Post | Replies | Boosts | Views | Activity
[macOS] Is there any way other than using AccountConfigurationCommand to create a managed local admin account?

Hi Dear Apple experts, I appreciate your looking into this! Here are some questions about the managed local admin account on macOS devices.

I know we can use AccountConfigurationCommand to create a managed local admin account on a macOS device, but it is used only for the admin account created during the DEP setup phase: https://developer.apple.com/documentation/devicemanagement/accountconfigurationcommand/command?changes=latest_minor

My questions are:

1. Is there any other way (via MDM command, command line, ...) to create a "MANAGED" local admin account post DEP setup phase (instead of during the DEP setup phase)?

2. If the answer to #1 is "yes", can SetAutoAdminPasswordCommand be used to change the password of such a "managed" local admin account? I ask this because https://developer.apple.com/documentation/devicemanagement/setautoadminpasswordcommand/command?changes=latest_minor says it only changes the password for an admin account created during DEP enrollment: "GUID string (Required) The unique identifier of the local administrator account. If this value doesn't match the GUID of an administrator account that MDM created during Device Enrollment Program (DEP) enrollment, the command returns an error."

Thank you,
Wei

Replies: 0 | Boosts: 0 | Views: 334 | Activity: Nov ’20
iOS 13/14 DEP enrollment failure with Xcode error "cannot accept the authentication method NSURLAuthenticationMethodClientCertificate"

We have some new iOS DEP/ABM devices (iOS/iPadOS 14) that fail to enroll to the MDM server. We find the errors below in the Xcode log when activating the DEP device, during SSL connection setup:

    Jan 12 15:28:42 iPad Setup(CFNetwork)[329] Notice: Connection 16: asked for TLS Client Certificates
    Jan 12 15:28:42 iPad Setup(CFNetwork)[329] Notice: Connection 16: issuing challenge for client certificates, DNs(0)
    Jan 12 15:28:42 iPad Setup(CFNetwork)[329] Notice: Connection 16: asked for TLS Client Certificates
    Jan 12 15:28:42 iPad Setup(ManagedConfiguration)[329] Error: MCHTTPRequestor: 0x280360030 cannot accept the authentication method NSURLAuthenticationMethodClientCertificate

This error results in no Certificate finish being sent to the gateway; the gateway then sends a Close notify to the client and the connection is reset. Previously enrolled iOS devices and non-DEP devices work well. You can find the Xcode logs for a DEP device and a non-DEP device.

Since the issue happens at the beginning of activating the DEP devices, the customer failed to get the sysdiagnose log while the device is at this phase. I would appreciate it if anybody can share some other idea to get the sysdiagnose log. We have Feedback ticket FB9045594 created for this issue and attached the Xcode logs there, thank you!

Thanks,
Wei

Replies: 0 | Boosts: 0 | Views: 1.5k | Activity: Mar ’21
DEP enrollment failure with Xcode error: NSURLAuthenticationMethodClientCertificate

Hi Dear Apple experts, I hit a DEP enrollment failure recently.

- No request reached the MDM server when the issue happens.
- The DEP configuration is correct on the MDM server. No wrong DEP profile data was sent to Apple.
- Checking the network trace with Wireshark, no "Certificate finish" is sent out from the device during SSL connection setup.
- I only find an error in the Xcode log like this:

    MCHTTPRequestor: 0x280360030 cannot accept the authentication method NSURLAuthenticationMethodClientCertificate

It seems the client cert is not using a correct auth method. We may need some input from Apple for this error, such as whether any invalid auth method is used in the CEM SSL listener cert, or any other reasons.

We already filed Feedback ticket FB9045594 for this issue, but cannot provide a sysdiagnose log, since this is a DEP device and the user cannot find a way to sync the iPad with a Mac or a PC via iTunes in the current state of the iPad after the enrollment failed. I would appreciate any insight shared on this issue.

Thanks,
Wei

Replies: 0 | Boosts: 0 | Views: 744 | Activity: May ’21
Fail to extract "Distribution" XML file from .pkg by using com.sprylab.xar:xar

I am running into an issue when uploading a macOS .pkg file to my MDM server. Finally, I found that the issue happens when using "com.sprylab.xar:xar" to unarchive the .pkg: the "Distribution" file extracted from the .pkg is not in the correct format. It should be an XML file, but what I get is a binary data file.

