-
Re: Check configuration profile has already installed on device
eskimo Mar 9, 2016 1:01 AM (in response to sharadfromseattle)
Honestly, I don’t understand your question. Can you post a specific example of the certificates involved?
ps I’ve moved the thread to a more appropriate topic area (Core OS > Security).
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: Check configuration profile has already installed on device
sharadfromseattle Mar 9, 2016 2:16 AM (in response to eskimo)
Hi Eskimo,
I have an enrollment certificate, namely enroll.crt, and a configuration profile, namely vpn.config. I want to check that the certificate and configuration profile have already been installed on the device.
For enroll.crt, I am able to check and, if not installed, download and install it.
For vpn.config, I guess that there is no API to check that the configuration profile has already been installed. So I found an article which says that you can check that by checking the associated root certificate, namely root.crt.
So I am following this approach; now the problem is that both enroll.crt and root.crt have the same issuer name and different subject names.
And I have already installed enroll.crt, so when I go to check whether root.crt is installed or not, it says yes based on enroll.crt, because both certificates have the same issuer name and I believe that it checks based on issuer name.
So I am not able to identify whether vpn.config has been installed or not.
Is there any other approach to do so?
Thanks,
Sharad
-
Re: Check configuration profile has already installed on device
eskimo Mar 10, 2016 1:44 AM (in response to sharadfromseattle)
I think you’ve misunderstood how this hackaround works. Here’s what you should do:
create a new CA, whose certificate we’ll call Root
have it issue a single certificate, let’s call it Leaf, for a non-sensical name
destroy the private key associated with Root so that it can’t issue any other certificates
destroy the private key for Leaf so that no one can use that certificate to get any value
include Root in your VPN configuration profile
bundle Leaf in your app
have your app do a trust evaluation on Leaf
If Root is installed, the trust evaluation will succeed. If Root is not installed, the trust evaluation will fail. And as Root is tied to your VPN configuration profile, you know that it’s installed as well.
IMPORTANT There’s a serious gotcha with this approach that I discussed on the old DevForums thread. This gotcha makes it unsafe to rely on this technique as a security measure. It’s still fine to use it as a convenience though.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
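The final step of the procedure above (a trust evaluation on Leaf), sketched in Swift as an added example; it is not code from the original post or from Apple. It assumes Leaf is bundled as a DER file under the hypothetical name Leaf.der and that the app targets iOS 12 or later, where SecTrustEvaluateWithError is available.

```swift
import Foundation
import Security

/// Outcome of the probe. The type and case names are hypothetical.
enum ProfileProbe {
    case rootTrusted             // Leaf chained to an anchor the system trusts
    case rootNotTrusted(String)  // evaluation failed; reason from the Security framework
    case probeBroken(String)     // Leaf could not be loaded or the trust object not built
}

/// Evaluates the bundled Leaf against the system trust store only.
/// Call this off the main thread: trust evaluation may block.
func probeForProfileRoot(leafResource: String = "Leaf",  // assumed resource name
                         bundle: Bundle = .main) -> ProfileProbe {
    guard let url = bundle.url(forResource: leafResource, withExtension: "der"),
          let der = try? Data(contentsOf: url),
          let leaf = SecCertificateCreateWithData(nil, der as CFData) else {
        return .probeBroken("Leaf certificate missing from bundle or not valid DER")
    }

    // Basic X.509 policy: Leaf carries a nonsensical name, so an SSL policy
    // with hostname matching would not make sense here.
    let policy = SecPolicyCreateBasicX509()
    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(leaf, policy, &trust)
    guard status == errSecSuccess, let trust = trust else {
        return .probeBroken("SecTrustCreateWithCertificates failed: \(status)")
    }

    // Root is deliberately NOT bundled and SecTrustSetAnchorCertificates is
    // NOT called: supplying Root as a custom anchor would make the evaluation
    // succeed on every device, whether or not the profile installed it.
    var error: CFError?
    if SecTrustEvaluateWithError(trust, &error) {
        // This shows only that Root is installed and trusted. As the thread
        // notes, Root can be installed without the rest of the profile, so
        // treat this as a convenience check, not a security decision.
        return .rootTrusted
    }
    let reason = (error as Error?)?.localizedDescription ?? "unknown"
    return .rootNotTrusted(reason)
}
```

Logging the string carried by `.rootNotTrusted` during development surfaces the framework's own reason for a failed evaluation.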
-
Re: Check configuration profile has already installed on device
ssakthivel85 Jun 23, 2016 9:12 AM (in response to eskimo)
Hi,
I am also trying to do the same thing but getting the evaluation result kSecTrustResultRecoverableTrustFailure. I have a mobile config which has the root CA installed on the device, and I have the leaf certificate in the app. I don't know the reason for always getting kSecTrustResultRecoverableTrustFailure as the result.
I have tried to print the result of SecTrustCopyProperties for the trust object and it shows the error value 'Root certificate is not trusted.'. Please suggest a possible issue here.
-
Re: Check configuration profile has already installed on device
ffalcinelli Feb 12, 2019 3:27 AM (in response to ssakthivel85)
Hi,
Did you manage to solve it? I'm getting the same error.
Thanks
-
Re: Check configuration profile has already installed on device
drinktea12 Jan 23, 2019 10:50 AM (in response to eskimo)
"IMPORTANT There’s a serious gotcha with this approach that I discussed on the old DevForums thread. This gotcha makes it unsafe to rely on this technique as a security measure."
What's the serious gotcha you refer to here? (The link to the old DevForums thread seems broken for me...)
Are there any serious security implications that still exist once we've thrown away the private keys?
-
Re: Check configuration profile has already installed on device
eskimo Feb 13, 2019 1:58 AM (in response to drinktea12)
"The link to the old DevForums thread seems broken for me"
Indeed. The old DevForums content is no longer available, alas )-:
Fortunately, I keep a copy of all my posts, so here’s the text I was referring to.
One of my colleagues pointed out to me that there’s a serious hole in this strategy. A user could download the configuration profile, extract the custom CA certificate, install the custom CA certificate by itself (without the rest of the profile), and then run your app.
I guess that makes it even more important that folks who need a proper API for this file bugs, explain[ing] what they need and why.
If you do file a bug about this, please post your bug number here, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: Check configuration profile has already installed on device
dhadseamit Jul 8, 2019 12:25 AM (in response to eskimo)
Hi Eskimo,
I want to know whether my configuration profile is installed on the iOS device or not.
Details: what I have up till now
I have an app which installs a configuration profile on the iOS device, which I created programmatically using XML.
In the configuration profile I have two certificates: 1. Root certificate 2. Identity certificate.
All good till here.
But now what I want is
1. As the configuration profile installation process is done manually by the user, we as developers don't have any control over it. But in the next step I want to know whether the configuration profile is installed or not, as iOS doesn't have a direct API to know that.
Please, if you have any idea on this, let me know or guide me on how it can be achieved.
Thanks in advance.
Thanks,
Amit
-