Configuring an MDM server for iPhone
It may seem to be asked several times, but I could not find answers to my doubts.
- As one needs to setup an MDM server, what are the things that need to be available or installed on this server. Is there a specific configuration?
- Is SCEP (which I think needs to be available on the server) required to setup MDM. If yes, how to go about with it.
When I set the Server URL in the MDM config profile to any of the servers I have, the profile fails to install with the error in console as "The identity certificate for com.abc.mdm.mdm1 could not be found."
It'll be helpful if anyone could redirect me to the detailed steps to setup MDM server. I could not find any such thing in Apple's WWDC 2010 video.
Edit: Some more stuff I've tried
I'm trying to configure MDM server for iPhone and have tried the following steps till now.
- I have installed a trial certificate from RapidSSL. When I open my site as https://example.com, I can see a lock at the address bar - hence I believe that the certificate is valid and working.
- In iPCU, I create a credentials payload and select my certificate from the list.
- In the MDM payload, when I try to select an Identity, the dropdown list is disabled with a message as Add credentials in the credentials payload.
In the credentials payload when I select any other certificate from the list - VeriSign for example - in the MDM payload I get the Identity dropdown list enabled and can select the configured credential, but this is an Invalid certificate.
Edit: Images added
Edit: Moved further more
With some hits here and there, I'm now able to get the 'Identity' field enabled. But when I try to install the profile, I get an error as 'Profile failed to install' with the message in console as
Nov 22 15:15:11 Apple-iphone-4 profiled[1320] <Warning>: MDM|Cannot Authenticate. Error: NSError 0x1ddb8f50:
Desc : A transaction with the server at https://example.com has failed with the status 405.
US Desc: A transaction with the server at https://example.com has failed with the status 405.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"https://example.com",
405
)
Nov 22 15:15:11 Apple-iphone-4 profiled[1320] <Warning>: MC|Cannot install MDM com.example.ota.mdm2. Error: NSError 0x1ddb9120:
Desc : The payload com.example.ota.mdm2 could not be installed.
Sugg : A transaction with the server at https://example.com has failed with the status 405.
US Desc: The payload com.example.ota.mdm2 could not be installed.
US Sugg: A transaction with the server at https://example.com has failed with the status 405.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"com.example.ota.mdm2"
)
Edit: Continuing after a long break
Here's a summary of what I've done till now.
- Configured a Windows 2008 server with an SSL certificate from a CA, i.e. the server can be accessed as https://example.com
- Hosted a .Net webservice that listens to PUT.
- Generated an MDM certificate from the iOS Developer portal.
- Generated a Push certificate from Apple. The topic is something like com.apple.mgmt.External.035e7xxxxx
- Added the server certificate to the Credentials payload of iPCU. This was done by
- Exporting the server side SSL as a .pfx file
- Adding this file to the Windows Certificate store
- Selecting this certificate in the credentials payload.
I've hosted this profile on the server. When I download it on the device, I'm presented with Profile Installation on the device. When I install this profile, I end up with an error saying "The profile MDM could not be installed". On looking at the device logs, I found
<Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc : A transaction with the server at “https://example.com” has failed with the status “400”
IMP: I noticed that the Push certificate generated says "This certificate was signed by an unknown authority". There's also no private key associated with it.
I suspect something wrong is selecting the certificate in the Credentials payload (Step 5).
Also when the Profile Installation screen is presented, I get "Not Verified" just below the profile name.
Solved
For the "unknown authority" issue I installed Apple's Application Integration certificate.
I'm now able to execute the MDM commands.
Complete Steps
https://drive.google.com/file/d/0B9vJDmfd2qb9RmdGNlp4OUR3eVk/view?usp=sharing
https://drive.google.com/file/d/0B9vJDmfd2qb9eGlkUk44ajZrWjg/view?usp=sharing
Comments (2)
You need just 3 things
1) mdm payload with mdm url starting with https://
2) certificate which you download using the Apple developer portal. This is detailed on Apple's site
3) Link this certificate (.p12) file in the identity section of the mdm payload
Your server needs to have the necessary ports open - this is also documented. The server needs to listen on PUT method and not GET or POST.
If you do the above - you will see that your device sends the deviceToken, pushMagic etc.
First up, the 405 status from the server means that you are attempting to POST to a URL that does not accept the POST method. It has nothing to do with the certificates at this point. The certificate in MDM is only used for signing the MDM messages so anything that is put in there is unused if you are not signing your MDM messages from the device (I would recommend not signing your MDM messages while you are testing/setting up) which is configured using the 'Sign Messages' tick-box in the iPCU.
The general idea with MDM is that you tell the device to 'phone home' to the 'Server URL' configured in the configuration profile when it receives an MDM APNS message. You will either have to write or purchase the code that lives on this server to respond to the device and do the right thing. You can also configure the 'Check In' and 'Check Out' URLs to talk to different URLs and, therefore, different code components on the server to handle the different messages.
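To make the two answers concrete, here is an added example (not the asker's .NET service, not either answerer's code, and not Apple's) of the two endpoints an enrolled device talks to: the CheckInURL that receives Authenticate/TokenUpdate/CheckOut messages (where the deviceToken and pushMagic from the first answer arrive) and the ServerURL that the device "phones home" to with Idle/Acknowledged reports, as the second answer describes. The request router returns 405 for anything that is not a PUT, which is exactly the status the asker saw from a handler bound to GET/POST. Assumptions labelled in the code: the paths /checkin and /mdm, the placeholder topic EXPECTED_TOPIC (a real topic looks like com.apple.mgmt.External.<uuid>), and the constructed sample plists.

```python
"""Minimal model of the two MDM endpoints an iOS device talks to.

Added educational example; this is NOT the asker's .NET service and not
Apple's code. Assumptions: CheckInURL path is /checkin, ServerURL path is
/mdm, EXPECTED_TOPIC is a placeholder for the push certificate topic."""
import plistlib
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder topic; a real one looks like com.apple.mgmt.External.<uuid>.
EXPECTED_TOPIC = "com.apple.mgmt.External.PLACEHOLDER"

# Constructed sample of the TokenUpdate message a device PUTs to CheckInURL
# after enrolment (the deviceToken / pushMagic the first answer refers to).
SAMPLE_UDID = "00000000-0000-0000-0000-000000000000"
SAMPLE_TOKEN_UPDATE = plistlib.dumps({
    "MessageType": "TokenUpdate",
    "Topic": EXPECTED_TOPIC,
    "UDID": SAMPLE_UDID,
    "Token": b"\x11" * 32,
    "PushMagic": "11111111-2222-3333-4444-555555555555",
})
# Constructed sample of an Idle report the device PUTs to ServerURL.
SAMPLE_IDLE = plistlib.dumps({"Status": "Idle", "UDID": SAMPLE_UDID})


def parse_plist(body):
    """Return the decoded plist dict, or None if the body is not a plist dict."""
    try:
        msg = plistlib.loads(body)
    except Exception:
        return None
    return msg if isinstance(msg, dict) else None


def handle_checkin(body, expected_topic=EXPECTED_TOPIC):
    """CheckInURL: Authenticate / TokenUpdate / CheckOut.

    Returns (http_status, record); the record is what a server should persist."""
    msg = parse_plist(body)
    if msg is None:
        return 400, None
    if msg.get("Topic") != expected_topic:
        # Reject devices enrolled against a different push certificate.
        return 401, None
    kind = msg.get("MessageType")
    if kind == "Authenticate":
        return 200, {"udid": msg.get("UDID"), "state": "authenticated"}
    if kind == "TokenUpdate":
        token, magic = msg.get("Token"), msg.get("PushMagic")
        if not token or not magic:
            return 400, None
        return 200, {"udid": msg.get("UDID"), "token": token.hex(),
                     "push_magic": magic, "state": "tokened"}
    if kind == "CheckOut":
        return 200, {"udid": msg.get("UDID"), "state": "checked_out"}
    return 400, None


def handle_server_url(body):
    """ServerURL: device reports Idle/Acknowledged/Error; reply with next command.

    Returns (http_status, response_plist_bytes); an empty 200 body ends the session."""
    msg = parse_plist(body)
    if msg is None or "UDID" not in msg:
        return 400, b""
    if msg.get("Status") == "Idle":
        command = {"CommandUUID": str(uuid.uuid4()),
                   "Command": {"RequestType": "DeviceInformation",
                               "Queries": ["UDID", "DeviceName", "OSVersion"]}}
        return 200, plistlib.dumps(command)
    return 200, b""  # Acknowledged / Error / NotNow: nothing more queued


def route(method, path, body, expected_topic=EXPECTED_TOPIC):
    """Method gate that explains the asker's 405: both MDM endpoints take PUT only."""
    if path not in ("/checkin", "/mdm"):
        return 404, None
    if method != "PUT":
        return 405, None
    if path == "/checkin":
        return handle_checkin(body, expected_topic)
    return handle_server_url(body)


class MDMHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the functions above can sit behind a TLS front end."""
    def _serve(self):
        length = int(self.headers.get("Content-Length", 0))
        status, payload = route(self.command, self.path, self.rfile.read(length))
        self.send_response(status)
        self.end_headers()
        if isinstance(payload, bytes):
            self.wfile.write(payload)
    do_PUT = do_POST = do_GET = _serve


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), MDMHandler).serve_forever()
```

The plain-HTTP listener is only for local inspection of the parsing and routing; a device will only talk to the Server URL over HTTPS with a certificate it trusts, so in practice this handler would sit behind a TLS terminator such as the IIS site from the question. Checking the Topic against the push certificate's topic is the cheap defensive check the answers leave implicit: a device enrolled against another MDM's certificate should be refused rather than silently stored.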