
Category Archives: Useful links

Personal useful links to help in daily life.

Apple iOS MDM (Mobile Device Management) Protocols

Introduction

The use of iOS devices, such as the iPhone, iPad or iPod, can present a serious risk to an organization. These devices are powerful computers with high storage capacity and can potentially exfiltrate data beyond corporate control and release it, deliberately or accidentally, to unauthorized third parties. Many protections available for iOS focus on the device itself, such as the use of passcodes to prevent a third party from accessing the data on the device. However, managing such “iStuff” presents a serious challenge to the large enterprise, and has historically been a complicated and cumbersome process. The easiest way to configure a device is through the iOS Settings application. Of course, this requires direct physical access to the device, which becomes increasingly impractical as the installed base of iOS devices grows.

To ease this, Apple created the iPhone Configuration Utility (IPCU), which directly installs custom .mobileconfig files over USB. An extension to this capability allows Over the Air (OTA) configuration — letting the end user click on a link to fetch and install new profiles. But even the OTA configuration method has its drawbacks, not least the requirement of end-user interaction. Then, in 2010, Apple introduced Mobile Device Management (MDM) services for iOS, a solution to the problem of iOS MDM, targeted at the enterprise. This system features remote installation of profiles, querying of device settings, and certain remote controls: lock, unlock, and remote wipe of a device. Unfortunately, documentation of the underlying protocol has never been freely available.

Obviously, third parties selling MDM servers were provided access to the documentation by Apple, but it’s not been available for researchers or smaller development shops. This hampers risk analysis for enterprises making use of MDM. In order to aid such risk assessments, and to enable and encourage future research, this project was born. The goal is not to create a simple, turn-key, stand-alone MDM server, nor to probe the protocol for weaknesses or hidden features, but simply to document as much of the protocol as possible. It is hoped that future researchers may build upon this documentation to better understand the security of MDM, and in particular, of various implementations of MDM servers and clients.

User Configuration

Basic user configuration changes are made in the Settings application. Many of these settings are stored as Property List (.plist) files on the device, in /var/mobile/Library/ConfigurationProfiles, along with profiles installed by IPCU or MDM. For example, the file UserSettings.plist may contain the following:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>assignedObject</key>
        <dict/>
        <key>restrictedBool</key>
        <dict>
            <key>allowAccountModification</key>
            <dict>
                <key>value</key>
                <true/>
            </dict>
            <key>allowAddingGameCenterFriends</key>
            <dict>
                <key>value</key>
                <true/>
            </dict>
            <key>allowAppInstallation</key>
            <dict>
                <key>value</key>
                <true/>
            </dict>
            <key>allowAppRemoval</key>
            <dict>
                <key>value</key>
                <true/>
            </dict>
            <!-- further restriction keys omitted -->
        </dict>
    </dict>
    </plist>

In this case, we can see (for example) that installing applications is permitted by the local user. If the user were to enter Settings, and navigate to General -> Restrictions to turn off the App Store, the value for “allowAppInstallation” would change to “false”. These configuration files are not normally visible to the end user, but can be accessed on a jailbroken device. Understanding how they are formatted and interpreted by the operating system helps in decoding how MDM works as a whole.
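As an added example (not code from the original post or from Apple), the following script parses a UserSettings.plist-style file with Python's standard plistlib, reports which restrictions under restrictedBool are actually enforced, and diffs two snapshots of the file so a change such as the App Store being switched off shows up. The sample plist is constructed to mirror the excerpt above, with allowAppInstallation set to false; the function names are this example's own.

```python
"""Audit the restrictedBool section of an iOS UserSettings.plist.

Added example, not part of the original post. The sample plists below are
constructed to mirror the excerpt in the text.
"""
import plistlib

# Constructed sample: the excerpt's structure with every restriction allowed.
BEFORE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>assignedObject</key>
  <dict/>
  <key>restrictedBool</key>
  <dict>
    <key>allowAccountModification</key>
    <dict><key>value</key><true/></dict>
    <key>allowAppInstallation</key>
    <dict><key>value</key><true/></dict>
    <key>allowAppRemoval</key>
    <dict><key>value</key><true/></dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: same file after the user turns off the App Store
# under General -> Restrictions (allowAppInstallation flips to false).
AFTER_PLIST = BEFORE_PLIST.replace(
    b"<key>allowAppInstallation</key>\n    <dict><key>value</key><true/></dict>",
    b"<key>allowAppInstallation</key>\n    <dict><key>value</key><false/></dict>",
)


def parse_restrictions(data: bytes) -> dict:
    """Return {restriction_name: bool} from the restrictedBool dictionary.

    Entries that do not follow the {"value": <bool>} shape are skipped rather
    than guessed at, so a malformed or unexpected key cannot be misread as
    a restriction being enforced.
    """
    root = plistlib.loads(data)
    restricted = root.get("restrictedBool", {})
    result = {}
    for name, entry in restricted.items():
        if isinstance(entry, dict) and isinstance(entry.get("value"), bool):
            result[name] = entry["value"]
    return result


def enforced_restrictions(restrictions: dict) -> list:
    """Names of allow* keys whose value is false, i.e. capabilities the
    device currently blocks."""
    return sorted(name for name, allowed in restrictions.items()
                  if name.startswith("allow") and allowed is False)


def diff_restrictions(before: bytes, after: bytes) -> dict:
    """Return {name: (old, new)} for every restriction whose value changed
    between two snapshots of the file (missing keys are reported as None)."""
    old = parse_restrictions(before)
    new = parse_restrictions(after)
    changed = {}
    for name in sorted(set(old) | set(new)):
        if old.get(name) != new.get(name):
            changed[name] = (old.get(name), new.get(name))
    return changed


if __name__ == "__main__":
    current = parse_restrictions(AFTER_PLIST)
    for name, allowed in sorted(current.items()):
        print(f"{name}: {'allowed' if allowed else 'RESTRICTED'}")
    print("enforced:", enforced_restrictions(current))
    print("changed since previous snapshot:",
          diff_restrictions(BEFORE_PLIST, AFTER_PLIST))
```

Pointing parse_restrictions at a real UserSettings.plist pulled from a jailbroken test device gives the same report; the diff function is the piece worth keeping, since comparing a baseline against the current file is how a change made locally in Settings (rather than pushed by MDM) becomes visible.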


Posted on February 28, 2014 in iPhone, Useful links
