iOS 5 – Changes to MDM Usage Policies

I have already covered the new (enterprise relevant) features in iOS 5:
http://mobilitydojo.net/2011/10/04/ios-5-anything-in-it-for-the-enterprise-conclusion/

Right after I published that post, Apple released a couple of changes to how these features work, or rather to the policies governing their use. (The features themselves are still there, don’t worry.)

So far Apple has been secretive, even by their standards, about how Mobile Device Management is implemented. Several MDM vendors have supported iOS devices for a while now, with pretty much the same feature set, so it was obvious that they hadn’t all come up with it out of nothing. And they certainly didn’t: it was built against a documented API, but the documentation wasn’t publicly available. You had to apply and be approved before receiving the docs, and only then could you implement an MDM solution for your customers.

As of last week the docs are available to a broader audience. It’s still not fully public: you need an iOS Developer Enterprise account, which will set you back $299 a year. It’s not available to hobby developers either, unless they happen to have a Dun & Bradstreet number, which I’m guessing most hobbyists don’t. If you do have an Enterprise account you can just sign in and read everything you need to know to develop your own iOS MDM solution.

Of course not everyone will be interested in developing their own solution for managing iOS devices. After all, a couple of vendors have been down that road already, and you don’t need something homegrown just for the fun of it. Enterprises have been able to use the MDM API for a long time already, even if they are not aware that they are using it. But so far you have had to enroll in an iOS developer program as a company to obtain the certificate needed to authenticate to the Apple Push Notification Service (APNS), which the MDM server uses to tell managed devices to check in. While APNS will work with an iOS Standard Company account, you still have to send Apple the details proving that you are a company entity and pay $99. (There is a misconception that the iOS Enterprise program is required; it’s not. Basic MDM works with Standard accounts, but distributing in-house apps requires an Enterprise account.)

The good news is that Apple is now waiving this fee, and you can get your APNS cert for free. The process is outlined here:
http://www.apple.com/ipad/business/integration/mdm/

Basically your company generates a Certificate Signing Request (CSR) and sends it to your chosen MDM vendor, who signs the CSR with their MDM vendor certificate. The signed CSR is then submitted to Apple, and Apple returns a push certificate. (You will naturally need a valid Apple ID to sign in.) Note that the private key behind the CSR never leaves your company; the vendor only ever sees the request, not the key. Previously the whole process was performed by the customer without involving the MDM vendor at all, so the new process means vendors have to implement the signing step on their end. There are still a step or two the customer needs to do, but it still sounds like an improvement to me. (Getting a developer account approved by Apple could take 1-2 weeks if you were unlucky.)
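To make the three-party flow concrete, here is an added example (my own openssl script, not Apple’s tooling or any vendor’s) that simulates all the steps offline: the customer generates a key pair and CSR, the vendor signs the DER CSR with its vendor key and packages the result as a plist, and the customer verifies that packaged request before uploading it. The vendor certificate is self-signed here as a stand-in for the one Apple issues; the plist key names, the SHA-256 digest and the file names are my assumptions for the demo, not taken from this post, and the MDM Protocol Reference is the authority on the exact format. The private key behind the CSR is never read by the vendor-side functions.

```shell
#!/bin/sh
# Added example, not Apple's or any MDM vendor's tooling: the three-party push
# certificate request described above, simulated offline with openssl.
#   customer: generates a key pair and CSR (the private key never leaves the customer)
#   vendor:   signs the DER CSR with its MDM vendor key and packages a plist
#   customer: uploads the base64 plist at identity.apple.com/pushcert (not simulated)
# Assumptions: the vendor certificate is self-signed here, standing in for the one
# Apple issues; the plist keys and the SHA-256/RSA signature are my choices for
# the demo, not taken from the post or the MDM Protocol Reference.
set -eu

DEMO="${DEMO_DIR:-$(mktemp -d)}"

# Vendor, one time: private key plus stand-in for the Apple-issued MDM vendor cert.
make_vendor_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example MDM Vendor" \
        -keyout "$DEMO/vendor.key" -out "$DEMO/vendor.crt" 2>/dev/null
}

# Customer: key pair and CSR. Only the DER CSR ($2) is handed to the vendor.
make_customer_csr() {          # $1 = short name, $2 = output DER CSR
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1/O=Example Corp" \
        -keyout "$DEMO/$1.key" -outform DER -out "$2" 2>/dev/null
}

# Vendor: detached RSA signature over the raw DER CSR bytes.
vendor_sign_csr() {            # $1 = DER CSR, $2 = output signature
    openssl dgst -sha256 -sign "$DEMO/vendor.key" -out "$2" "$1"
}

# Vendor: wrap CSR, signature and certificate chain in the plist the customer
# uploads; the whole file is then base64-encoded.
package_push_request() {       # $1 = DER CSR, $2 = signature, $3 = chain PEM, $4 = out
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
        printf '  <key>PushCertRequestCSR</key>\n  <string>%s</string>\n' "$(openssl base64 -in "$1")"
        printf '  <key>PushCertCertificateChain</key>\n  <string>%s</string>\n' "$(cat "$3")"
        printf '  <key>PushCertSignature</key>\n  <string>%s</string>\n' "$(openssl base64 -in "$2")"
        printf '</dict>\n</plist>\n'
    } | openssl base64 -out "$4"
}

# Print the body of the <string> following <key>$1</key> in plist $2 (may span lines).
plist_string() {
    awk -v k="<key>$1</key>" '
        found { if (!seen) { sub(/^[[:space:]]*<string>/, ""); seen = 1 }
                if ($0 ~ /<\/string>/) { sub(/<\/string>.*/, ""); print; exit }
                print; next }
        index($0, k) { found = 1 }
    ' "$2"
}

# The check to run before uploading: does the packaged signature really cover the
# packaged CSR under the leaf certificate of the packaged chain? Exit status 0 = yes.
verify_push_request() {        # $1 = base64-encoded plist
    d=$(mktemp -d)
    openssl base64 -d -in "$1" -out "$d/req.plist"
    plist_string PushCertRequestCSR "$d/req.plist" | openssl base64 -d -out "$d/csr.der"
    plist_string PushCertSignature "$d/req.plist" | openssl base64 -d -out "$d/csr.sig"
    # first certificate in the chain is the vendor leaf that made the signature
    plist_string PushCertCertificateChain "$d/req.plist" \
        | awk '/-----BEGIN CERTIFICATE-----/ { p = 1 } p { print } /-----END CERTIFICATE-----/ { exit }' \
        > "$d/leaf.pem"
    openssl x509 -in "$d/leaf.pem" -pubkey -noout > "$d/leaf.pub"
    openssl dgst -sha256 -verify "$d/leaf.pub" -signature "$d/csr.sig" "$d/csr.der" >/dev/null 2>&1
}

run_demo() {
    make_vendor_identity
    make_customer_csr cust1 "$DEMO/cust1.csr.der"
    vendor_sign_csr "$DEMO/cust1.csr.der" "$DEMO/cust1.sig"
    package_push_request "$DEMO/cust1.csr.der" "$DEMO/cust1.sig" "$DEMO/vendor.crt" "$DEMO/cust1.b64"
    if verify_push_request "$DEMO/cust1.b64"; then
        echo "signature covers the CSR; upload $DEMO/cust1.b64 at identity.apple.com/pushcert"
    else
        echo "signature does NOT cover the CSR; do not upload" >&2; return 1
    fi
}

if [ "${1:-}" = demo ]; then run_demo; fi
```

Run it as `sh mdm_push_flow.sh demo`. The verification step is the part worth keeping around: a vendor portal that hands back a plist is a black box to the customer, and checking that the signature actually covers the CSR you generated (and not some other CSR, which is what the swapped-CSR case in the test exercises) is cheap insurance before you hand the request to Apple.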

Trying to draw the line between the consumer market and the enterprise market, the License Agreement also states quite clearly (you didn’t think for a second Apple would skip a chance to present legalese, did you?) that only company-owned or company-controlled devices are allowed to use MDM. A normal end-user customer cannot sign up to a generic hosted MDM solution; MDM control should only be used where an employer-employee relationship is in place. Oh well, consumers have iPhone Configuration Utility (now updated to support iOS 5) for configuration and iCloud for remote wipe, so they will hopefully get by without MDM.

6 thoughts on “iOS 5 – Changes to MDM Usage Policies”

  1. What is the MDM API listed under? I have access to the Enterprise developer pages but I can’t seem to find an “MDM” API.

  2. They didn’t exactly put up a very visible button linking to the docs 🙂
    You should be able to find “Mobile Device Management Protocol Reference” by going to: iOS Provisioning Portal->Certificates->Other

  3. “While APNS will work with a iOS Standard Company account you still have to send over necessary details to Apple proving you’re a company entity and pay up 99$. (There is a misconception that the iOS Enterprise program is required – it’s not. Basic MDM will work with Standard accounts, but distributing in-house apps requires an Enterprise account.)”

    As a vendor,

    These are the documented steps to obtain “MDM Signing Certificate” as per MDM Protocol Reference:

    – create a CSR using any toolkit, i.e. KeyChain Access on MacBook, then export private key as ‘vendor.p12’
    – log in to Apple Member Center, and go to ‘iOS Provisioning Portal’
    – select ‘Certificates’ on the left navigation bar, and click ‘Other’ tab on the center.
    – follow the instruction on that page, and upload the CSR you created.
    – then the certificate for you as an MDM vendor will be available to download on the ‘Other’ tab. And download it.

    My questions are:

    1. How do we obtain “MDM Signing Certificate” with a “Standard account”?

    2. I am not able to see any ‘Other’ tab on the Certificates section of my Provisioning Portal. Is it because I have an iOS Standard individual account and not a company account?

  4. To answer your question in reverse 🙂

    2. You will need an Enterprise account to see the “Other” tab, and you need this type of account if you want to create an MDM solution.

    1. The Standard account is no longer in use for MDM in any way. MDM customers will sign into https://identity.apple.com/pushcert to have their APNS certificate generated. MDM vendors will need to follow the procedure you listed above to generate their cert. The cert of the vendor is to be used for signing the CSRs customers generate.
