I can enroll iOS and macOS devices with success when DEP is not used (OTA). With DEP, I can enroll iOS devices but not macOS devices. In this case, the process fails when the activation profile is received, because the system cannot decrypt the returned payload.
Note that I sign the payload using the server certificate (trusted, since the anchor certs are defined accordingly) and I encrypt the payload using the device identity certificate. This identity certificate was obtained when the device reached the enrollment URL (it is used to sign the inbound payload).
From the console logs, it seems that the device cannot find the aforementioned certificate using the issuer and serial number, which is surprising because this should be the device identity certificate.
I currently use the OpenSSL 3 PKCS7 API. I am wondering whether I should switch to the CMS functions, since they provide a way to identify the certificate by its key identifier rather than by issuer and serial number.
I'm also wondering whether certificates are missing from the chain. Any help would be greatly appreciated.
While reading the documentation at https://developer.apple.com/documentation/devicemanagement (Device Assignment / Profile Management section), I can create (define) a new profile, assign/unassign this newly created profile to device serial numbers, and get information about a profile using its profile_uuid.
However, I cannot find how to update a profile (for example, after modifying its attributes) or how to delete a profile I no longer need. Are these operations even possible?
I can install an ebook (PDF) using the MDM InstallMediaCommand, and I can get this entry listed when running the ManagedMediaListCommand. Then I remove the ebook from the Books application (manually) and run ManagedMediaListCommand again. The ebook becomes ManagedButUninstalled.
From here, I cannot reinstall the ebook. I have tried removing the ebook with RemoveMediaCommand, in which case the entry disappears from subsequent calls to ManagedMediaListCommand. Then I try to reinstall it again, but the ebook comes back in the same ManagedButUninstalled state.
How can I force the reinstallation of the ebook once it has been removed manually from the device? The entry no longer appears in the Books application and could not be re-added through MDM.
While trying to use DEP as part of Apple Business Manager, I created an enrollment profile (https://developer.apple.com/documentation/devicemanagement/define_a_profile) and assigned this newly created profile to my iPhone serial number (https://developer.apple.com/documentation/devicemanagement/assign_a_profile). Note that this serial number was assigned to my MDM server.
Then I reset the iPhone to get the initial Setup screens. After configuring Wi-Fi and a couple of other items, the management screen was displayed, as expected.
My MDM server uses a server certificate issued by a self-signed authority (this is a test, not a production setup). Unfortunately, I forgot to add the authority chain to the profile's anchor_certs attribute. Therefore, the connection to the MDM server at the URL configured via configuration_web_url was impossible.
So I tried to update the previous profile, but did not find any web service for that. So I created a second profile (with the required authority certificates), unlinked the device from the first profile and linked it to the second one. Unfortunately, the iPhone seems to keep the definition of the first profile, even after various operations (restart, reboot). The only operation that corrected this issue was restoring the iPhone once connected to a MacBook.
Is this the intended behavior? Is there any way to make the iPhone query the enrollment profile again?
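The post above (and the first post's remark that the server certificate is trusted because of the anchor certs) turns on the profile's `anchor_certs` attribute carrying the full issuing chain of the MDM server certificate. The shell script below is an added example, not the poster's code: it builds a throwaway test CA and an MDM server certificate issued by it, converts a PEM bundle of anchors into the base64-encoded DER entries that `anchor_certs` takes, verifies up front that the server certificate actually chains to those anchors (the check that was skipped in the post), and prints a minimal define-profile body. `anchor_certs` and `configuration_web_url` are attribute names from the Apple documentation linked in the post; the `profile_name` and `url` values, host names and file names are placeholders assumed for the example. It assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Build the anchor_certs array
# for a DEP define-profile request from a PEM bundle of CA certificates and
# check that the MDM server certificate really chains to those anchors.
# Assumes an openssl binary on PATH. All certificates are throwaway test data.
set -e

WORK="$(mktemp -d)"

# Throwaway test CA plus a server certificate it issues (constructed).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mdm.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/server.pem" 2>/dev/null
}

# pem_chain_to_anchor_entries BUNDLE: split a PEM bundle into its certificates
# and print each one as a single line of base64-encoded DER, which is the form
# each anchor_certs entry takes (base64 of the DER certificate, not the PEM text).
pem_chain_to_anchor_entries() {
  rm -f "$WORK"/anchor.*.pem
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/anchor." n ".pem"; inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
  ' "$1"
  for f in "$WORK"/anchor.*.pem; do
    openssl x509 -in "$f" -outform DER | openssl base64 | tr -d '\n'
    printf '\n'
  done
}

# anchor_certs_json BUNDLE: the JSON array value for the anchor_certs attribute.
anchor_certs_json() {
  printf '['
  pem_chain_to_anchor_entries "$1" | awk '{ printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }'
  printf ']'
}

# verify_anchors SERVER BUNDLE: succeed only if the server certificate chains to
# the anchors in BUNDLE. If this fails, the device will not trust the MDM URL either.
verify_anchors() {
  openssl verify -CAfile "$2" "$1" >/dev/null
}

# define_profile_body BUNDLE: minimal define-profile JSON carrying the anchors.
# profile_name, url and the host name are placeholders (assumed for the example).
define_profile_body() {
  printf '{"profile_name":"Example MDM profile","url":"https://mdm.example.test/dep/enroll","configuration_web_url":"https://mdm.example.test/dep/enroll","anchor_certs":%s}\n' \
    "$(anchor_certs_json "$1")"
}

make_test_pki
verify_anchors "$WORK/server.pem" "$WORK/ca.pem"
define_profile_body "$WORK/ca.pem"
```

The bundle passed to `pem_chain_to_anchor_entries` should contain every CA between the server certificate and the root (intermediates included); `verify_anchors` run against the same bundle tells you before the profile is defined whether that chain is complete, which the post discovered only after the device failed to connect.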