Show HN: MicroMDM – Open Source MDM Server for Apple Devices (opens in new tab)

(micromdm.io)

146 pointszalmoxes7y ago47 comments

47 comments

Hi, I'm the author(along with several other developers). MicroMDM is used in some enterprise environments and was recently mentioned in a number of security presentations regarding Apple's MDM and Device Enrollment Program services.

https://duo.com/labs/research/mdm-me-maybe https://i.blackhat.com/us-18/Thu-August-9/us-18-Endahl-A-Dee...

walterbell7y ago

Do you know if a small business can use DEP features?

Could per-app VPNs be used without DEP? If so, could they be used with MicroMDM, native iOS IPSEC client and an open-source VPN server, or is a 3rd-party VPN client like Cisco required for per-app VPN?

zalmoxesOP7y ago

Anyone can use DEP, just need a DUNS number to enroll into the program, and then to purchase devices from apple direct, or from an approved reseller. Unfortunately you cannot retroactively add devices that were already purchased.

DEP is not required for the VPN profile configs, that can be applied with just MDM (or even manually). The VPN payloads are documented here https://developer.apple.com/enterprise/documentation/Configu...

5 more replies

jesseendahl7y ago

I’m one of the security researchers that zalmoxes linked above (the Black Hat talk) =)

Duo very nicely gave multiple shout outs in their post. Including to zalmoxes (above), as well as my co-presenter and I. Sadly the traditional vendors in the space don’t have a track record of caring about security engineering. I’m glad that Duo’s latest research emphasizes the importance of authenticating the device enrollment process in particular. We touched on this in our whitepaper^, but it wasn’t a primary focus of our research and we didn’t tie it back to the shortcomings of DEP’s lack of verification around device identity. Extremely happy to see more focus on this stuff.

^See the vendor security checklist section of our whitepaper. Specifically, the bit about using an HMAC within the SCEP payload.

Full transparency: I’m cofounder/CSO of a security focused product in the MDM space (fleetsmith.com).

tootie7y ago

This seems like the kind of thing Apple should be offering on their own already. But ultimately you're not going to see many enterprises adopt an Apple-only MDM unless they just love vendor lock-in to the most expensive vendor.

Negativity aside, I applaud the effort. The MDM space is messy and crowded with bloated products. I hope these guys can at the very least pop the bubble a bit.

mrpippy7y ago

One of the few remaining services in macOS Server (discussed elsewhere on HN today) is Profile Manager, an Apple-developed MDM server. Given that it requires a static public IP and only runs on macOS, there's a pretty small niche that even could use it. The MicroMDM site describes it as the 'reference' or 'proof-of-concept' MDM server, "depending on how jaded you are about it".

I think Apple is happy with the current state of MDM servers--several good 3rd-party options, both self-hosted and cloud.

hsk08237y ago

Apple has absolutely no desire to go into the device management business. They make the devices, they don't provide IT departments with any in house tools, the entire macOS management ecosystem has risen from a need and it's a mish mash of different vendors / open source tools / approaches to skin the cat that is device management.

tootie7y ago

They already took a baby step in by acquiring TestFlight. It's a more dev/QA-centric product, but it overlaps with MDM. Google is already in the MDM space for Chrome devices. Apple has already been remarkably successful in the enterprise space despite seemingly never going after it. Vendors like Square are deploying thousands of iPads to retail spaces. I think there's a huge opportunity there.

1 more reply

beager7y ago

Apple is actively trying to sell me MDM services. So they may not be in the business of making it easy, but they're certainly in the business of making money on it.

1 more reply

urda7y ago

I'm curious do any HN readers manage their personal devices through MDM with their own profiles, and what benefits are you seeing from that?

andrewaylett7y ago

I'm administrator for GSuite for the school I'm a trustee of, so my personal (Android) device is enrolled by virtue of me wanting to know how it works and also wanting my school email on that device.

I'm not sure it would be worthwhile setting up for personal use -- the policies it lets you set aren't doing anything other than ensuring you're following best practices (like setting a screen lock) so you don't gain anything over just doing that, and the direct management tools aren't any finer-grained than you can get from Google's Find My Device.

