
Show HN: MicroMDM – Open Source MDM Server for Apple Devices - zalmoxes
https://micromdm.io/
======
zalmoxes
Hi, I'm the author (along with several other developers). MicroMDM is used in
some enterprise environments and was recently mentioned in a number of
security presentations regarding Apple's MDM and Device Enrollment Program
services.

https://duo.com/labs/research/mdm-me-maybe
https://i.blackhat.com/us-18/Thu-August-9/us-18-Endahl-A-Deep-Dive-Into-macOS-MDM-And-How-It-Can-Be-Compromised-wp.pdf

~~~
walterbell
Do you know if a small business can use DEP features?

Could per-app VPNs be used without DEP? If so, could they be used with
MicroMDM, native iOS IPSEC client and an open-source VPN server, or is a
3rd-party VPN client like Cisco required for per-app VPN?

~~~
zalmoxes
Anyone can use DEP; you just need a DUNS number to enroll in the program and
then purchase devices from Apple directly or from an approved reseller.
Unfortunately you cannot retroactively add devices that were already
purchased.

DEP is not required for the VPN profile configs; those can be applied with just
MDM (or even manually). The VPN payloads are documented here:
https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf

~~~
walterbell
Are those the same profiles generated by Apple Configurator 2? I was able to
get per-site Safari VPNs added by manually editing XML in the profile, but no
success with per-application VPNs.

Commercial MDM providers only whitelist a handful of VPN client apps for
per-app VPN profiles. Why are those needed when there is already a native iOS
VPN client for IPSEC?

~~~
madjam002
Funnily enough I have been trying to do that today - I don't think you can.
You create the per app VPN with a UUID, but the only way to associate an app
to a Per-App-VPN definition is through MDM - I think.

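What the last three comments describe, as an added worked example (this is not MicroMDM's code or anything from Apple): the profile half that can be written by hand, Safari domains included, and the MDM Settings/ApplicationAttributes command that binds a bundle ID to the payload's VPNUUID. Key names follow Apple's Configuration Profile Reference (com.apple.vpn.managed, VPNUUID, SafariDomains, OnDemandMatchAppEnabled) and the MDM protocol reference; the server hostname, bundle ID, payload identifiers and the certificate payload UUID are constructed placeholders.

```python
"""Per-app VPN: the VPN payload of a configuration profile and the MDM
command that binds an app to it.  Added illustration, not MicroMDM code.
Hostnames, bundle ID, identifiers and the certificate UUID are placeholders."""
import plistlib
import uuid
from typing import Set


def new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def per_app_vpn_payload(vpn_uuid: str, server: str, cert_payload_uuid: str) -> dict:
    """VPN payload for the built-in IKEv2 client.  VPNUUID is what makes it a
    per-app VPN definition; without it the payload is a plain device VPN."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.perapp",     # placeholder
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Per-App VPN (example)",
        "UserDefinedName": "Example Per-App VPN",
        "VPNType": "IKEv2",
        "VPNUUID": vpn_uuid,
        # Bring the tunnel up when a bound app (or a matching Safari domain)
        # starts talking, instead of requiring the user to toggle VPN.
        "OnDemandMatchAppEnabled": True,
        # Safari traffic for these domains uses this VPN.  This is the part a
        # hand-edited profile can express; app bindings are not a profile key.
        "SafariDomains": ["intranet.example.com"],          # placeholder
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,
            "LocalIdentifier": "device@example.com",        # placeholder
            # Certificate auth: the referenced com.apple.security.pkcs12
            # payload must travel in the same profile (omitted here).
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_payload_uuid,
        },
    }


def build_profile(vpn_uuid: str, server: str, cert_payload_uuid: str) -> bytes:
    """Wrap the payload in a top-level Configuration profile (.mobileconfig)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.perappvpn",   # placeholder
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Per-App VPN profile (example)",
        "PayloadContent": [per_app_vpn_payload(vpn_uuid, server, cert_payload_uuid)],
    }
    return plistlib.dumps(profile)


def build_app_attributes_command(bundle_id: str, vpn_uuid: str) -> bytes:
    """MDM 'Settings' command routing one app through the per-app VPN.  This
    binding is done by an MDM command, not by a key inside the profile."""
    command = {
        "CommandUUID": new_uuid(),
        "Command": {
            "RequestType": "Settings",
            "Settings": [
                {
                    "Item": "ApplicationAttributes",
                    "Identifier": bundle_id,
                    "Attributes": {"VPNUUID": vpn_uuid},
                }
            ],
        },
    }
    return plistlib.dumps(command)


def per_app_vpn_uuids(profile_xml: bytes) -> Set[str]:
    """VPNUUIDs of every per-app VPN payload in a profile."""
    profile = plistlib.loads(profile_xml)
    return {
        p["VPNUUID"]
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.vpn.managed" and "VPNUUID" in p
    }


def command_binds_to_profile(command_xml: bytes, profile_xml: bytes) -> bool:
    """Check before queuing: every VPNUUID the command binds to must exist in
    the profile the device has, or the binding points at nothing."""
    cmd = plistlib.loads(command_xml)["Command"]
    wanted = {
        s["Attributes"]["VPNUUID"]
        for s in cmd.get("Settings", [])
        if s.get("Item") == "ApplicationAttributes"
        and "VPNUUID" in s.get("Attributes", {})
    }
    return bool(wanted) and wanted <= per_app_vpn_uuids(profile_xml)
```

The same VPNUUID has to appear in both places: the profile defines the tunnel, the Settings command (or the Attributes of an InstallApplication command) names the app. A profile alone, however carefully edited, never carries the bundle-ID side of that mapping, which is why Configurator-built profiles stop at Safari domains.
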
~~~
walterbell
The next question would be whether it requires DEP, or could be done with
open-source MicroMDM or the $20 macOS Server app.

------
tootie
This seems like the kind of thing Apple should be offering on their own
already. But ultimately you're not going to see many enterprises adopt an
Apple-only MDM unless they just love vendor lock-in to the most expensive
vendor.

Negativity aside, I applaud the effort. The MDM space is messy and crowded
with bloated products. I hope these guys can at the very least pop the bubble
a bit.

~~~
hsk0823
Apple has absolutely no desire to go into the device management business. They
make the devices; they don't provide IT departments with any in-house tools.
The entire macOS management ecosystem has risen from a need, and it's a
mishmash of different vendors / open source tools / approaches to skin the cat
that is device management.

~~~
tootie
They already took a baby step in by acquiring TestFlight. It's a more
dev/QA-centric product, but it overlaps with MDM. Google is already in the MDM
space for Chrome devices. Apple has already been remarkably successful in the
enterprise space despite seemingly never going after it. Vendors like Square
are deploying thousands of iPads to retail spaces. I think there's a huge
opportunity there.

~~~
giobox
TestFlight helped solve very real problems iOS developers had back in the day
when it came to managing beta testing etc, and the acquisition was clearly
developer tools focused for Apple. I don’t think it’s sensible to read too
much MDM ambition (if any really) on Apple’s part into that particular
acquisition.

MDM is a very “enterprisey” market for Apple specifically, historically
they’ve been more than happy to let others fight for the few dollars it
typically brings in relative to their giant consumer/hardware businesses. Even
Tim Cook has made the argument that letting businesses like IBM handle the
enterprise cruft helps keep Apple’s focus on just making great consumer
products.

> https://www.recode.net/2014/7/15/11628872/apple-and-ibm-ceos-see-companies-as-puzzle-pieces-that-fit-well

------
urda
I'm curious: do any HN readers manage their personal devices through MDM with
their own profiles, and what benefits are you seeing from that?

~~~
zalmoxes
The server is only meant for enterprise deployments. It would be pretty hard
to do this on a personal level because you need to apply for an enterprise
account with Apple, and request a very specific push certificate option.

~~~
hsk0823
Anyone can get a push certificate, it's not just businesses:

[https://identity.apple.com/pushcert/](https://identity.apple.com/pushcert/)

~~~
zalmoxes
MDM push notifications need to be signed by a special certificate, which is
only available upon request.

------
markovbot
What other open source MDM software is out there that isn't Apple-only?
Specifically I'd like to manage Android phones and maybe Linux laptops (but I
doubt I'll find that).

~~~
tootie
I think you largely get what you pay for. Industry standard is either AirWatch
or Soti.

------
pharaohgeek
Reading through Apple's MDM protocol documentation and coding up one yourself
is a great learning exercise. I had an idea for a niche MDM product and coded
up a proof of concept. Eventually I realized the idea wasn't profitable, but
still got a lot of value out of the development exercise. I even rewrote it
from Java into a couple of different languages (Kotlin, Swift, Go...) to learn
a bit more. It's a sufficiently difficult service to implement that you learn
quite a bit along the way, but not so difficult that you don't see any
progress as you go.
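
For anyone tempted by the exercise above, here is an added illustration of the core of what such a server does (it is not MicroMDM's code, nor Apple's): a minimal in-memory model of the check-in endpoint (Authenticate, TokenUpdate, CheckOut) and the command loop (Idle, Acknowledged, Error, NotNow). Message shapes follow Apple's MDM protocol reference; the push topic, UDID, push magic and token are constructed sample data. Device authentication (the enrollment identity certificate presented on the TLS connection or in a signed header) is deliberately left out, so this is a model to learn from, not something to deploy.

```python
"""Minimal in-memory model of the Apple MDM check-in and command loop.
Added illustration, not MicroMDM or Apple code.  Topic, UDID, token and
push magic are constructed; device authentication is omitted."""
import plistlib
import uuid
from collections import deque
from typing import Optional

PUSH_TOPIC = "com.apple.mgmt.External.0F0F0F0F-EXAMPLE"   # constructed
UDID = "00008030-000A11AA2222333E"                        # constructed


class MDMServer:
    def __init__(self, topic: str = PUSH_TOPIC):
        self.topic = topic
        self.devices = {}   # UDID -> {"token": bytes, "push_magic": str}
        self.queues = {}    # UDID -> deque of command plists still to deliver
        self.pending = {}   # UDID -> CommandUUID the device has not answered yet

    # Check-in endpoint: device PUTs Authenticate, TokenUpdate or CheckOut.
    def handle_checkin(self, body: bytes) -> int:
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        # A check-in for another server's push topic is misrouted or forged;
        # refuse it rather than record a device this server can never push to.
        if msg.get("Topic") != self.topic:
            return 401
        kind = msg["MessageType"]
        if kind == "Authenticate":
            self.devices.setdefault(udid, {})
            self.queues.setdefault(udid, deque())
        elif kind == "TokenUpdate":
            if udid not in self.devices:
                return 401          # TokenUpdate before Authenticate
            # Token + PushMagic are all the server needs to wake the device.
            self.devices[udid].update(token=msg["Token"], push_magic=msg["PushMagic"])
            self.enqueue(udid, "DeviceInformation",
                         Queries=["UDID", "OSVersion", "SerialNumber"])
        elif kind == "CheckOut":
            for table in (self.devices, self.queues, self.pending):
                table.pop(udid, None)
        else:
            return 400
        return 200

    def enqueue(self, udid: str, request_type: str, **fields) -> str:
        cmd_uuid = str(uuid.uuid4()).upper()
        self.queues[udid].append(
            {"CommandUUID": cmd_uuid, "Command": {"RequestType": request_type, **fields}})
        return cmd_uuid

    def apns_payload(self, udid: str) -> dict:
        """Body of the APNs push that tells the device to connect."""
        return {"mdm": self.devices[udid]["push_magic"]}

    # Server endpoint: device reports a Status, server returns the next
    # command plist, or nothing (empty 200) when the queue is drained.
    def handle_connect(self, body: bytes) -> Optional[bytes]:
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        if udid not in self.devices:
            return None
        status = msg["Status"]
        if status == "NotNow":
            # Device cannot act yet (e.g. locked); keep the command, send nothing.
            self.pending.pop(udid, None)
            return None
        if status in ("Acknowledged", "Error", "CommandFormatError"):
            # Retire only the command the device actually answered; a reply
            # naming an unknown CommandUUID just gets the head re-delivered.
            if self.pending.get(udid) == msg.get("CommandUUID"):
                self.pending.pop(udid)
                self.queues[udid].popleft()
        if not self.queues[udid]:
            return None
        nxt = self.queues[udid][0]
        self.pending[udid] = nxt["CommandUUID"]
        return plistlib.dumps(nxt)


def checkin(kind: str, **extra) -> bytes:
    """Constructed device check-in message."""
    return plistlib.dumps({"MessageType": kind, "UDID": UDID, "Topic": PUSH_TOPIC, **extra})


def connect(status: str, **extra) -> bytes:
    """Constructed device connect message."""
    return plistlib.dumps({"Status": status, "UDID": UDID, **extra})


def demo() -> dict:
    """One enrollment plus one command round trip; returns what was observed."""
    out = {"foreign_topic": MDMServer("com.apple.mgmt.External.OTHER")
           .handle_checkin(checkin("Authenticate"))}
    srv = MDMServer()
    srv.handle_checkin(checkin("Authenticate", BuildVersion="17A577"))
    srv.handle_checkin(checkin("TokenUpdate", Token=b"\x01" * 32, PushMagic="MAGIC-1234"))
    out["push"] = srv.apns_payload(UDID)
    first = plistlib.loads(srv.handle_connect(connect("Idle")))
    out["request_type"] = first["Command"]["RequestType"]
    out["after_bad_ack"] = srv.handle_connect(
        connect("Acknowledged", CommandUUID="NOT-THE-ONE")) is not None
    out["after_ack"] = srv.handle_connect(
        connect("Acknowledged", CommandUUID=first["CommandUUID"],
                QueryResponses={"OSVersion": "13.0"}))
    return out
```

Two details worth keeping even in a toy: the server rejects check-ins for a push topic other than its own, and it only retires a command when the device's reply carries the CommandUUID it is actually waiting on. Skipping either is how a learning-exercise server quietly becomes one that any client on the network can steer.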

