When developing and testing MicroMDM you will likely want to enroll devices. Normally that means either generating or getting new TLS certificates and hosting micromdm on some publicly accessible server.
ngrok is a tool that makes it easy to expose the MicroMDM server as a public URL that your devices can enroll to.
The scripts in this will help you get MicroMDM running for local development. First, install the listed requirements.
Next, make sure you've cloned the micromdm repo exactly as described in the contributing guide. Follow the steps in the same document to downloads required dependencies and build micromdm and mdmctl.
Finally, follow the described workflow for setting up your development server.
Follow the steps in order, and use separate terminal windows for running ngrok and micromdm. These are long running processes, and you will want to see the output. Some of the steps are only required for first time setup.
Note: When the ngrok tunnel expires, you have to re-enroll the test device. The configure_mdmctl updates the DEP profile, so all you need to do is either reset the VM, or run sudo /usr/bin/profiles -e -N if testing with a real Mac.
- Run ngrok. A tunnel will be opened. If you're using the free version of
ngrokthis URL is only valid for 2 hours, but you can always start with a new URL.
ngrok http 8080
Make sure to open a browser tab at http://localhost:4040. The ngrok web interface shows all the requests/responses between micromdm and its clients and can be invaluable for debugging.
- Create a env file and define environment variables you will need for micromdm. This is a first time setup only step.
Contents of env file:
export API_TOKEN=supersecret
export PUSH_CERTIFICATE_PRIVATE_KEY_PASSWORD=supersecret
export SERVER_URL="$(curl -s localhost:4040/api/tunnels | jq '.tunnels[]|.public_url' -r |grep https)"
- Set the
MICROMDM_ENV_PATHvariable to be the path of yourenvfile. This will be used to source the file in all the helper scripts. Do this once in every new terminal window you open while developing with micromdm.
export MICROMDM_ENV_PATH="$(pwd)/env"
- Start
micromdm. Do this every time you rebuild the binary and when yourngroktunnel expires.
./tools/ngrok/start_server
The server will run on port 8080. The default configuration is minimal, but you can pass any additional flags as arguments to the script. For example ./tools/ngrok/start_server -http-debug.
- Configure the Push certificate and DEP tokens. This is a first time setup only step.
If you already have the
MDM CSRoption in your enterprise portal, follow the user guide steps.
If you don't have access to the enterprise portal, you can get an MDM certificate from mdmcert.download You can also export the device management certificate from Server.app.
Configure mdmdctl:
source $MICROMDM_ENV_PATH
./build/darwin/mdmctl config set -name ngrok -api-token=$API_TOKEN -server-url=$SERVER_URL
./build/darwin/mdmctl config switch -name=ngrok
Upload push certificate:
./build/darwin/mdmctl mdmcert upload \
-cert "$path_to/mdm-certificates/push_certificate.pem" \
-private-key "$path_to/mdm-certificates/PushCertificatePrivateKey.key" \
-password $PUSH_CERTIFICATE_PRIVATE_KEY_PASSWORD
Get a DEP OAuth token at deploy.apple.com
./build/darwin/mdmctl get dep-tokens -export-public-key /path/to/save/public.pem
# after you upload the public key to your DEP portal, you'll get back a .p7m token file.
./build/darwin/mdmctl apply dep-tokens -import "$dev_path/dep/local_dep_smime.p7m"
- Configure mdmctl and start using micromdm. Do this every time your ngrok tunnel expires.
# substitute A_SERIAL_NUMBER for your test device. This serial number will be used to apply a DEP profile.
./tools/ngrok/configure_mdmctl A_SERIAL_NUMBER
micromdm and mdmctl should now be configured and you can begin testing.
# In your first terminal window. Don't forget to open http://localhost:4040
ngrok http 8080
# In a second terminal window
export MICROMDM_ENV_PATH="$(pwd)/env"
./tools/ngrok/start_server
# In a third terminal window.
export MICROMDM_ENV_PATH="$(pwd)/env"
./tools/ngrok/configure_mdmctl