iOS Device Enrollment with Self-Developed MDM?


Problem description


I am in the process of trying to develop a really simple proof-of-concept iOS MDM that will allow for OTA enrollment of iOS devices. This isn't meant to be some MobileIron replacement or anything. It's really just a learning exercise. I am developing my code in Java, with JAX-RS for the RESTful service endpoints.


At this point, I am able to hit a URL (http://myhost/enroll) from my iOS that will return an enrollment response to kick off the device enrollment process. The response returned looks something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <dict>
            <key>URL</key>
            <string>https://myhost/profile</string>
            <key>DeviceAttributes</key>
            <array>
                <string>UDID</string>
                <string>IMEI</string>
                <string>ICCID</string>
                <string>VERSION</string>
                <string>PRODUCT</string>
            </array>
            <key>Challenge</key>
            <string>MySuperSecureChallenge</string>
        </dict>
        <key>PayloadOrganization</key>
        <string>Example Inc.</string>
        <key>PayloadDisplayName</key>
        <string>Profile Service</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadUUID</key>
        <string>fdb376e5-b5bb-4d8c-829e-e90865f990c9</string>
        <key>PayloadIdentifier</key>
        <string>com.example.mobileconfig.profile-service</string>
        <key>PayloadDescription</key>
        <string>Enter device into the Example Inc encrypted profile service</string>
        <key>PayloadType</key>
        <string>Profile Service</string>
    </dict>
</plist>


Once my device receives this payload, it takes me to the Settings app and prompts me to install the profile. When I click "Install", it performs an HTTP POST to another URL (http://myhost/profile) and includes the attributes I requested in the response from /enroll.


My /profile endpoint is able to successfully extract the signed response from my iOS device, which looks something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>CHALLENGE</key>
        <string>MySuperSecureChallenge</string>
        <key>IMEI</key>
        <string>__MY_IMEI__</string>
        <key>PRODUCT</key>
        <string>iPhone10,4</string>
        <key>UDID</key>
        <string>__MY_UDID__</string>
        <key>VERSION</key>
        <string>15B202</string>
    </dict>
</plist>


My question is: now what?? I've found example payloads like this (from Apple) that show how to do SCEP enrollment. However, I don't want to do SCEP for this simple proof-of-concept. Is there something else I can return at this stage? If so, what should the response contain and look like? I haven't found any documentation outlining what should be returned by my /profile endpoint if I'm not using SCEP, so I'm a little stuck.


UPDATE: I found some resources online that imply that I need to either use SCEP or provide a PKCS#12-formatted certificate in the payload. So, I have updated the return value of the /profile to look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadContent</key>
                <dict>
                    <key>Challenge</key>
                    <string>MyChallengeGoesHere</string>
                </dict>
                <key>PayloadDescription</key>
                <string>Provides device encryption identity</string>
                <key>PayloadUUID</key>
                <string>fd8a6b9e-0fed-406f-9571-8ec98722b713</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs12</string>
                <key>PayloadDisplayName</key>
                <string>Cert Test</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadOrganization</key>
                <string>Example, Inc.</string>
                <key>PayloadIdentifier</key>
                <string>com.example.profileservice.webclip</string>
                <key>PayloadContent</key>
                <string>__MY_BASE64_ENCODED_PKCS12_CERT__</string>
                <key>Password</key>
                <string>__MY_CERT_PASSWORD__</string>
            </dict>
        </array>
    </dict>
</plist>


I'm returning this value back to the client, but when I click Install on my iOS device, I get an error saying:


Profile Installation Failed A connection to the server could not be established.


Now, I know that communication isn't an issue, because I see the connection to /profile in my logs and debugger. Is there something else I'm missing? Does the profile need to be digitally signed? If so, what format is it? Which certificate should I be using to sign it?
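The two server-side steps the question walks through (serve the profile-service payload from /enroll, then consume the attributes the device POSTs to /profile) as an added example in Python using the standard-library plistlib. This is not the asker's Java/JAX-RS code and not Apple sample code. It assumes the CMS signature wrapper on the device's POST has already been stripped and verified before verify_device_response is called, as the question says its endpoint does; the in-memory challenge store, the five-minute lifetime, the profile URL and the sample UDID are constructed for the example. It goes one step beyond the page by making the challenge a random, single-use, expiring nonce instead of the fixed string in the question's plist, so a captured /enroll response cannot be replayed into a second enrollment.

```python
import plistlib
import secrets
import time
import uuid

CHALLENGE_TTL_SECONDS = 300  # constructed: how long a /enroll challenge stays valid

# Outstanding challenges, value -> expiry timestamp. Constructed in-memory store;
# a multi-instance server would keep this in shared storage.
_pending_challenges = {}


def build_profile_service_payload(profile_url):
    """Return the plist served by /enroll, carrying a fresh one-time challenge."""
    challenge = secrets.token_urlsafe(32)          # random per-enrollment nonce
    _pending_challenges[challenge] = time.time() + CHALLENGE_TTL_SECONDS
    payload = {
        "PayloadContent": {
            "URL": profile_url,
            "DeviceAttributes": ["UDID", "IMEI", "ICCID", "VERSION", "PRODUCT"],
            "Challenge": challenge,
        },
        "PayloadOrganization": "Example Inc.",
        "PayloadDisplayName": "Profile Service",
        "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadIdentifier": "com.example.mobileconfig.profile-service",
        "PayloadDescription": "Enter device into the Example Inc encrypted profile service",
        "PayloadType": "Profile Service",
    }
    return plistlib.dumps(payload)                 # XML plist bytes with the Apple DOCTYPE


def verify_device_response(inner_plist):
    """Validate the attributes plist the device POSTs to /profile.

    `inner_plist` is the plist left after the CMS signature has been removed and
    checked. Raises ValueError when the challenge is unknown, reused or expired;
    otherwise returns the device attributes the server asked for.
    """
    attrs = plistlib.loads(inner_plist)
    challenge = attrs.get("CHALLENGE")
    expiry = _pending_challenges.pop(challenge, None)   # pop: a challenge is single use
    if expiry is None:
        raise ValueError("unknown or already-used challenge")
    if time.time() > expiry:
        raise ValueError("challenge expired")
    if not attrs.get("UDID"):
        raise ValueError("device response lacks UDID")
    wanted = ("UDID", "IMEI", "ICCID", "VERSION", "PRODUCT")
    return {k: attrs[k] for k in wanted if k in attrs}


def challenge_from_payload(payload):
    """Read the challenge back out of a /enroll response (used by the demo below)."""
    return plistlib.loads(payload)["PayloadContent"]["Challenge"]


def make_device_response(challenge):
    """Constructed sample of the inner plist a device sends back to /profile."""
    return plistlib.dumps({
        "CHALLENGE": challenge,
        "PRODUCT": "iPhone10,4",
        "UDID": "00000000-000000000000ABCD",   # constructed placeholder UDID
        "VERSION": "15B202",
    })


if __name__ == "__main__":
    enroll_response = build_profile_service_payload("https://myhost/profile")
    device_post = make_device_response(challenge_from_payload(enroll_response))
    print(verify_device_response(device_post))     # first use succeeds
    try:
        verify_device_response(device_post)        # replay of the same POST is rejected
    except ValueError as err:
        print("replay rejected:", err)
```

Extracting the plist from the device's signed POST is not the same as verifying it: the CMS signature is what ties the attributes to a real device, so the signature check belongs before verify_device_response, not after. Plain plistlib.loads is used here only for the already-verified inner document.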

Recommended answer


After LOTS of trial and error, I have finally figured out what the issue was for this profile. I was missing a couple of parameters: PayloadIdentifier and PayloadUUID. Further, the value for the PayloadContent parameter containing my base64-encoded certificate should be data, not string. So, my new profile looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>9f93912b-5fd2-4455-99fd-13b9a47b4581</string>
        <key>PayloadIdentifier</key>
        <string>org.example.mymdm</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs12</string>
                <key>PayloadUUID</key>
                <string>f78c5002-3907-4f67-b631-d41c44283628</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadIdentifier</key>
                <string>com.mymdm.cert</string>
                <key>Password</key>
                <string>__MY_CERT_PASSWORD__</string>
                <key>PayloadContent</key>
                <data>__MY_BASE64_ENCODED_P12__</data>
            </dict>
        </array>
    </dict>
</plist>


Once I made these changes, I was able to successfully install the profile on my iOS device.
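The two fixes the answer arrived at (top-level PayloadIdentifier and PayloadUUID, and the PKCS#12 blob as data rather than string) as an added Python example that is not the answerer's code. It builds the corrected profile with plistlib, which emits a <data> element automatically when the value is bytes, and it includes a small checker that flags exactly the defects of the question's first attempt. The required-key list is the four Payload* keys common to every payload in Apple's configuration profile format; the PKCS#12 bytes, password, identifiers and display names are constructed placeholders, and the broken sample profile is a constructed copy of the question's first attempt, not the page's own text.

```python
import plistlib
import uuid

# Keys every payload dict (top level and each entry of PayloadContent) must carry.
REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def build_pkcs12_profile(p12_der, p12_password, identifier_root="org.example.mymdm"):
    """Serialise a configuration profile with one com.apple.security.pkcs12 payload.

    Handing the PKCS#12 to plistlib as bytes makes it emit <data> (base64 done by
    the serialiser), the type the answer found iOS requires.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier_root,             # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example MDM identity",     # constructed display name
        "PayloadContent": [
            {
                "PayloadType": "com.apple.security.pkcs12",
                "PayloadVersion": 1,
                "PayloadIdentifier": identifier_root + ".cert",
                "PayloadUUID": str(uuid.uuid4()),
                "PayloadDisplayName": "Device identity",
                "Password": p12_password,
                "PayloadContent": p12_der,                # bytes -> <data>
            }
        ],
    }
    return plistlib.dumps(profile)


def check_profile(profile_xml):
    """Return a list of problems found in a profile; empty when it looks acceptable."""
    problems = []
    top = plistlib.loads(profile_xml)
    for key in REQUIRED_PAYLOAD_KEYS:
        if key not in top:
            problems.append("top level: missing " + key)
    if top.get("PayloadType") != "Configuration":
        problems.append("top level: PayloadType must be 'Configuration'")
    payloads = top.get("PayloadContent")
    if not isinstance(payloads, list):
        problems.append("top level: PayloadContent must be an array of payload dicts")
        return problems
    for i, p in enumerate(payloads):
        for key in REQUIRED_PAYLOAD_KEYS:
            if key not in p:
                problems.append("payload %d: missing %s" % (i, key))
        if p.get("PayloadType") == "com.apple.security.pkcs12":
            if not isinstance(p.get("PayloadContent"), bytes):
                problems.append("payload %d: PKCS#12 PayloadContent must be <data>, not <string>" % i)
            if not isinstance(p.get("Password"), str):
                problems.append("payload %d: Password must be a string" % i)
    return problems


def constructed_broken_profile():
    """Constructed sample mirroring the question's first attempt: no top-level
    PayloadIdentifier/PayloadUUID, and the PKCS#12 blob serialised as a string."""
    return plistlib.dumps({
        "PayloadVersion": 1,
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.profileservice.webclip",
            "PayloadUUID": "fd8a6b9e-0fed-406f-9571-8ec98722b713",
            "Password": "__MY_CERT_PASSWORD__",
            "PayloadContent": "__MY_BASE64_ENCODED_PKCS12_CERT__",   # str -> <string>
        }],
    })


if __name__ == "__main__":
    fake_p12 = b"\x30\x82\x01\x00constructed-pkcs12-placeholder"  # not a real PKCS#12
    good = build_pkcs12_profile(fake_p12, "changeit")
    print("fixed profile problems:", check_profile(good))
    print("first-attempt problems:", check_profile(constructed_broken_profile()))
```

The profile this produces is unsigned; iOS will install it but label it as not verified in Settings. Signing the profile is a separate CMS step over the serialised bytes, with a certificate the device already trusts, and is not part of this example.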
