The iOS device itself maintains a persistent connection to one of the APNS courier servers at courier.push.apple.com, which is the centralized
communications channel used for all push notifications on iOS. This connection is established using client-certificate authenticated TLS to TCP
port 5223 and uses the XMPP protocol. iPhones and iPads with a cellular data connection make this connection over the cellular network, whereas
other mobile iOS devices are able to make this connection only when they are on a Wi-Fi network. The XMPP protocol was designed for the
Jabber instant messaging system; however, it is flexible enough to be used for any system needing presence notification and a publish/subscribe
model for message distribution. The iOS device simply informs Apple's APNS servers which topics to subscribe to, and those servers will route
messages published to those topics to the device. In the case of MDM, a managed client device is configured to subscribe to a unique topic
corresponding to the MDM server that is managing the device.
The MDM server acts as a push notification provider, similar to the way third-party application developers implement push notifications for their
iOS applications. In this role, the server connects to Apple's APNS gateway servers at gateway.push.apple.com. This connection is also over
client-certificate authenticated TLS, but this time it is to TCP port 2195. Push notifications are formatted as JSON dictionaries and are sent to
Apple's APNS servers through a custom binary network protocol. The push notification provider also makes a similar connection to Apple's APNS
servers on TCP port 2196 for the feedback service. Apple does not guarantee that these services will remain on a defined IP subnet, so it
recommends that firewall administrators permit outbound access to Apple's entire assigned IP space of 17.0.0.0/8. For more specifics on these
communications, see Apple's Local and Push Notification Programming Guide in the iOS Developer Library.
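As an added illustration (not code from the chapter or from Apple), the following Python encodes and decodes the "simple" command-0 frame of the legacy APNS binary protocol described above: a one-byte command, a length-prefixed 32-byte device token, and a length-prefixed JSON payload. The 256-byte payload limit, the sample token and the `mdm` key are assumptions/constructed values; the chapter only states that the payload is a JSON dictionary, and Apple has since retired this binary gateway in favour of its HTTP/2 API.

```python
import json
import struct

APNS_GATEWAY = ("gateway.push.apple.com", 2195)  # legacy binary gateway named in the text
MAX_LEGACY_PAYLOAD = 256  # assumed payload cap of the original binary protocol


def build_simple_notification(device_token: bytes, payload: dict) -> bytes:
    """Encode one command-0 frame:
    command(1) | token length(2, big-endian) | token | payload length(2, big-endian) | JSON."""
    if len(device_token) != 32:
        raise ValueError("APNS device tokens are 32 bytes")
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_LEGACY_PAYLOAD:
        raise ValueError(f"payload of {len(body)} bytes exceeds {MAX_LEGACY_PAYLOAD}")
    return (struct.pack("!BH", 0, len(device_token)) + device_token
            + struct.pack("!H", len(body)) + body)


def parse_simple_notification(frame: bytes):
    """Decode a command-0 frame into (token, payload_dict).
    Every length field is checked against the real frame size so a truncated or
    over-long frame (what a monitoring sensor might see on port 2195) is rejected."""
    if len(frame) < 3 or frame[0] != 0:
        raise ValueError("not a command-0 frame")
    (tok_len,) = struct.unpack("!H", frame[1:3])
    token = frame[3:3 + tok_len]
    off = 3 + tok_len
    if len(token) != tok_len or len(frame) < off + 2:
        raise ValueError("truncated token or payload-length field")
    (pay_len,) = struct.unpack("!H", frame[off:off + 2])
    body = frame[off + 2:off + 2 + pay_len]
    if len(body) != pay_len or len(frame) != off + 2 + pay_len:
        raise ValueError("payload length does not match frame size")
    return token, json.loads(body.decode("utf-8"))


# Constructed sample input: a fake 32-byte token and an MDM-style wake-up payload.
# The "mdm" key carrying a per-device magic value is an assumption, not from the chapter.
SAMPLE_TOKEN = bytes(range(32))
SAMPLE_PAYLOAD = {"mdm": "00000000-0000-0000-0000-000000000000"}

if __name__ == "__main__":
    frame = build_simple_notification(SAMPLE_TOKEN, SAMPLE_PAYLOAD)
    print(len(frame), frame.hex())           # 83 bytes for this sample
    print(parse_simple_notification(frame))  # round-trips to the token and dict
```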
Finally, the MDM server serves the MDM API over HTTPS. When an iOS device receives an MDM push notification, it contacts the MDM server
at the URL configured when the device was enrolled for management and queries the MDM server directly for the pending command. The device's
response to that command is sent over HTTPS back to the MDM server. The MDM server may optionally provide a Simple Certificate Enrollment
Protocol (SCEP) server on TCP port 1640, which is also built on top of HTTP. The protocol-level details of the MDM API are beyond the scope of
this chapter. For more information on these, see David Schuetz's presentation “Inside Apple's MDM Black Box,” presented at BlackHat USA 2011
(https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf).
Lion Server Profile Manager
Lion Server's Profile Manager is a Ruby-on-Rails web application that acts as an MDM API server and administration console. The initial setup and
configuration is performed through the Server app, but after the initial setup, most administration tasks are performed through a web browser to the
Profile Manager web application.
Profile Manager can apply settings on a user, user group, device, or device group basis. If the devices' owners have accounts in Open Directory (OD),
they can log in to the Profile Manager web application directly to enroll and manage their devices. If the devices are shared or the users do not have
accounts in OD, a Lion Server administrator will have to enroll the devices for them. Profile Manager supports a special type of profile, called an
Enrollment Profile, to assist in enrolling devices for remote management without requiring the user to log in to the Profile Manager web application.
This chapter assumes that device owners also have accounts in Open Directory on the Lion Server. For more information on using Enrollment
Profiles, consult the eBook “Managing iOS Devices with OS X Lion Server” by Arek Dreyer from Peachpit Press.
Setting Up Profile Manager
To set up Profile Manager, launch the Server application and click Profile Manager in the sidebar. This brings up the basic Settings pane for Profile
Manager, as shown in Figure 2.13. Before you can start the service, you have to perform some basic configuration. To get this started, click the
Configure button.
Figure 2.13 Profile Manager service configuration in the Server application