How to Set MDM Payload's "Identity" in iPCU

Configuration Profile with MDM Payload not getting installed using IPCU

You can add in a p12 file/certificate as a 'Credential' in iPCU and pick this from the list in the MDM view. You do not have to use SCEP to do this.

Error when combining SCEP and MDM payloads - enrollment server did not provision valid identity certificate

I got in touch with Apple about this.

Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment. According to Apple you need two separate certificates (which means two SCEP enrollments) - one for OTA enrollment, and one for MDM enrollment.

Configure MDM Server for iPhone

You need just three things:

1) An MDM payload with an MDM URL starting with https://

2) A certificate which you download from the Apple developer portal. This is detailed on Apple's site.

3) Link this certificate (.p12) file in the Identity section of the MDM payload.

Your server needs to have the necessary ports open - this is also documented. The server needs to listen for the PUT method, not GET or POST.

If you do the above, you will see that your device sends the deviceToken, pushMagic, etc.
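As an added example (not code from the original answer or from any MDM product), the following script builds the kind of profile the three steps above describe: a PKCS12 credential payload embedded in the profile and an MDM payload whose IdentityCertificateUUID points at it, so no SCEP payload is involved. The server URLs, the push topic and the PKCS12 bytes are placeholders; a real profile needs a genuine .p12 and the topic from your push certificate, and would normally be signed before delivery.

```python
"""Build an iOS configuration profile whose MDM payload uses an embedded
PKCS12 credential as its Identity (the iPCU 'Credential' approach).

Added example, not code from the original page. Server URLs, topic and the
PKCS12 contents below are placeholders, not real values.
"""
import plistlib
import uuid

# Constructed placeholder standing in for the bytes of a real .p12 file.
FAKE_P12 = b"\x30\x82\x00\x10FAKE-PKCS12-FOR-ILLUSTRATION-ONLY"
FAKE_P12_PASSWORD = "changeit"

# Assumed values; in a deployment these come from your MDM server and the
# push certificate obtained through Apple's portal.
SERVER_URL = "https://mdm.example.com/mdm"
CHECKIN_URL = "https://mdm.example.com/checkin"
TOPIC = "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000"


def pkcs12_payload(p12_bytes, password, payload_uuid):
    """Credential payload: the identity the device presents to the MDM server."""
    return {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.identity",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "MDM identity",
        "PayloadContent": p12_bytes,  # plistlib emits bytes as a base64 <data> element
        "Password": password,         # lets the device import the private key
    }


def mdm_payload(identity_uuid, payload_uuid):
    """MDM payload referencing the credential payload by its UUID."""
    return {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "MDM",
        "ServerURL": SERVER_URL,
        "CheckInURL": CHECKIN_URL,
        "Topic": TOPIC,
        "IdentityCertificateUUID": identity_uuid,  # the link to the PKCS12 payload
        "AccessRights": 8191,
        "CheckOutWhenRemoved": True,
    }


def build_profile(p12_bytes=FAKE_P12, password=FAKE_P12_PASSWORD):
    identity_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example MDM enrollment",
        "PayloadContent": [
            pkcs12_payload(p12_bytes, password, identity_uuid),
            mdm_payload(identity_uuid, str(uuid.uuid4()).upper()),
        ],
    }


def check_profile(profile):
    """Pre-flight checks: the identity UUID must resolve to a PKCS12 payload in
    this profile and both server URLs must be https. Returns (ok, reason)."""
    payloads = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    mdm = next(p for p in payloads.values() if p["PayloadType"] == "com.apple.mdm")
    identity = payloads.get(mdm.get("IdentityCertificateUUID"))
    if identity is None or identity["PayloadType"] != "com.apple.security.pkcs12":
        return False, "IdentityCertificateUUID does not point at a PKCS12 payload"
    for key in ("ServerURL", "CheckInURL"):
        if not mdm[key].startswith("https://"):
            return False, f"{key} must be https"
    return True, "ok"


def to_mobileconfig(profile):
    """Serialize to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_profile()
    print(check_profile(prof))
    print(to_mobileconfig(prof).decode())
```

Comparing the generated XML against a profile exported from iPCU is the quickest way to spot a missing key; the check function only catches the two mistakes the answers on this page mention (identity not linked, non-https URL).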

Apple MDM OTA - Identity Certificate with SCEP vs PKCS12 embedded within the profile

Here are my thoughts on that:

1) If you are building a prototype or a small, non-critical service, then go with PKCS12.

2) If you are building a serious product (production and touching devices of people with sensitive info), then go with SCEP (you can get free SCEP servers; it's not that complex).

Frankly, if I were on the dark side (trying to hack it), I don't think I would attack PKCS12 vs SCEP (it's not the weakest link).

However, let's say I decided to try to hack it:

  • I would try a man-in-the-middle attack. I would try to capture the communication and save the PKCS12 and the password for it.

  • I would use it to authenticate to the MDM server.

  • You are right, I can't trigger any commands, but I can start probing your code to find where you skipped some security checks. Maybe you don't check that a certificate matches a device UUID, and so on.

  • Hopefully, I will find enough security holes to do something (let's say trigger actions for other users). Maybe I will send them a Wipe command, or maybe I will try to install a root CA + HTTP proxy configuration to see all their traffic.

Anyhow, I don't think that it's the weakest link, and it requires a lot of additional steps to get to some interesting stuff. However, if you get there, you can do A LOT.

As a result for a serious product, it will make sense to invest several additional weeks in SCEP.

Identity certificate - iOS MDM

Answering your question:

1) Do I need to maintain the list of Public key of Identity certificates mapped to the device, so that I can use it later for encrypting?

Yes. You need some kind of mapping. You can do it a couple of ways:

  • Just store a mapping between certificate common name and device UDID in the DB.
  • Make the CN contain the UDID (I like this method, because it simplifies initial checks).

And as you pointed out, you will need the public key to encrypt payloads for this device.

2) What is the best possible way to implement a SCEP server? Is there any reliable, robust method available to adopt instead of writing everything on our own?

There are open source implementations of SCEP. As examples, jSCEP has one (I used it) and EJBCA has one (I used it too). I saw other implementations (in Ruby and so on). So, you can find and choose something which works with your stack.

3) You need to renew the identity certificate before it expires (the same way as for any other certificate).

4) If your profile doesn't work, I would recommend that you create the same profile in iPhone Configuration Utility and compare it with yours. Most of the time, you missed just one tag or something like that (it will take a lot of time to figure it out without comparing it with a working one).
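The check that both the "dark side" answer above (a certificate that is never matched against the device it claims to be) and the CN-contains-UDID recommendation in this answer are about, written out as an added example that is not code from either answer or from any real MDM server. It handles the check-in that the device PUTs to the CheckInURL (Authenticate, then TokenUpdate with the push token and PushMagic). It assumes the identity certificate's CN was issued as the device UDID, and that a TLS terminator in front of the application verifies the client certificate and forwards its subject DN in an X-SSL-Client-S-DN header; that header name, the message bodies and the UDIDs are all constructed for the example.

```python
"""MDM check-in handler that binds the presented identity certificate to the
UDID in the message, so a captured identity cannot act for another device.

Added example, not code from the original page. Assumes the TLS terminator
verified the client certificate and forwards its subject DN in the header
named below (assumption), and that the certificate CN equals the device UDID.
"""
import plistlib

CLIENT_DN_HEADER = "X-SSL-Client-S-DN"   # assumed header set by the TLS terminator
TOPIC = "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000"  # placeholder

# In-memory stand-in for the DB table: UDID -> push token / PushMagic.
DEVICES = {}


def cn_from_dn(dn):
    """Pull the CN out of a DN in either 'CN=x,O=y' or '/O=y/CN=x' form."""
    parts = [p.strip() for p in dn.replace("/", ",").split(",") if p.strip()]
    for part in parts:
        if part.upper().startswith("CN="):
            return part[3:]
    return None


def handle_checkin(method, headers, body):
    """Return (status, reason) for one check-in request.

    Order matters: method, then client identity, then the body, and the
    certificate/UDID binding is enforced before any message type is acted on.
    """
    if method != "PUT":
        return 405, "Method Not Allowed"   # the device only ever PUTs here
    cn = cn_from_dn(headers.get(CLIENT_DN_HEADER, ""))
    if not cn:
        return 401, "no client identity"
    try:
        msg = plistlib.loads(body)
    except Exception:
        return 400, "bad plist"
    udid = msg.get("UDID")
    if not udid or udid != cn:
        # The check an attacker holding a stolen PKCS12 hopes is missing:
        # the identity must only be able to speak for its own UDID.
        return 403, "certificate does not match UDID"
    if msg.get("Topic") != TOPIC:
        return 400, "wrong topic"
    mtype = msg.get("MessageType")
    if mtype == "Authenticate":
        DEVICES.setdefault(udid, {})
        return 200, "ok"
    if mtype == "TokenUpdate":
        if udid not in DEVICES:
            return 403, "TokenUpdate before Authenticate"
        DEVICES[udid].update(token=msg["Token"], push_magic=msg["PushMagic"])
        return 200, "ok"
    return 400, "unknown MessageType"


def sample_checkin(message_type, udid, **extra):
    """Constructed check-in body in the shape iOS sends (not a real capture)."""
    msg = {"MessageType": message_type, "UDID": udid, "Topic": TOPIC}
    msg.update(extra)
    return plistlib.dumps(msg)


GOOD_UDID = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"   # constructed
OTHER_UDID = "ffffffffffffffffffffffffffffffffffffffff"  # constructed, a victim device

if __name__ == "__main__":
    hdr = {CLIENT_DN_HEADER: "CN=" + GOOD_UDID + ",O=Example MDM"}
    print(handle_checkin("PUT", hdr, sample_checkin("Authenticate", GOOD_UDID)))
    print(handle_checkin("PUT", hdr, sample_checkin(
        "TokenUpdate", GOOD_UDID, Token=b"\x01" * 32, PushMagic="ABC")))
    # Same identity, someone else's UDID: the scenario from the answer above.
    print(handle_checkin("PUT", hdr, sample_checkin(
        "TokenUpdate", OTHER_UDID, Token=b"\x02" * 32, PushMagic="XYZ")))
```

The same binding has to be applied on the ServerURL endpoint as well, where command acknowledgements arrive; a server that only checks the certificate at check-in and then trusts the UDID in later messages leaves exactly the hole the previous answer describes.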

Configuration Profile with MDM Payload not getting installed to the device

Perhaps a bit old, but your MDM server URL must be a valid HTTPS URL with a cert from a trusted source; self-signed certs will not work.


