The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, macOS devices running macOS v10.7 and later, and Apple TV devices running iOS 7 (Apple TV software 6.0) and later. MDM allows for OS level control of multiple devices from a centralized location. A remote administrator can install/remove apps, install/revoke certificates, lock the device, change password requirements, etc. You can read more about Mobile Device Management here.


Warning - If you are planning to implement MDM protocol for your production application which you want to distribute via AppStore then I'm sorry to tell you, you can't do this. Because since November 2018, using MDM/VPN for ad blocking or screen-time monitoring is not considered compliant with the App Store Review Guidelines. Read more about this here.

Update (28 Apr 2019) - Apple release press update about the Parental Control Apps.

Update (09 July 2019) - Apple restores banned from apps which are using MDM to the App Store.


1. Create MDM Vendor CSR

  • Open Keychain Access.
  • Go to the menu bar: Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority.
  • Use the same email as the developer account that will be used. Enter in a common name as well.
  • Select Saved to disk.

    Note - Save all file in same directory (let's say MDM).

2. Upload CSR to Apple

  • Go to Apple's Certificates, Identifiers & Profiles page.
  • Select MDM CSR under Production. If this option is disabled, you will need to contact apple to enable it. You can either email apple at devprograms@apple.com or go through the online contact menu. In your message, indicate that you are looking to create an MDM Vendor Certificate and need the MDM CSR option enabled on the certificate creation page. Apple should respond within one business day according to their contact page.
  • When you have the MDM CSR option available, select it and hit continue. Hit continue again through Apple's description of how to create a CSR file (we already have one).
  • Upload the .certSigningRequest file we created in step 1 and then hit generate.
  • A .cer file should be downloaded. Name it something like mdmvendor.cer.
  • You can also download .cer file later from Certificates section.

3. Export MDM private key

  • Open your mdmvendor.cer file in Keychain Access.
  • Select Certificates from the left side.
  • You should find your certificate listed as MDM Vendor: Common Name.
  • There should be an arrow on that line that opens up show the MDM private key.
  • Right-click the private key, select Export..., and save as private.p12
  • Remember where you save this file, we will use it in step 5.

4. Create Push Certificate CSR

  • In Keychain Access, again select from the menu bar: Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority.
  • Enter your email (can be a different email) and a common name.
  • Select Saved to disk and name it push.csr. (Same as Step 1)

5. Extract MDM private key and MDM Vendor Certificate

Open terminal and change the directory to the MDM directory, which you created in Step 1. Also, make sure at this stage MDM directory must contains following 4 files -

  • Extract private key using the following command:
    If you've added any password in private.p12 file during export in step 3 you need to enter same import password in this command. Also you need to enter PEM pass phrase. This pass phrase will be requires in next command.

    openssl pkcs12 -in private.p12 -nocerts -out key.pem
    
  • Strip the password from the private key using the following command:
    This command ask you to enter pass phrase for key.pem, here you need to enter same pass phrase which you entered in last command.

    openssl rsa -in key.pem -out private.key
    
  • Extract certificate using the following command:
    Again, if you've added any password in private.p12 file during export in step 3 you need to enter same import password in this command.

    openssl pkcs12 -in private.p12 -clcerts -nokeys -out cert.pem
    
  • Convert certificate to DES using the following command:

    openssl x509 -in cert.pem -inform PEM -out mdm.cer -outform DES
    
  • In this step you've created 4 files key.pem, private.key, cert.pem and mdm.cer. These files will be used in the next step. After this step you MDM directory will look like this -

6. Use the mdmvendorsign tool to create applepush.csr

  • We're going to use the python code located in /vendor/ of the repository. So, you need to clone this repository. To clone, run this command

    git clone https://github.com/vineetchoudhary/Apple-iOS-MDM-Server.git
    
  • Now, copy private.key, push.csr, and mdm.cer into Apple-iOS-MDM-Server/vendor/. You can run these command to copy -

    cp push.csr ./Apple-iOS-MDM-Server/vendor/
    cp private.key ./Apple-iOS-MDM-Server/vendor
    cp mdm.cer ./Apple-iOS-MDM-Server/vendor/
    # Change directory
    cd Apple-iOS-MDM-Server/vendor/
    
  • Run the following command while in that directory:

    python mdm_vendor_sign.py --key private.key --csr push.csr --mdm mdm.cer --out applepush.csr
    

    This should generate applepush.csr.