I'm not sure you're able to set up a linked "for work" profile without MDM; that might be a benefit if you want compartmentalisation.

pmh7y ago

If you don't care about the managed Google Play store, you could always use Google's TestDPC app (or create your own) to create a work profile ("do-not-use-in-production" warnings notwithstanding): https://play.google.com/store/apps/details?id=com.afwsamples...

That said, it might be more straightforward to just use another user on your device

robinwassen7y ago

I manage our devices at work but not my personal devices.

If you have a lot of devices (think 10+) I guess it could be useful to keep them aligned. It could also be useful as training on how to centrally manage devices.

But I would not recommend using a MDM unless you have a specific reason. Personal devices that you have physical control over are easy to manage locally on the device. Adding a MDM also adds another attack vector, if the MDM is compromised all your devices are at risk.

kiallmacinnes7y ago

Do I do it for my personal devices? No. Do I see any benefits? Nope! But ... when have I let that stop me from running something wildly inappropriate for a single user "enterprise"!

I don't own anything apple, so I'm unlikely to ever run this MDM, but, if a good Android one came to my attention.. maybe? I'm geeky enough to enjoy doing it, even if it comes with no real benefits to me.

ecesena7y ago

I just learned from a colleague that you can install a MDM if you have a Google Apps account. Of course now I want to try MicroMDM first.

I think the major benefit is that this way you control the MDM, and you don't risk that a MDM gets installed on your phone unexpectedly, sort of like a rootkit.

cynix7y ago

I manage the personal devices of my family members (wife, parents, in-laws) through MDM. My parents and in-laws are quite tech-illiterate, so it helps to be able to enforce some restrictions via profiles to prevent them from doing stupid things to their own devices, and thus reduce the time I have to spend on providing tech support (across the ocean no less). It's also useful for distributing Wi-Fi/VPN configs so I can enforce that VPN must be used on untrusted Wi-Fi, for example.

zalmoxesOP7y ago

The server is only meant for enterprise deployments. It would be pretty hard to do this on a personal level because you need to apply for an enterprise account with Apple, and request a very specific push certificate option.

metabeard7y ago

You can't even sign up for the Enterprise program if your Apple ID is associated with the Apple Developer Program. You'll get the following error when signing up:

> Your Apple ID is already associated with a Team Agent enrolled in this program

1 more reply

ghostly_s7y ago

Setting up Mobile Device Management itself is not particularly onerous, it's definitely best practice to create a new Apple ID for that purpose, however. A technical individual can already do this easily enough with the freely-available Meraki MDM. The Device Enrollment Program I believe is more complicated and inaccessible to individuals (haven't dealt with this personally), and is quickly becoming a prerequisite for many of the more invasive and useful capabilities, like the kext signing and deployment mentioned on the MicroMDM homepage.

1 more reply

hsk08237y ago

Anyone can get a push certificate, it's not just businesses,

https://identity.apple.com/pushcert/

2 more replies

walterbell7y ago

Apple Configurator 2 can be used locally to set some policies which are only available on "supervised" devices, e.g. prevent USB pairing with unknown computers.

nicoburns7y ago

I don't, but I absolutely would for my children's devices (when I have children). Limiting time using certain apps, etc would be great.

giobox7y ago

I think the new parental controls iOS and Android have recently introduced are far more effective for this than using MDM, personally. These features are specifically designed for this use case.

stephenr7y ago

I don't use an MDM server/service specifically, but I use a profile (built and installed via Apple Configurator 2 over USB) to install certificates+keys for S/MIME.

The nice part is I can use the same profile on a Mac too.

hsk08237y ago

There are HN readers who are Directors of IT at their place of employment

ghostly_s7y ago

That wasn't the question.

markovbot7y ago

what other open source MDM software is out there that aren't Apple-only? Specifically I'd like to manage Android phones and maybe Linux laptops (but I doubt I'll find that)

tootie7y ago

I think you largely get what you pay for. Industry standard is either AirWatch or Soti.