The PKGs that run into this issue are all signed Apple Software, such as Provisioning Utility 2.1.0.pkg and macOSDeveloperBetaAccessUtility.pkg. We can use the "pkgutil --check-signature" command to check the signing cert chain:

    pkgutil --check-signature Provisioning\ Utility\ 2.1.0.pkg
    Package "Provisioning Utility 2.1.0.pkg":
       Status: signed Apple Software
       Certificate Chain:
        1. Software Update
           Expires: 2029-04-14 21:28:23 +0000
           SHA256 Fingerprint: E0 74 D2 04 AC 24 98 E9 DC 90 4A 7B C7 CE D8 46 41 19 B7 9D 05 66 80 28 92 05 83 B1 E8 96 EB B4
           ------------------------------------------------------------------------
        2. Apple Software Update Certification Authority
           Expires: 2031-10-15 00:00:00 +0000
           SHA256 Fingerprint: 12 99 E9 BF E7 76 A2 9F F4 52 F8 C4 F5 E5 5F 3B 4D FD 29 34 34 9D D1 85 0B 82 74 F3 5C 71 74 5C
           ------------------------------------------------------------------------
        3. Apple Root CA
           Expires: 2035-02-09 21:40:36 +0000
           SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24

But other .pkg files, which are signed by a "Developer Installer" cert, work well:

    Package "ProdWrapped_qualys.pkg":
       Status: signed by a certificate that has since expired
       Certificate Chain:
        1. 3rd Party Mac Developer Installer: XXXX(XXXXXXXX)
           SHA256 Fingerprint: 6E D8 DC A5 2E C3 3C DE 72 FA 10 AA DE 82 F3 59 3A 5E 46 1E 41 8E AF FC 89 B8 6C 82 57 6F 9C C4
           ------------------------------------------------------------------------
        2. Apple Worldwide Developer Relations Certification Authority
           SHA256 Fingerprint: CE 05 76 91 D7 30 F8 9C A2 5E 91 6F 73 35 F4 C8 A1 57 13 DC D2 73 A6 58 C0 24 02 3F 8E B8 09 C2
           ------------------------------------------------------------------------
        3. Apple Root CA
           SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24

I would appreciate it if anyone has any insight on this. Could it be because of a codesign issue? Or may we need to change to other unarchiver jars? If yes, any suggestion for unarchiving a .pkg?

Thanks,
Wei

Replies: 0 | Boosts: 0 | Views: 588 | Activity: Jul ’21
[FileVault] Fail to escrow FileVault Personal Recovery Key after encryption certificate gets renewed on MDM server

We are using the FileVault PRK escrow feature in our MDM server, and hit an issue when the certificate used for PRK encryption expired and was renewed. From the test result, it seems PRK encryption always uses the OLD certificate, which was initially used to enable FileVault and escrow the PRK, even if the FileVault policy is updated with the NEW certificate and already pushed to the device.

The only thing we can do to get the key escrowed successfully is to toggle (turn off then turn on) FileVault on the device. It seems macOS will use the NEW certificate to encrypt the PRK after toggling FV. We will need Apple's feedback/suggestion on whether there is anything we can do to make the device pick the new cert for encryption without user interaction (toggling FileVault on the device). I have an Apple feedback ticket created for this: FB9582469

Repro steps:

1. The MDM server injects a certificate in the FDERecoveryKeyEscrow payload.
2. MDM pushes the FileVault profile to the device; the profile is installed successfully.
3. Enable FileVault on the device, selecting the option to "store key" in my MDM server.
4. The PRK is generated and escrowed to the MDM server.
5. CEM can decrypt the encrypted PRK with the private key of the certificate mentioned in step 1.

Here the issue comes:

6. The certificate mentioned in step 1 expires, and we renew it on the MDM server.
7. Push a new FileVault policy injected with the renewed certificate in the FDERecoveryKeyEscrow payload.
8. From our test result, it seems the device is still using the old certificate to encrypt the PRK, and CEM fails to decrypt it.
9. If we toggle (turn off then turn on) FileVault on the device, the new key can be decrypted successfully by the MDM server.