7. Get Push Certificate from Apple

  • Go to Apple's Push Certificates Portal and click the Create a Certificate button.
  • Upload applepush.csr to create a new entry in the table.
  • Download the resulting push certificate.
  • Open the push certificate in Keychain Access.

8. Prepare Push Certificate

  • Find the push certificate in Keychain Access. It should look like APSP:hexstuffhere.
  • Right-click the certificate and select Get Info.
  • Copy down the User ID which should look like com.apple.mgmt.External.hexstuffhere.... We will use it later
  • Right-click the certificate and select Export... and save it as mdm.p12
  • Run the following command to convert it to a pem file. Again, if you've added any password in mdm.p12 file during export you need to enter same import password in this command.
    openssl pkcs12 -in mdm.p12 -out PushCert.pem -nodes
    
  • Copy the resulting PushCert.pem file to /server/. You can use this command to copy -
    cp PushCert.pem ./Apple-iOS-MDM-Server/scripts/
    

9. Generate additional certs

  • Go to the scripts directory and rename the different part of your domain SSL certificate as following -
    • Rename your Certificate Authority (CA) certificate to cacert.crt, identity.crt and server.crt (Same file with three different names). Your CA cetificate content looks like this -
      -----BEGIN CERTIFICATE-----
      MIIFPDCCBCSgAwIBAgIJALJxXxDRdGWNMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
      VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
      MBgGA1UEChMRR29EYWRkeS5jb20sIE.................................
      .............................pyoNqhOasNUfoAbPgmXt+zXiy9AZWOds6Dc
      PtRTSsEEfATviu+nd7jrjS6AW/g4UKBorujxHYtGoqVfNx6aCqHMS+gmH0JbSnX9
      -----END CERTIFICATE-----
      
    • Rename your server Certificate Signing Request (CSR) file to identity.csr. The content of CSR file looks like this -
      -----BEGIN CERTIFICATE REQUEST-----
      MIIDAzCCAesCAQAwgaIxCzAJBgNVBAYTAkFVMRgwFgYDVQQIDA9Tb3V0aCBBdXN0
      cmFsaWExETAPBgNVBAcMC...........................................
      ...........................mqeUCKtYnoCE/zkUUPErkHq4dWo3f+JGPC4Dt
      Onj3dUOtkKJifHw0iknYl+fIMnoYfRsVKQ9d3GVKGqb/A4s4qFzbQWbU1rNq9Sx9
      mZgrKORxjA==
      -----END CERTIFICATE REQUEST-----
      
    • Rename your server SSL certificate private key to cakey.key, server.key and identity.key (Same file with three different names). The content of CSR file looks like this -
      -----BEGIN PRIVATE KEY-----
      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD2Xh1z9I4rWZ9J
      t5EyoJtH2ImS7UQo5bABItKkYFjP50towTD4+k2PfgPZCRJ3kDSlOVSLHzfD57qB
      kCv/UG29nbbIkFH6aqjhfaj.........................................
      .................................j8yc3sduzKMd+KoZGGLzEhB/JEFTrHn
      jWwvMQENHRawj/Jocsc0PUA=
      -----END PRIVATE KEY-----
      
  • Now, run make_certs.sh. You need to create an export password. You'll need to include it in the MDM profile.
  • This will generate a number of necessary certificates to move forward.
  • All certificates will be automatically moved to their proper location in /server. We'll use identity.p12 in step 10 to create an Enroll.mobileconfig file.

