Unique Identifiers for iOS MDM

5

12

Since Apple is deprecating Unique Device Identifier for apps, what is the best approach to link back an Enterprise App on a device that has been enrolled with MDM?

From the MDM Protocol reference document, the enrollment is still using the UDID for the check-in procedure.

We can't use the new identifierForVendor because it is not the same as the UDID for the check-in.

Let me update how I implemented my MDM solution:

  1. Device will check in to the MDM server with a token and device UDID (the one for which Apple is removing the API)
  2. Device will send device info to the MDM server (Wi-Fi MAC address, serial number, OS version, and other info)
  3. There will be a client app that will be talking to the MDM server via a RESTful API. (Previously I was using the UDID as a key identifier)

I was thinking of using the MAC address, but in the latest iOS 7 the system will always return the value 02:00:00:00:00:00.

We also can't get the device serial number.

So my question again: how can we know this app on this device belongs to this MDM enrollment on the server in (3)? Because now, the app doesn't have any common key to be referred with the checked-in process. How will the server know which device is which?

Thanks.

Megdal answered 16/8, 2013 at 2:58 Comment(3)
Have you found a solution to your problem? Mine is pretty much the same. - Clod
The only workaround for this is to use identifierForVendor and store it in the Keychain so that the identifierForVendor will remain even if the user reinstalls the Enterprise App. - Megdal
Bump for answer, I am experiencing the same problem but haven't found a solution yet. - Indict
5

The best way, and perhaps the only way, is to use the new Managed Apps configuration capabilities in iOS 7. You could have your MDM push down something like an API key to your app. Then your app presents that key in your call back to your MDM server or any other web service.

Once you push your config down to your app, you could pull out the API key with something like the below. Most of the mainstream MDM solutions already support this type of functionality in their latest versions.

```objc
NSDictionary *config = [[NSUserDefaults standardUserDefaults] dictionaryForKey:@"com.apple.configuration.managed"];
NSString *apiKey = config[@"kAPIKey"];

if (apiKey) {
    // We got an API key and we can use it
} else {
    // We didn't get an API key...something has gone wrong
}
```
Vincenz answered 6/1, 2014 at 21:31 Comment(2)
How can I make my app a managed app? I had enrolled in Apple Business Manager, and I had an MDM server. - Pollerd
@Pollerd you can set the app as managed using InstallApplicationCommand. - Maggy
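The server side of the approach in the answer above, as an added example that is not part of the original posts: the MDM server issues a random per-enrollment key, ties it to the UDID seen at check-in, delivers it through an MDM `Settings` command with an `ApplicationConfiguration` item, and resolves the key back to the UDID when the app calls the REST API. The class and function names, the in-memory store, and the bundle ID used with it are assumptions for illustration.

```python
import hashlib
import plistlib
import secrets
import uuid

MANAGED_KEY = "kAPIKey"  # the key the app reads from com.apple.configuration.managed


class EnrollmentKeys:
    """Maps per-device API keys to MDM check-in UDIDs (hypothetical in-memory store)."""

    def __init__(self):
        self._by_digest = {}  # sha256(api_key) -> UDID; the raw key is never stored

    @staticmethod
    def _digest(api_key):
        return hashlib.sha256(api_key.encode()).hexdigest()

    def issue(self, udid):
        """Create a fresh key for an enrolled device, replacing any earlier one."""
        self.revoke(udid)
        api_key = secrets.token_urlsafe(32)
        self._by_digest[self._digest(api_key)] = udid
        return api_key

    def revoke(self, udid):
        """Call on CheckOut or unenrollment so a copied key stops working."""
        self._by_digest = {d: u for d, u in self._by_digest.items() if u != udid}

    def resolve(self, presented_key):
        """Return the UDID for a key presented on the REST API, or None."""
        return self._by_digest.get(self._digest(presented_key or ""))


def settings_command(bundle_id, api_key):
    """Build the MDM Settings command that pushes the key to the managed app."""
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "Settings",
            "Settings": [{
                "Item": "ApplicationConfiguration",
                "Identifier": bundle_id,  # assumed bundle ID of the enterprise app
                "Configuration": {MANAGED_KEY: api_key},
            }],
        },
    }
    return plistlib.dumps(command)
```

Because the key is a bearer credential, the REST handler should reject any request where `resolve()` returns `None`, and the server should reissue the key whenever the device re-enrolls.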
2

However lidsinker's answer is true, let me focus on it so that others who are searching for this can be helped.

You can create an Enterprise app and install it via MDM. Once the device is enrolled, MDM can install the Enterprise app on the device. MDM can also set a default configuration in NSUserDefaults.

The app can read it whenever it launches, as described above in lidsinker's answer.

Apple provides an example here: https://developer.apple.com/library/content/samplecode/sc2279/Introduction/Intro.html

Forme answered 11/8, 2017 at 7:27 Comment(2)
Can this approach guarantee that the app runs only on enrolled devices? Suppose someone can extract the app from an enrolled device and install it on an unenrolled one - is that possible? - Graham
It's late, but let me give some clarity. As far as I know, one cannot install an app on an iOS device like this. Although it is not possible, if someone installs it by some hack then, of course, there will be no way to copy UserDefault with it. - Forme
0

I would have a read of this source I found a few months ago; http://www.doubleencore.com/2013/04/unique-identifiers/

From there I used the CFUUID method which has served me well.

```objc
NSString *uniqueID = [NSString stringWithFormat:@"%@", CFUUIDCreateString(NULL, CFUUIDCreate(NULL))];
```

Frump answered 16/8, 2013 at 3:57 Comment(1)
The problem is, the MDM protocol does not have an option to request a CFUUID in the payload. MDM only sends the UDID and other hardware info. So, can't relate CFUUID with what has been sent to the MDM server. - Megdal
0

In iOS 7, Apple now always returns a fixed value when querying the MAC to specifically thwart the MAC as a base for an ID scheme. So you now really should use -[UIDevice identifierForVendor] or create a per-install UUID.

Encephalogram answered 16/8, 2013 at 4:14 Comment(4)
[UIDevice identifierForVendor] does not match the device UDID in the MDM payload. That's the problem. - Megdal
I am also facing the same issue in my app. There will also be a problem with what happens when the user updates the OS on his/her device. - Encephalogram
So I think the better option is that we have to use the Device Token (if you are using push notifications) in our application. - Encephalogram
What you can do is get a unique identifier using [[UIDevice currentDevice] identifierForVendor] or any other unique identifier generator. After that you should store that value in the keychain using KeychainItemWrapper and use it. Once you store a value in the keychain, it will not be removed even after you delete and reinstall the app. - Encephalogram
0

[UIDevice uniqueIdentifier] has been replaced with [[UIDevice identifierForVendor] UUIDString] in iOS 6.0.

Rexrexana answered 16/8, 2013 at 5:54 Comment(0)
