Show HN: MicroMDM – Open Source MDM Server for Apple Devices

Show HN: MicroMDM – Open Source MDM Server for Apple Devices(micromdm.io)

146 points by zalmoxes 7 years ago | 47 comments

zalmoxes 7 years ago |

Hi, I'm the author(along with several other developers). MicroMDM is used in some enterprise environments and was recently mentioned in a number of security presentations regarding Apple's MDM and Device Enrollment Program services.

https://duo.com/labs/research/mdm-me-maybe https://i.blackhat.com/us-18/Thu-August-9/us-18-Endahl-A-Dee...

walterbell 7 years ago | |

Do you know if a small business can use DEP features?

Could per-app VPNs be used without DEP? If so, could they be used with MicroMDM, native iOS IPSEC client and an open-source VPN server, or is a 3rd-party VPN client like Cisco required for per-app VPN?

zalmoxes 7 years ago | | |

Anyone can use DEP, just need a DUNS number to enroll into the program, and then to purchase devices from apple direct, or from an approved reseller. Unfortunately you cannot retroactively add devices that were already purchased.

DEP is not required for the VPN profile configs, that can be applied with just MDM (or even manually). The VPN payloads are documented here https://developer.apple.com/enterprise/documentation/Configu...

jesseendahl 7 years ago | |

I’m one of the security researchers that zalmoxes linked above (the Black Hat talk) =)

Duo very nicely gave multiple shout outs in their post. Including to zalmoxes (above), as well as my co-presenter and I. Sadly the traditional vendors in the space don’t have a track record of caring about security engineering. I’m glad that Duo’s latest research emphasizes the importance of authenticating the device enrollment process in particular. We touched on this in our whitepaper^, but it wasn’t a primary focus of our research and we didn’t tie it back to the shortcomings of DEP’s lack of verification around device identity. Extremely happy to see more focus on this stuff.

^See the vendor security checklist section of our whitepaper. Specifically, the bit about using an HMAC within the SCEP payload.

Full transparency: I’m cofounder/CSO of a security focused product in the MDM space (fleetsmith.com).

tootie 7 years ago |

This seems like the kind of thing Apple should be offering on their own already. But ultimately you're not going to see many enterprises adopt an Apple-only MDM unless they just love vendor lock-in to the most expensive vendor.

Negativity aside, I applaud the effort. The MDM space is messy and crowded with bloated products. I hope these guys can at the very least pop the bubble a bit.

mrpippy 7 years ago | |

One of the few remaining services in macOS Server (discussed elsewhere on HN today) is Profile Manager, an Apple-developed MDM server. Given that it requires a static public IP and only runs on macOS, there's a pretty small niche that even could use it. The MicroMDM site describes it as the 'reference' or 'proof-of-concept' MDM server, "depending on how jaded you are about it".

I think Apple is happy with the current state of MDM servers--several good 3rd-party options, both self-hosted and cloud.

hsk0823 7 years ago | |

Apple has absolutely no desire to go into the device management business. They make the devices, they don't provide IT departments with any in house tools, the entire macOS management ecosystem has risen from a need and it's a mish mash of different vendors / open source tools / approaches to skin the cat that is device management.

tootie 7 years ago | | |

They already took a baby step in by acquiring TestFlight. It's a more dev/QA-centric product, but it overlaps with MDM. Google is already in the MDM space for Chrome devices. Apple has already been remarkably successful in the enterprise space despite seemingly never going after it. Vendors like Square are deploying thousands of iPads to retail spaces. I think there's a huge opportunity there.

beager 7 years ago | | |

Apple is actively trying to sell me MDM services. So they may not be in the business of making it easy, but they're certainly in the business of making money on it.

urda 7 years ago |

I'm curious do any HN readers manage their personal devices through MDM with their own profiles, and what benefits are you seeing from that?

markovbot 7 years ago |

what other open source MDM software is out there that aren't Apple-only? Specifically I'd like to manage Android phones and maybe Linux laptops (but I doubt I'll find that)

tootie 7 years ago | |

I think you largely get what you pay for. Industry standard is either AirWatch or Soti.

pharaohgeek 7 years ago |

Reading through Apple's MDM protocol documentation and coding up one yourself is a great learning exercise. I had an idea for a niche MDM product and coded up a proof of concept. Eventually I realized the idea wasn't profitable, but still got a lot of value out of the development exercise. I even rewrote it from Java into a couple of different languages (Kotlin, Swift, Go...) to learn a bit more. It's a sufficiently difficult service to implement that you learn quite a bit along the way, but not so difficult that you don't see any progress as you go.