Self Hosting MDM In A Raspberry Pi And Mac Mini Homelab

By Victor Da Luz
MDM NanoMDM MicroMDM SCEP ARM64 Docker Swarm Traefik Step-CA Apple

I tried to self host an Apple MDM stack at home. I got a lot of the plumbing running. The finished system never shipped.

Here is what I attempted, why I wanted it, where it broke on ARM, and what I would try next time.

What MDM Is

Mobile Device Management lets you configure and manage Apple devices at scale. It pushes profiles. It installs certificates. It can set Wi Fi, VPN, and DNS. It can enforce basic policies and trigger remote actions.

At home this can still help. If you have several iPads, Apple TVs, and Macs, you can avoid one by one setup. You can rotate Wi Fi credentials, ship a VPN profile, and update DNS settings from one place.

Why I Wanted It At Home

  • Centralize Wi Fi and DNS settings for multiple Apple devices
  • Issue certificates for Wi Fi and VPN instead of sharing passwords
  • Enroll Apple TVs and iPads with the same baseline
  • Test real world MDM flows for learning

The Plan

Start small and keep it Docker native on Apple Silicon.

  • Use NanoMDM or MicroMDM for the server
  • Use PostgreSQL as the database backend
  • Put Traefik in front with TLS and wildcard certificates
  • Add a SCEP server for device certificate enrollment

What I Built

  • PostgreSQL on Docker Swarm running and healthy
  • Traefik on Swarm with wildcard certificate via Cloudflare DNS challenge
  • DNS set for MDM, SCEP, and enrollment hostnames
  • Networks and secrets prepared for Swarm stacks
  • NanoMDM stack and scripts updated to PostgreSQL and Traefik networks
  • SCEP research and a working ARM64 SCEP binary and image built from source

Apple Accounts And Certificates

MDM needs Apple push certificates so the server can wake devices. You obtain those from Apple with an Apple ID. If you plan to build helpers, sign apps, or notarize tools, you also need an Apple Developer Program membership.

Paying only for this would feel a bit silly in a homelab. I have future projects that will use the account, so I was fine getting it when needed.

Where It Broke

This is where the wheels came off on ARM only hardware.

  • MicroMDM image was amd64 only while my hosts are arm64
  • SCEP server flags were unclear at first and needed a different subcommand layout
  • NanoMDM required the CA certificate path and my early bind mounts failed inside Swarm
  • Docker Desktop on macOS added extended attributes that broke custom image builds
  • Some containers had no shell, which made debugging harder

I fixed several of these. I replaced bind mounts with Docker Configs. I updated stacks to PostgreSQL. I compiled an ARM64 SCEP binary and wrapped it in a tiny Alpine image. The main MDM pieces were still not deployable end to end on arm64 without more custom builds.
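The Docker Config swap described above, written out as an added example rather than the author's own stack file. It assumes the upstream NanoMDM image, an existing Traefik overlay network named proxy, a Traefik certificate resolver named cloudflare, a Postgres service reachable as postgres, and placeholder hostnames and credentials.

```yaml
# Added example, not the post's stack file. Assumed names: ghcr.io/micromdm/nanomdm,
# network "proxy", certresolver "cloudflare", service "postgres", host mdm.example.com.
version: "3.8"

services:
  nanomdm:
    image: ghcr.io/micromdm/nanomdm:latest
    # NanoMDM needs the CA that signs device identity certs. A bind mount only
    # works if the file exists on whichever node Swarm schedules the task on;
    # a Docker Config is stored by the managers and delivered to every node.
    configs:
      - source: mdm_ca_pem
        target: /etc/nanomdm/ca.pem
        mode: 0444
    # The image has no shell, so the DSN and API key cannot be read from
    # /run/secrets by an entrypoint script; they are passed as flags here.
    command:
      - "-ca"
      - "/etc/nanomdm/ca.pem"
      - "-storage"
      - "pgsql"
      - "-dsn"
      - "postgres://nanomdm:REPLACE_ME_PASSWORD@postgres:5432/nanomdm?sslmode=disable"
      - "-api"
      - "REPLACE_ME_API_KEY"
      - "-listen"
      - ":9000"
    networks: [proxy, mdm]
    deploy:
      placement:
        constraints:
          # Pin to arm64 nodes. If an x86 box is added just for MDM services,
          # change this to x86_64 so amd64-only images are scheduled there.
          - node.platform.arch == aarch64
      labels:
        - traefik.enable=true
        - traefik.http.routers.mdm.rule=Host(`mdm.example.com`)
        - traefik.http.routers.mdm.entrypoints=websecure
        - traefik.http.routers.mdm.tls.certresolver=cloudflare
        - traefik.http.services.mdm.loadbalancer.server.port=9000

configs:
  mdm_ca_pem:
    file: ./ca.pem   # read once on the manager at `docker stack deploy` time

networks:
  proxy:
    external: true
  mdm:
```

Rotating the CA means creating a new config name and updating the service, since Swarm configs are immutable once created.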

ARM Notes From A Homelab

The good parts

  • Silent and low power. Raspberry Pis and Mac minis run cool and cheap
  • Great for Docker and small services
  • Small footprint and easy to place near switches and routers

The tradeoffs

  • Many official Docker images are amd64 only or get ARM builds later
  • Some projects assume x86 virtualization or drivers
  • Cross compiling works but adds more moving parts to maintain
  • Vendor support and docs often focus on x86 first

None of this is bad on its own. Together it makes a full MDM stack harder when you only have ARM.

Why I Stopped

Two things weighed more than the benefits:

  • Overall complexity of self hosting a full Apple MDM stack
  • ARM incompatibilities with core services and images, and no x86 hosts in my rack

I could keep building custom images. I could add an x86 mini PC. Both add more surface area than I want for home.

What I Would Try Next Time

  • Start with a hosted MDM to learn the workflows
  • If self hosting is still a goal, add a small x86 node only for the MDM services
  • Keep Traefik and PostgreSQL as they worked well on ARM
  • Keep the wildcard certificate flow via DNS challenge

Takeaways

  • MDM is powerful even at home if you have many Apple devices
  • ARM makes homelabs quiet and efficient but narrows the software catalog
  • If the stack needs x86, do not fight it. Add one x86 box or use a hosted service

The project is paused. The notes and scripts are here if I pick it up again with the right hardware.
