GetToken response

Hi Apple IT Developer Team,

In what format should the GetToken response be returned? The session explains "The JSON Web Token should be signed by the MDM server's private key.", but it seems vague to me. A sample response would be appreciated.

Does anyone have more details?

We tried the following: build a JWT, using headers as:

    headers = {
        'typ': 'JWT',
        'alg': 'RS256'
    }

and claim as:

    claim = {
        'iss': DEP_SERVER_UUID,
        'iat': epoch_time_in_ms,
        'jti': RANDOM_UUID,
        'service_type': 'com.apple.maid'
    }

The token is signed with the private key which was used to generate the public key added to the DEP server in Apple Business Manager.

With Python 3, we're using the PyJWT package: https://pyjwt.readthedocs.io/en/latest/api.html

This generates a JWT, which seems OK according to https://jwt.io; the token is encoded in UTF-8 and then returned in a plist as:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>TokenData</key>
	<data>
	BASE64_ENCODED_VERSION_OF_THE_TOKEN
	</data>
</dict>
</plist>

So everything is OK, but I can't log in with a managed Apple ID from the same Business Manager if I enforce "Supervised devices". The device sends the GetToken check-in request and receives the response, but does not let the user log in.

Is there anything missing? It looks like we fulfill the documentation requirements, so we can't figure out what's wrong. Thanks for any hint!
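An added example, not part of the original post: a standard-library checker that decodes a GetToken response plist the way a receiver would and reports structural problems in the JWT carried in TokenData. The function names and the sample values are assumptions made for illustration, the expected header and claims are the ones listed in the post, and the signature is not verified (that needs the server's public key and an RSA library).

```python
import base64
import json
import plistlib

# Header and claim names taken from the post above.
EXPECTED_ALG = "RS256"
EXPECTED_CLAIMS = ("iss", "iat", "jti", "service_type")

def _b64url(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_gettoken_response(plist_bytes: bytes) -> dict:
    """Decode a GetToken response plist and list problems found in its JWT."""
    token = plistlib.loads(plist_bytes).get("TokenData")
    if not isinstance(token, bytes):
        return {"problems": ["TokenData missing or not a <data> value"]}
    text = token.decode("utf-8", "replace").strip()
    problems = []
    if text.count(".") != 2:
        # A plist <data> element is already base64. Encoding the token again
        # before passing it to the plist writer leaves a base64 blob here.
        try:
            inner = base64.b64decode(text, validate=True).decode("utf-8")
        except ValueError:
            inner = ""
        if inner.count(".") != 2:
            return {"problems": ["TokenData is not a three-part JWT"]}
        problems.append("TokenData is base64-encoded twice")
        text = inner
    head_seg, claim_seg, sig_seg = text.split(".")
    header, claims = json.loads(_b64url(head_seg)), json.loads(_b64url(claim_seg))
    if header.get("alg") != EXPECTED_ALG:
        problems.append(f"alg is {header.get('alg')!r}, expected {EXPECTED_ALG!r}")
    problems += [f"claim {c!r} missing" for c in EXPECTED_CLAIMS if c not in claims]
    if not sig_seg:
        problems.append("signature segment is empty")
    return {"header": header, "claims": claims, "problems": problems}

def constructed_response(double_encode: bool = False) -> bytes:
    """Constructed sample response: placeholder claims, dummy signature bytes."""
    seg = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=")
    token = b".".join([
        seg(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
        seg(json.dumps({"iss": "DEP_SERVER_UUID", "iat": 1700000000000,
                        "jti": "RANDOM_UUID", "service_type": "com.apple.maid"}).encode()),
        seg(b"\x00" * 256),  # stands in for an RSA signature; not a valid one
    ])
    return plistlib.dumps({"TokenData": base64.b64encode(token) if double_encode else token})
```

Feeding it the exact bytes the MDM server returns for the check-in shows what the device receives after the plist layer is removed.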
