OurPact uses the Mobile Device Management (MDM) protocol, which provides a way to tell a device to execute certain management commands remotely. The way it works is straightforward.
During installation:
- The user or administrator tells the device to install an MDM payload.
- The device connects to the check-in server. The device presents its identity certificate for authentication, along with its UDID and push notification topic.
- If the server accepts the device, the device provides its push notification device token to the server. The server should use this token to send push messages to the device. This check-in message also contains a PushMagic string. The server must remember this string and include it in any push messages it sends to the device.
During normal operation:
- The server (at some point in the future) sends out a push notification to the device.
- The device polls the server for a command in response to the push notification.
- The device performs the command.
- The device contacts the server to report the result of the last command and to request the next command.
Access Rights
- Allow inspection of installed configuration profiles.
- Allow installation and removal of configuration profiles.
- Allow device lock and passcode removal.
- Allow device erase.
- Allow query of Device Information (device capacity, serial number).
- Allow query of Network Information (phone/SIM numbers, MAC addresses).
- Allow inspection of installed provisioning profiles.
- Allow installation and removal of provisioning profiles.
- Allow inspection of installed applications.
- Allow restriction-related queries.
- Allow security-related queries.
- Allow manipulation of settings (available in iOS 5.0 and later).
- Allow app management (available in iOS 5.0 and later).
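As an added example (not OurPact's or Apple's code) of the check-in and command exchange described above, and of how the Access Rights list constrains what a server may ask for, here is a simulated MDM server in Python: it validates check-in messages, stores the push token and PushMagic, builds the wake-up payload, and refuses to queue a command the enrolled rights do not cover. The plist keys follow Apple's MDM protocol; the UDID, topic, token and PushMagic values in the comments and tests are constructed, and the assumption that bit i of the AccessRights mask corresponds to item i of the list above is labelled in the code.

```python
import plistlib
import secrets

# Access Rights bit a command needs, numbering bits in the order of the list
# above (bit 0 = profile inspection, bit 3 = device erase, bit 4 = device info).
REQUIRED_RIGHT = {"ProfileList": 0, "EraseDevice": 3, "DeviceInformation": 4}

class MDMServer:
    def __init__(self, enrolled_udids, topic, access_rights):
        self.enrolled = set(enrolled_udids)  # UDIDs we issued an identity to
        self.topic = topic                   # push topic from the MDM payload
        self.access_rights = access_rights   # AccessRights mask from the payload
        self.devices = {}                    # UDID -> {"token", "push_magic"}
        self.queue = {}                      # UDID -> pending command dicts
        self.results = []                    # (CommandUUID, Status) reported

    def checkin(self, body):  # Authenticate / TokenUpdate; returns HTTP status
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        if udid not in self.enrolled or msg["Topic"] != self.topic:
            return 401  # device we never enrolled, or a topic our APNs cert cannot serve
        if msg["MessageType"] == "TokenUpdate":
            # Both values are needed for every later push to this device.
            self.devices[udid] = {"token": msg["Token"], "push_magic": msg["PushMagic"]}
        return 200  # Authenticate only needs the identity/UDID/Topic check above

    def push_payload(self, udid):
        # APNs wake-up: the device token plus the stored PushMagic under "mdm".
        dev = self.devices[udid]
        return dev["token"], {"mdm": dev["push_magic"]}

    def enqueue(self, udid, request_type):
        # Refuse anything the rights granted at enrollment do not cover.
        if not self.access_rights & (1 << REQUIRED_RIGHT[request_type]):
            raise PermissionError(f"{request_type} not allowed by AccessRights")
        cmd = {"CommandUUID": secrets.token_hex(8), "Command": {"RequestType": request_type}}
        self.queue.setdefault(udid, []).append(cmd)
        return cmd["CommandUUID"]

    def command(self, body):
        # Command endpoint: record the last result, hand out the next command.
        rep = plistlib.loads(body)
        udid = rep["UDID"]
        if udid not in self.devices:
            return None  # never completed check-in, nothing to serve
        if rep["Status"] != "Idle":  # Idle reports carry no CommandUUID
            self.results.append((rep["CommandUUID"], rep["Status"]))
        pending = self.queue.get(udid, [])
        return plistlib.dumps(pending.pop(0)) if pending else None
```

A real deployment would also verify the client identity certificate at the TLS layer before the UDID is trusted; the simulation assumes that check has already passed.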
About Mobile Device Management
The Mobile Device Management (MDM) protocol provides a way for system administrators to send device management commands to managed iOS devices running iOS 4 and later, macOS devices running macOS v10.7 and later, and Apple TV devices running iOS 7 (Apple TV software 6.0) and later. Through the MDM service, an IT administrator can inspect, install, or remove profiles; remove passcodes; and begin secure erase on a managed device.
The MDM protocol is built on top of HTTP, transport layer security (TLS), and push notifications. The related MDM check-in protocol provides a way to delegate the initial registration process to a separate server.
MDM uses the Apple Push Notification Service (APNS) to deliver a “wake up” message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.
To provide MDM service, your IT department needs to deploy an HTTPS server to act as an MDM server, then distribute profiles containing the MDM payload to your managed devices.
A managed device uses an identity to authenticate itself to the MDM server over TLS (SSL). This identity can be included in the profile as a Certificate payload or it can be generated by enrolling the device with SCEP.
Ref -