MDM InstallProfile Custom Configuration profile unsigned

The MDM was installed correctly and other commands are working fine. I have tried to send the InstallProfile command with a custom configuration to the device, but it was displayed as not signed. How do I sign the payload for the InstallProfile command, and where should it be included in the payload / command?

The payload I sent to a Mac with MDM installed:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Payload</key>
	<data>
	BASE64_HERE
	</data>
	<key>RequestType</key>
	<string>InstallProfile</string>
</dict>
</plist>

Decoded base64 from the payload above was:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>com.example.myapp</key>
				<dict>
					<key>test_key</key>
					<string>test_value</string>
				</dict>
			</dict>
			<key>PayloadDisplayName</key>
			<string>My App Configuration</string>
			<key>PayloadIdentifier</key>
			<string>com.org_name.mdm.profile.uq_id_here</string>
			<key>PayloadType</key>
			<string>com.apple.ManagedClient.preferences</string>
			<key>PayloadUUID</key>
			<string>UUID4 HERE</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>App Configuration Profile</string>
	<key>PayloadIdentifier</key>
	<string>com.example.myapp.config</string>
	<key>PayloadOrganization</key>
	<string>ORG NAME</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>ANOTHER UUID4 HERE</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

System logs from Device:

[*] Processing server request: InstallProfile for: <Device>
[ERROR] System keychain reported it is unavailable but will proceed as if it is.
[*] === CPF_InstallProfile === com.example.myapp.config (user: <Computer>) (source: 'MDM')
[*] >>>>> Sending HTTP request (PUT) [Acknowledged(InstallProfile)
[*] <<<<< Received HTTP response (200) [Acknowledged(InstallProfile)
[*] Processing server request: ProfileList for: <Device>
[*] >>>>> Sending HTTP request (PUT) [Acknowledged(ProfileList)
[*] <<<<< Received HTTP response (200) [Acknowledged(ProfileList)

Also, the ProfileList didn't include the installed profile. Is it because it was unsigned? How should it be signed?

Answered by Device Management Engineer in 825330022

See this documentation regarding signing configuration profiles.

A profile does not need to be signed in order to be installed. In fact, signing a profile is not of much use at all. It proves that the profile was not modified since the time it was signed, and it affects some details about how a profile is displayed. The ProfileList command should include the profile whether or not it was signed.

My mistake, it was in the ProfileList, but it is still unsigned and that error is still in the device's system logs.
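As an added example that is not part of this thread: a signed profile is a CMS (PKCS #7) SignedData blob with the plist embedded in it, which is what openssl smime produces with -nodetach. The script below signs a constructed profile with a constructed self-signed certificate (a stand-in for a real signing identity), verifies the result against that certificate, and wraps the signed bytes in the same InstallProfile command shape posted above; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): CMS-sign a profile, verify it, and wrap it
# in an InstallProfile command. Assumes openssl on PATH. The signer below is a
# constructed self-signed certificate standing in for a real signing identity.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed sample profile (a trimmed form of the one posted above).
cat > "$WORK/profile.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>PayloadIdentifier</key><string>com.example.myapp.config</string>
	<key>PayloadType</key><string>Configuration</string>
	<key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
	<key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF

# Constructed self-signed signer; in production this is an identity whose chain
# the device already trusts, so the profile shows as verified instead of unsigned.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Profile Signer" \
  -keyout "$WORK/signer.key" -out "$WORK/signer.crt" 2>/dev/null
# sign_profile IN OUT: DER-encoded CMS SignedData with the plist embedded
# (-nodetach); a detached signature is not a usable signed profile.
sign_profile() {
  openssl smime -sign -binary -nodetach -outform der \
    -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" -in "$1" -out "$2"
}

# verify_profile SIGNED CA OUT: check the signature against a trusted cert and
# recover the embedded plist; fails on any byte change or an untrusted signer.
verify_profile() {
  openssl smime -verify -binary -inform der -purpose any \
    -CAfile "$2" -in "$1" -out "$3" 2>/dev/null
}

# wrap_install_profile SIGNED: emit the InstallProfile command plist with the
# signed bytes base64-encoded into <data>, the same shape as the posted command.
wrap_install_profile() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
  printf '\t<key>Payload</key>\n\t<data>%s</data>\n' "$(base64 < "$1" | tr -d '\n')"
  printf '\t<key>RequestType</key>\n\t<string>InstallProfile</string>\n</dict>\n</plist>\n'
}

sign_profile "$WORK/profile.mobileconfig" "$WORK/profile.signed"
verify_profile "$WORK/profile.signed" "$WORK/signer.crt" "$WORK/recovered.mobileconfig"
wrap_install_profile "$WORK/profile.signed" > "$WORK/InstallProfile.plist"
```

A self-signed test certificate like this one still shows as unverified on the device, because the device checks the signer's chain against its own trust store; only the integrity check shown here (any modification breaks verification) is what the signature itself provides.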
