
iOS MDM Device Polling and APNs Certificate

I'm developing an iOS MDM Server as my project and I have almost completed.

I created all the necessary files manually including the mobileconfig file and installed the profile.

The device polls the URL mentioned in Server URL often with an Idle message. I read that the Idle message indicates that the device is checking the server for commands and we can send a plist response as a command.

My question is, if all the devices poll the MDM Server frequently, what is the need for the .pem file and APNs certificate? Should we send a push notification to the device like below, like we send push notifications to our iOS apps?

{
    "aps": {
         "id": 10,
         "message": "Hello world!",
         "from": "Ram"
    }
}

If this is what we should do, what should we send in the payload?

EDIT :

I found out the solution for sending push notifications.

// Build the service from the MDM push certificate (InputStream) and its password.
com.notnoop.apns.ApnsService apnsservice = com.notnoop.apns.APNS.newService().withCert(<pushCertStream>, <pushCertPass>).withProductionDestination().build();
// The MDM payload contains only the "mdm" key with the device's PushMagic; build() returns the JSON string.
apnsservice.push(token, com.notnoop.apns.APNS.newPayload().mdm(pushMagic).build());

When push notification is sent like this, the device responds with an Idle Message and we can send commands to the device.

Few more doubts :

1) When does Apple check the SSL Certificate of the profile? I'm sure it checks during profile installation because my profile installation has failed many times due to a wrong SSL Certificate. Does Apple also check the SSL Certificate when sending a push notification, as I have noticed a class com.notnoop.exceptions.InvalidSSLConfig? Does it check whether the server sending the push notification has the SSL Certificate specified in the profile?

EDIT

When the server sends a push notification to the device, the device responds with an Idle Message to the URL specified in Server URL. What happens if the SSL Certificate is invalid at this point? Does it produce an error?

2) Can multiple servers have the same push notification certificate to reduce the load on a single server to send push notification and send commands to devices? Will there be any conflict?

3) Is there any limit to the no. of push notifications sent using a single push notification certificate? If not, can it handle any number of push notifications?

4) Can the Check-in URL and Server URL in the profile be different?

EDIT: Can the Check-in URL and Server URL be of different servers, i.e.,

CheckIN URL : https://www.domainone.com/MDM/

Server URL : https://www.domaintwo.com/MDM/

5) First question in this link (least important): though the solution talks about expiration of the SSL Certificate, it does not say anything about changing the SSL Certificate.

EDIT 2

When a push notification certificate is renewed, how does a device with profile already installed update the certificate details in the device's profile?
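The check-in loop the question describes (push with the "mdm" payload, device reports Idle, server answers with a command plist, device reports Acknowledged) as an added example in Python's standard library; this is not code from the question or from either answer. The UDID, PushMagic and the DeviceInformation queries are constructed placeholders, and the queue class is a hypothetical minimal server, not a real MDM product.

```python
import json
import plistlib
import uuid


def mdm_push_payload(push_magic):
    """Body of the APNs push that wakes an enrolled device.

    Unlike an app push there is no "aps" dictionary at all: the single
    key is "mdm", whose value is the PushMagic string the device sent
    to the server in its TokenUpdate check-in message.
    """
    return json.dumps({"mdm": push_magic}).encode()


def device_information_command(queries):
    """Build one MDM command plist; returns (CommandUUID, plist bytes)."""
    command_uuid = str(uuid.uuid4())
    body = {
        "CommandUUID": command_uuid,
        "Command": {"RequestType": "DeviceInformation",
                    "Queries": list(queries)},
    }
    return command_uuid, plistlib.dumps(body)


class MdmCommandQueue:
    """Hypothetical per-device command queue driven by device reports."""

    def __init__(self):
        self.pending = {}    # UDID -> list of (CommandUUID, plist bytes)
        self.in_flight = {}  # UDID -> (CommandUUID, plist bytes)
        self.results = {}    # CommandUUID -> full response dict

    def enqueue(self, udid, command_uuid, plist_bytes):
        self.pending.setdefault(udid, []).append((command_uuid, plist_bytes))

    def handle_report(self, body):
        """Handle one PUT to the Server URL and return the response body.

        An empty body tells the device there is nothing more to do; it
        then stops polling until the next push arrives.
        """
        msg = plistlib.loads(body)
        udid, status = msg["UDID"], msg["Status"]
        if status in ("Acknowledged", "Error", "CommandFormatError"):
            # The device finished the in-flight command: record its result.
            self.results[msg["CommandUUID"]] = msg
            self.in_flight.pop(udid, None)
        elif status == "NotNow":
            # Device cannot run the command yet: put it back at the head
            # of the queue so it is re-sent on the next check-in.
            item = self.in_flight.pop(udid, None)
            if item:
                self.pending.setdefault(udid, []).insert(0, item)
            return b""
        # Status "Idle", or a report that freed the device: send the next command.
        queue = self.pending.get(udid, [])
        if not queue:
            return b""
        item = queue.pop(0)
        self.in_flight[udid] = item
        return item[1]


SAMPLE_UDID = "00000000-0000000000000000"  # constructed placeholder
SAMPLE_PUSH_MAGIC = "EXAMPLE-PUSH-MAGIC"    # constructed placeholder


def sample_exchange():
    """Run a constructed Idle / NotNow / Idle / Acknowledged sequence."""
    server = MdmCommandQueue()
    cmd_uuid, cmd_plist = device_information_command(["UDID", "OSVersion"])
    server.enqueue(SAMPLE_UDID, cmd_uuid, cmd_plist)

    idle = plistlib.dumps({"Status": "Idle", "UDID": SAMPLE_UDID})
    first = plistlib.loads(server.handle_report(idle))
    not_now = plistlib.dumps({"Status": "NotNow", "UDID": SAMPLE_UDID,
                              "CommandUUID": cmd_uuid})
    after_not_now = server.handle_report(not_now)
    retry = plistlib.loads(server.handle_report(idle))
    ack = plistlib.dumps({"Status": "Acknowledged", "UDID": SAMPLE_UDID,
                          "CommandUUID": cmd_uuid,
                          "QueryResponses": {"OSVersion": "17.0"}})
    after_ack = server.handle_report(ack)
    return {
        "command_uuid": cmd_uuid,
        "first": first,
        "after_not_now": after_not_now,
        "retry": retry,
        "after_ack": after_ack,
        "results": server.results,
    }


if __name__ == "__main__":
    print(mdm_push_payload(SAMPLE_PUSH_MAGIC))
    print(sample_exchange())
```

The point of the push, visible in mdm_push_payload, is that it carries no message for the user: it only tells the device to contact the Server URL now, which is why the device answers with an Idle report rather than showing anything. The Idle/Acknowledged handling shows why a server still needs the push certificate: without a push the device only checks in on its own schedule, so commands sit in the queue until then.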

1) hmm AFAIK if your server has an SSL certificate then signing the profile with that certificate only verifies it. In terms of functionality I don't think it does anything. However, you do also need a certificate that is related to your server; this is the one that goes inside the plist as part of the payload. It'll need to be the same one that the server has. (Usually in a .p12 format)

2) Yes you can have multiple servers because essentially sending a push notification is just a request to apple with proper credentials.

3) I don't believe there is a limit to how many push notifications a certificate can send... but more so how frequently you're sending them. (for e.g. flooding Apple with push notification requests)

4) Yes, I strongly believe so, but you should double check this.

5) Again SSL certificate only just makes the profile verified AFAIK (if we're strictly talking about mdm). (edit: I forgot that there was another .p12 certificate that you could embed inside the profile. This provides authentication between the device and the server and will need to be the same SSL cert).

1) When the MDM Server sends a push notification to the device, the device responds to the Server by contacting the Server URL. The SSL Certificate of the server has to match the SSL Certificate Payload in the profile. If there are any conflicts, there will be an error. So, the SSL Certificate is checked every time the device contacts the Server URL. The below error will be produced if there are any conflicts.

Desc : The Server Certificate for "Server URL" is invalid.

Domain : MCHTTPTransactionErrorDomain

2) Yes, multiple servers can have the same push notification certificate. Each server just needs to know the password of the certificate.

3) I don't think there is any limit to the no. of push notifications sent. Check the links below.

Reference 1

Reference 2

4) Your Server URL and Check-in URL can be different but should be of the same host.

5) If the SSL Certificate is changed, the profile has to be deleted and a new profile has to be installed.