10. Create Enroll.mobileconfig

  • Open the Apple Configurator 2, click File option in menu bar, and then click the New Profile.
  • In the General category, pick a name to identify the cert. For Identifier, use the com.apple.mgmt.External.hexstuffhere that you copied down in step 8.
  • In the Certificates category, click configure and find your scripts/identity.p12 file generated in step 9. For password, we either use the PEM password or the export password. Also, add the server.crt, Apple Root CA, Apple Worldwide Developer Relations CA - G2 and Apple Worldwide Developer Relations Certification Authority certificates. You can download these certificates from Apple website. So, here you need to add total 5 certificates.
  • Now, save this mobile configuration as Enroll.mobileconfig.

11. Config Mobile Device Management

  • For Mobile Device Management, Open Enroll.mobileconfig file in any text editor. Your Enroll.mobileconfig file looks like this -

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>ConsentText</key>
        <dict>
            <key>default</key>
            <string>Install "Developer Insider" to enable you device monitoring.</string>
        </dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>server.crt</string>
                <key>PayloadContent</key>
                <data>
                LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZQRENDQkNT
                Z0F3SUJBZ0lKQUxKeFh4R...............................
                .....................ElNNUN1ZgpSZVlObnlpY3Nia3FXbGV0
                TncrdkhYL2J2Wjg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
                </data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#1-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>*.example.com</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs1.4AA9D1AB-XXXX-XXXX-XXX-1E9280222697</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs1</string>
                <key>PayloadUUID</key>
                <string>4AA9D1AB-XXXX-XXXX-XXXX-1E9280222697</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>AppleIncRootCertificate.cer</string>
                <key>PayloadContent</key>
                <data>
                MIIEuzCCA6OgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBiMQswCQYD
                VQQGEwJVUzETMBEGA1U.................................
                ................xw8dtk2cXmPIS4AXUKqK1drk/NAJBzewdXUh
                </data>
                <key>PayloadDescription</key>
                <string>Adds a CA root certificate</string>
                <key>PayloadDisplayName</key>
                <string>Apple Root CA</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.root.57B909F1-XXXX-XXXX-XXXX-B066B59CA281</string>
                <key>PayloadType</key>
                <string>com.apple.security.root</string>
                <key>PayloadUUID</key>
                <string>57B909F1-XXXX-XXXX-XXXX-B066B59CA281</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>AppleWWDRCAG2.cer</string>
                <key>PayloadContent</key>
                <data>
                MIIC9zCCAnygAwIBAgIIb+/Y9emjp+4wCgYIKoZIzj0EAwIwZzEb
                MBkGA1UEAwwSQXBwbGUgUm9v............................
                ....................FUOixRLal1BzfF7QbrJcYlDXUfE6Wg==
                </data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#1-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>Apple Worldwide Developer Relations CA - G2</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs1.685F84A4-XXXX-XXXX-XXXX-4EBD1021F707</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs1</string>
                <key>PayloadUUID</key>
                <string>685F84A4-XXXX-XXXX-XXXX-4EBD1021F707</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>AppleWWDRCA.cer</string>
                <key>PayloadContent</key>
                <data>
                MIIEIjCCAwqgAwIBAgIIAd68xDltoBAwDQYJKoZIhvcNAQEFBQAw
                YjELMAkGA1UEBhMCVVMxEzA.............................
                ................05Cdqa3zr/04GpZnMBxRpVzscYqCtGwPDBUf
                </data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#1-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>Apple Worldwide Developer Relations Certification Authority</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs1.1BD58990-XXXX-XXXX-XXXX-7D09252A9190</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs1</string>
                <key>PayloadUUID</key>
                <string>1BD58990-XXXX-XXXX-XXXX-7D09252A9190</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>Password</key>
                <string>test@123</string>
                <key>PayloadCertificateFileName</key>
                <string>identity.p12</string>
                <key>PayloadContent</key>
                <data>
                MIIeyQIBAzCCHo8GCSqGSIb3DQEHAaCCHoAEgh58MIIeeDCCGS8G
                CSqGSIb3DQEHBqCCGSAwghk.............................
                ....................DAyJB5BmDPMECJpm+FuDUe5tAgIIAA==
                </data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#12-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>identity.p12</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs12.38236F74-XXXX-XXXX-XXXX-5C4923A303FA</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs12</string>
                <key>PayloadUUID</key>
                <string>38236F74-XXXX-XXXX-XXXX-5C4923A303FA</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>"Developer Insider Device Certificate" enable Developer Insider server to control your device.</string>
        <key>PayloadDisplayName</key>
        <string>Developer Insider Device Certificate</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.mgmt.External.63cccfb4-XXXX-XXXX-XXXX-82bcc05a2535</string>
        <key>PayloadOrganization</key>
        <string>Developer Insider</string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>0CF6836A-XXXX-XXXX-XXXX-12B61C878FB4</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>
    
