Check whether a configuration profile has already been installed on a device

Hi Eskimo,

I have read your suggestion for detecting whether a configuration profile has already been installed on an iPhone device.

https://devforums.apple.com/thread/3336#3336

So I am doing the same and it works for me; now my problem is a little different from it.

I mean I am able to identify whether a certificate has been installed or not.

In my case, I first check whether the enrollment certificate is installed, then check the root certificate associated with the configuration profile. What we are facing is that when we have installed the enrollment certificate and go to check for the root certificate associated with the configuration profile, it gives me kSecTrustResultUnspecified, meaning that the certificate is already installed, but in actuality I only have the enrollment certificate installed on the device.

So what I guess is that the problem occurs because both certificates have the same issuer?

Is there any way to detect two different certificates with the same issuer name and different subject names?

Please give your suggestion.


Thanks,

Sharad

Replies

Honestly, I don’t understand your question. Can you post a specific example of the certificates involved?

ps I’ve moved the thread to a more appropriate topic area (Core OS > Security).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


I have an enrollment certificate, namely enroll.crt, and a configuration profile, namely vpn.config. I want to check whether that certificate and configuration profile have already been installed on the device.


For enroll.crt, I am able to check and, if it is not installed, download and install it.

For vpn.config, I guess that there is no API to check whether the configuration profile has already been installed. So I found an article which says that you can check that by checking the associated root certificate, namely root.crt.

So I am following this approach; now the problem is that both enroll.crt and root.crt have the same issuer name and different subject names.

And I have already installed enroll.crt, so when I go to check whether root.crt is installed or not, it says yes based on enroll.crt, because both certificates have the same issuer name and I believe that it checks based on the issuer name.

So I am not able to identify whether vpn.config has been installed or not.

Is there any other approach to do so?


Thanks,

Sharad

I think you’ve misunderstood how this hackaround works. Here’s what you should do:

  1. create a new CA, whose certificate we’ll call Root

  2. have it issue a single certificate, let’s call it Leaf, for a non-sensical name

  3. destroy the private key associated with Root so that it can’t issue any other certificates

  4. destroy the private key for Leaf so that no one can use that certificate to get any value

  5. include Root in your VPN configuration profile

  6. bundle Leaf in your app

  7. have your app do a trust evaluation on Leaf

If Root is installed, the trust evaluation will succeed. If Root is not installed, the trust evaluation will fail. And as Root is tied to your VPN configuration profile, you know that it’s installed as well.

IMPORTANT There’s a serious gotcha with this approach that I discussed on the old DevForums thread. This gotcha makes it unsafe to rely on this technique as a security measure. It’s still fine to use it as a convenience though.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
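The trust evaluation in step 7 above, as an added example in Swift; this is not Quinn's code or Apple sample code. It assumes steps 1 to 4 have already been done offline with whatever CA tooling you prefer, that the resulting Leaf certificate is bundled in the app as a DER file, and that the caller loads that file's bytes itself (the name `Leaf.cer` below is an assumption). The function deliberately does not set its own anchors: the question being asked is whether the device's anchor store, which a configuration profile's certificate payload extends, already contains Root.

```swift
import Foundation
import Security

/// Outcome of the "is our throwaway Root trusted on this device?" check.
enum RootCheck {
    case trusted               // Root is an anchor here, so the profile is (probably) installed
    case notTrusted(String)    // chain did not build; carries the trust error text
    case malformed             // the bundled Leaf bytes are not a DER certificate
}

/// Evaluates the bundled Leaf against the device's own anchor store using the
/// basic X.509 policy. Leaf chains only to Root, and Root is shipped only inside
/// the configuration profile, so the chain can only build if that profile's
/// certificate payload has been installed (and is trusted) on this device.
///
/// `leafDER` is the DER encoding of Leaf, e.g. the contents of a bundled
/// "Leaf.cer" (assumed name). Taking `Data` rather than a file name keeps the
/// function usable with any DER blob.
func checkThrowawayRoot(leafDER: Data) -> RootCheck {
    guard let leaf = SecCertificateCreateWithData(nil, leafDER as CFData) else {
        return .malformed
    }

    // Basic X.509 checks name chaining, signatures, validity dates and basic
    // constraints only. It ignores EKU / type-specific extensions, which is why
    // the "S/MIME", "Code Signing" etc. choices made when Root and Leaf were
    // created do not matter for this check.
    let policy = SecPolicyCreateBasicX509()

    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(leaf, policy, &trust)
    guard status == errSecSuccess, let trust = trust else {
        return .notTrusted("SecTrustCreateWithCertificates failed with OSStatus \(status)")
    }

    // Intentionally no SecTrustSetAnchorCertificates call: the point is to
    // consult the system roots plus whatever a profile added, not anchors we
    // ship ourselves (which would always succeed and prove nothing).

    var error: CFError?
    if SecTrustEvaluateWithError(trust, &error) {
        // On iOS 11 and earlier you would call SecTrustEvaluate instead and
        // treat kSecTrustResultUnspecified / kSecTrustResultProceed as success.
        return .trusted
    }

    // A missing or disabled Root typically surfaces here as
    // "Root certificate is not trusted." (kSecTrustResultRecoverableTrustFailure
    // under the older API). Return the text so the app can log it.
    let reason = error.map { CFErrorCopyDescription($0) as String } ?? "unknown trust failure"
    return .notTrusted(reason)
}

/// Convenience wrapper for the bundled-file case; file name is an assumption.
func profileAppearsInstalled() -> Bool {
    guard let url = Bundle.main.url(forResource: "Leaf", withExtension: "cer"),
          let leafDER = try? Data(contentsOf: url) else {
        return false
    }
    if case .trusted = checkThrowawayRoot(leafDER: leafDER) {
        return true
    }
    return false
}
```

Two things to keep in mind when reading the result. First, a `.trusted` answer only means "Root is an anchor on this device"; as Quinn notes, anyone can extract Root from the profile and install it on its own, so treat this as a convenience hint (show or hide the "install the VPN profile" step), never as a gate on anything sensitive. Second, if you get `.notTrusted("Root certificate is not trusted.")` even though the profile was installed by hand rather than via MDM, look at Settings > General > About > Certificate Trust Settings: on iOS 10.3 and later a manually installed root is not trusted for TLS until it is switched on there, and Root is also subject to the same validity-period check as any other certificate, so an expired Root or Leaf fails evaluation too.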

Hi,


I am also trying to do the same thing but getting the evaluation result kSecTrustResultRecoverableTrustFailure. I have a mobile config which has the root CA installed on the device and have the leaf certificate in the app. I don't know the reason for always getting the result kSecTrustResultRecoverableTrustFailure.


I have tried to print the result of SecTrustCopyProperties on the trust object and it shows the error value 'Root certificate is not trusted.'. Please suggest the possible issue here.

IMPORTANT There’s a serious gotcha with this approach that I discussed on the old DevForums thread. This gotcha makes it unsafe to rely on this technique as a security measure.

What's the serious gotcha you refer to here? (The link to the old DevForums thread seems broken for me...)

Are there any serious security implications that still exist once we've thrown away the private keys?

Hi,


Did you manage to solve it? I'm getting the same error.


Thanks

The link to the old DevForums thread seems broken for me

Indeed. The old DevForums content is no longer available, alas )-:

Fortunately, I keep a copy of all my posts, so here’s the text I was referring to.

One of my colleagues pointed out to me that there’s a serious hole in this strategy. A user could download the configuration profile, extract the custom CA certificate, install the custom CA certificate by itself (without the rest of the profile), and then run your app.

I guess that makes it even more important that folks who need a proper API for this file bugs, explain[ing] what they need and why.

If you do file a bug about this, please post your bug number here, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


I want to know whether my configuration profile is installed or not on an iOS device.


Details: what I have up till now


I have an app which installs a configuration profile on an iOS device, which I created programmatically using XML.

In the configuration profile I have two certificates: 1. Root certificate 2. Identity certificate.

All good till here.

But now what I want is

1. As the configuration profile installation process is done manually by the user, we as developers don't have any control over it. But in the next step I want to know whether the configuration profile is installed or not, as iOS doesn't have a direct API to know that.

If you have any idea on this, please let me know or guide me on how it can be achieved.

Thanks in advance.



Thanks,

Amit

Hello Eskimo. Could you please clarify which important items to specify when creating a new CA? For example, what values should be used for User Certificate: "S/MIME (Email)", "Code Signing" or "Custom..."?

Thanks, Dzmitry.

The specific certificate type doesn’t matter because, when you do the trust evaluation, you’ll see the basic X.509 policy (SecPolicyCreateBasicX509) which ignores all the type-specific additions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you Eskimo! I have a couple more related questions.

General questions about iOS configuration profiles:

  • When creating a certificate in Apple Configurator 2 there’s an option to sign with a certificate. I understand it is necessary for security purposes and we need to renew the profile when the certificate expires, right?
  • What happens after the “signing” certificate has expired for an already installed profile? Would the profile restrictions still work for the device, or is there any action to take?

Questions related to profile install checks:

  • I used a tutorial to create a Certificate Authority from here: https://blog.arrogantrabbit.com/ssl/Root-CA-macOS/ I am not sure whether I should stick with the default values provided by the creation wizard or follow this tutorial to apply some modifications. I guess from your answer the default values should be fine for the X.509 policy.
  • The CA root & leaf certificates have expiration dates. In the creation wizard the setup allows up to 999 days. After 999 days the trust evaluation will fail with the error “‘MyCert’ certificate is expired”. Is there an option to extend this certificate lifetime/expiration date to 10/20/30 years, for example? I can also think of the other option of returning a successful evaluation for this specific kind of error, but I’m not sure it’s safe or whether it might fall for another closely related error. Basically I wouldn’t like to force the user to re-install / install an additional updated profile for this check to work after 2 years.

Thanks, Dzmitry.

General questions about iOS configuration profiles

I’m not really the right person to ask these questions. DTS’s role here at Apple is to support the APIs in our platform SDKs [1]. Configuration profiles are supported by Apple Support.

I guess from your answer default values should be fine for X.509 policy.

Yes.

Oh, I have my own instructions for this, Technote 2326 Creating Certificates for TLS Testing, and my comments below are relative to that.

Is there an option to extend this certificate lifetime/expiration date to 10/20/30 years for example?

In Certificate Assistant you can do this via the Validity Period field. See the two D sections in TN2326.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] And Apple developer tools, some Apple services (like notarisation), and accessory development.