pharaohgeek7y ago

Reading through Apple's MDM protocol documentation and coding up one yourself is a great learning exercise. I had an idea for a niche MDM product and coded up a proof of concept. Eventually I realized the idea wasn't profitable, but still got a lot of value out of the development exercise. I even rewrote it from Java into a couple of different languages (Kotlin, Swift, Go...) to learn a bit more. It's a sufficiently difficult service to implement that you learn quite a bit along the way, but not so difficult that you don't see any progress as you go.

j / k navigate · click thread line to collapse

47 comments

zalmoxesOP7y ago

https://duo.com/labs/research/mdm-me-maybe https://i.blackhat.com/us-18/Thu-August-9/us-18-Endahl-A-Dee...

walterbell7y ago

Do you know if a small business can use DEP features?

zalmoxesOP7y ago

5 more replies

jesseendahl7y ago

I’m one of the security researchers that zalmoxes linked above (the Black Hat talk) =)

^See the vendor security checklist section of our whitepaper. Specifically, the bit about using an HMAC within the SCEP payload.

Full transparency: I’m cofounder/CSO of a security focused product in the MDM space (fleetsmith.com).

tootie7y ago

Negativity aside, I applaud the effort. The MDM space is messy and crowded with bloated products. I hope these guys can at the very least pop the bubble a bit.

mrpippy7y ago

I think Apple is happy with the current state of MDM servers--several good 3rd-party options, both self-hosted and cloud.

hsk08237y ago

tootie7y ago

1 more reply

beager7y ago

Apple is actively trying to sell me MDM services. So they may not be in the business of making it easy, but they're certainly in the business of making money on it.

1 more reply

urda7y ago

I'm curious do any HN readers manage their personal devices through MDM with their own profiles, and what benefits are you seeing from that?

andrewaylett7y ago

I'm administrator for GSuite for the school I'm a trustee of, so my personal (Android) device is enrolled by virtue of me wanting to know how it works and also wanting my school email on that device.

I'm not sure you're able to set up a linked "for work" profile without MDM; that might be a benefit if you want compartmentalisation.

pmh7y ago

That said, it might be more straightforward to just use another user on your device

robinwassen7y ago

I manage our devices at work but not my personal devices.

If you have a lot of devices (think 10+) I guess it could be useful to keep them aligned. It could also be useful as training on how to centrally manage devices.

kiallmacinnes7y ago

Do I do it for my personal devices? No. Do I see any benefits? Nope! But ... when have I let that stop me from running something wildly inappropriate for a single user "enterprise"!

ecesena7y ago

I just learned from a colleague that you can install a MDM if you have a Google Apps account. Of course now I want to try MicroMDM first.

I think the major benefit is that this way you control the MDM, and you don't risk that a MDM gets installed on your phone unexpectedly, sort of like a rootkit.

cynix7y ago

zalmoxesOP7y ago

metabeard7y ago

You can't even sign up for the Enterprise program if your Apple ID is associated with the Apple Developer Program. You'll get the following error when signing up:

> Your Apple ID is already associated with a Team Agent enrolled in this program

1 more reply

ghostly_s7y ago

1 more reply

hsk08237y ago

Anyone can get a push certificate, it's not just businesses,

https://identity.apple.com/pushcert/

2 more replies

walterbell7y ago

Apple Configurator 2 can be used locally to set some policies which are only available on "supervised" devices, e.g. prevent USB pairing with unknown computers.

nicoburns7y ago

I don't, but I absolutely would for my children's devices (when I have children). Limiting time using certain apps, etc would be great.

giobox7y ago

I think the new parental controls iOS and Android have recently introduced are far more effective for this than using MDM, personally. These features are specifically designed for this use case.

stephenr7y ago

I don't use an MDM server/service specifically, but I use a profile (built and installed via Apple Configurator 2 over USB) to install certificates+keys for S/MIME.

The nice part is I can use the same profile on a Mac too.

hsk08237y ago

There are HN readers who are Directors of IT at their place of employment

ghostly_s7y ago

That wasn't the question.

markovbot7y ago

what other open source MDM software is out there that aren't Apple-only? Specifically I'd like to manage Android phones and maybe Linux laptops (but I doubt I'll find that)

tootie7y ago

I think you largely get what you pay for. Industry standard is either AirWatch or Soti.

pharaohgeek7y ago

j / k navigate · click thread line to collapse