Skip to content

Commit

Permalink
Merge branch 'master' of github.com:project-imas/mdm-server
Browse files Browse the repository at this point in the history
  • Loading branch information
gavin-black committed Oct 30, 2013
2 parents 5c00c31 + 909b72c commit c2f2065
Showing 1 changed file with 62 additions and 8 deletions.
70 changes: 62 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,31 +7,36 @@ Instructions and code for setting up a simple iOS Mobile Device Management (MDM)
* Publicly accessible Linux/Unix server
* Apple Enterprise Account
* Apple Developer Account
* OS X KeyChain Access Tool
* openssl command-line
* Java SDK (java/javac)
* Apple's iPhone Configuration Utility
* (OS X Version)[http://support.apple.com/kb/dl1465]
* (Windows Version)[http://support.apple.com/kb/DL1466]

# Certificate Setup

First run **make_certs.sh**. Hopefully this works properly and generates 90% of what you need.

# Apple MDM Push Certificate
Download the [MDM vendor CSR signing tool](http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning/Softhinker.zip) from [Softhinker](http://www.softhinker.com/). You will notice several certificates are included:
* customer.der
* Must be replaced
* Generated from server setup
* Generated from **make_certs.sh**
* Accept defaults for all other values (Including **Challenge password**)
* intermediate.pem
* Does not need replaced
* Apple's WWDR intermediate certificate
* mdm.pem
* Must be replaced
* Obtain from [iOS Provisioning Portal](Apple Member Center)
* Use **customer.csr** created by **genCustomerDer.sh**
* Use **customer.csr** created by **make_certs.sh**
* Download the file, should be in .cer format
* Convert to pem: **openssl x509 -inform der -in YOUR_MDM.cer -out mdm.pem**
* root.pem
* Does not need replaced
* Apple's root certificate
* vendor.p12
* Import the customerPrivateKey.pem into Keychain access
* Export the private key as p12 file
* Must be replaced
* Generated from **make_certs.sh**

Now that all certificates are in place, compile and run the java program
cd Softhinker/src/com/softhinker
Expand All @@ -41,8 +46,57 @@ Now that all certificates are in place, compile and run the java program

You should now have **plist_encoded.plist**. Upload this to [Apple's Push Certificates Portal](https://identity.apple.com/pushcert/). If all was successfull you will see a screen similar to below:

Notice the (i) icon besides renew. If you click it there will be a long string of text ending in **UID=com.apple.mgmt...**, make sure to copy that string starting at **com** since you will need it later. Finally download the certificate, save as **PushCert.pem** and upload to your server.
Notice the (i) icon besides renew. If you click it there will be a long string of text ending in **UID=com.apple.mgmt...**, make sure to copy that string starting at **com** since you will need it later. Finally download the certificate, save as **PushCert.pem** in the **server** directory.

# Enrollment profile

Open the **iPhone Configuration Utilities** program. Select **Configuration Profiles** click the **New** button, and fill out the sections as follows:
* General
* Name: A unique name for you to keep track of
* Identifier: **com.apple.mgmt...** string you recorded during certificate generation
* Certificates
* Use **vendor.p12** generated during certificate creation
* Password: Enter the password you used during certificate creation
* Mobile Device Management
* Server URL: https://YOUR_HOSTNAME:8080/server
* Check In URL: https://YOUR_HOSTNAME:8080/checkin
* Topic: **com.apple.mgmt...** string
* Identity: vendor.p12
* Sign messages: Checked
* Check out when removed: Unchecked
* Query device for: Check all that you want
* Add / Remove: Check all that you want
* Security: Check all that you want
* Use Development APNS server: Uncheck

After you are finished, highlight the entry in the table, and click **Export**. Choose **None** for security and then **Export...**. Save in the **mdm-server/server/** directory as **Enroll**. You should now have an **Enroll.mobileconfig** file.

# Server Setup

The server is a direct copy from [Intrepidus Group's blackhat presentation](https://intrepidusgroup.com/).
The server code is a direct copy from [Intrepidus Group's blackhat presentation](https://intrepidusgroup.com/). Copy over the **mdm-server/server** directory you put the enrollment profile and certificates in to your server. You will need to install the following:

You must have the following installed on the server:
* Openssl
* Recommend downloading and compiling yourself
* Some Debian-based distros disable features needed by M2Crypto
* Source available at [http://www.openssl.org/source/](http://www.openssl.org/source/)
* Python, with the following libraries
* [web.py](http://webpy.org/)
* [M2Crypto](http://chandlerproject.org/bin/view/Projects/MeTooCrypto)

Network Settings
* Outbound access to gateway.push.apple.com:2195
* Inbound access to port 8080
* iOS device must also have outbound access to gateway.push.apple.com:5223

If everything is setup appropriately, simply navigate to the **server** directory and run **python server.py**.

On the device navigate to: **https://YOUR_HOST:8080/**
Once there you need to, in order:
1. Tap here to install the CA Cert (for Server/Identity)
2. Tap here to enroll in MDM
3. Select Command (Device Lock is a good one to test)

You can now run those commands from any web browser, a successfull command will often looks something like the following:

You may have to hit the **refresh** link, if the output doesn't look recent.

0 comments on commit c2f2065

Please sign in to comment.