I worked on MDM in Android, and used the API's to lock, wipe etc when I receive a C2DM push message from the server.
When I was trying to explore more on the iOS part of it, I was a bit confused. I got a feeling that, we don't need to code a agent for the MDM to work on iPhone.
So is it completely managed from the server? Or do I have to have an agent application too?
If yes, can you help me with a sample of the agent programming?
Thanks.
For complete MDM control of the iPhone, you either need to look at profile management as sent out from Mac OS X Lion Server (they added this into this OS version) or a third-party solution (MobileIron, Tarmac, etc). There is some good background, slightly dated information here too: How to configure/install MDM server for iPhone and iPad
EDIT
There is no need of a separate agent application - it's handled by iOS itself.
If you not using Lion Server,you can implement your own MDM sever and for that you need iOS Enterprise developer account.
To implement MDM Server follow these as below.
This pdf
https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf is very much helpful.
server url should start with "https" only and that url should exit and these details you have to provide while generating mobileconfig profile using IPCU.
This page also you can to refer:http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning and then verify few thingsas remove the passphrase from customerPrivateKey.pem using this command
openssl rsa -in customerPrivateKey.pem -out PlainKey.pem
Then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command
cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem
Now this PlainCert.pem file can be used in your server as APNS/MDM certificate.
Answer-
Guys yes. I'm sure most of you have had this question. With experience after developing MDM on iOS too, we don't need a client to be coded separately in iOS. iOS takes care of it completely.
So you may need the client only for the purpose of pointing out a link to the server having the configuration profile (so you can actually keep a record of who and how many installed the application using a key or an ID in the URL), and if you have to manage things which aren't provided by MDM, like location updates, etc.
Related
I am looking for a way to read the system logs of a connected device via a web application. Basically, I want the user to be able to connect their iphone, android, tablet etc and be able to see what is occurring on their device at the system/consoleLog level. Similar to adb logcat. This would be a via a web application and not on software installed locally. Is this feasible using react/nodejs? What technologies should I consider using?
There're several components you need for achieving this.
Backend
File Monitoring (Native Node.js fs.watch)
Real-time update (Socket.io)
Frontend
Any framework you're comfortable with, I'm using React.js with socket.io client
What you are trying to do is possible, but in a very limited sense.
Your users will be required to manually upload their log files to your web application.
You can "ask" them to do this by using the FileReader api in javascript. Here is a demo page.
As you can see you must manually select a file to be uploaded and give the website. To programmatically set the path of a log file and try to call it without the user noticing is not possible.
The reason for this is anything you make that is served via a web application will run in the sandbox of the users browser.
For obvious security reasons a browser won't let random websites read/write to local files of a persons phone without explicit permission.
Node.js won't help you here because in order to use the functions Node.js has such as accessing local system files the app would have to be installed locally and not running in a "browsers sandbox".
I hope this helps. If you want more examples of the filereader api let me know and I can write something up for you.
I want my web server to accept requests that originate only from my mobile app.
Since mobile apps are client apps that means that users can have the binary and decompile it or use a tool like Fiddler to interpret the API calls and reconstruct them (ex: in a console app).
So what I want is a way of generating a key that is bound to my app and the user's device.
The app is deployed in Windows Phone7, iPhone and Android. A cross platform solution would be ideal but something that works only in one platform is also more than acceptable.
Thanks!
Considering that you are deploying an application to a client, the actual answer here is 'not possible'. You can make it difficult for someone to fake an 'official id', but because you do not have control over the system that is making the requests, it could be your application or anything else pretending to be your application.
I am developing an Android app that uses Google Cloud Endpoints on Google App Engine (in Python) for its backend. The Android app authorizes the user using Google Play Services on the Android device, and it all works fantastically.
However, now that I have actual users, I'd like to be able to test this all locally before deploying any app engine API changes to production, and I haven't figured out how to have the Android app talk to my local development server anywhere. The testing recommendations suggest that I just do some manual tinkering with API Explorer, but as I'm using the Endpoints Proto Datastore for my API, which makes the Android development easy, it also makes the API Explorer basically useless, since the calls I need to make are far more complicated than what I can generate by hand.
One answer to this question suggests that there is a way to point the Android client at the local server, but while I can use the --host argument to have the dev_appserver's default server listen on something other than localhost, I can't seem to find a way to do the same for the API server. And even if I could do that, it might only be the first step to a full end-to-end local testing setup for my Android app.
