I have some MDM solution that we've developed through which we want to support managing iOS devices. Even though we'd already been able to successfully enrol and manage iOS devices via the same, I am trying to figure out a way to secure all web service invocations with OAuth, which take place between the native app running on iOS devices, connecting to the Enrolment and other APIs deployed as part of the MDM solution. Apparently, we've got limited control over modifying the native app to embed OAuth access tokens in the form of HTTP headers or some other means to be able to send those access tokens across to the MDM APIs, as the app logic cannot be modified. Do we have any configuration in the Enterprise App that runs on iOS devices to enable OAuth (or any other form of authentication) or some other means, which I can effectively use to get my requirement implemented?
OAuth to secure iOS MDM enrolment process
413 Views Asked by Prabath Abeysekara At
1
There are 1 best solutions below
Related Questions in IOS
- Overlapping UICollectionView in storyboard
- Cannot pod spec lint because of undeclared type errors
- Is the transactionReceipt data present in dataWithContentsOfURL?
- UIWebView Screen Fitting Issue
- ZXingObjC encoding issues
- iOS: None of the valid provisioning profiles allowed the specific entitlements
- How to hide "Now playing url" in control center
- CloudKit: Preventing Duplicate Records
- Slow performance on ipad erasing image
- Swift code with multiple NSDateFormatter - optimization
- iOS 8.3 Safari crashes on input type=file
- TTTTimeIntervalFormatter always returns strings in English
- How do I add multiple in app purchases in Swift Spritekit?
- Setup code for xibs in iOS. -awakFromNb:
- iOS Voice Over only reads out the title of any alert views
Related Questions in OAUTH
- Using html5 localstorage instead of cookies with passport.js
- OAuth integration with QuickBooks using Scribe
- OAuth with Developer tokens
- Oauth in Tyrus WebSocket
- Accessing Picasa Web API using PHP
- how can I access user details through "oauth_token" from twitter api in ionic framework
- Is my JWT refresh plan secure?
- When to refresh token?
- SignalR oAuth on self host
- Bearer token in MVC controller to access Web API
- OAuthorization through app or web api
- Authenticating mobile app login using webservice using oauth connection
- Testing local rails application with OAuth
- Configure the authorization server endpoint
- Azure Active Directory Login: Web App Permissions, User Consent not triggered
Related Questions in OAUTH-2.0
- Not getting refresh token with google oauth2
- SoundCloud Authentication Consistently Returns 401 invalid_grant For Some Users
- How can I share Azure Active Directory authentication between server side and client script?
- OAuth2 and API Json request not working with jQuery Call
- Flask-Restful, oauth, and Salesforce
- Bearer token in MVC controller to access Web API
- Revoking OAuth tokens in Mule
- how to signup user using google-plus integradation in web?
- Need to run getAuthToken twice before receiving access token, why?
- chrome.identity.getAuthToken and refresh token?
- dropbox api authentication (Error: [400] 'invalid_client')
- Retrieve Google Sites's Domain Index feed using OAuth 2.0 with Service Account
- hello.js: Is it possible to set the provider's settings dynamically?
- How to share developer account at LinkedIn
- Linkedin Unsupported POST target
Related Questions in MDM
- IP Address Range for Apple MDM service?
- Bloomberg-R Depth of market access
- Supervised devices and App restrictions in iOS
- Validating requests in /server url
- OAuth to secure iOS MDM enrolment process
- When trying to Install application remotely into an iPhone through mdm .mobileconfig file, returns "invalid profile" error
- Check device admin policies enforced on the device
- AirWatch Authentication Failure
- XML Parsing in OS X Terminal for MobileConfig file
- Samsung KNOX Cloud SDK - fetch MDM profiles
- Failed to query active directory groups
- How to create MDM Download block
- PHP oAuth Signature Invalid - Apple DEP
- MDM check in request is not received on the server
- How to kill an iOS app running in "Single app mode" everyday at a specific time?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
iOS enrollment flow associate with a challenge token in the SCEP payload (mentioned as Challenge). Once you do the authentication from MDM server side there needs to be a unique token generated based on your user identity and embed that in this SCEP payload. For subsequent enrollment calls this token is passed and once the enrollment success this can be fetched and validate the user. Ideally this is just a way to link the device to a specific user which could be a temporary token generated at your MDM server end which link to a user identity or something related. To follow that you could apply OAuth password grant type and get the token once the authentication happens. Then this OAuth token can be then set as this challenge token for future use. But unlike in other OAuth communications iOS will not send this token in header as the bearer rather this will be embedded in the xml payload with proper encryption and signing in place.
Further iOS support protocol extension to validate users with open directory service using an auth token. This will by default have the ability to communicate back and forth using the checkin endpoint.