  • Now we need to add following MDM options dictionary into PayloadContent array of Enroll.mobileconfig.

    <dict>
        <key>AccessRights</key>
        <integer>4096</integer>
        <key>CheckInURL</key>
        <string>https://YOUR_HOSTNAME_OR_IP:8080/checkin</string>
        <key>CheckOutWhenRemoved</key>
        <true/>
        <key>IdentityCertificateUUID</key>
        <string>38236F74-XXXX-XXXX-XXXX-5C4923A303FA</string>
        <key>PayloadDescription</key>
        <string>Configures MobileDeviceManagement.</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.mdm.34995C2E-XXXX-XXXX-XXXX-D6DB637A1D6E</string>
        <key>PayloadOrganization</key>
        <string>Developer Insider</string>
        <key>PayloadType</key>
        <string>com.apple.mdm</string>
        <key>PayloadUUID</key>
        <string>34995C2E-XXXX-XXXX-XXXX-D6DB637A1D6E</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>ServerURL</key>
        <string>https://YOUR_HOSTNAME_OR_IP:8080/server</string>
        <key>SignMessage</key>
        <true/>
        <key>Topic</key>
        <string>com.apple.mgmt.External.63cccfb4-XXXX-XXXX-XXXX-82bcc05a2535</string>
        <key>UseDevelopmentAPNS</key>
        <false/>
    </dict>
    
  • Structure of MDM Payloads
    The Mobile Device Management (MDM) payload, a simple property list, is designated by the com.apple.mdm value in the PayloadType field. This payload defines the following keys specific to MDM payloads:

    Key Type Description
    IdentityCertificateUUID String

    Mandatory. UUID of the certificate payload for the device’s identity. It may also point to a SCEP payload. You need to use the `PayloadUUID` of the `identity.p12` in this field.

    IdentityCertificateUUID String

    Mandatory. Here you need to generate a UUID. You can use `uuidgen` to generate an UUID and then copy paste that UUID in this field. UUID looks like this 34995C2E-XXXX-XXXX-XXXX-D6DB637A1D6E

    PayloadIdentifier String Here you need to append the UUID in after `com.apple.mdm.` which we generated in last step. Your payload identifier looks like this com.apple.mdm.34995C2E-XXXX-XXXX-XXXX-D6DB637A1D6E
    Topic String

    Mandatory. The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the com.apple.mgmt.External.hexstuffhere... prefix.

    ServerURL String

    Mandatory. The URL that the device contacts to retrieve device management instructions. Must begin with the https:// URL scheme, and may contain a port number (https://YOUR_HOSTNAME_OR_IP:PORT/server, for example).

    CheckInURL String

    Optional. The URL that the device should use to check in during installation. Must begin with the https:// URL scheme and may contain a port number (https://YOUR_HOSTNAME_OR_IP:8080/checkin, for example). If this URL is not given, the ServerURL is used for both purposes.

