8 Replies
      Latest reply on Jul 8, 2019 12:25 AM by dhadseamit
      sharadfromseattle Level 1 (0 points)

        Hi Eskimo,

        I have read your suggestion to detect whether a configuration profile has already been installed on an iPhone device.

        https://devforums.apple.com/thread/3336#3336

        So I am doing the same and it works for me; now my problem is a little different from it.

        I mean I am able to identify whether a certificate has been installed or not.

        In my case, I first check whether the enrollment certificate is installed or not, then check the root certificate associated with the configuration profile. What we are facing is that when we have installed the enrollment certificate and go to check for the root certificate associated with the configuration profile, it gives me kSecTrustResultUnspecified, which means that the certificate is already installed, but actually I only have the enrollment certificate installed on the device.

        So what I guess is that the problem occurs because both certificates have the same issuer?

        Is there any way to detect two different certificates with the same issuer name and different subject names?

        Please give your suggestion.

         

        Thanks,

        Sharad

        • Re: Check configuration profile has already installed on device
          eskimo Apple Staff (11,655 points)

          Honestly, I don’t understand your question.  Can you post a specific example of the certificates involved?

          ps I’ve moved the thread to a more appropriate topic area (Core OS > Security).

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Check configuration profile has already installed on device
              sharadfromseattle Level 1 (0 points)

              Hi Eskimo,

               

              I have an enrollment certificate, namely enroll.crt, and a configuration profile, namely vpn.config. I want to check whether that certificate and configuration profile have already been installed on the device.

              For enroll.crt, I am able to check and, if not installed, download and install it.

              For vpn.config, I guess that there is no API to check that a configuration profile has already been installed. So I found an article which says that you can check that by checking the associated root certificate, namely root.crt.

              So I am following this approach; now the problem is that both enroll.crt and root.crt have the same issuer name and different subject names.

              And I have already installed enroll.crt, so when I check whether root.crt is installed or not, it says yes based on enroll.crt, because both certificates have the same issuer name and I believe that it checks based on issuer name.

              So I am not able to identify whether vpn.config has been installed or not.

              Is there any other approach to do so?


               

              Thanks,

              Sharad

                • Re: Check configuration profile has already installed on device
                  eskimo Apple Staff (11,655 points)

                  I think you’ve misunderstood how this hackaround works.  Here’s what you should do:

                  1. create a new CA, whose certificate we’ll call Root

                  2. have it issue a single certificate, let’s call it Leaf, for a non-sensical name

                  3. destroy the private key associated with Root so that it can’t issue any other certificates

                  4. destroy the private key for Leaf so that no one can use that certificate to get any value

                  5. include Root in your VPN configuration profile

                  6. bundle Leaf in your app

                  7. have your app do a trust evaluation on Leaf

                  If Root is installed, the trust evaluation will succeed.  If Root is not installed, the trust evaluation will fail.  And as Root is tied to your VPN configuration profile, you know that it’s installed as well.

                  IMPORTANT There’s a serious gotcha with this approach that I discussed on the old DevForums thread.  This gotcha makes it unsafe to rely on this technique as a security measure.  It’s still fine to use it as a convenience though.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
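
The app-side check from step 7 above, as an added example that is not from the original post or from Apple: it evaluates the bundled Leaf with a basic X.509 policy and no custom anchors, so success means the device trust store already trusts Root. The resource name `Leaf.cer`, the `ProfileHint` type and the `profileHint` function are assumptions; `SecTrustEvaluateWithError` requires iOS 12 or later.

```swift
import Foundation
import Security

/// Outcome of the bundled-Leaf check. Treat it as a convenience hint only:
/// as the thread notes, Root can be installed without the rest of the profile.
enum ProfileHint {
    case rootTrusted
    case rootNotTrusted(reason: String)
    case leafUnreadable
}

/// Evaluates the Leaf certificate bundled in the app against the device trust store.
/// "Leaf.cer" (DER-encoded) is an assumed resource name, not one from the thread.
func profileHint(leafResource: String = "Leaf",
                 ext: String = "cer",
                 bundle: Bundle = .main) -> ProfileHint {
    guard let url = bundle.url(forResource: leafResource, withExtension: ext),
          let der = try? Data(contentsOf: url),
          let leaf = SecCertificateCreateWithData(nil, der as CFData) else {
        return .leafUnreadable
    }

    // Basic X.509 policy: chain building and validity dates only, no hostname
    // check, because Leaf was issued for a nonsensical name.
    let policy = SecPolicyCreateBasicX509()
    var trustRef: SecTrust?
    guard SecTrustCreateWithCertificates(leaf, policy, &trustRef) == errSecSuccess,
          let trust = trustRef else {
        return .leafUnreadable
    }

    // Deliberately no SecTrustSetAnchorCertificates call: the question is
    // whether the system already trusts Root, not whether we can supply it.
    // A true result corresponds to kSecTrustResultUnspecified or
    // kSecTrustResultProceed. Call this off the main thread.
    var error: CFError?
    if SecTrustEvaluateWithError(trust, &error) {
        return .rootTrusted
    }
    let reason = error.map { ($0 as Error).localizedDescription } ?? "unknown"
    return .rootNotTrusted(reason: reason)
}
```

An expired Leaf also fails this evaluation, so the `reason` string is worth logging when the result is `.rootNotTrusted`.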

                    • Re: Check configuration profile has already installed on device
                      ssakthivel85 Level 1 (0 points)

                      Hi,

                       

                      I am also trying to do the same thing but getting the evaluation result as kSecTrustResultRecoverableTrustFailure. I have a mobile config which has the root CA installed on the device and have the leaf certificate in the app. I don't know the reason for always getting the result as kSecTrustResultRecoverableTrustFailure.

                      I have tried to print the result of SecTrustCopyProperties of the trust object and it shows the error value as 'Root certificate is not trusted.'. Please suggest the possible issue here.

                      • Re: Check configuration profile has already installed on device
                        drinktea12 Level 1 (0 points)

                        "IMPORTANT There’s a serious gotcha with this approach that I discussed on the old DevForums thread.  This gotcha makes it unsafe to rely on this technique as a security measure."

                        What's the serious gotcha you refer to here?  (The link to the old DevForums thread seems broken for me...)

                        Are there any serious security implications that still exist once we've thrown away the private keys?

                          • Re: Check configuration profile has already installed on device
                            eskimo Apple Staff (11,655 points)

                            "The link to the old DevForums thread seems broken for me"

                            Indeed.  The old DevForums content is no longer available, alas )-:

                            Fortunately, I keep a copy of all my posts, so here’s the text I was referring to.


                            One of my colleagues pointed out to me that there’s a serious hole in this strategy.  A user could download the configuration profile, extract the custom CA certificate, install the custom CA certificate by itself (without the rest of the profile), and then run your app.

                            I guess that makes it even more important that folks who need a proper API for this file bugs, explain[ing] what they need and why.


                            If you do file a bug about this, please post your bug number here, just for the record.

                            Share and Enjoy

                            Quinn “The Eskimo!”
                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                            let myEmail = "eskimo" + "1" + "@apple.com"

                              • Re: Check configuration profile has already installed on device
                                dhadseamit Level 1 (0 points)

                                Hi Eskimo,

                                 

                                Want to know if my configuration profile is installed or not on an iOS device?

                                Details:- What I have up till now

                                I have an app which installs a configuration profile on an iOS device, which I created programmatically using XML.

                                In the configuration profile I have two certificates: 1. Root certificate 2. Identity certificate.

                                All good till here.

                                But now what I want is

                                1. As the configuration profile installation process is done manually by the user, we as developers don't have any control over it. But in the next step I want to know if the configuration profile is installed or not, as iOS doesn't have a direct API to know that.

                                Please, if you have any idea on this, let me know or guide me on how it can be achieved.

                                Thanks in advance.

                                 

                                 

                                Thanks,

                                Amit