2

I am following Apple's guidelines for creating an MDM server, and I want to distribute the MDM profile in OTA. Apple's guidelines for OTA consist of 3 steps:

  1. authentication
  2. SCEP
  3. device configuration

In total there can be three configuration profiles delivered to the device - the first one after authentication to get device info, the second one for SCEP enrollment, and the last one is the actual MDM profile. The IdentityCertificate key in the MDM payload is mandatory, so from here I assume I need to combine the last two profiles into one profile that has SCEP and MDM payloads (and I refer this key to the SCEP payload). I assume the device will first handle the SCEP payload - is this correct?

Moreover, I want the user to be asked to accept the MDM profile, but from Apple's specs it seems the user is requested to approve only the first configuration profile (the one that asks for device info), and the rest of the OTA is without user intervention.

Is this the case? Am I supposed to combine all profiles into one? How can I distribute the MDM profile and have the user be asked to accept it and let the user know what this MDM profile will be able to control?

Thanks, Michal

4

1 Answer

2

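Actually, simply combining steps 2 and 3 did not work for me. Instead, I had to duplicate step 2 and include an additional SCEP payload in the step 3 configuration profile. I don't know what the reason behind this is, but this approach was also confirmed here.

As for the user accepting the MDM profile, iOS asks the user before installing the MDM configuration profile.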

answered 2012-12-11T07:54:05.250
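The profile layout described in the answer, as an added example that is not part of the original posts: a final profile carrying its own SCEP payload plus the MDM payload, whose `IdentityCertificateUUID` key points at that SCEP payload's `PayloadUUID`, together with a pre-delivery check of the reference. All URLs, identifiers, the topic and the function names are placeholders, and the check only considers SCEP identities.

```python
import plistlib
import uuid

SCEP_TYPE = "com.apple.security.scep"
MDM_TYPE = "com.apple.mdm"

def _payload(ptype, ident, **extra):
    """Common payload keys; every payload gets its own PayloadUUID."""
    base = {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": ident,            # placeholder identifiers
            "PayloadUUID": str(uuid.uuid4()).upper()}
    base.update(extra)
    return base

def build_mdm_profile(scep_url, server_url, checkin_url, topic):
    """Final OTA profile: a SCEP payload and the MDM payload that references it."""
    scep = _payload(SCEP_TYPE, "com.example.mdm.scep", PayloadContent={
        "URL": scep_url,
        "Subject": [[["CN", "mdm-identity"]]],     # constructed subject
        "Keysize": 2048, "Key Type": "RSA",
        "Key Usage": 5,                            # signing + encryption
    })
    mdm = _payload(MDM_TYPE, "com.example.mdm.payload",
                   IdentityCertificateUUID=scep["PayloadUUID"],
                   Topic=topic, ServerURL=server_url, CheckInURL=checkin_url,
                   AccessRights=8191)
    profile = _payload("Configuration", "com.example.mdm",
                       PayloadDisplayName="Example MDM enrollment",
                       PayloadContent=[scep, mdm])
    return plistlib.dumps(profile)

def check_identity_reference(profile_bytes):
    """Return a list of problems with the MDM payload's identity reference."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    scep_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == SCEP_TYPE}
    mdm = [p for p in payloads if p.get("PayloadType") == MDM_TYPE]
    problems = []
    if len(mdm) != 1:
        problems.append("expected exactly one com.apple.mdm payload")
    for p in mdm:
        ref = p.get("IdentityCertificateUUID")
        if ref is None:
            problems.append("MDM payload has no IdentityCertificateUUID")
        elif ref not in scep_uuids:
            problems.append("IdentityCertificateUUID matches no SCEP payload in this profile")
    return problems
```

Running `check_identity_reference` on the profile before it is signed and served catches the case the question worries about, an MDM payload whose identity is not installed by the same profile.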