    CheckOutWhenRemoved Boolean

    Optional. If true, the device attempts to send a CheckOut message to the check-in server when the profile is removed. Defaults to false.

    AccessRights Integer, flags

    Required. Logical OR of the following bit-flags:

    • 1: Allow inspection of installed configuration profiles.
    • 2: Allow installation and removal of configuration profiles.
    • 4: Allow device lock and passcode removal.
    • 8: Allow device erase.
    • 16: Allow query of Device Information (device capacity, serial number).
    • 32: Allow query of Network Information (phone/SIM numbers, MAC addresses).
    • 64: Allow inspection of installed provisioning profiles.
    • 128: Allow installation and removal of provisioning profiles.
    • 256: Allow inspection of installed applications.
    • 512: Allow restriction-related queries.
    • 1024: Allow security-related queries.
    • 2048: Allow manipulation of settings.
    • 4096: Allow app management.

    May not be zero. If 2 is specified, 1 must also be specified. If 128 is specified, 64 must also be specified.

    UseDevelopmentAPNS Boolean

    Optional. If true, the device uses the development APNS servers. Otherwise, the device uses the production servers. Defaults to false. Note that this property must be set to false if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal. That portal only issues certificates for the production push environment.

  • Now save the file as Enroll.mobileconfig and move it to the /server directory.

