

iOS MDM Overview

2016-02-29
MDM




iOS MDM Overview
Mobile Device Management (MDM) is a function Apple provides in iOS 4 and later for managing iOS devices remotely over the network. The drawing below shows how iOS MDM manages devices.

[Figure: iOS MDM management flow (tech_mdm_07_01-1)]

The server that manages devices is called the MDM server. The push service provided by Apple is called APNs (Apple Push Notification service); it distributes push notifications to iOS devices worldwide.

Device opens a session with APNs
When the device is turned on and ready to connect, a TLS session is established with APNs. The device and APNs stay connected so that commands can be received immediately.

MDM server sends push request
The MDM server requests a push notification from APNs each time a supervised device needs to connect.

Push notification is delivered to the device from APNs
The push notification is delivered from APNs to the device over the network (3G/LTE or Wi-Fi). The push notification activates the system service (mdmd) built into iOS. On iOS there is no need to install a new application on the device to use MDM.

Device and MDM server connection
The system service (mdmd) built into iOS sends an HTTPS request to the pre-registered MDM server. The MDM server responds with the commands to be executed on the device.

Commands
iOS has five categories of commands that can be executed on devices.

Acquisition of Device Information
Acquires device information such as the iOS version or the list of applications installed on the device. When the device is locked, security information is not collected, but the rest is. The fact that the device is locked is reported to the server.

Device Configuration
Once the device receives a configuration file created by Apple Configurator, it is configured accordingly. When the device is locked, the configuration file is not received. It is possible to delete a configuration while the device is locked.

Distribution of applications
iOS devices can install applications developed in-house or from the App Store. When the device is locked, installation or update of applications cannot be executed; however, it is possible to delete applications from the device.

Distribution of Contents
iOS devices can install contents from the iBooks Store or created in-house. When the device is locked, installation or update of contents cannot be executed; however, it is possible to delete contents from the device.

Special Commands
・Remove passcode
・Remote lock
・Remote wipe

An iOS device's data is encrypted while it is locked, so there is a set of commands that are not executed while the device is locked (asleep). Registration (installation) and update commands are held until the user unlocks the device by entering the passcode. Commands for deletion of settings, applications and contents, and remote wipe, are executed even when the device is locked.

When the device is turned off or not connected to the network, push notifications and commands are neither received nor executed. Those commands are held until the device is turned on and connected to the network.

As explained above, when a command is executed depends on the network connection and on the lock/unlock status. Completed commands can be identified on the MDM server. It is important to understand which commands can and cannot be executed while the device is locked.

Some people say MDM (Mobile Device Management) means acquisition of device information and device settings alone, and call listing and distribution of applications MAM (Mobile Application Management). Some call contents distribution MCM (Mobile Contents Management).

iOS has a sandbox structure and contents are stored within applications. Apple manages applications and contents on the device collectively; therefore there are no separate MAM and MCM categories on iOS.

Overview of MDM for Android
When an Android device uses MDM, an MDM client needs to be installed. The MDM client can be installed from Android Market (Google Play).

The Android MDM management flow is as follows.

[Figure: Android MDM management flow (tech_mdm_07_01-2)]

The server that manages devices is called the MDM server. The push service provided by Google is called GCM (Google Cloud Messaging); it distributes push notifications to Android devices worldwide.

MDM client opens a GCM session on the device
When the Android device is turned on and ready to connect, the MDM client establishes a TLS session with GCM. The device and GCM stay connected so that commands can be received immediately.

MDM server sends push request
The MDM server requests a push notification from GCM each time a supervised Android device needs to connect.

Push notification is delivered to the device from GCM
The push notification is delivered from GCM to the MDM client over the network (3G/LTE or Wi-Fi). The push notification activates the MDM client.

Device and MDM server connection
The MDM client that received the push notification sends an HTTPS request to the pre-registered MDM server. The MDM server responds with the commands to be executed on the device.

Commands
Android has four categories of commands that MDM can execute on devices.

Acquisition of Device Information
Acquires device information such as the Android OS version or the list of applications installed on the device.

Device Configuration
The MDM management console applies configuration to devices.

Distribution of applications
Applications developed in-house or from Google Play can be deployed to devices from the MDM console.

Special Commands
・Remove passcode
・Remote lock
・Remote wipe

On Android, commands are executed while the device is locked or in sleep status. However, there is a set of commands that are not executed in sleep status; those commands are held and executed when the device wakes from sleep. Commands for deletion of settings, applications and contents, and remote wipe, are executed even when the device is locked.

When the device is turned off or not connected to the network, push notifications and commands are neither received nor executed. Those commands are held until the device is turned on and connected to the network. Completed commands can be identified on the MDM server.

It is important to understand which commands can and cannot be executed while the device is locked.
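The gating described for iOS (commands held while locked, deletions and the special commands running anyway) and for Android (the same shape, with some commands held while asleep) can be modelled to see what the console shows at each step. The Python below is an added example written for this page; it is not BizMobile Go! code and not the Apple or Google MDM protocol. The command names, the RUNS_WHILE_LOCKED table and the Device, Command and MdmServer classes are assumptions built from the behaviour the text describes, and Android's "asleep" is treated the same way as iOS's "locked".

```python
"""Constructed model of an MDM server gating commands on device state.

Assumptions (not from the page): command names, the policy table and the
classes below. Behaviour follows the text: installs/updates wait for unlock,
deletions and special commands run while locked, nothing reaches an offline
device, and the server re-pushes until the device checks in.
"""
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    DEVICE_INFO = "device_info"          # partial while locked (no security info)
    CONFIG_INSTALL = "config_install"    # held while locked
    CONFIG_REMOVE = "config_remove"      # runs while locked
    APP_INSTALL = "app_install"          # held while locked
    APP_REMOVE = "app_remove"            # runs while locked
    CONTENT_INSTALL = "content_install"  # held while locked
    CONTENT_REMOVE = "content_remove"    # runs while locked
    REMOVE_PASSCODE = "remove_passcode"  # special command
    REMOTE_LOCK = "remote_lock"          # special command
    REMOTE_WIPE = "remote_wipe"          # special command


# Commands the text says execute even on a locked/sleeping device.
RUNS_WHILE_LOCKED = {
    Kind.DEVICE_INFO, Kind.CONFIG_REMOVE, Kind.APP_REMOVE, Kind.CONTENT_REMOVE,
    Kind.REMOVE_PASSCODE, Kind.REMOTE_LOCK, Kind.REMOTE_WIPE,
}


@dataclass
class Device:
    udid: str
    online: bool = True    # powered on and reachable over 3G/LTE or Wi-Fi
    locked: bool = False   # passcode-locked (iOS) / asleep (Android)
    executed: list = field(default_factory=list)


@dataclass
class Command:
    uuid: str
    kind: Kind
    status: str = "queued"  # queued -> held | completed


class MdmServer:
    """One command queue per device plus a record of push delivery attempts."""

    def __init__(self):
        self.queues: dict[str, list[Command]] = {}
        self.push_log: list[tuple[str, bool]] = []

    def enqueue(self, udid: str, cmd: Command) -> None:
        # Offline requests stay on the MDM server until the device is unregistered.
        self.queues.setdefault(udid, []).append(cmd)

    def push(self, device: Device) -> bool:
        """Request a push via APNs/GCM; the device checks in only if reachable."""
        delivered = device.online
        self.push_log.append((device.udid, delivered))
        if delivered:
            self.check_in(device)
        return delivered

    def check_in(self, device: Device) -> None:
        """mdmd / the MDM client connects over HTTPS and drains its queue."""
        for cmd in self.queues.get(device.udid, []):
            if cmd.status == "completed":
                continue
            if device.locked and cmd.kind not in RUNS_WHILE_LOCKED:
                cmd.status = "held"   # re-examined at the next check-in
                continue
            result = {"uuid": cmd.uuid, "kind": cmd.kind.value}
            if cmd.kind is Kind.DEVICE_INFO:
                # A locked device reports that it is locked and omits security info.
                result["locked"] = device.locked
                result["security_info"] = not device.locked
            device.executed.append(result)
            cmd.status = "completed"

    def status(self, udid: str) -> dict[str, str]:
        """What the console shows: which commands completed and which are held."""
        return {c.uuid: c.status for c in self.queues.get(udid, [])}


def locked_device_scenario() -> tuple[dict, dict]:
    """A locked device is wiped at once, but an app install waits for unlock."""
    server = MdmServer()
    dev = Device("udid-locked", locked=True)
    server.enqueue(dev.udid, Command("c1", Kind.APP_INSTALL))
    server.enqueue(dev.udid, Command("c2", Kind.REMOTE_WIPE))
    server.enqueue(dev.udid, Command("c3", Kind.DEVICE_INFO))
    server.push(dev)
    before = server.status(dev.udid)
    dev.locked = False      # the user enters the passcode
    server.push(dev)        # next push: the held install now completes
    return before, server.status(dev.udid)


def offline_device_scenario(days_offline: int) -> tuple[int, str]:
    """Nothing reaches a powered-off device; daily re-pushes fail until it returns."""
    server = MdmServer()
    dev = Device("udid-offline", online=False)
    server.enqueue(dev.udid, Command("c1", Kind.CONFIG_INSTALL))
    for _ in range(days_offline):
        server.push(dev)    # one re-send per day, none delivered
    dev.online = True
    server.push(dev)
    failed = sum(1 for _, ok in server.push_log if not ok)
    return failed, server.status(dev.udid)["c1"]


if __name__ == "__main__":
    print(locked_device_scenario())
    print(offline_device_scenario(3))
```

The status dictionary is the operational point: an administrator who sends a wipe and an install to a locked device should expect to see the wipe complete immediately and the install sit in "held" until the user unlocks, and should not read "held" as a delivery failure.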

Structure of BizMobile Go! for iOS
The MDM structure of BizMobile Go! for iOS is as follows.

[Figure: structure of BizMobile Go! for iOS (tech_mdm_07_01-3)]

※1 Based on contract
※2 Connected over Wi-Fi. The address is in 17.0.0.0/8 (from the Developer Program "Technical Note TN2265")

Security
A secure connection between the MDM server and devices is established by mutual authentication with an SSL server certificate and a client certificate. The private key underlying the client certificate is generated inside the device and protected at the hardware level. The device sends and receives the keys for push notification only with trusted servers; without the key, no push notification can be sent. In addition, the device connects only to the pre-registered server. This reduces the risk of a third party controlling the device.

Structure of BizMobile Go! for Android
The MDM structure of BizMobile Go! for Android is as follows.

[Figure: structure of BizMobile Go! for Android (tech_mdm_07_01-4)]

※1 Based on contract
※2 Addresses owned by Google are 74.125.0.0/16 and 72.14.192.0/18. Uses "mtalk.google.com"

Security
A unique token is used to authenticate the connection between the MDM server and the device. The token is generated by the MDM server and saved on the device in a location that only the MDM client can access. This makes it difficult for a third party to impersonate the device and access the server. The device sends and receives the keys required for push notification only with trusted servers; without the key, no push notification can be sent. This reduces the risk of a third party controlling the device.

Push Notification

iOS Push Certificate

A push certificate for the group needs to be obtained from Apple. Devices supervised by the MDM server are associated with the group's push certificate at registration. No notification is sent using another group's push certificate.

Actions on the Device
On iOS, push notifications are sent over the 3G/LTE or Wi-Fi network. A TLS session (TCP port 5223) is created between the device and APNs over the Wi-Fi connection, and notifications are sent from APNs to the device. When the device is charging or has enough battery, a keep-alive is sent every 15-30 minutes. Push notification behaviour varies by device.

iPhone / iPad cellular model (3G/LTE)
When the device can connect to the cellular (3G/LTE) network, push is always delivered over 3G. When the cellular (3G/LTE) network is not available, the device connects over Wi-Fi.

iPad Wi-Fi model
For the iPad Wi-Fi model, push notifications are received as long as Wi-Fi is available.

When the device is in sleep mode, the TLS session is kept. When a push is sent from APNs, the device wakes from sleep mode and the actions are taken. Note that when the iPad's battery is below 20%, the session is cut and the device cannot receive push notifications. In this case it is necessary to disable sleep manually or charge the device to keep the session.

iPod touch
Push notifications are received only while the device is active (not in sleep mode) or while charging.

Queued Notifications
When the device cannot receive a push notification, APNs keeps the last requested notification queued on the server. When the connection with APNs is restored, the queued push notification is sent again.

Android Push Certificate

A Google account and an Android Market application are required to send push notifications. Devices managed by the MDM server are associated at registration with the specified application (the MDM client) on the specified device.

Actions on the Device
Android delivers push notifications over a cellular (3G/LTE) or Wi-Fi connection. On a Wi-Fi connection, a TLS session (TCP ports 5228, 5226, 5226) is created between the device and GCM, and push notifications are sent from GCM to the device.

3G model
When the 3G network is available (and the device is not connected to Wi-Fi), push notifications are sent over the 3G/LTE network. When Wi-Fi is available, Wi-Fi is used.

Wi-Fi model
Push notifications are received when Wi-Fi is available.

Sleep Mode
When the device is in sleep mode, the TLS session is kept. When GCM sends a notification, the necessary actions are processed by the MDM client. On some models the MDM client does not process actions in sleep mode; in that case, processing is done when the device wakes from sleep mode.

Queued Notifications
When the device cannot receive a push notification, the notification is queued on the server. When the connection between the device and GCM is restored, the queued push notifications are sent. Some Android devices cannot process actions correctly in the MDM client while a push notification has not been received; in that case, the actions are taken when the connection is restored.

Actions on Servers

Number of push notifications at a time
There is no limit to the number of push notifications sent at once. The server defines the number of push notifications sent within a specified time (one minute).

Retention Period of Push Notifications
Offline requests on the MDM server are saved permanently until the device is unregistered. The retention period of push notifications on APNs is described as "deleted after a certain period", with no specific time given. Retention on GCM is not defined. Therefore, BizMobile Go! re-sends the push notification once a day.
