12

Since Apple is deprecating Unique Device Identifier for apps, what is the best approach to link back an Enterprise App on a device that has been enrolled with MDM?

From the MDM Protocol reference document, the enrollment is still using the UDID for the check-in procedure.

We can't use the new identifierForVendor because it is not the same as the UDID used for the check-in.

Let me update with how I implemented my MDM solution:

  1. Device will check in to the MDM server with a token and the device UDID (the one for which Apple is removing the API)
  2. Device will send device info to the MDM server (Wi-Fi MAC address, serial number, OS version, and other info)
  3. There will be a client app that will be talking to the MDM server via a RESTful API. (Previously I was using the UDID as a key identifier)

I was thinking of using the MAC address, but in the latest iOS 7 the system will always return the value 02:00:00:00:00:00.

We also can't get the device serial number.

So my question again: how can we know this app on this device belongs to this MDM enrollment on the server in (3)? Because now, the app doesn't have any common key to be referred to with the check-in process. How will the server know which device is which?

Thanks.

adiman
  • Have you found a solution to your problem? Mine is pretty much the same. – noircc Mar 04 '14 at 09:21
  • The only workaround for this is to use identifierForVendor and store it in the Keychain so that the identifierForVendor will remain even if the user reinstalls the Enterprise App. – adiman Mar 05 '14 at 01:56
  • Bump for answer, I am experiencing the same problem but haven't found a solution yet. – sm0ke21 May 04 '15 at 12:59

5 Answers

5

The best way, and perhaps the only way, is to use the new Managed Apps configuration capabilities in iOS 7. You could have your MDM push down something like an API key to your app. Then your app presents that key in your call back to your MDM server or any other web service.

Once you push your config down to your app, you could pull out the API key with something like the below. Most of the mainstream MDM solutions already support this type of functionality in their latest versions.

```objc
NSDictionary *config = [[NSUserDefaults standardUserDefaults] dictionaryForKey:@"com.apple.configuration.managed"];
NSString *apiKey = config[@"kAPIKey"];

if (apiKey) {
    //We got an API key and we can use it
} else {
    //We didn't get an API key...something has gone wrong
}
```

lidsinker
  • How can I make my app a managed app? I had enrolled in Apple Business Manager, and I had an MDM server – user3497292 Jul 28 '20 at 09:49
  • @user3497292 you can set the app as managed using [InstallApplicationCommand](https://developer.apple.com/documentation/devicemanagement/installapplicationcommand/command). – iolate Nov 24 '22 at 09:38
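
The server side of the approach in the answer above, as an added example that is not part of the original answer or of any MDM product: the server issues a random per-device key at enrollment, keeps only its hash mapped to the UDID from check-in, delivers the key in an MDM `Settings` command (`ApplicationConfiguration` item), and resolves the key back to the UDID when the app calls the REST API. The class and function names, the bundle ID and the UDID values are hypothetical; `kAPIKey` is the key name used in the answer.

```python
import hashlib
import plistlib
import secrets
import uuid


class AppKeyRegistry:
    """Maps per-device API keys pushed via managed app configuration to MDM UDIDs."""

    def __init__(self):
        self._digest_to_udid = {}  # sha256(key) -> UDID; raw keys are never stored

    def issue(self, udid):
        """Create a fresh random key for an enrolled device, replacing any old one."""
        self.revoke(udid)
        key = secrets.token_urlsafe(32)
        self._digest_to_udid[self._digest(key)] = udid
        return key

    def revoke(self, udid):
        """Call when the device unenrolls so a copied key stops resolving."""
        stale = [d for d, u in self._digest_to_udid.items() if u == udid]
        for digest in stale:
            del self._digest_to_udid[digest]

    def resolve(self, presented_key):
        """Return the UDID for a key presented by the app, or None if unknown."""
        return self._digest_to_udid.get(self._digest(presented_key or ""))

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()


def settings_command(bundle_id, api_key):
    """Build the MDM Settings command that carries the app's managed configuration."""
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "Settings",
            "Settings": [{
                "Item": "ApplicationConfiguration",
                "Identifier": bundle_id,           # constructed bundle ID in the test
                "Configuration": {"kAPIKey": api_key},
            }],
        },
    }
    return plistlib.dumps(command)
```

Because the key is random and bound to one enrollment, reissuing or revoking it on the server is enough to cut off an app instance that presents an old value.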
2

Although lidsinker's answer is true, let me focus on it so that others who are searching for this can be helped.

You can create an Enterprise app and install it via MDM. Once the device is enrolled, MDM can install the Enterprise app on the device. MDM can also set a default configuration in NSUserDefaults.

The app can read it whenever it launches, as described above in lidsinker's answer.

Apple provides an example here: https://developer.apple.com/library/content/samplecode/sc2279/Introduction/Intro.html

Rohan
  • can this approach guarantee that the app runs only on enrolled devices? Suppose someone can extract the app from an enrolled device and install it on an unenrolled one - is that possible? – Radu Simionescu Feb 01 '18 at 09:09
  • It's late, but let me give some clarity. As far as I know, one cannot install an app on an iOS device like this. Although it is not possible, if someone installs it by some hack then, of course, there will be no way to copy UserDefaults with it. – Rohan Jun 28 '18 at 09:48
0

I would have a read of this source I found a few months ago; http://www.doubleencore.com/2013/04/unique-identifiers/

From there I used the CFUUID method which has served me well.

```objc
NSString *uniqueID = [NSString stringWithFormat:@"%@", CFUUIDCreateString(NULL, CFUUIDCreate(NULL))];
```

roycable
  • the problem is, MDM protocol does not have an option request for CFUUID in the payload. MDM only sends UDID and other hardware infos. So, can't relate CFUUID with what has been sent to the MDM server. – adiman Aug 16 '13 at 04:11
0

In iOS 7, Apple now always returns a fixed value when querying the MAC to specifically thwart the MAC as base for an ID scheme. So you now really should use -[UIDevice identifierForVendor] or create a per-install UUID.

Nishith Shah
  • [UIDevice identifierForVendor] does not match the device UDID in the MDM payload. That's the problem – adiman Aug 16 '13 at 04:16
  • I am also facing the same issue in my app. There will also be a problem with what happens when the user updates the OS on his/her device. – Nishith Shah Aug 16 '13 at 05:29
  • So I think the better option is that we have to use the Device Token (if you are using push notifications) in our application. – Nishith Shah Aug 16 '13 at 05:30
  • What you can do is get a unique identifier using [[UIDevice currentDevice] identifierForVendor] or any other unique identifier generator. After that you should store that value in the keychain using KeychainItemWrapper and use it. Once you store a value in the keychain it will not be removed even after you delete and reinstall the app. – Nishith Shah Aug 16 '13 at 05:31
0

[UIDevice uniqueIdentifier] has been replaced with [[UIDevice identifierForVendor] UUIDString] in iOS 6.0.

Vishal Kardode