  • Your final Enroll.movbileconfig will be looks like this -

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>ConsentText</key>
        <dict>
            <key>default</key>
            <string>Install "Developer Insider" to enable you device monitoring.</string>
        </dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>server.crt</string>
                <key>PayloadContent</key>
                <data>
                LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZQRENDQkNT
                Z0F3SUJBZ0lKQUxKeFh4R...............................
                .....................ElNNUN1ZgpSZVlObnlpY3Nia3FXbGV0
                TncrdkhYL2J2Wjg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
                </data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#1-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>*.example.com</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs1.4AA9D1AB-XXXX-XXXX-XXX-1E9280222697</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs1</string>
                <key>PayloadUUID</key>
                <string>4AA9D1AB-XXXX-XXXX-XXXX-1E9280222697</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>AppleIncRootCertificate.cer</string>
                <key>PayloadContent</key>
                <data>
                MIIEuzCCA6OgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBiMQswCQYD
                VQQGEwJVUzETMBEGA1U.................................
                ................xw8dtk2cXmPIS4AXUKqK1drk/NAJBzewdXUh
                </data>
                <key>PayloadDescription</key>
                <string>Adds a CA root certificate</string>
                <key>PayloadDisplayName</key>
                <string>Apple Root CA</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.root.57B909F1-XXXX-XXXX-XXXX-B066B59CA281</string>
                <key>PayloadType</key>
                <string>com.apple.security.root</string>
                <key>PayloadUUID</key>
                <string>57B909F1-XXXX-XXXX-XXXX-B066B59CA281</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>AppleWWDRCAG2.cer</string>
                <key>PayloadContent</key>
                <data>
                MIIC9zCCAnygAwIBAgIIb+/Y9emjp+4wCgYIKoZIzj0EAwIwZzEb
                MBkGA1UEAwwSQXBwbGUgUm9v............................
                ....................FUOixRLal1BzfF7QbrJcYlDXUfE6Wg==
                </data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#1-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>Apple Worldwide Developer Relations CA - G2</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs1.685F84A4-XXXX-XXXX-XXXX-4EBD1021F707</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs1</string>
                <key>PayloadUUID</key>
                <string>685F84A4-XXXX-XXXX-XXXX-4EBD1021F707</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>AppleWWDRCA.cer</string>
                <key>PayloadContent</key>
                <data>
                MIIEIjCCAwqgAwIBAgIIAd68xDltoBAwDQYJKoZIhvcNAQEFBQAw
                YjELMAkGA1UEBhMCVVMxEzA.............................
                ................05Cdqa3zr/04GpZnMBxRpVzscYqCtGwPDBUf
                </data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#1-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>Apple Worldwide Developer Relations Certification Authority</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs1.1BD58990-XXXX-XXXX-XXXX-7D09252A9190</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs1</string>
                <key>PayloadUUID</key>
                <string>1BD58990-XXXX-XXXX-XXXX-7D09252A9190</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>Password</key>
                <string>test@123</string>
                <key>PayloadCertificateFileName</key>
                <string>identity.p12</string>
                <key>PayloadContent</key>
                <data>
                MIIeyQIBAzCCHo8GCSqGSIb3DQEHAaCCHoAEgh58MIIeeDCCGS8G
                CSqGSIb3DQEHBqCCGSAwghk.............................
                ....................DAyJB5BmDPMECJpm+FuDUe5tAgIIAA==
                </data>
                <key>PayloadDescription</key>
                <string>Adds a PKCS#12-formatted certificate</string>
                <key>PayloadDisplayName</key>
                <string>identity.p12</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.security.pkcs12.38236F74-XXXX-XXXX-XXXX-5C4923A303FA</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs12</string>
                <key>PayloadUUID</key>
                <string>38236F74-XXXX-XXXX-XXXX-5C4923A303FA</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
                <key>AccessRights</key>
                <integer>4096</integer>
                <key>CheckInURL</key>
                <string>https://YOUR_HOSTNAME_OR_IP:8080/checkin/</string>
                <key>CheckOutWhenRemoved</key>
                <true/>
                <key>IdentityCertificateUUID</key>
                <string>38236F74-XXXX-XXXX-XXXX-5C4923A303FA</string>
                <key>PayloadDescription</key>
                <string>Configures MobileDeviceManagement.</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.mdm.34995C2E-XXXX-XXXX-XXXX-D6DB637A1D6E</string>
                <key>PayloadOrganization</key>
                <string>Developer Insider</string>
                <key>PayloadType</key>
                <string>com.apple.mdm</string>
                <key>PayloadUUID</key>
                <string>34995C2E-XXXX-XXXX-XXXX-D6DB637A1D6E</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>ServerURL</key>
                <string>https://YOUR_HOSTNAME_OR_IP:8080/server/</string>
                <key>SignMessage</key>
                <true/>
                <key>Topic</key>
                <string>com.apple.mgmt.External.63cccfb4-XXXX-XXXX-XXXX-82bcc05a2535</string>
                <key>UseDevelopmentAPNS</key>
                <false/>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>"Developer Insider Device Certificate" enable Developer Insider server to control your device.</string>
        <key>PayloadDisplayName</key>
        <string>Developer Insider Device Certificate</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.mgmt.External.63cccfb4-XXXX-XXXX-XXXX-82bcc05a2535</string>
        <key>PayloadOrganization</key>
        <string>Developer Insider</string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>0CF6836A-XXXX-XXXX-XXXX-12B61C878FB4</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>
    

12. Signing / Verify Enroll.mobileconfig Profile

If you try to use current Enroll.mobileconfig using Apple Configurator 2, you've probably noticed that it says ‘Unsigned’ when you send the .mobileconfig file to your device.

In order to sign Enroll.mobileconfi you need to save you server (domain SSL) certificate chain in the server directory with name serverchain.pem. server.crt and server.pem these two files you've already copy in step 9. Now run this command in server directory to generate Signed mobile config profile with name EnrollSigned.mobileconfig.

openssl smime -sign -signer server.crt -inkey server.pem -certfile serverchain.pem -nodetach -outform der -in Enroll.mobileconfig -out EnrollSigned.mobileconfig

13. Cleanup

  • Any additional files that are not in /server/ generated during this process are not necessary for running the server. Some of them may have/be private keys or other unique information, so it is probably a good idea to protect or destroy those files.
  • Most certs will be located in the /scripts/ folder. There may be some certificates are part of your domain SSL certificate, so a good idea is save them elsewhere.
  • Please secure these files and prevent others from being able to access them.

References