Issue with MDM InstallApplication manifest retrieval with mutual TLS
We have a development where we are MDM managing iOS devices and attempting to enforce mutual TLS for all interactions with the MDM. We are DEP provisioning an enrolment profile that utilises an ACME hardware-attested Device Identity Certificate. All interactions with the MDM endpoints are correctly utilising the ACME certificate for the client mutual TLS handshake. The certificate has the Client Authentication Extended Key Usage. Behind the same API gateway and on the same SNI we are also serving paths to Enterprise application manifests and IPAs. We can see from the phone log and from packet traces that the iOS device doesn't offer the Device Identity Certificate for client authentication when retrieving these URLs. We have also tried adding non-ACME client certificates from the root trusted by the server to the initial profile, with exactly the same outcome. If we temporarily disable the mutual TLS we can see that the request for the manifest has a User-Agent of "com.apple.appstored/1.0 iOS/18.2 model/iPhone17,3 hwp/t8140 build/22C5125e (6; dt:329) AMS/1", which is not the same as the MDM interactions. Is it actually possible to achieve mutual TLS to authenticate these downloads, or is a different solution required? Any advice greatly appreciated.
1 reply · 0 boosts · 280 views · Nov ’24
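One way to get the evidence the post above is asking for, as an added example that is not part of the original post and not Apple's or any MDM vendor's code: a Go stand-in for the API gateway that requests a client certificate on the shared hostname but only requires it on the MDM paths, after the handshake, and records per request whether one was offered. Because both path families sit on the same SNI, the TLS layer cannot apply a different client-authentication policy per URL; with a hard "require" setting, a client that never offers a certificate fails the handshake before its request, and with it its User-Agent, ever reaches the server log, which is consistent with the post only seeing the appstored User-Agent once mutual TLS was disabled. Everything here is constructed: a throwaway CA, server and device certificates, the hostname mdm.example.test, the paths /mdm/ and /apps/, and the MDM user agent; the downloader User-Agent string is the one quoted in the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed inputs: the MDM user agent is invented, the downloader one is quoted from the post.
const (
	mdmUA        = "MDM-client/1.0 (device identity test)"
	downloaderUA = "com.apple.appstored/1.0 iOS/18.2 model/iPhone17,3 hwp/t8140 build/22C5125e (6; dt:329) AMS/1"
	sni          = "mdm.example.test" // one hostname for both path families, as in the post
)

func check(err error) {
	if err != nil {
		panic(err) // throwaway test PKI: fail loudly rather than thread errors through
	}
}

// tmpl is a one-hour certificate template; eku is left empty for the CA.
func tmpl(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), ExtKeyUsage: eku}
}

// mkCert issues template with a fresh P-256 key, signed by parent (self-signed when nil).
func mkCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// gateway stands in for the API gateway. TLS only requests a client certificate; whether one
// is required is decided here, per path, after the handshake, the only place that works on one SNI.
func gateway(w http.ResponseWriter, r *http.Request) {
	offered := len(r.TLS.PeerCertificates) > 0
	if strings.HasPrefix(r.URL.Path, "/mdm/") && !offered {
		http.Error(w, "client certificate required", http.StatusForbidden)
		return
	}
	// Echo what was seen; a real gateway would log path, User-Agent and this flag.
	w.Header().Set("X-Client-Cert", fmt.Sprint(offered))
	w.Header().Set("X-User-Agent", r.UserAgent())
}

type Probe struct{ Status int; SawCert bool; UA string } // what one client saw
func probe(url string, roots *x509.CertPool, certs []tls.Certificate, ua string) Probe {
	cfg := &tls.Config{RootCAs: roots, Certificates: certs, ServerName: sni}
	req, _ := http.NewRequest(http.MethodGet, url, nil)
	req.Header.Set("User-Agent", ua)
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Do(req)
	check(err)
	resp.Body.Close()
	return Probe{resp.StatusCode, resp.Header.Get("X-Client-Cert") == "true", resp.Header.Get("X-User-Agent")}
}

// RunProbes builds the test PKI, starts the gateway with VerifyClientCertIfGiven and hits both path families.
func RunProbes() map[string]Probe {
	caT := tmpl(1, "Test CA")
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey := mkCert(caT, nil, nil)
	srvT := tmpl(2, sni, x509.ExtKeyUsageServerAuth)
	srvT.DNSNames = []string{sni}
	srv, srvKey := mkCert(srvT, ca, caKey)
	dev, devKey := mkCert(tmpl(3, "device-identity", x509.ExtKeyUsageClientAuth), ca, caKey) // EKU from the post
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	ts := httptest.NewUnstartedServer(http.HandlerFunc(gateway))
	ts.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.VerifyClientCertIfGiven, // request; verify if offered; never abort the handshake
		ClientCAs:    roots,
	}
	ts.StartTLS()
	defer ts.Close()
	devCert := []tls.Certificate{{Certificate: [][]byte{dev.Raw}, PrivateKey: devKey}}
	return map[string]Probe{
		"mdm-with-cert":    probe(ts.URL+"/mdm/checkin", roots, devCert, mdmUA),
		"mdm-no-cert":      probe(ts.URL+"/mdm/checkin", roots, nil, downloaderUA),
		"manifest-no-cert": probe(ts.URL+"/apps/manifest.plist", roots, nil, downloaderUA),
	}
}

func main() { fmt.Printf("%+v\n", RunProbes()) }
```

The same split is expressed in production gateways as "optional" client verification at the TLS layer with a per-location check of the verification result (nginx's `ssl_verify_client optional` together with `$ssl_client_verify`, for instance). The example does not say whether accepting certificate-less downloads is acceptable for a given deployment; it shows that on a shared SNI the decision has to be made after the handshake, and gives the server a place to log which User-Agents do and do not offer the device certificate.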
Xcode issues pairing to Supervised Devices
We have been using a Supervision Identity successfully over the last few years to allow us to Xcode debug on managed devices. Something has changed in the last few months which we are finding it hard to find a consistent solution to. We can't determine whether it's Xcode 15/iOS version related. The behaviour we see is documented below:

- All Macs with the Supervision Identity installed can open the device in Apple Configurator without need for a trust acknowledgement on the device. Configurator can open and stream the device console.
- All problematic devices are also registered as a development device with Apple.
- We have hit-and-miss connectivity in Finder. On failure it indicates that the trust prompt on the device needs to be accepted. No trust prompt is displayed.
- Developer Mode on the device can't be enabled until we attempt to connect to Xcode.
- Devices that pair successfully in Xcode do so almost immediately. If a device pairs in Xcode it is also visible in the native macOS Console application.
- If a device fails to pair in Xcode we get a spinner and the message "Xcode has already started pairing with 'iPhone-X'. Select Trust on iPhone-X to complete pairing". The macOS Console app reports "The user has not responded to the pairing request on 'iPhone-X'". In neither case is a trust prompt displayed on a device.
- We are not able to Xcode pair any managed device running iOS 17.x. This includes devices that were successfully paired on iOS 16.x and then upgraded.
- iOS 16.x devices that pair with one Mac successfully will not pair with another Mac with the same Supervision Identity installed.
- The same behaviour is seen on Ventura and Sonoma Macs.
- Clearing Trusted Computers in iOS Developer Mode has no effect.
- Non-supervised iOS devices pair successfully on iOS 16 and 17.

Has anyone else witnessed similar issues and found a workaround?
3 replies · 3 boosts · 1k views · Apr ’24