i3Systems Engineering blog

Members of the product development team at i3 Systems, Inc. introduce their day-to-day CLOMO development work and more.

Developing CLOMO MDM (with its latest Agent for macOS), the top MDM market share in Japan


Introduction

Hello. I'm juliet-i3 and I'm in charge of iOS and macOS app development at i3 Systems, Inc.

I have been working on app development for more than 11 years now. I developed and witnessed the first launch of CLOMO MDM, which went on to hold the top MDM market share in Japan for ten years. Why is CLOMO MDM successful? Why has it stayed at the top of the MDM market for ten years? The secret is innovation. With the founding concept of "Cube Innovation", i3 Systems continues to create services that lead to a chain of innovations. Since the first launch of CLOMO MDM in November 2010, i3 Systems, Inc. has been innovating and expanding to different devices such as iPhone, iPad, Kindle Fire, Android, Windows, and even macOS. In this article, I would like to introduce the product development behind CLOMO MDM, especially for our latest product, CLOMO MDM Agent for macOS.

What is CLOMO MDM?

CLOMO MDM is a Mobile Device Management service that manages various OSes and devices remotely and collectively. It has surprisingly easy operations like remote monitoring, restriction setting, device locking/wiping, distributing apps, and a lot more.

How did we develop the "MDM Agent for macOS" app?

We, the Product Development Team, are using the latest technology to ensure state-of-the-art CLOMO MDM apps.

How did we decide on its programming language?

When we first thought of extending CLOMO MDM to macOS, we considered different programming languages to develop it in. We first thought of Xamarin, since we had successfully migrated our CLOMO MDM Agent for iOS from Objective-C to it. But the app needs calls to native system APIs that we found hard to bind in Xamarin. So we considered Swift. However, at that time Swift was still undergoing many changes, which made development unstable. Despite this instability, we started developing CLOMO MDM Agent for macOS in 2018. Unfortunately, due to unforeseen technical issues and resource constraints, the project stopped. Then, in March 2019, Swift introduced a stable binary interface (ABI) on Apple platforms, so a year later we rebooted the development of CLOMO MDM Agent for macOS. In our experience, Swift is indeed a modern, powerful, and intuitive programming language for iOS, iPadOS, macOS, and so on. Its clean syntax makes APIs written in Swift easier to read and maintain. It is fast and powerful, designed for safety, and open source.

How can you install and uninstall it?

To distribute a macOS app through the Mac App Store, it must enable the App Sandbox capability. App Sandbox protects system resources and user data by restricting an app's access to them. However, the "Agent for macOS" app cannot enable the App Sandbox capability because it needs to access system resources, so it cannot be published in the App Store. In view of this, we found a way to install and uninstall the app through CLOMO PANEL. CLOMO PANEL is the web page the administrator uses to manage apps, including Agent for macOS. The administrator sends the download URLs of the installer and uninstaller to the members, and the members open the URL in any web browser (for instance Safari or Google Chrome) to download the installer and run it.

How to keep it running even if the user tries to quit it?

Since it must monitor denylisted and allowlisted applications and detect policy and security violations, the app has to start at boot and keep running until shutdown. To implement this, it relies on background processes: daemons and services. It uses a Launch Daemon (MDMDaemon) and an XPC service, managed by launchd, to ensure it is always running even if the user tries to quit it. Moreover, since it provides both user-specific and user-independent services, we created MDMDaemon (registered under LaunchDaemons) and MDMAgent (registered under LaunchAgents). MDMDaemon runs in the system context and provides the user-independent services, while MDMAgent runs in each user session. MDMAgent and MDMDaemon coordinate with each other to provide services to one another. MDMAgent is the "MDM Agent for macOS" app itself.

launchd service is used to run and to keep it running

launchd is the primary mechanism for running the "Agent for macOS" app automatically. It is a unified OS service management framework that starts, stops, and manages daemons, applications, processes, and scripts in macOS. launchd runs with process ID 1 from startup until macOS shuts down. Before the user logs in, launchd starts MDMDaemon; MDMAgent is started in each user session.

launchctl command is used to control it and the MDMDaemon

The MDMAgent and MDMDaemon jobs are controlled through launchd with the launchctl command-line tool. launchctl talks to launchd over XPC and knows how to parse the property lists of MDMDaemon and MDMAgent. It loads and unloads MDMDaemon, starts and stops launchd-controlled jobs, reports utilization statistics for launchd and its child processes, and sets environment settings. This is how it is used in the "MDM Agent for macOS" app:

* stop the MDMDaemon before installing the updated version
* run the MDMDaemon after installing the updated version
* relaunch the MDMDaemon when the user tries to quit it
* uninstall the MDMDaemon
* check whether the CLOMO MDM Agent for macOS app is running
* run the CLOMO MDM Agent for macOS app

XPC Service is used to communicate to MDMDaemon

MDMAgent communicates with MDMDaemon using an XPC service. XPC provides a lightweight mechanism for fundamental interprocess communication, integrated with Grand Central Dispatch (GCD) and launchd. The XPC service is also responsible for relaunching the "CLOMO MDM Agent for macOS" app after the user terminates it.

Figures (not reproduced in this text version): NSXPC Architecture; NSXPC connection process; NSXPC connection process implementation.
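The MDMDaemon/MDMAgent connection process sketched above, as an added Swift example; it is not code from the original post or from the CLOMO product. The Mach service name com.example.mdmdaemon, the protocol methods, the "TEAMID" placeholder in the code-signing requirement, and the assumption that the daemon's LaunchDaemons plist registers that name under MachServices are all assumptions made for this illustration.

```swift
import Foundation

// Methods MDMAgent may call on MDMDaemon; only protocol members are reachable over XPC.
@objc protocol MDMDaemonProtocol {
    func daemonVersion(reply: @escaping (String) -> Void)
    func relaunchAgentIfNeeded(reply: @escaping (Bool) -> Void)
}

// ---- MDMDaemon side: runs as root in the system context under launchd ----
final class DaemonService: NSObject, MDMDaemonProtocol {
    func daemonVersion(reply: @escaping (String) -> Void) { reply("1.0.0") }
    func relaunchAgentIfNeeded(reply: @escaping (Bool) -> Void) {
        // Hypothetical: here the daemon would ask launchd to kickstart the MDMAgent job.
        reply(true)
    }
}

final class DaemonListener: NSObject, NSXPCListenerDelegate {
    // Must match the MachServices key in the daemon's LaunchDaemons plist (assumed name).
    let listener = NSXPCListener(machServiceName: "com.example.mdmdaemon")

    func start() { listener.delegate = self; listener.resume() }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        // Accept only peers signed by our own team, so that an arbitrary local
        // process cannot drive the privileged daemon (API available from macOS 13).
        if #available(macOS 13.0, *) {
            conn.setCodeSigningRequirement(
                "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\"")
        }
        conn.exportedInterface = NSXPCInterface(with: MDMDaemonProtocol.self)
        conn.exportedObject = DaemonService()
        conn.resume()
        return true
    }
}

// ---- MDMAgent side: runs in each user session as a LaunchAgent ----
func connectToDaemon() -> NSXPCConnection {
    let conn = NSXPCConnection(machServiceName: "com.example.mdmdaemon",
                               options: .privileged)   // service lives in the system domain
    conn.remoteObjectInterface = NSXPCInterface(with: MDMDaemonProtocol.self)
    conn.invalidationHandler = { NSLog("MDMDaemon connection invalidated") }
    conn.resume()
    return conn
}
let proxy = connectToDaemon().remoteObjectProxyWithErrorHandler { error in
    NSLog("XPC error: \(error.localizedDescription)")
} as? MDMDaemonProtocol
proxy?.daemonVersion { version in NSLog("Connected to MDMDaemon \(version)") }
```

The listener code belongs in the daemon binary and the client code in the agent; on macOS versions before 13 the peer's code signature has to be validated another way before the connection is trusted.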

MDMDaemon is used to manage system resources

launchd manages daemons on behalf of the OS in the system context, which means they are unaware of the users logged on to the system. The LaunchDaemon of MDM Agent for macOS, called MDMDaemon, is a background process that responds to low-level requests:

* handling many of the standard housekeeping chores of macOS
* simplifying error handling
* terminating other processes for Work-Smart denylisted apps
* restarting or even shutting down macOS

This is what it looks like when the user tries to open a denylisted (restricted) app. For instance, when the user opens Google Chrome while it is denylisted, an error dialog states that the user can't open it.
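A denylist check of the kind described above, as an added Swift example that is not code from the original post or the CLOMO product. The bundle identifier list is constructed sample data. In the post's design MDMDaemon does the terminating; here the agent terminates the app directly, because NSWorkspace launch notifications are delivered per user session and therefore reach MDMAgent rather than a system-context daemon.

```swift
import AppKit

// Constructed sample policy: bundle identifiers the administrator has denylisted.
let denylistedBundleIDs: Set<String> = ["com.google.Chrome"]

/// True when a launched app's bundle identifier is on the denylist.
func isDenylisted(_ bundleID: String?) -> Bool {
    guard let id = bundleID else { return false }   // unbundled binaries are ignored here
    return denylistedBundleIDs.contains(id)
}

final class DenylistMonitor {
    private var token: NSObjectProtocol?

    /// Starts watching app launches in this user session. NSWorkspace delivers
    /// these notifications per login session, so this observer lives in MDMAgent.
    func start() {
        token = NSWorkspace.shared.notificationCenter.addObserver(
            forName: NSWorkspace.didLaunchApplicationNotification,
            object: nil, queue: .main) { note in
            guard let app = note.userInfo?[NSWorkspace.applicationUserInfoKey]
                    as? NSRunningApplication,
                  isDenylisted(app.bundleIdentifier) else { return }
            // Graceful quit first; fall back to a forced kill if the app refuses.
            if !app.terminate() { _ = app.forceTerminate() }
            NSLog("Policy violation: terminated \(app.bundleIdentifier ?? "?") (pid \(app.processIdentifier))")
            // Hypothetical: report the violation to MDMDaemon over XPC and show
            // the "cannot open" dialog the post describes.
        }
    }

    func stop() {
        if let t = token { NSWorkspace.shared.notificationCenter.removeObserver(t) }
    }
}
```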

How did we make sure this app is not flagged as malicious software?

When a macOS app is not from the App Store and is not notarized, macOS displays a warning stating that it could be malicious software. So we found a way to give users more confidence in our macOS software by submitting it to Apple for notarization. CLOMO MDM Agent for macOS is notarized with the Apple notary service to ensure the security of our product, so that users can use it with confidence. The Apple notary service is an automated system that scans the software for malicious content, checks for code-signing issues, and publishes an approval ticket online.

How do we troubleshoot it?

We value the quality of our products, so we monitor app crashes through MS App Center, with the user's approval given by checking the "Send Diagnostics Data" check box. In the Diagnostics view, we can see analytics data generated automatically by App Center to understand a crash or error when it occurs in our app. Up to now, MDM Agent for macOS is crash-free. We also make troubleshooting easy by allowing the user to send debug logs. Debug logs are the DB files, application logs, and crash logs generated within the last day when the user clicks the "Send Debug Log" button.

How do we ensure quality and usability?

Dogfooding is done before we release our "CLOMO MDM Agent for macOS" app to ensure quality and usability. Dogfooding is short for "Eating your own dog food", which means that we use our product to see firsthand what the user experience of our application is like. After the Beta testing, we did Dogfooding in the PDO team and for the first release, we also did it in the whole company.

How do we organize our teams?

We use Agile development for its fast delivery, real-time communication, and transparency at work.

Agile development helps our team deliver value to our customers faster with an iterative approach. We use the Kanban framework, which gives us real-time communication and full transparency of work. Tasks are represented visually on a kanban board, allowing our team members to see the state of every piece of work at any time.

We use Confluence to organize our documents securely.

We use Confluence for all our documents, such as basic designs, meeting notes, and investigations, for every product including "CLOMO MDM Agent for macOS".

Conclusion

CLOMO MDM has held the top market share in Japan for ten years, and people keep choosing it because of its unmatched ease of use. It has advanced security that provides excellent data protection even if a device is lost or stolen. i3 Systems, Inc. has a dedicated support team that thoroughly supports our customers. Above all, we in the Product Development Team are doing our best to deliver state-of-the-art apps, bringing a smile not only to us but also to all our users.