MDM执行命令工作原理：（如下图1）

1.png

如下发锁定设备、禁用摄像头、禁止截屏等，具体步骤如下：

步骤1: MDM服务器发送一个MDM推送信息，告诉设备服务器需要你执行的命令了。
步骤2: 苹果推送通知给iOS设备
步骤3: 当设备空闲和有网络时，去连接MDM服务器并告诉服务器其状态
步骤4: MDM服务器根据设备状态返回给设备需要执行的命令
步骤5: 设备执行了命令，并将执行的结果给MDM服务器

本文我们主要讲的是步骤2，设备怎么收到Apple APNS通知的，以及收到MDM通知之后要做的事情。

一. 对apsd进程的分析

1. 我们先看一段设备日志

iphone apsd(CommonUtilities)[95] <Notice>: Created power assertion {identifier: APSCourier(tcpStream:dataReceived:)}
iphone apsd[95] <Notice>: <private>: Outstanding data received: <private> (length 198) onInterface: WWAN. Connected on 1 interfaces.
iphone apsd[95] <Notice>: <private>: Stream processing: complete yes, invalid no, length parsed 198, parameters <private>
iphone apsd(CommonUtilities)[95] <Notice>: Created power assertion {identifier: APSCourier(tcpStream:dataReceived:)}
iphone apsd[95] <Notice>: copyTokenForDomain push.apple.com (null)
iphone apsd[95] <Notice>: <private> timestampForTopic? <private> token <private>
iphone apsd[95] <Notice>: <private> receivedPushWithTopic <private> token <private> payload <private> timestamp Wed Jun 10 16:18:29 2020
iphone apsd[95] <Notice>: <private>: Received message for enabled topic '<private>' onInterface: WWAN with payload '<private>' with priority 10 for device token: YES
iphone apsd[95] <Notice>: <private> asked to store incoming message <private> with guid <private> environment <private>
iphone apsd[95] <Notice>: APSMessageStore - New message record [<private>] has ID [23469].
iphone apsd[95] <Notice>: <private>: Sending acknowledgement message with response 0 and messageId <private> (426590595)
iphone apsd(PersistentConnection)[95] <Notice>: <private> isLTEWithCDRX? Unknown  --  powerlog value 0
iphone apsd[95] <Notice>: <private>:APSNetworkMonitor decaying cost (0 - 15) = 0 for 54.468050 seconds
iphone apsd[95] <Notice>: <private>:APSNetworkMonitor addCost: 100 - _currentCost is now 100
iphone apsd[95] <Notice>: <private> _notifyForIncomingMessage <private> with guid <private>
iphone apsd[95] <Notice>: Pinging client via mach since we are not currently connected for port <private>
iphone apsd[95] <Notice>: <private>: Calling into AWD for PushReceived
iphone apsd[95] <Notice>: submitted metric <private>
iphone apsd[95] <Notice>: <private>: AWD for PushReceived finished
iphone apsd[95] <Notice>: <private>: Stream processing: complete no, invalid no, length parsed 0, parameters (null)
iphone apsd[95] <Notice>: Created metric container: 0x130004 succeeded? YES
iphone apsd[95] <Notice>: Successfully pinged client
iphone apsd[95] <Notice>: Submitted metric: 0x130004 succeeded? YES
iphone apsd(CommonUtilities)[95] <Notice>: Created power assertion {identifier: APSCourier(tcpStream:dataReceived:)}
iphone apsd[95] <Notice>: <private>: Outstanding data received: <private> (length 4) onInterface: WWAN. Connected on 1 interfaces.
iphone apsd[95] <Notice>: <private>: Stream processing: complete yes, invalid no, length parsed 4, parameters <private>
iphone apsd[95] <Notice>: <private>: Received keep-alive response 1 on interface WWAN: <private>
iphone apsd(CommonUtilities)[95] <Notice>: Releasing power assertion {identifier: APSCourier(tcpStream:dataReceived:)}
iphone apsd(CommonUtilities)[95] <Notice>: Created power assertion {identifier: APSCourier(tcpStream:dataReceived:)}
iphone apsd[95] <Notice>: <private>: Stream processing: complete no, invalid no, length parsed 0, parameters (null)

从上面日志我们可以看到上面的apsd进程，apsd是一个长链接进程，每当MDM服务器推送MDM指令，此进程就会工作处理VPNS消息。

2. apsd进程会把当前的任务存储下来例如：

iphone apsd[95] <Notice>: APSMessageStore - New message record [<private>] has ID [23469].
iphone apsd[95] <Notice>: <private>: Sending acknowledgement message with response 0 and messageId <private> (426590595)

