Mobile Device Management (MDM) Flashcards
(24 cards)
What transformative update to the MDM protocol allows a device to react autonomously to its own state changes and apply management logic to itself without cues from the server?
Declarative Device Management (DDM)
Apple’s modern approach to device management, designed to improve efficiency, responsiveness, and automation in MDM (Mobile Device Management). DDM is a shift from the traditional MDM “command-and-control” model to a more autonomous, state-driven configuration system. Instead of waiting for the MDM server to push every change, devices are given rules, declarations, and logic that they can act on independently.
- Devices proactively report their state to the MDM server (e.g., whether a configuration is applied).
- Replaces the need for constant polling.
- Devices can evaluate conditions and apply logic (e.g., time-based or account-based triggers) without constant server interaction.
What happens when a user manually enrolls an iOS device in an MDM solution? (Jamf, Mosyle, etc.)
Manual MDM Enrollment Workflow
- Enrollment Initiation
  - The user visits a URL or downloads a configuration profile from the MDM provider.
  - Alternatively, the MDM provider may send a link via email or SMS.
- Profile Download and Installation
  - iOS prompts the user to review and install the configuration profile.
  - The user must explicitly accept and install it via Settings > General > VPN & Device Management.
- Device MDM Enrollment
  - Once installed:
    - The device sends a request to the MDM server.
    - The server may request additional info (e.g., user authentication).
    - The device is now enrolled in MDM.
- Device Management Begins
Depending on MDM settings and device type, several configurations are applied:
* Security settings (e.g., passcode requirements, restrictions)
* Wi-Fi, VPN, email, calendar configurations
* App deployment (e.g., install managed apps)
* Compliance enforcement
* The device checks in with the MDM regularly for updates and commands
What Is NOT Enabled in Manual Enrollment
* Supervision: This gives deeper control (e.g., disable iMessage, AirDrop). It’s only available via:
  * Apple Business Manager + Automated Device Enrollment (ADE)
  * Apple Configurator (on Mac) for local setup
* Device lock or full erase may be limited depending on the profile and user consent.
What are the types of MDM enrollment for an iOS device?
- Device Enrollment (Legacy or Manual Enrollment)
- User Enrollment (BYOD Focus)
- Supervised Enrollment (via Automated Device Enrollment)
- Apple Configurator Enrollment
What is Device Enrollment (Legacy or Manual Enrollment)?
Device Enrollment (Legacy or Manual Enrollment) refers to the traditional method of enrolling iOS devices into an MDM solution without supervision or automation. It is the simplest form of MDM enrollment, often used when Apple Business Manager (ABM) or Apple Configurator is not available.
Manual enrollment is when a user installs an MDM profile directly on their iPhone or iPad by visiting a URL (typically provided by the MDM solution) or downloading it through a web portal or email.
The user then opens Settings > General > VPN & Device Management to install the downloaded profile.
Security Implications
* Since users can remove the profile, you can’t guarantee long-term compliance.
* Device is not supervised, meaning certain restrictions (e.g. blocking AirDrop, iCloud, or Messages) are unavailable.
After a device has enrolled in an MDM server, what happens next?
- The server sends push notifications to the device.
After enrollment is complete:
* The MDM server does not wait for the device to poll it (as in older models).
* Instead, it uses Apple Push Notification service (APNs) to alert the device when there is a new command or configuration to apply.
What is User Enrollment (BYOD Focus)?
User Enrollment is Apple’s MDM method specifically designed for BYOD (Bring Your Own Device) environments. It provides a privacy-respecting, secure way to manage personal devices while keeping corporate and personal data separate.
How User Enrollment Works
1. Admin invites the user or provides an enrollment URL
2. User authenticates with a Managed Apple ID (from ABM or ASM)
3. iOS enrolls the device in User Enrollment mode
4. The device creates a separate APFS volume for managed data
5. MDM installs:
   * Managed email accounts
   * Wi-Fi and VPN settings
   * Work apps via VPP or Apple Business Manager
6. Personal apps, files, settings remain untouched
What is Supervised Enrollment (via Automated Device Enrollment)?
