCngAvNEp
            X85mEOCnN2NCJQrk3Ig5cQIDAQABo4GmMIGjMB0GA1UdDgQWBBRJ
            9jYJuBsj+gNbtuqCoNldEBhnBjAPBgNVHRMBAf8EBTADAQH/MB8G
            A1UdIwQYMBaAFCvQaUeUdgn+9GuNLkCm90dNfwheMC4GA1UdHwQn
            MCUwI6AhoB+GHWh0dHA6Ly9jcmwuYXBwbGUuY29tL3Jvb3QuY3Js
            MA4GA1UdDwEB/wQEAwIBBjAQBgoqhkiG92NkBgILBAIFADANBgkq
            hkiG9w0BAQsFAAOCAQEA1fKJRhfZZspW9+GqK8+E6ciXbsABciYm
            IvGy0snmeRN+e1KuFsoQmOXmdNY7SFvdb+2ZN/doOd5Es8hAih+3
            VwHbac8YiFDXphpQshJJrtiOSBSsXBDgz0b4LjRqhtXdU9BB67nD
            Q2/zZSNKxvIqXqqsPQiKv/tctQH7kr3ogmZ4GkqjGgHWEocbTfOF
            pioDQ1xXP0eF/jn02cp9vnyAuyqpkybJYkaIAVUq2bRWV+9D6WLo
            6/3X8AWOCj65GPgx+DLIDAD2yHJu1D9JuSqD5cD1AChpPUregUvi
            Uszq4TyJ7LjHi4/w1jbWrlbeObEp2lNcKFTKIkeSZ88IE2b25g==
            </data>
            <key>PayloadDescription</key>
            <string>添加 PKCS#1 格式的证书</string>
            <key>PayloadDisplayName</key>
            <string>Developer Authentication Certification Authority</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.pkcs1.A742C668-A859-4DB9-B7AD-5913CDACD1C9</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs1</string>
            <key>PayloadUUID</key>
            <string>A742C668-A859-4DB9-B7AD-5913CDACD1C9</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>AppleWWDRCAG2.cer</string>
            <key>PayloadContent</key>
            <data>
            MIIC9zCCAnygAwIBAgIIb+/Y9emjp+4wCgYIKoZIzj0EAwIwZzEb
            MBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1B
            cHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwK
            QXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTQwNTA2MjM0MzI0
            WhcNMjkwNTA2MjM0MzI0WjCBgDE0MDIGA1UEAwwrQXBwbGUgV29y
            bGR3aWRlIERldmVsb3BlciBSZWxhdGlvbnMgQ0EgLSBHMjEmMCQG
            A1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzAR
            BgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMFkwEwYHKoZI
            zj0CAQYIKoZIzj0DAQcDQgAE3fC3BkvP3XMEE8RDiQOTgPte9nSt
            QmFSWAImUxnIYyIHCVJhysTZV+9tJmiLdJGMxPmAaCj8CWjwENrp
            0C7JGqOB9zCB9DBGBggrBgEFBQcBAQQ6MDgwNgYIKwYBBQUHMAGG
            Kmh0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDQtYXBwbGVyb290
            Y2FnMzAdBgNVHQ4EFgQUhLaEzDqGYnIWWZToGqO9SN863wswDwYD
            VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBS7sN6hWDOImqSKmd6+
            veuv2sskqzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmFw
            cGxlLmNvbS9hcHBsZXJvb3RjYWczLmNybDAOBgNVHQ8BAf8EBAMC
            AQYwEAYKKoZIhvdjZAYCDwQCBQAwCgYIKoZIzj0EAwIDaQAwZgIx
            ANmxxzHGI/ZPTdDZR8V9GGkRh3En02it4Jtlmr5s3z9GppAJvm6h
            OyywUYlBPIfSvwIxAPxkUolLPF2/axzCiZgvcq61m6oaCyNUd1To
            FUOixRLal1BzfF7QbrJcYlDXUfE6Wg==
            </data>
            <key>PayloadDescription</key>
            <string>添加 PKCS#1 格式的证书</string>
            <key>PayloadDisplayName</key>
            <string>Apple Worldwide Developer Relations CA - G2</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.pkcs1.32A40F6B-24FA-4026-9BF6-66AED47CEC40</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs1</string>
            <key>PayloadUUID</key>
            <string>32A40F6B-24FA-4026-9BF6-66AED47CEC40</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>AppleRootCA-G2.cer</string>
            <key>PayloadContent</key>
            <data>
            MIIFkjCCA3qgAwIBAgIIAeDltYNno+AwDQYJKoZIhvcNAQEMBQAw
            ZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEcyMSYwJAYDVQQL
            DB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UE
            CgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTQwNDMwMTgx
            MDA5WhcNMzkwNDMwMTgxMDA5WjBnMRswGQYDVQQDDBJBcHBsZSBS
            b290IENBIC0gRzIxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRp
            b24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYD
            VQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
            ANgREkhI2imKScUcx+xuM23+TfvgHN6sXuI2pyT5f1BrTM65MFQn
            5bPW7SXmMLYFN14UIhHF6Kob0vuy0gmVOKTvKkmMXT5xZgM4+xb1
            hYjkWpIMBDLyyED7Ul+f9sDx47pFoFDVEovy3d6RhiPw9bZyLgHa
            C/YuOQhfGaFjQQscp5TBhsRTL3b2CtcM0YM/GlMZ81fVJ3/8E7j4
            ko380yhDPLVoACVdJ2LT3VXdRCCQgzWTxb+4Gftr49wIQuavbfqe
            QMpOhYV4SbHXw8EwOTKrfl+q04tvny0aIWhwZ7Oj8ZhBbZF8+Nfb
            qOdfIRqMM78xdLe40fTgIvS/cjTf94FNcX1RoeKz8NMoFnNvzcyt
            N31O661A4T+B/fc9Cj6i8b0xlilZ3MIZgIxbdMYs0xBTJh0UT8TU
            gWY8h2czJxQI6bR3hDRSj4n4aJgXv8O7qhOTH11UL6jHfPsNFL4V
            PSQ08prcdUFmIrQB1guvkJ4M6mL4m1k8COKWNORj3rw31OsMiAND
            C1CvoDTdUE0V+1ok2Az6DGOeHwOx4e7hqkP0ZmUoNwIx7wHHHtHM
            n23KVDpA287PT0aLSmWaasZobNfMmRtHsHLDd4/E92GcdB/O/Wuh
            wpyUgquUoue9G7q5cDmVF8Up8zlYNPXEpMZ7YLlmQ1A/bmH8DvmG
            qmAMQ0uVAgMBAAGjQjBAMB0GA1UdDgQWBBTEmRNsGAPCe8CjoA1/
            coB6HHcmjTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
            BjANBgkqhkiG9w0BAQwFAAOCAgEAUabz4vS4PZO/Lc4Pu1vhVRRO
            TtHlznldgX/+tvCHM/jvlOV+3Gp5pxy+8JS3ptEwnMgNCnWefZKV
            fhidfsJxaXwU6s+DDuQUQp50DhDNqxq6EWGBeNjxtUVAeKuowM77
            fWM3aPbn+6/Gw0vsHzYmE1SGlHKy6gLti23kDKaQwFd1z4xCfVzm
            MX3zybKSaUYOiPjjLUKyOKimGY3xn83uamW8GrAlvacp/fQ+onVJ
            v57byfenHmOZ4VxG/5IFjPoeIPmGlFYl5bRXOJ3riGQUIUkhOb9i
            ZqmxospvPyFgxYnURTbImHy99v6ZSYA7LNKmp4gDBDEZt7Y6YUX6
            yfIjyGNzv1aJMbDZfGKnexWoiIqrOEDCzBL/FePwN983csvMmOa/
            orz6JopxVtfnJBtIRD6e/J/JzBrsQzwBvDR4yGn1xuZW7AYJNpDr
            FEobXsmII9oDMJELuDY++ee1KG++P+w8j2Ud5cAeh6Squpj9kuNs
            JnfdBrRkBof0Tta6SqoWqPQFZ2aWuuJVecMsXUmPgEkrihLHdoBR
            37q9ZV0+N0djMenl9MU/S60EinpxLK8JQzcPqOMyT/RFtm2XNuyE
            9QoB6he7hY1Ck3DDUOUUi78/w0EP3SIEIwiKum1xRKtzCTrJ+VKA
            Cd+66eYWyi4uTLLT3OUEVLLUNIAytbwPF+E=
            </data>
            <key>PayloadDescription</key>
            <string>添加 CA 根证书</string>
            <key>PayloadDisplayName</key>
            <string>Apple Root CA - G2</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.root.A0BB6B15-2A9E-47B8-9EC2-871F1C04DE8E</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>A0BB6B15-2A9E-47B8-9EC2-871F1C04DE8E</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>Password</key>
            <string>yourPWD</string>
            <key>PayloadCertificateFileName</key>
            <string>Identity.p12</string>
            <key>PayloadContent</key>
            <data>
            MIINeQIBAzCCDT8GCSqGSIb3DQEHAaCCDTAEgg0sMIINKDCCB98G
            CSqGSIb3DQEHBqCCB9AwggfMAgEAMIIHxQYJKoZIhvcNAQcBMBwG
            CiqGSIb3DQEMAQYwDgQISPv8pCIqoMwCAggAgIIHmIW7JqMAsRYE
            Zb1bI8OK2QMWzR2ZAALxYRzvclL4Y4bhrxpK+muxPUj20lq3tR7L
            jORI5yz9h1b+iXw+DezIs3+2PzGK9bQ3LwXIT23eEStW6UfA958J
            u98w6XfupsFAUe/mrxw28eyP7hvG0BWzDIdO8pLJfKzyOROqsGRy
            guq3pBN+wZWqb/eyQRcod/nek12Ob0KcNcChtPgzgwLtbpRJ02lh
            cU9PYc9u+trKtdg8of6quZJoqwVMIkkbsNLrQ8bigS/FKo1Myx0J
            XlFiZaz+CjF5qs3VaSOtC1GDEhuJRnZHtTF/EvjinrhmrqG6iACz
            +R955Q2FYwM+FXhLTtQ5z1nZzZ3liWzXPGYIMA9RT+vYQdsNUBrL
            jmliJoGXqe2hxfSNaH6PCPEYwkoE0MQC7kZkS2i3bQLHykZbaZdS
            u+YxsqQ3Dl72EjTrYBTlOcfpE/7Vw/QurxSElZrV5hnb796zXKiX
            x0Bky25831mDW/ilA0IdQIJt5EAsU1FYqN5hNU3EpbNFl+sSNv4f
            YsDvm+91yDk2hWFots9AyEMTVan2HJgvqkV/MET+UTCXC9tAhEPu
            y2xubYvCF5HZVPsts+JjmgvIHKLsxGeBk6m2lUYrAKaQOURIjyTa
            dW8Hux1oDE7tQx1ounXmar9ELtFmxwEpQ/IyizkHLULwf3Lxtdfe
            tD4OghtvZGLv5uoJcdt0UnGsupmWNVtdKS7va7RLqwesut5FTt5x
            YgN06uRvKTI8CF0Oi7FihD5BG6/t7icAJvwcmaeur/UzLmAT/1ZN
            hU0VObzKlVKOpy2Ll0uwZfyn+J04vTxZ4vUId0bfpWwoOINU12c6
            gr4k0HB2fK1ehiHJn4Cn6ap7tC4aD2sXIafPsfXIrXqNW2KGTMN1
            Dc+S8HeoqX3d/wMqrDYeSJo8Dn6Zn6O60MnvwuljYcCmho7WHPN4
            Pqvrnzpcg49wGQEs2G1ptlOCvcAIKTfCo4BZ4080cQe45TPIwnTJ
            Ajd7pmStvYB1ywzH9a4STaIQ1fBNtg7h+G8z19fsD8vdlEHcVwcV
            ButEhxUaxAhwK1Eee/1rmN4kQ5UT+zCCcNjIDeNHtd8PSMOFfZc6
            aRL2mpbFa9IhkeKKuzt7cMx+Iqvvzl3NX+ZrJSqpiFtx7Cxi7uv9
            nVETZAr9L8okYHGw4Se0ObrDelCKGSdLoR54HNrw9FEpQ0zfhtke
            PqG+whBBWsKrI0cwFNKp+AoMqHaGyr0lKNbD1cnbu1+ldA1aSoCQ
            Va035smpmGI9rCaLEbsBnnKpUJ/uDivWP8PlHZBkEumfG3jMQen+
            ozPhZ19Mzcch8QG93qvFCZol/IupuURxyrXxN5XppF2OPsKC8/R2
            N6Lrr9K/mr8alZ8X2FDk3y9cYCTJ4zu6cVSiVMOLtH2BrWXHilwC
            J9MY43IObHTndIHKwI7dCxA8ZOKuchRO4qxOgH5O8HUBcmWCfFtG
            ii0KSpwhGPrKiEy2Iu/ztiA03dvGn0hufFyYXNi1A0TkVkexqDZW
            XFGEsWxE6UCKpFurtpio7P9VwTMIW5w+yqmpx/ilhN+xbNZHETU1
            tUSWgkpSm5WYh+69PkKMFIECZ0JRB6gfpfpgLGzScXrJcfCP4k/E
            ztE2NpwGdG9bQgv9lNyjPqP5aekEyK/gtWwIgBF9s01Wc1G3Pwnk
            V6KW1vlTRFzMIJi5YJmk/LdeH93uh4nHMp59QlNr0rSwMUMeY9UO
            NkqAO6aHvZF4BIsHJbVXg8DEIA9KWTjUWtw4ZhZu1KlltfGzctHX
            W6+Xa/jd6luANdlJ34yWXnmc9CmsEModagEVrYTJYVes2DEgeVtT
            +jtXqaSLlHUrHDzxJR/UyeiB3Zvs9GcFhR7vvrtC8J8pDbLhuoaw
            yhmXp86c6LjBUXzG3iwPh/7ehbuh4sZQMmmBPkqS90d/ct6ujZte
            qX2KKRoZxA46Wno4bzcWcDOm9JsvMzh5PUTu56xDx6VVvrILkoAK
            6S7IqKMihA/My11IUpWBV6CMoAsLJeo/vDrIRTE21iV1LYIa2JSL
            fOPK3qm1H4lPz2Fll7cHXeZ6JvJ993zxr6hlmwxKRafRnFczfbg0
            EwfrKkkEbIXnbXhMYR7kn5whxkdyRxaVTOIb6GC/EimkBskNlSJh
            IjelRaiOCZp2sBs6SuSql4OYIifnFEwzCJ8lvYTnvaNOoB2OJkYn
            yBOOekfk8ZRKd4NmFFvATaEKfWsIGnpbYnnZ2X0fEHc1Jz9wRB4I
            YwKXbofMtbXGuJ/WgfT7QlxhWqdo6vxbabWdJpq8EY3lxix3QL8v
            /QXvTxqTVnBk4qW/qEDQgGknk1wIWu66t5mPdKmEw8lzdFp13dV6
            1eKftikZOlKNKJbODHriCQ8OiQgpeQLO2puk0Ym6ZVeUjVxdJnex
            Z+y81/1WU1Z6RwP12410Hwu5xPwLzd/+JaXleUQBRVYw7DsdEBCE
            F1UPUcVpqdPebcOa17Q2Ksr//JUc0xWcQJ7jhBDU9Egx5Mopj5y7
            HOBuiQ8Ci9HjRnQN0YQEspqXPj2N/QzrfSiwwyfhhHlgpJDzihfX
            yAbqtZFcer219Y3vcOMkX0wd4ftoAeeeBTCCBUEGCSqGSIb3DQEH
            AaCCBTIEggUuMIIFKjCCBSYGCyqGSIb3DQEMCgECoIIE7jCCBOow
            HAYKKoZIhvcNAQwBAzAOBAj4e7Sv8km87gICCAAEggTIWgM4Qg4a
            I35dq9FGoHDYgxtmAB9Y/2Yn1HTU+R9sMMpea4OIBrfXyqlHYX00
            kl/rx+c15fKIUlOD4jH+kndz+6xHpVerFnbeWy6NASMbFE4pYKHD
            /elNj18Dw34SbNRbHSx44tV3kzNBjx4eTImj6pZqLsFIHAQfEMur
            QXSwMTI8lmfXGtd22MHNL27VGJ7nC7X5OIpP/lcelatHfq6TWPz6
            SrzsVJH/ayPpBywWBXl3mnMMDBAAeUaiH8Hvk5nQdN2UPrvNckRL
            F7dlCLApQitVLAROrN7DEfdYCLnzqrxpzOFGs/N0ofZpWTzv2rgE
            qWQ05FFEK9knvej54K/r/tttmK/ImgNcU8voqJox3znWodZrcE5E
            znp4gwD77S32cr7EURMqh8z2yKAjkBMzw04Z/Tl6y7Gg7eX90qpb
            yvG+cXKavdULydv+dqheTVnCvhbxMnA6Gjv1w614EoUr90LEcKhB
            ziWc+ObVTcUsIwNkiixjWgmYbHg5q66hbZ73ePncnV2XWLGJOntA
            FafO/lcVoCOYACee3471Q2Qip52atlHTFZcKCgVgX9AEQC7GVdVn
            yjonWgKHrdG7J8ehr+qxSNbr+NT3zFbTwmkhBu8eKY5TJixBkoTC
            vGNh6j3qy8p2AVmtXOusOP96lcGt4u9aZULsnFG50iR4QbHfNeko
            u2G+f2M+/92bNgpLIY1x/yArFo3xGZg9X1MnftyPrYanVsMiytO2
            FAtOFCX3e33bkzkzIOa6uII4KpCiyZ4Y9J4Xo14skhRUAeRMLYI/
            1wJ0+FAVDT3h9BMffYYV3+9eJKUjuQzEK4QZB7PjQ+o9iqPg41lA
            8sfqWPNEjkQJ79/bteYp2kf0SaltYJPNotLOc21ZtU/sM3XcEaDv
            +FLT3CDEmXQBnTBRW0pn79zrvAwza5CPqNhejF3eZaz+MqHE/T1W
            3e6XE98OvBGUGYyYJP5B52nuniLEQQsMlpx0k3tOgX5pzXsbS1ET
            vjf110+zlXP6HtiQiFWE1CiepLrexZJWJh1306Vt8BwAkC3MoBct
            q5zu1eqUePcPn0JPP/Xf8VL/+W0Xdg2sVxbCiKE5iT6/ZnzcdzRS
            BVGGY5nxG7aVMcsUe3k39hw8bIdDjdF17YiiFrJbj6fjE2UWkvjS
            cvxT5ap4jCGUwUiRhoWFsFsBf21ZEvV0wAzU+pFIrXYfzXL8lEQ3
            1FYKDcYVGzIthx3KpBY7ACuq43nPDO7DJqde9kwgeaOxMPr6p8Xa
            m69jul/vZAB9QajfTzF04lTACCDBwUpnHk4iak+UAy56LGjix3iD
            FQXNG9QBf7XzZrEz9Y+BC2AS0R8J7yMSAYo+dIrHWywHo1bx9q4g
            oJidx2eFJI02XJnghkRDQg2O/95jYzp4NmpIo9O6s0P6xyjZ7IJA
            W/sY2a3vLdo3NlpTMJ9kKz/hEXkajXmaWs8AGoG2MBHjqxd69NRH
            GxOBmLwuaN0k/MX+oEKvak+iE/22O1i/zTSHCRqEN1g1WbFA/yMv
            QTj0iB4x8vziQAs1scPjJ9915CuoZ3NOWNN+AY9JXTtc4MQq8OaN
            igwHLq8yP6bPf64dammDwrqfv4jm+geJJBGI34EX7Treok2u+jyc
            I0lLSv603XN5MSUwIwYJKoZIhvcNAQkVMRYEFFcbKmi+SkFemKRs
            WZm6BWrzFSOgMDEwITAJBgUrDgMCGgUABBSk3QCiculUdJKQNkJX
            e96ah6AF/AQIVFgg47LiiYwCAggA
            </data>
            <key>PayloadDescription</key>
            <string>添加 PKCS#12 格式的证书</string>
            <key>PayloadDisplayName</key>
            <string>Identity.p12</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.pkcs12.E61D7ED5-850A-4F2E-B191-F99E40846FF6</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>E61D7ED5-850A-4F2E-B191-F99E40846FF6</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>MDM enbale server manage your device</string>
    <key>PayloadDisplayName</key>
    <string>XXX MDM</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.mgmt.External.3a3c70d4-cc4f-4713-xxxx-f38d6fd7xxxx</string>
    <key>PayloadOrganization</key>
    <string>XXX</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>D633CDFE-9806-4224-AD38-7FE0CAB12163</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

The tool above generates this profile once you fill in the relevant information and import the certificates, but the actual MDM policy requires manually adding a dictionary like the following:

<dict>
    <key>AccessRights</key>
    <integer>8191</integer>
    <key>CheckInURL</key>
    <string>https://mdmapi.demo.com/checkin</string>
    <key>CheckOutWhenRemoved</key>
    <true/>
    <key>IdentityCertificateUUID</key>
    <string>E61D7ED5-850A-4F2E-B191-F99E40846FF6</string>
    <key>PayloadDescription</key>
    <string>Configures MobileDeviceManagement.</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.mdm.2C62A547-9CA9-4D5A-AF86-0DF2467274EF</string>
    <key>PayloadOrganization</key>
    <string>Developer Insider</string>
    <key>PayloadType</key>
    <string>com.apple.mdm</string>
    <key>PayloadUUID</key>
    <string>E7438708-331E-4E68-99BC-3B9B435DF3DC</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>ServerURL</key>
    <string>https://mdmapi.demo.com/server</string>
    <key>SignMessage</key>
    <true/>
    <key>Topic</key>
    <string>com.apple.mgmt.External.3a3c70d4-cc4f-4713-xxxx-f38d6fd7xxxx</string>
    <key>UseDevelopmentAPNS</key>
    <false/>
</dict>

A few of the more important fields are explained briefly here

KEY (TYPE): DESCRIPTION

IdentityCertificateUUID (String): Mandatory. UUID of the certificate payload for the device's identity. It may also point to a SCEP payload. You need to use the PayloadUUID of the identity.p12 in this field.

PayloadUUID (String): Mandatory. Here you need to generate a UUID. You can use uuidgen to generate a UUID and then paste it into this field. A UUID looks like this: 34995C2E-XXXX-XXXX-XXXX-D6DB637A1D6E

PayloadIdentifier (String): Here you need to append the UUID generated in the last step after com.apple.mdm. Your payload identifier then looks like this: com.apple.mdm.34995C2E-XXXX-XXXX-XXXX-D6DB637A1D6E

Topic (String): Mandatory. The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the com.apple.mgmt.External.hexstuffhere... prefix.

ServerURL (String): Mandatory. The URL that the device contacts to retrieve device management instructions. Must begin with the https:// URL scheme, and may contain a port number (https://YOUR_HOSTNAME_OR_IP:PORT/server, for example).

CheckInURL (String): Optional. The URL that the device should use to check in during installation. Must begin with the https:// URL scheme and may contain a port number (https://YOUR_HOSTNAME_OR_IP:8080/checkin, for example). If this URL is not given, the ServerURL is used for both purposes.

CheckOutWhenRemoved (Boolean): Optional. If true, the device attempts to send a CheckOut message to the check-in server when the profile is removed. Defaults to false.

AccessRights (Integer, flags): Required. Logical OR of the following bit-flags:
  • 1: Allow inspection of installed configuration profiles.
  • 2: Allow installation and removal of configuration profiles.
  • 4: Allow device lock and passcode removal.
  • 8: Allow device erase.
  • 16: Allow query of Device Information (device capacity, serial number).
  • 32: Allow query of Network Information (phone/SIM numbers, MAC addresses).
  • 64: Allow inspection of installed provisioning profiles.
  • 128: Allow installation and removal of provisioning profiles.
  • 256: Allow inspection of installed applications.
  • 512: Allow restriction-related queries.
  • 1024: Allow security-related queries.
  • 2048: Allow manipulation of settings.
  • 4096: Allow app management.
  May not be zero. If 2 is specified, 1 must also be specified. If 128 is specified, 64 must also be specified.

UseDevelopmentAPNS (Boolean): Optional. If true, the device uses the development APNS servers. Otherwise, the device uses the production servers. Defaults to false. Note that this property must be set to false if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal. That portal only issues certificates for the production push environment.
  • IdentityCertificateUUID: this UUID is the PayloadUUID of identity.p12. identity.p12 is in fact a device identity certificate, and it may not be obvious how to produce it; a self-signed certificate is sufficient. The procedure is as follows

    Generate the self-signed certificate (create a 2048-bit RSA private key)

    openssl genrsa -out server.key 2048
    

    Generate the self-signed certificate (create the certificate signing request)

    openssl req -new -key server.key -out server.csr
    

    Generate the self-signed certificate (create an X.509 self-signed certificate)

    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
    

    At this point we have three files: server.key, server.csr and server.crt

    Then copy server.crt into two files named identity.crt and server.crt

    Likewise copy server.key into two files named cakey.key and identity.key

    Finally rename server.csr to identity.csr

    Then use make_certs.sh to generate Identity.p12

  • AccessRights: this field determines which permissions the profile asks for when it is installed; the value is a bitwise combination of the flag bits listed above

  • CheckInURL and ServerURL relate to the three-way communication between the MDM device, Apple's APNS and the server, covered later
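The field rules above are easy to get subtly wrong by hand (an AccessRights value of 2 without 1, an http:// ServerURL, UseDevelopmentAPNS left true, or an IdentityCertificateUUID that does not match the PKCS#12 payload). As an added example, not code from the original post or from any of the tools it mentions, here is a small Python linter that encodes those rules and runs them over an unsigned .mobileconfig. It decodes AccessRights into the named flags and checks the two flag dependencies, the https:// scheme, the Topic prefix, the identity reference and the APNS environment. The two sample profiles are constructed inside the script with placeholder PKCS#12 bytes; their UUIDs, Topic and URLs are taken from the MDM dictionary above.

```python
import plistlib

# AccessRights flag bits, as listed in the MDM payload key table above.
ACCESS_RIGHTS_FLAGS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS_FLAGS)  # 8191, the value used in the MDM dictionary above
MANDATORY_KEYS = ("IdentityCertificateUUID", "PayloadUUID", "PayloadIdentifier",
                  "Topic", "ServerURL", "AccessRights")
IDENTITY_TYPES = ("com.apple.security.pkcs12", "com.apple.security.scep")


def decode_access_rights(value):
    """Return the names of the flag bits set in an AccessRights integer."""
    return [name for bit, name in ACCESS_RIGHTS_FLAGS.items() if value & bit]


def check_access_rights(value):
    """Return the problems with an AccessRights value (empty list if it is valid)."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        return ["AccessRights must be a positive integer"]
    problems = []
    if value & ~ALL_RIGHTS:
        problems.append("AccessRights has undefined bits set: %d" % (value & ~ALL_RIGHTS))
    if value & 2 and not value & 1:
        problems.append("AccessRights bit 2 requires bit 1")
    if value & 128 and not value & 64:
        problems.append("AccessRights bit 128 requires bit 64")
    return problems


def lint_mdm_profile(profile_bytes):
    """Parse an unsigned .mobileconfig and return the problems found in its com.apple.mdm payload."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    mdm_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm_payloads) != 1:
        return ["profile must contain exactly one com.apple.mdm payload"]
    mdm = mdm_payloads[0]
    problems = ["missing mandatory key %s" % k for k in MANDATORY_KEYS if k not in mdm]
    for key in ("ServerURL", "CheckInURL"):
        if key in mdm and not mdm[key].startswith("https://"):
            problems.append("%s must use the https:// scheme" % key)
    if not mdm.get("Topic", "").startswith("com.apple.mgmt.External."):
        problems.append("Topic must begin with com.apple.mgmt.External.")
    # IdentityCertificateUUID must name a PKCS#12 (or SCEP) payload inside the same profile.
    identity_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in IDENTITY_TYPES}
    if mdm.get("IdentityCertificateUUID") not in identity_uuids:
        problems.append("IdentityCertificateUUID does not match any PKCS#12 or SCEP payload")
    if "PayloadUUID" in mdm and mdm.get("PayloadIdentifier") != "com.apple.mdm." + mdm["PayloadUUID"]:
        problems.append("PayloadIdentifier should be com.apple.mdm.<PayloadUUID>")
    if mdm.get("UseDevelopmentAPNS", False):
        problems.append("UseDevelopmentAPNS must be false with a Push Certificates Portal certificate")
    if "AccessRights" in mdm:
        problems.extend(check_access_rights(mdm["AccessRights"]))
    return problems


# Constructed sample profiles; the PKCS#12 bytes are a placeholder, not a real identity.
IDENTITY_UUID = "E61D7ED5-850A-4F2E-B191-F99E40846FF6"
MDM_UUID = "E7438708-331E-4E68-99BC-3B9B435DF3DC"
TOPIC = "com.apple.mgmt.External.3a3c70d4-cc4f-4713-xxxx-f38d6fd7xxxx"


def build_profile(mdm_overrides):
    """Build a minimal .mobileconfig as plist bytes; overrides inject defects for negative tests."""
    mdm = {"PayloadType": "com.apple.mdm", "PayloadUUID": MDM_UUID, "PayloadVersion": 1,
           "PayloadIdentifier": "com.apple.mdm." + MDM_UUID, "Topic": TOPIC,
           "IdentityCertificateUUID": IDENTITY_UUID, "AccessRights": ALL_RIGHTS,
           "ServerURL": "https://mdmapi.demo.com/server", "CheckInURL": "https://mdmapi.demo.com/checkin",
           "CheckOutWhenRemoved": True, "SignMessage": True, "UseDevelopmentAPNS": False}
    mdm.update(mdm_overrides)
    identity = {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": IDENTITY_UUID,
                "PayloadIdentifier": "com.apple.security.pkcs12." + IDENTITY_UUID, "PayloadVersion": 1,
                "PayloadContent": b"constructed placeholder, not a real PKCS#12 blob"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadIdentifier": TOPIC,
                           "PayloadUUID": "D633CDFE-9806-4224-AD38-7FE0CAB12163",
                           "PayloadContent": [identity, mdm]})


GOOD_PROFILE = build_profile({})
# Three deliberate defects: plain http ServerURL, AccessRights 2 without 1, development APNS.
BAD_PROFILE = build_profile({"ServerURL": "http://mdmapi.demo.com/server",
                             "AccessRights": 2, "UseDevelopmentAPNS": True})

if __name__ == "__main__":
    print(decode_access_rights(ALL_RIGHTS))
    print(lint_mdm_profile(GOOD_PROFILE))  # []
    print(lint_mdm_profile(BAD_PROFILE))   # the three problems listed above
```

To check your own profile, call lint_mdm_profile(open("profile.mobileconfig", "rb").read()) before the signing step: a signed .mobileconfig is a CMS envelope rather than a bare plist, so plistlib cannot read it, which is one more reason to test the unsigned profile first as the next section recommends.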

Sign the profile

Before signing, I recommend testing communication with the unsigned profile first, to make sure that once the unsigned profile is installed the server can send commands and communicate normally.

The signature here only serves profile deployment and has nothing to do with MDM itself, so in fact any certificate can be used to sign it; but to assure users that the profile was published by the company, I recommend using the company's iOS developer certificate. Two tools are provided here

They are straightforward to use, so I will not describe them further.

MDM Command Structure and Protocol Analysis

Placeholder; to be filled in when time permits

Recommended Enterprise MDM Setup

Although MDM itself offers many remote-command device management features, in practice they fall well short of what enterprise management needs, so I recommend pairing it with an agent-style app. In our implementation, the agent is pushed and installed at the moment the profile is installed, and all subsequent user interaction is handled by the app. The app's main roles are obtaining location, binding accounts to devices, security admission control, QR-code login and so on, as well as delivering company-level VPN and related corporate configuration. There is much more that can be done here, tailored to how the enterprise actually manages its devices.

References