Simplifying MDM Server Administration for iOS Devices
Create a service configuration entry point to your MDM server to access to frequently used information.
Overview
Add an unauthenticated HTTPS request entry point to your server to make it easier to access useful information about your MDM server. Create the entry point using the endpoint /MDMServiceConfig; for example, https://mdm.example.com/MDMServiceConfig. The server code should return a UTF-8 JSON-encoded hash (Content-Type: application/json; charset=UTF8) with the following values in the body of its response:
dep_anchor_certs_urlThe URL a device uses to obtain the certificates required to trust the URL specified by the
dep_enrollment_urlkey. This value has the same format as theanchor_certsvalue in the DEP profile, except the body needs to be UTF-8 JSON-encoded for transfer. The decoded body of the response from this URL should be usable in a Device Enrollment Program (DEP) profile under theanchor_certskey without any modification.
Provide this URL even if the MDM server doesn’t require additional certificates because it’s using a trusted SSL certificate. However, provide either an empty body (Content-Length: 0) or an empty array JSON string ('[]') .
dep_enrollment_urlThe URL a device uses to begin MDM enrollment with the MDM server. This is also the URL to use for the
urlkey when defining a DEP profile usinghttps://mdmenrollment.apple.com/profile.trust_profile_urlThe URL a device uses to obtain a Trust Profile for the MDM server, as a fully-formed
.mobileconfigprofile with only payloads of typecom.apple.security.root.
Omit this key if the MDM server doesn’t require a Trust Profile because it’s using a trusted SSL certificate. Don’t return a URL that would generate an empty profile.
Example of an MDMServiceConfig Request
// Format
GET https://mdm.example.com/MDMServiceConfig
// Response body
{ "dep_enrollment_url": "https://mdm.example.com/devicemanagement/mdm/dep_mdm_enroll",
"dep_anchor_certs_url": "https://mdm.example.com/devicemanagement/mdm/dep_anchor_certs",
"trust_profile_url": "https://certs.example.com/mdm/trust_profile"
}Example of the dep_anchor_certs_url Key
// Format
GET https://mdm.example.com/devicemanagement/mdm/dep_anchor_certs
// Response body (truncated)
["MIIEKDCCAxCgAwIBAgIEOjznoTALBgkqhkiG9w0BAQswfjEkMCIGA1UEAwwbU3ly \nYWggQ2VydGlmaWNhd...SVVTo9ll1Lv3OJGqBkxPl9TCC\nfYYnArwzlk4qm1tP\n"]Example of the trust_profile_url Key
// Format
GET https://certs.example.com/mdm/trust_profile
// Response body
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<data>
MIIEKDCCAxCgAwIBAgIEOjznoTALBgkqhkiG9w0BAQswfjEkMCIG
...
9TCCfYYnArwzlk4qm1tP
</data>
<key>PayloadDescription</key>
<string>Installs the Root certificate for Example Corp.</string>
<key>PayloadDisplayName</key>
<string>Root certificate for Example Corp</string>
<key>PayloadIdentifier</key>
<string>com.apple.ssl.certificate</string>
<key>PayloadOrganization</key>
<string>Example Corp</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadUUID</key>
<string>B90FA650-5A7D-496A-8C84-0D81C9EBCE6E</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Configures your device to trust the MDM server.</string>
<key>PayloadDisplayName</key>
<string>Trust Profile for Example Corp</string>
<key>PayloadIdentifier</key>
<string>com.apple.config.mdm.example.com.ssl</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>94cdf5c0-bde0-0131-1ed5-005056831d08</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>