Automated Device Enrollment (formerly “DEP”) is used when devices are purchased through Apple Business Manager (ABM) or Apple School Manager (ASM) and are enrolled automatically during setup — enabling Supervision without physical access. It offers full control, persistent MDM, and advanced restrictions not available in other enrollment types.
Supervision unlocks features not available in manual or user enrollments, including:
* Disable iMessage, AirDrop, or App Store
* Force Wi-Fi always on
* Web content filtering
* Single App Mode (kiosk)
* Set Home Screen layout
* Remote wipe or lock
* Activation Lock bypass
* Auto-install apps silently
* Non-removable MDM profile
How It Works
1. Device is purchased through an ABM/ASM-connected reseller
2. ABM links the device to your MDM server
3. When the device is turned on:
   * It contacts Apple’s activation servers
   * Sees it’s assigned to an MDM
   * Applies enrollment profile automatically
   * Supervision is enabled
4. User proceeds through Setup Assistant, potentially with Setup steps skipped
What is Apple Configurator Enrollment?
Apple Configurator Enrollment is a manual method for enrolling and supervising iOS and iPadOS devices using the Apple Configurator app on a Mac. It’s ideal when:
* The device was not purchased via Apple Business Manager (ABM)
* You want to supervise the device manually
* You need to add the device to ABM retroactively (iOS 16+)
Apple Configurator (currently version 2.x) is a macOS utility that allows IT admins to:
* Prepare, supervise, and enroll iPhones, iPads, and Apple TVs
* Optionally add them to Apple Business Manager (ABM) or Apple School Manager (ASM)
* Apply configuration profiles and automated enrollment settings
How does Apple Configurator Enrollment work?
- Prepare the Mac
  - Download Apple Configurator 2 from the Mac App Store
- Connect the iOS/iPadOS device
  - Use a USB cable to connect the device to your Mac
- Choose the Enrollment Method
  - Choose “Prepare” and select:
    - Manual enrollment or
    - Automated enrollment via ABM
  - Enable Supervision
  - Optionally assign MDM server and skip Setup steps
- Deploy the Device
  - Configurator erases the device and applies:
    - Supervision
    - Enrollment profile
    - Configuration profiles
  - If added to ABM, the device will automatically re-enroll in the future
What is the Apple Push Notification service?
The Apple Push Notification service (APNs) is Apple’s secure and scalable messaging service that allows servers to send notifications to Apple devices like iPhones, iPads, Macs, Apple Watches, and Apple TVs.
In the context of MDM (Mobile Device Management), APNs plays a critical role in prompting managed devices to check in with their MDM server.
How It Works in MDM
1. The MDM server registers with APNs and receives a unique push token for each enrolled device.
2. When the MDM server needs the device to take action (e.g., install a profile, update settings, or wipe the device):
   * It sends a silent push notification via APNs.
3. The device receives the push, wakes up, and contacts the MDM server to fetch instructions.
Without APNs:
* The MDM server cannot initiate communication
* Devices would need to poll constantly, which is inefficient and unreliable
What happens if the APNs service cannot be reached?
If the Apple Push Notification service (APNs) cannot be reached, the MDM communication workflow is interrupted, and devices may fail to receive timely instructions from the MDM server. Here’s exactly what happens and what you can expect:
- Devices Stop Receiving Push Triggers
  - The MDM server cannot notify devices to check in.
  - As a result, devices will not fetch new commands or configurations (e.g., install profiles, update apps, enforce restrictions).
- Delayed Policy Enforcement
  - Actions such as:
    - Locking a device
    - Installing/removing apps
    - Enforcing passcode changes
    - Initiating remote wipe
  - …will not take effect until the device manually checks in, which may only happen sporadically (e.g., on reboot, manual sync, or profile update).
- MDM Server May Retry Later
  - MDM servers typically queue commands and retry APNs connections.
  - Once APNs is available again, pending push notifications will be sent, and devices will respond.
