The MDM framework built into iOS gives MDM solutions the ability to wirelessly interact with iOS devices that are managed by organizations. Third-party vendors use this framework to build MDM servers that communicate seamlessly with iOS devices.
MDM gives IT departments the ability to securely enroll devices in an enterprise environment, configure and update settings, monitor compliance with corporate policies, and remotely wipe or lock managed devices. Using an MDM server gives organizations a simple way to get users up and running with access to company services regardless of who owns the device.
The MDM framework in iOS supports the following features:
- Installation, management, and removal of accounts that provide access to corporate services.
- Configuration of settings, including passcodes, device restrictions, and voice and data roaming policies.
- Ability to clear the user's passcode and to remotely lock or wipe a lost or stolen device.
- Installation, management, and removal of App Store and custom in-house apps.
- Scheduled querying of device, network, application, and security information.
MDM servers use the Apple Push Notification service (APNs) only to tell a managed device that it should check in; the notification itself carries no commands or data. When the device connects, all tasks are carried out on the device by the built-in MDM framework in iOS. Because the framework does the work, an MDM server can keep in contact with the device without affecting performance or battery life, and there is no need for each MDM solution provider to create a custom agent of their own. The sequence is:
- A Configuration Profile containing MDM server information is sent to the device.
- User installs the profile to allow the device to be managed.
- Device enrollment takes place as the profile is installed. The server validates the device and allows access.
- The MDM server sends a push notification through APNs prompting the device to check in for tasks or queries.
- The iOS device connects directly to the server over HTTPS. The MDM server sends down commands or requests information.
The MDM framework is what ultimately determines what can and can't be seen by an IT administrator on a user’s device. This ensures IT can only manage corporate accounts, settings, and information that they have provisioned via MDM. The user's personal accounts cannot be accessed.
Below are examples of what an MDM server can and cannot see on an iOS device:
MDM can see
- Device name
- Phone number
- Serial number
- Model name and number
- Capacity and space available
- iOS version number
- Installed apps
MDM cannot see
- Personal mail, calendar, contacts
- SMS or iMessages
- Safari browser history
- FaceTime or phone call logs
- Personal reminders and notes
- Frequency of app use
- Device location
For more information, including a full list of what information the MDM framework in iOS can access from an iOS device, refer to the Deploying iPhone and iPad MDM overview.
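The check-in sequence described above and the visibility split in the two lists, as an added example that is not part of this page or of Apple's code: a Python simulation of one command round trip in the protocol's property-list format. It assumes the key names from Apple's MDM protocol reference (CommandUUID, RequestType, DeviceInformation, Queries, QueryResponses, Status, UDID), which this page does not spell out; the device record, the private data and the `simulated_device` stand-in for the iOS MDM framework are constructed for the example. The server side checks that every reply belongs to the command and device it is outstanding for, and handles the NotNow and Error statuses.

```python
import plistlib
import uuid

# DeviceInformation query keys the simulated device will answer. The key names
# follow Apple's MDM protocol reference (an assumption here: the page lists only
# the human-readable equivalents such as "Device name" and "Serial number").
SUPPORTED_QUERIES = {
    "DeviceName", "PhoneNumber", "SerialNumber", "ModelName", "Model",
    "DeviceCapacity", "AvailableDeviceCapacity", "OSVersion",
}

# Constructed sample device. Only the first dict is reachable through MDM; the
# second stands in for the data in the "MDM cannot see" list.
CONSTRUCTED_DEVICE = {
    "UDID": "00000000-0000000000000TEST",  # constructed, not a real UDID
    "DeviceName": "Sample iPhone",
    "SerialNumber": "C02TEST00001",  # constructed
    "ModelName": "iPhone",
    "OSVersion": "12.1",
    "DeviceCapacity": 64.0,
    "AvailableDeviceCapacity": 21.5,
}
CONSTRUCTED_PRIVATE_DATA = {
    "Location": (37.33, -122.03),
    "SMS": ["constructed message"],
    "SafariHistory": ["https://example.com/"],
}


def mdm_push_payload(push_magic):
    """APNs payload the server sends to wake the device (the push step above).

    It carries only the PushMagic value the device supplied at enrollment;
    commands never travel over APNs.
    """
    return {"mdm": push_magic}


def build_command(request_type, **fields):
    """Serialize one MDM command as a plist; returns (CommandUUID, bytes)."""
    command_uuid = str(uuid.uuid4()).upper()
    command = {"CommandUUID": command_uuid,
               "Command": {"RequestType": request_type, **fields}}
    return command_uuid, plistlib.dumps(command)


def simulated_device(command_bytes, device=CONSTRUCTED_DEVICE, busy=False):
    """Stand-in for the iOS MDM framework answering one command over HTTPS.

    Everything returned comes from `device`; CONSTRUCTED_PRIVATE_DATA is never
    consulted, however the query list is phrased. Unsupported query keys are
    dropped from the answer rather than looked up anywhere else.
    """
    cmd = plistlib.loads(command_bytes)
    reply = {"CommandUUID": cmd["CommandUUID"], "UDID": device["UDID"]}
    if busy:
        reply["Status"] = "NotNow"      # device cannot act yet; server retries later
        return plistlib.dumps(reply)
    body = cmd["Command"]
    if body.get("RequestType") != "DeviceInformation":
        reply["Status"] = "Error"       # this simulation implements one command only
        reply["ErrorChain"] = [{"LocalizedDescription": "unsupported RequestType"}]
        return plistlib.dumps(reply)
    queries = body.get("Queries", [])
    reply["Status"] = "Acknowledged"
    reply["QueryResponses"] = {q: device[q] for q in queries
                               if q in SUPPORTED_QUERIES and q in device}
    return plistlib.dumps(reply)


def handle_device_response(expected_uuid, expected_udid, reply_bytes):
    """Server-side check of a reply.

    Returns ("ok", query_responses), or ("retry", None) for NotNow; raises on a
    reply that does not belong to the outstanding command and device, or that
    reports failure.
    """
    reply = plistlib.loads(reply_bytes)
    if reply.get("CommandUUID") != expected_uuid or reply.get("UDID") != expected_udid:
        raise ValueError("reply does not match the outstanding command and device")
    status = reply.get("Status")
    if status == "NotNow":
        return "retry", None
    if status != "Acknowledged":
        raise RuntimeError(f"command failed with Status={status!r}: {reply.get('ErrorChain')}")
    return "ok", reply.get("QueryResponses", {})


def run_device_information_exchange(queries, busy=False):
    """One full round trip: build the command, hand it to the simulated device, validate."""
    command_uuid, command = build_command("DeviceInformation", Queries=list(queries))
    reply = simulated_device(command, busy=busy)
    return handle_device_response(command_uuid, CONSTRUCTED_DEVICE["UDID"], reply)


if __name__ == "__main__":
    # Asking for "Location" and "SMS" alongside real queries yields only the
    # supported keys; the private data is never touched.
    print(run_device_information_exchange(
        ["DeviceName", "SerialNumber", "OSVersion", "Location", "SMS"]))
```

The matching of CommandUUID and UDID on every reply is the check a server needs so that a stale or replayed response cannot be attributed to a different command or device; NotNow is the normal case of a device that is, for example, locked, and the command should simply be re-sent on the next check-in.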
A number of third-party vendors have MDM solutions that support iPhone and iPad. Select an MDM product that best suits your business requirements and you're ready to get started.
To use MDM, you need an APNs push certificate issued by Apple (an SSL certificate) installed on your MDM server. This certificate authenticates your server to the Apple Push Notification service so that it can send check-in notifications to managed devices.
Requesting a certificate is simple and free. Follow these instructions to get started:
- Contact your MDM vendor to request a signed Certificate Signing Request (CSR). Only an MDM vendor can sign the CSR, so the vendor signs it and delivers the signed CSR to you.
- Once you have the signed CSR from your vendor, visit identity.apple.com/pushcert and sign in with a verified Apple ID. Use an Apple ID that belongs to your organization rather than to an individual: the certificate has to be renewed with the same Apple ID, and a certificate obtained with a different Apple ID does not match the devices already enrolled, which then have to be re-enrolled.
- Select your signed CSR and click upload. After a moment, your certificate will be available for download.
- This certificate can now be uploaded to your MDM server for use with the Apple Push Notification service.