Demystifying MDM: open source endeavors to manage Macs

Speakers: Victor Vrantchan & Jesse Peterson

Level: Advanced, Lecture

Excerpt: Want to know how MDM works under the hood? Curious whether a vendor’s MDM product or a custom solution is right for your organization? Want to enroll some devices into an open source MDM? Not sure how MDM (with DEP) can be useful in managing Macs amongst a plethora of other Mac management tools? Want to roll your own MDM? Worried about the future of Mac management? Then this talk is for you.

Description: Maybe you’ve heard the rumors or maybe you’ve seen the writing on the wall yourself. Mac management may be changing in very drastic ways such that MDM & DEP will be the de facto way, if not the only way, to effectively manage Macs in the future. Even if those rumors are just rumors MDM & DEP are effective tools for certain management tasks. Of course they are not without their (sometimes glaring) problems, too.

We plan for the lecture to be in two main parts: a conceptual overview of the “under the hood” workings of MDM, and a practical “getting started” guide to working with an open source software (OSS) MDM product, at this time very likely MicroMDM.

The conceptual overview has a couple of goals. One is to give some background on how MDM works, the various components involved, and the requirements thereof. This gives some footing for working with the OSS MDM products, which expose these lower layers a little more than your average MDM, so being familiar with MDM at this level will assist in managing and troubleshooting it. The other goal of the conceptual focus is to provide a basis for folks who might want to roll their own MDM, whether that means actually developing their own MDM or simply contributing to an existing project.

The practical side is all about actually getting an OSS MDM up and running: the requirements, the code, the steps to set it up, and the ways to manage devices. While this paragraph is much shorter than the one above, it is planned to be no less important a part of the presentation. Perhaps a 55/45 conceptual/practical split is imagined.

An early, rough outline of some of the content of the talk is included here (hopefully the outline format comes through in text; happy to provide another format):

* Conceptual overview of how MDM works; or: How to roll your own MDM
  * (briefly) What does MDM (and DEP) do for me? Why would I want to use it?
    * Using MDM+DEP as a gateway to getting your management tool onto a Mac in a zero-imaged, drop-shipped way
    * Potential future of Mac management (APFS, root-level daemon restrictions/iOS-ification of management)
  * Why OSS MDM amongst a bunch of other MDM products?
  * MDM protocol detail
    * enrollment (certs/SCEP) & check-in
    * push notifications
    * MDM web service; commands & responses
    * DEP API
    * etc.
  * What’s terrible about MDM and how it could be better
    * APNS firewall/proxy issues
    * APNS & DEP reliability, availability, scalability
    * Lack of adequate state inspection on enrolled Macs
    * Complexity of & restrictions on setting up MDM (vendor cert, APNS cert, DEP DUNS number, etc.)

* Practical overview of getting an OSS MDM product up and running
  * The requirements (certs, certs, and more certs, DEP enrollment, etc.)
    * This clip (starting at 15m01s) describes some of the requirements in talk form (though the presentation for this talk will likely be different): https://www.youtube.com/watch?v=0rdQkP740Co#t=15m01s
  * Setting it up: getting the software/resources, initial setup/config, running it, enrolling a device, sending initial commands
  * Managing devices: life-cycle, installing other management tools, zero-image deployment, etc.

With this presentation we hope to give the audience a deeper understanding of how Apple’s core management protocols work (like MDM, DEP, etc.), some of the challenges and problems with those technologies, as well as practical guidance on getting started & involved with OSS MDM products. Along the way we’ll explore why folks would want to consider these MDM & DEP techniques as well.

About the speakers

Jesse Peterson (Twitter: @jessecpeterson) – MacTechs

Jesse has been working with technology for most of his life. Consulting, start-ups, and hobbies with a healthy portion of open source served in all three.

Most of his professional career has included supporting and managing Macs and Apple devices in one fashion or another. As an IT Consultant at MacTechs in Seattle, he’s helped organizations ranging from startups and small businesses to large corporations and government with Mac management and more. With a strong enjoyment of and advocacy for development and DevOps, he has developed software and solutions for fun and interesting IT projects (and, of course, open sourced them along the way!).

Jesse is a proud member of the Mac admin community and is excited and honored to be speaking at PSU MacAdmins.

Victor Vrantchan (Twitter: @wikiwalk) – Devops Engineer – Kolide

Victor is a DevOps engineer at Kolide. He’s an active member of the MacAdmin community and loves writing tools that improve the reliability and security of IT infrastructure.

This entry was posted in MacAdmins 2017 Sessions.