- Device Check-In Still Possible (Manually)
  - If a user manually opens Settings > General > VPN & Device Management or reboots the device, it may check in without APNs, but this is inconsistent.
Troubleshooting Steps if APNs Is Down or Blocked
1. Check Apple System Status
https://www.apple.com/support/systemstatus/
2. Verify Network Access to APNs Ports
Ensure your firewall allows:
* TCP port 5223 (to *.push.apple.com)
* TCP ports 443 and 80 (for fallback and initial connection)
3. Check Device Clock
Incorrect system time can cause certificate validation to fail.
4. Restart the Device or MDM Agent
May help re-establish connection.
How to configure a proxy server for APNs?
To configure a proxy server for APNs (Apple Push Notification service), you must ensure your network allows persistent, secure connections to Apple’s push service endpoints. Apple doesn’t support deep customization of APNs over proxies, but proper firewall and proxy configuration can enable compatibility.
- Understand APNs Requirements
APNs uses:
* TCP port 5223 for persistent device-to-Apple connections
* TCP ports 443 and 80 for fallback and initial handshakes
* *.push.apple.com and related endpoints
Devices and MDM servers need direct access or transparent proxy routing to these Apple servers.
- Recommended Proxy Configuration for APNs
What links a device to an MDM solution?
An enrollment profile is what links the device to the MDM solution. It contains:
* The MDM server URL
* Certificates
* Payloads for configuration
* Security settings for how the device communicates with the MDM
Once installed, the profile:
* Establishes trust between the device and the MDM
* Enables device management
* May include supervision settings (if via ADE or Apple Configurator)
What are MDM restrictions profiles?
MDM restriction profiles are configuration payloads sent by a Mobile Device Management (MDM) solution to control and limit what users can do on their Apple devices (iPhone, iPad, or Mac). These restrictions enforce security, productivity, and compliance policies on managed devices.
What iOS MDM restriction is used to block websites?
The iOS MDM restriction used to block websites is configured through the “Content Filter” payload, specifically “URL Filtering” via a Web Content Filter.
Two Main Ways to Block Websites via MDM
- Restrict Adult Content (Apple built-in filter)
  - Limits access to adult content using Apple’s system-level web filter.
  - Allows adding specific URLs to a blocklist or allowlist.
- Using a Third-Party Web Content Filter (Plugin-based)
  - Routes traffic through a third-party solution like Cisco Umbrella, Securly, or Lightspeed.
  - Offers more granular control and content categories.
How to Use:
1. Use the BlockSites.mobileconfig file
2. Upload and deploy it via your MDM (e.g., Jamf, Mosyle, Kandji)
3. Ensure the target iOS devices are supervised
4. Devices will now block access to the specified URLs in Safari and other WebKit-based browsers
How do devices report their status when using declarative device management?
In Declarative Device Management (DDM), devices proactively report their state to the MDM server using a dedicated, encrypted status channel.
This channel enables real-time status updates without polling or push triggers.
What is an MDM declaration?
An MDM declaration is a structured, signed configuration document used in Apple’s Declarative Device Management (DDM) model. Instead of relying on the MDM server to push commands reactively, declarations are rules and policies sent to the device, allowing the device to act autonomously based on its own state and context.
How Declarations Work in DDM
1. MDM server sends declarations to the device
2. Device evaluates its own state and context
3. If activation conditions match, device applies the declaration
4. Device reports success/failure via the status channel
5. If conditions change (e.g., user logs out), the device can self-deactivate the declaration
Example Use Cases
* Apply Wi-Fi settings only when a Managed Apple ID is signed in
* Enforce restrictions only during work hours
* Automatically report compliance status in real-time
* Update baseline settings without needing a push
What are MDM profiles?
MDM profiles (also known as configuration profiles) are files used by Mobile Device Management (MDM) systems to define and deliver settings, restrictions, and configurations to Apple devices such as iPhones, iPads, and Macs.
They are fundamental to traditional MDM, allowing organizations to enforce policies and automate device setup.
What Is an MDM Profile?
