Apple iOS MDM Server Setup Device Enrollment/Configuration

Hawkeye001 picture Hawkeye001 · Jan 25, 2013 · Viewed 10.4k times · Source

We are trying to setup our own internal iOS MDM server, and we were having some issues in that what we see doesn't neccessarily match up with what we expect, based on the Apple documentation.

Following the instructions on the Apple site, we setup a webpage where a user can enroll their device by clicking on a link. This link causes the device to go through the "Device Registration Process", as depicted in Figure 1.1 of Apples "Over-The-Air Profile Delivery and Configuration" document: https://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html

Our question is this: We have things functioning as expected up to the beginning of Phase 3 (Device Configuration) in the above mentioned document. However, when we take a look at the traffic between our web server and the device, it appears that the enrollment flow is executed twice. These are the calls we expect to see to our server, based on the documentation:

/enroll
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA

However, in reality, we see that block of calls executed twice, right after each other, with what appears to be identical data. Has anyone seen that behavior, and is it expected?

A more pressing question is that after Phase 2, Step 3 is executed, we pass down the generated cert to the device, which successfully gets installed. However, according to the document, at this point we should get a response back from the device, to which we can reply with a new configuration profile, with the settings we want to set on the device. However, we never get that response, even though everything up to that point appears to have completed successfully. Does anyone know why the response isn't being sent, or what could be going wrong at that point?

Thanks in advance,

Device logs retrieved using the iphone configuration utility:

<Notice>: (Note ) MC: Profile “com.test.profileservice.scep” queued for installation.
<Notice>: (Note ) MC: Checking for MDM installation...
<Notice>: (Note ) MC: ...finished checking for MDM installation.
<Notice>: (Note ) MC: Enrolling in OTA Profile service...
<Error>: Jan 25 16:34:13  SecTrustEvaluate  [leaf AnchorTrusted]
<Error>: Jan 25 16:34:14  SecTrustEvaluate  [leaf AnchorTrusted]
<Notice>: (Note ) MC: Attempting to retrieve issued certificate...
<Notice>: (Note ) MC: Issued certificate received.
<Notice>: (Note ) MC: Retrieving profile from OTA Profile service...
<Notice>: (Note ) MC: Received final profile: Test Config
<Notice>: (Note ) MC: Beginning profile installation...
<Error>: Jan 25 16:34:17  SecTrustEvaluate  [leaf AnchorTrusted]
<Notice>: (Note ) MC: Attempting to retrieve issued certificate...
<Notice>: (Note ) MC: Issued certificate received.
<Notice>: (Note ) MC: Profile “Test Config” installed.
<Error>: Checking for changed log settings
<Error>: valid 0 value 0
<Error>: Verbose logging disabled
<Notice>: (Note ) MC: mc_mobile_tunnel starting.
<Notice>: (Note ) MC: mc_mobile_tunnel shutting down.

Complete flow of requests sent to the MDM server:

/enroll
/checkin
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA
/checkin
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA

Adding payload sent back as part of the SCEP configuration:

<plist version="1.0">
  <dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>Ignored</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadIdentifier</key>
    <string>Test Config</string>
    <key>PayloadDisplayName</key>
    <string>Test Profile:SCEP</string>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadContent</key>
        <dict>
          <key>URL</key>
          <string>https://test.com/mdm_scep</string>
          <key>Name</key>
          <string>EnrollmentCAInstance</string>
          <key>Subject</key>
          <array>
            <array>
              <array>
                <string>O</string>
                <string>Test Organization, Inc.</string>
              </array>
            </array>
            <array>
              <array>
                <string>CN</string>
                <string>test.com</string>
              </array>
            </array>
          </array>
          <key>Challenge</key>
          <string>DummyChallenge</string>
          <key>Keysize</key>
          <integer>1024</integer>
          <key>Key Type</key>
          <string>RSA</string>
          <key>Key Usage</key>
          <integer>5</integer>
        </dict>
        <key>PayloadDescription</key>
        <string>Provides device encryption identity</string>
        <key>PayloadUUID</key>
        <string>12345678-1234-1234-1234-123456789012</string>
        <key>PayloadType</key>
        <string>com.apple.security.scep</string>
        <key>PayloadDisplayName</key>
        <string>Encryption Identity</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadOrganization</key>
        <string>Test Organization, Inc.</string>
        <key>PayloadIdentifier</key>
        <string>com.test.profileservice.scep</string>
      </dict>
    </array>
  </dict>
</plist>

Answer

Victor Ronin picture Victor Ronin · Jan 25, 2013

Answering your question about two SCEP block execution.

Please take a look this question: Update an expired iOS MDM profile

In the answers I described why device does two SCEP calls. It's per design (nothing wrong with it).

Regarding problem with Phase 2, Step 3. Can you please a) Add to your question full printout of calls to server b) Device logs

While I was working with MDM, I found out that it's almost impossible to troubleshot it without these two pieces of information.

-- Update 1 --

The correct order of calls is following

OTA PART of PROTOCOL

/enroll
Return: First profile requesting UDID, IMEI etc

/profile
Input: UDID, IMEI etc signed by iOS device private key/ Return: Profile with SCEP payload

/scep?operation=GetCACert&message=EnrollmentCAInstance

/scep?operation=GetCACaps&message=EnrollmentCAInstance

/scep?operation=PKIOperation&message=MII.....AAA

This is SCEP calls for device to get an identify which is used for OTA part Return: OTA identity certificate.

/profile

Input: UDID, IMEI etc signed by private key associated with OTA certificate Return: Profile with SCEP payload + MDM payload

/scep?operation=GetCACert&message=EnrollmentCAInstance

/scep?operation=GetCACaps&message=EnrollmentCAInstance

/scep?operation=PKIOperation&message=MII.....AAA

This is SCEP calls for device to get an identify which is used for MDM part Return: MDM identity certificate.

MDM PART of PROTOCOL

/checkin Input: Checkin request Return: HTTP code 200

As you can see it's VERY different from what you have. Did you implement everything as described in [OTA Delivery and Configuration][1]? It's really hard to guess what's wrong, because it looks like the whole part of "/profile" usage is missing.

I would recommend to start from the very beginning and make sure that each call to the server is done in described order and return described return profiles.