project-imas / mdm-server

Sample iOS MDM server

OS X client support note #31

Open bruienne opened 9 years ago

bruienne commented 9 years ago

I know this project is meant for iOS management, but I wanted to note that I was able to join Yosemite clients with a small modification to the code. Instead of UnlockToken, OS X Yosemite clients send a Token key. Testing for either one allowed the Yosemite client to join.

    # iOS clients send UnlockToken; OS X (Yosemite) clients send Token instead
    if pl.get('UnlockToken'):
        my_UnlockToken = pl['UnlockToken'].data
    else:
        my_UnlockToken = pl['Token'].data

After the client is enrolled it will respond to a majority of the built-in commands. I'm experimenting with some OS X-specific ones as well, as found in /usr/libexec/mdmclient.

If there's interest I could submit a PR after I do some more testing of OS X-specific commands.

MaximilianoRios commented 9 years ago

That's really good. Nice to know it!

alloylab commented 9 years ago

@bruienne This is great! Definitely will be trying this out. Side note... since we are discussing the token... have you seen this https://github.com/project-imas/mdm-server/issues/29 come up in the error log when trying to enroll a new device?

bruienne commented 9 years ago

@alloylab I didn't see that particular one with OS X clients, but then I manually hit the /enroll and /ca endpoints and installed the CA cert and mobileconfig on the client - the UI will need some tweaking to also show it for OS X. The one thing I noticed is that certain supported operations will crash the server the first time I try them, then the second run will be fine. I'm trying to figure out if this is reproducible in a reliable way. I did run into a few plistlib parsing errors when I was using a profile that contained some binary data alongside XML, but that's to be expected.

bruienne commented 9 years ago

Another note: in order to properly support per-user and per-device MDM profiles, the Enroll.mobileconfig should add the following key:

    <key>ServerCapabilities</key>
    <array>
        <string>com.apple.mdm.per-user-connections</string>
    </array>

This will signal the OS X mdmclient that the server is capable of OS X management and will automatically make the enrollment happen per-device, instead of per-user.
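The two changes discussed in this thread (accepting either UnlockToken or Token in the TokenUpdate check-in, and adding ServerCapabilities to the enrollment profile's MDM payload) as one added Python 3 example; this is not code from the mdm-server project, the sample check-in plist is constructed, and the function names are hypothetical:

```python
import plistlib

# Constructed sample: a TokenUpdate check-in as an OS X client might send it,
# carrying a Token but no UnlockToken (the case reported in this issue).
SAMPLE_TOKENUPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>MessageType</key><string>TokenUpdate</string>
  <key>UDID</key><string>00000000-CONSTRUCTED-UDID</string>
  <key>Token</key><data>AQIDBA==</data>
  <key>PushMagic</key><string>CONSTRUCTED-PUSH-MAGIC</string>
</dict></plist>"""

PER_USER_CAP = 'com.apple.mdm.per-user-connections'


def checkin_unlock_token(raw):
    """Return the token bytes from a TokenUpdate check-in, accepting the
    iOS UnlockToken key or, as described above for Yosemite, Token.
    Rejects anything that is not a TokenUpdate or carries no usable token,
    so a malformed check-in fails loudly instead of crashing the handler."""
    pl = plistlib.loads(raw)
    if pl.get('MessageType') != 'TokenUpdate':
        raise ValueError('not a TokenUpdate message')
    token = pl.get('UnlockToken') or pl.get('Token')
    if not isinstance(token, bytes) or not token:
        raise ValueError('TokenUpdate carries neither UnlockToken nor Token')
    return token


def add_per_user_capability(profile):
    """Add ServerCapabilities/com.apple.mdm.per-user-connections to every
    com.apple.mdm payload of a parsed enrollment profile (a plist dict).
    Idempotent: an existing entry is not duplicated."""
    for payload in profile.get('PayloadContent', []):
        if payload.get('PayloadType') == 'com.apple.mdm':
            caps = payload.setdefault('ServerCapabilities', [])
            if PER_USER_CAP not in caps:
                caps.append(PER_USER_CAP)
    return profile


if __name__ == '__main__':
    print(checkin_unlock_token(SAMPLE_TOKENUPDATE).hex())
    prof = {'PayloadContent': [{'PayloadType': 'com.apple.mdm'}]}
    print(plistlib.dumps(add_per_user_capability(prof)).decode())
```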