An MDM profile is a signed XML file (.mobileconfig) that contains one or more payloads, each representing a specific setting or policy — like Wi-Fi configuration, email accounts, passcode rules, or app restrictions.
How MDM Profiles Are Delivered
1. Device enrolls in an MDM solution
2. MDM server pushes profiles to the device
3. iOS/iPadOS/macOS installs and enforces the profile settings
4. User may or may not be allowed to remove the profile (depending on supervision and configuration)
What is an Enrollment profile?
An enrollment profile is a specialized configuration profile used to enroll an Apple device into an MDM (Mobile Device Management) solution. It contains the necessary information for a device to initiate communication with the MDM server, thereby allowing remote management.
An enrollment profile is a signed .mobileconfig file that:
* Links the device to a specific MDM server
* Installs the MDM payload on the device
* Sets up secure communication using a device identity certificate
* Enables the device to receive configuration profiles, apps, and commands from the MDM
How Enrollment Profiles Are Used
1. User navigates to an MDM enrollment URL (or receives a link)
2. Downloads and installs the enrollment profile
* iOS: Settings → General → VPN & Device Management
3. Device connects to the MDM server
4. MDM installs the MDM payload and begins management
What happens if you install an exclusive payload setting onto a managed Apple device that already contains settings for the same payload?
When you install an exclusive payload onto a managed Apple device that already has settings for the same payload type, the new payload overwrites the old one.
What Is an Exclusive Payload?
An exclusive payload is one where only one instance of that payload type can exist on the device at a time. Examples include:
* Passcode policies
* Wi-Fi configurations with the same SSID
* Restrictions
* VPN configurations (with same identifier)
These payloads are not merged — they are mutually exclusive by design. Apple does not combine exclusive payloads. They overwrite, they do NOT merge.
What does MDM need to operate, specifically for APNs and SSL?
Certificates are essential for MDM to operate, especially for:
- APNs (Apple Push Notification service):
  - MDM servers must have an APNs certificate to:
    - Register with the Apple Push Notification service
    - Securely send push notifications to enrolled devices
  - The certificate is obtained from Apple and renewed annually via the Apple Push Certificates Portal
- SSL (Secure Sockets Layer):
  - MDM communication is encrypted via SSL/TLS certificates
  - These secure:
    - The enrollment process
    - Ongoing check-ins and command communications
    - Communication between devices and the MDM server
Without valid certificates, the MDM cannot securely enroll or manage devices, nor can it connect to APNs.
Which Apple device capability allows MDM to secure devices?
Built-in device security features
Apple devices are designed with hardware- and software-based security that MDM solutions can leverage to enforce security policies. These features include:
* Secure Enclave – protects passcodes and biometric data
* FileVault / Data Protection – ensures data encryption at rest
* System Integrity Protection (SIP) – protects system files on macOS
* Activation Lock – prevents unauthorized device reuse
* App sandboxing – prevents malicious app access to system-wide resources
What is Automated Device Enrollment?
Automated Device Enrollment is ideal for large-scale deployments, especially when distributing devices to multiple users in multiple regions.
Key Benefits:
* Zero-touch setup: Devices auto-enroll into MDM as soon as they’re powered on and connected to the internet.
* Scalable: Perfect for remote, regional, or distributed teams — no IT hands-on needed.
* Supervision enabled: Enables advanced restrictions and security features.
* Non-removable MDM: Ensures long-term compliance and device management.
* Integrated with Apple Business Manager (ABM) or Apple School Manager (ASM)
In which type of enrollment and ownership model can users personalize apps and data on their managed devices?
Personally enabled, organization-owned
This model strikes a balance between corporate control and user personalization.
Key Characteristics:
* Devices are owned by the organization and managed via MDM (often with supervision).
* Users are allowed to personalize:
  * Install personal apps
  * Use their Apple ID
  * Access personal iCloud, photos, and messages (if permitted)
* IT can still enforce:
  * Security settings
  * App distribution
  * Remote wipe of work data
Ideal for knowledge workers or executives who need both personal and business functionality on a corporate device.
In which type of ownership model can users personalize apps and data on their personal devices?