其中的(426590595)这个id，当MDM执行的时候会取这个id的任务。

3. 如果日志里面有这样的日志如下：

iphone apsd[95] <Notice>: Dispatching high priority message on server: <private>

表明当前有MDM任务再执行，新来的MDM任务需要等待当前MDM任务执行完成才能执行，所有新来的MDM任务按照先后顺序依次执行。并且新来的任务apsd也都是先接收到进行APSMessageStore。

二. 对mdmd进程的分析

1. 接下来我们再看一下mdmd进程，mdmd是被apsd唤醒执行MDM任务的进程，（在MDM执行命令工作原理步骤3、4、5都是通过mdmd进程完成的）。来看一下mdmd设备的日志：

（1）iphone mdmd(libdyld.dylib)[11636] <Notice>: mdmd starting...

iphone mdmd[11636] <Notice>: Starting power assertion: Start MCMDMServer
iphone mdmd(ApplePushService)[11636] <Notice>: Initializing APSConnection <private>: env=development port=com.apple.managedconfiguration.mdmdpush-dev queue=(null)
iphone mdmd[11636] <Notice>: Starting power assertion: Connection did receive public token: <dd9da111 1d1a8a1f 07ce12cb 87ed7123 123f1d4d f28a22a2 49eb111a dd9da456>
iphone mdmd(ApplePushService)[11636] <Notice>: <private> returned from <private> didReceivePublicToken:
（2）iphone mdmd(ApplePushService)[11636] <Notice>: <private> Delivering message from apsd: <private> 426590595 <private>
iphone mdmd(ApplePushService)[11636] <Notice>: <private> making delegate (<private>) calls to deliver message 426590595 <private> for topic <private>

iphone mdmd(ApplePushService)[11636] <Notice>: <private> calling <private> connection:didReceiveMessageForTopic:
（3）iphone mdmd[11636] <Notice>: Starting power assertion: Connection did receive message for topic: com.apple.mgmt.2222d9fe-a111-4111-b111-f11e1c1b222f,, user info: {
    aps =     {
    };
    identifier = "8346ee76-07b2-4377-a25e-b63b68368811";
    mdm = "0D034E67-DD6D-4328-939C-600096536611";
}
Jun 10 16:18:29 iPhone-XR mdmd(ApplePushService)[11636] <Notice>: Received push notification.

（4）iphone mdmd[11636] <Notice>: Polling MDM server https://host:port/server for next command.
…根据mdm指令做任务日志（省略了）

（5）iphone mdmd[11636] <Notice>: Command Status: Acknowledged

（6）iphone mdmd[11636] <Notice>: Polling MDM server https://host:port/server for next command.

（7）iphone mdmd(libobjc.A.dylib)[11636] <Notice>: Ending power assertion: Connection did receive message for topic: com.apple.mgmt.External.2222d9fe-a111-4111-b111-f11e1c1b222f, user info: {
    aps =     {
    };
    identifier = "8346ee76-07b2-4377-a25e-b63b68368811";
    mdm = "0D034E67-DD6D-4328-939C-600096536611";
}

（8）iphone mdmd(libdyld.dylib)[11636] <Notice>: mdmd preparing to stop.

1. 对于（1）我们可以清除看的mdmd线程启动情况
2. 对于（2）的Delivering message from apsd: <private> 426590595 <private> 其中426590595就是我们apsd进程sending的任务id，这里就一一对应起来了。
3. 对于（3）这个就是我们（图1）中对应的步骤2收到的唤醒通知的信息，根据这个信息进行（4）。这句日志里有Starting power assertion：标志着开始。
4. 对于（4）就是（图1）中对应的步骤3，向你的服务器polling MDM指令。
5. 对于（5）中Acknowledged就是标志MDM指令处理完毕，要向服务器ack确认。
6. 对于（6）在ack确认的时候，实际发的还是第（4）的polling，为了查看服务端是否还有MDM指令，若有继续执行拉取的MDM指令，若没有就进行（7）。
7. 对于（7）这句日志里面有Ending power assertion：标志着此MDM命令结束，和（3）一一对应的。starting一条数据就会有ending一条数据。
8. 对于（8）就是停止mdmd进程。如果再来MDM指令就会重新走整个流程。

个人使用总结，若有疑问随时私信我沟通。