Thanks,
Wei

Replies: 0 | Boosts: 0 | Views: 730 | Activity: Aug ’21
No "802.1X Password" generated in keychain when pushing Wi-Fi policy (scope=system) from MDM server

When I push a Wi-Fi policy from my MDM server, if I use payload scope = "User", then I get 2 keychain entries auto-generated; if payload scope = "system", then I only get 1 keychain entry.

I have "UserName" defined in the Wi-Fi payload; it is responsible for creating an "802.1X Password" keychain entry, but it does not work when payload scope = "system":

    UserName host / xxxxxxx

Can any expert help look into this? Why is the "802.1X Password" not generated when payload scope = "system"?

Replies: 0 | Boosts: 0 | Views: 459 | Activity: Dec ’21
[ABM] Any workaround to allow pairing on a DEP enrolled device (enrolled with "allow_pairing" = false in DEP profile)

Hi Dear Apple expert, I have a DEP profile defined with "allow_pairing" = false, and my iOS DEP devices enrolled to the DEP program without any issues. After that, I enabled "allow_pairing" in the DEP settings, but this change won't take effect on my enrolled devices. Is there any method/workaround to bypass the pairing issue on the already enrolled devices (no re-enrollment, no factory reset)?

Thanks,
Wei

Replies: 0 | Boosts: 0 | Views: 624 | Activity: Mar ’22
Any MDM solution to push premium licenses to already installed free version Apps?

Dear Apple experts, one of our departments is asking if we can procure the premium version of some applications that are already installed in the free version. I can see in Apple Business Manager that we can add licenses for the free version to be pushed down with VPP. Within the free version, there are options to purchase the premium version. If our department purchases premium licenses, is there a way we can push a policy or config that will apply the premium license to the free VPP app that we push down to the iPads?

Thanks for your suggestions!

Replies: 0 | Boosts: 0 | Views: 362 | Activity: Apr ’23
Is there any way for zero-user-interaction iOS software upgrade on non-DEP devices?

I know that Apple provides MDM software update and upgrade commands to force update/upgrade of iOS software, but it seems we need user interaction to accept some T&C or give the passcode when the OS upgrade takes place, on some non-DEP devices. My question is, is there any way that a non-DEP OS update/upgrade can go forward with zero user interaction?

FYI: I get the information below from the doc https://support.apple.com/en-sg/guide/deployment/depafd2fad80/web:

    If a device is assigned in Apple School Manager or Apple Business Manager, users won’t need to review and accept updated operating system terms and conditions to complete the update or upgrade. If there is no passcode on the device, you can complete the installation remotely using your MDM solution. If the device has a passcode, after MDM sends the update or upgrade to the device, the device queues the update or upgrade and the user is prompted to enter their passcode in order to start the installation immediately or defer for an overnight installation.

Thanks,
Wei

Replies: 0 | Boosts: 0 | Views: 189 | Activity: Jul ’23
Cannot access VPP server "ax.itunes.apple.com"

Hi Dear Apple Developer, we have had a problem pinging the iTunes server since Oct 30, 2024. Previously we could ping the VPP server URL http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/wa/wsSearch?media=software&entity=software&country=US&lang=en_us&limit=1&term= without any issues, but now it fails. Even if I try to use "https" to access the above URL, it still fails with the error "This server could not prove that it is ax.itunes.apple.com; its security certificate is from a248.e.akamai.net. This may be caused by a misconfiguration or an attacker intercepting your connection." And it finally ends with this error:

    Access Denied
    You don't have permission to access "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/wa/wsSearch?" on this server.
    Reference #18.55503617.1730815948.be1bde3
    https://errors.edgesuite.net/18.55503617.1730815948.be1bde3

Similarly, we have a problem getting VPP app details via the URL: http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/wa/wsLookup?country=us&id=6445849909

Have there been any changes to this URL recently?

Thanks,
Wei

Replies: 0 | Boosts: 0 | Views: 96 | Activity: 1d