Can someone post more details on how I might do this, or short of that, please enlighten me on the best practices for testing Android apps that use Google Cloud Endpoints on App Engine? Thanks in advance for any answers.
Alright, finally got it working, thanks for the tips, Dan! Here are the remaining details that would have saved me a few hours - hopefully this is helpful to someone else.
1) As I expected and mentioned earlier, dev_appserver.py needs to be run with --host=0.0.0.0 so that it can listen on the local network.
2) In order to properly parse the ID token to make the user authentication work, you need to have the PyCrypto library installed - it is not installed by default, so just having it in your app.yaml isn't enough. I found the binaries for Windows here.
3) Then, in my generated Tictactoe.java-equivalent class, I had to change the DEFAULT_ROOT_URL to be http://<my-local-machine>:8080/_ah/api/ (which is where my local machine is running), so that requests went to the local network. Alternatively (and perhaps less invasively), you can use builder.setRootUrl to the same address from wherever you initialize your builder. This way you don't muck with your generated classes.
4) I also had to make the change Dan mentioned described here.
After doing those four things, everything seems to be working now and I can test my app locally - hooray!
In the local environment, the dev_appserver is the API server. If you've configured it so that it's accessible from machines other than localhost (i.e. another machine/device on the network) API requests should be accessible as well.
However, there's currently an issue with the local server and gzipped requests. Until that's fixed you'll need to disable gzipping within the client library in your Android app (see this post).
This is an edit of a question I asked about a week ago.
I'm working on an Android app which communicates with the users' home PCs to control some 3rd-party PVR software running on the PCs. The model is as follows...
Android app < - wifi/3g -> Windows Service <- localhost -> 3rd-party PVR software
The Windows Service is written by me (C# .NET) and acts as a proxy between the Android app and the PVR software.
What I'd like to do is use C2DM to notify users of various things - one example is if one family member sets a TV show to record, a C2DM message is sent to other family members' devices so everybody is up to date.
I now seem to have 3 possible options for how to proceed. The Windows Service is a key player in the system so plays a part in them all but I don't know what the best approach is.
Use the Windows Service as the C2DM 3rd-party app server. Downside - I need to embed my C2DM credentials into the software and there will be potentially 100s of servers around the world requesting authentication tokens (not sure if Google would allow that).
I have a hosted web server I could use which allows PHP/MySQL. The Windows Server would simply act as a relay but my PHP experience is minimal and I can't find any comprehensive PHP examples for C2DM.
Use Google App Engine (again with the Windows Service as a relay). The problem is I don't know if Google are happy with GAE being used as a C2DM app server although I've seen a few mentions of it.
I've basically Google'd until my head hurts and keep coming back to the same tutorials and partial code examples. I know how C2DM works and actually have option 1 working in my dev environment but it doesn't seem like a good option to go public with.
So (trying to keep my question as objective as possible)...working on the principle that option 1 is not a good idea, are there any reasonably comprehensive PHP examples out there for a C2DM app server or, alternatively, does anyone know definitively if GAE is an acceptable approach?
With C2DM you can target the device that the message goes. So in you example the one that sets the TV show sends a message to the Windows Service to notify each one of the other users.
You can do that with 1 C2DM server
UPDATE
I whould go with the 3rd server.But of what i can tell you are not sure about the structure. Shared now GAE later maybe finally ec2. What can you actualy do is to create a CNAME that points to the server of choice.(less hard coded). I don't think that GAE cannot be used for C2DM. It's a simple server with http requests.
I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).
Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?
Any hint is appreciated.
Regards,
Peter
You are trying to address a known problem:
You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper proof. An example of such device is a SmartCard. Mobile devices are certainly not it.
You should never send data to device that user is not supposed to see. The implication of this is that all business logic must be done on the server.
All requests to the server should be authenticated with user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).
No way. Whatever is in user's hands, is not yours anymore. Even if you somehow manage to transfer the APK to the server for validation, nothing prevents the hacked program send an original copy to the server.
In order to validate that your software is running, the client devices need to be able to provide remote attestation services, which is one of many piles of acronyms in the TPM world. I found that someone has been working on providing TPM services, including IBM's IMA, which is almost good enough for what you want.
Details here: http://www.vogue-project.de/cms/upload/vogueSoftware/Manual.pdf (Google Quickview).
Of course, this is emulating the TPM, and requires patching the Android kernel. But perhaps one of the various manufacturers would be willing to build a model with the TPM hardware included for you?