Inside Apple's MDM Black Box

Black Hat USA 2011

Presented by: David Schuetz (Darth Null)
Date: Thursday August 04, 2011
Time: 13:45 - 15:00
Location: Augustus III + IV
Track: Enterprise Concerns

Mobile Device Management (MDM) has become a hot topic as organizations are pressured to bring iStuff into their organization. Mobile devices are invading every level of corporate society, making the need to remotely manage and control them increasingly urgent. Apple has provided some enterprise management features, first via over-the-air configuration profiles and, beginning in 2010, full MDM support. Unfortunately, the exact features available through MDM, as well as details of the protocol itself, are tightly controlled by Apple.

This talk dissects how Apple MDM works. Starting with basic iOS configuration principles, the talk explores mobile config profiles generated by the iPhone Configuration Utility, over-the-air profile delivery, and eventually describes the key features and mechanisms behind MDM, including remote device locking and wiping. Finally, we explore how to implement your own MDM server, which allows you to manage iOS devices using official device management APIs. We also explore the security and social engineering impacts of freely available MDM servers with these capabilities.

David Schuetz

David is a Computer Science graduate who sort of fell into the security world about 15 years ago when system administration got too boring. In past roles, he has built tools for supporting vulnerability and penetration tests, including findings databases and a crazy multi-user GUI report editor. David joined Intrepidus Group last summer, where he's performed penetration testing, mobile app reverse engineering, and web application security reviews. Most recently, he has focused on iOS, including extensive support for large enterprise deployments, and research into various security-related issues. David describes himself first and foremost as a "guerilla programmer," writing quick-and-dirty tools to process data, eliminate repetitive drudgery, and generally do nifty things. When he has time, he also likes to Geocache, tinker with his home network, and solve crypto puzzle contests at security cons. David almost never blogs to www.darthnull.org.

