
I have a configuration profile with an MDM payload and a Wi-Fi payload. I have a few questions in my mind:

  1. What is the difference between the Identification Payload and the Profile Removal Password Payload? I know that the second one is prompted for if the user wants to remove the profile.
  2. Will I be able to have Profile Removal Password Payload for my profile with MDM payload?
  3. How to encrypt my .mobileconfig file? Should I use CA certificate for encrypting the profile?
Anand

2 Answers


1) I think you are talking about identity profile (vs identification profile).

This profile is to give a device some identity (a certificate and a private key) which it will use to authenticate itself to the server.

It could be PKCS12 (which is a format which combines both a cert and a key) or SCEP (which is a protocol to obtain a certificate).

2) MDM profile is always removable (except a case when device is supervised).

3) That's exactly where the identity payload is used. You should encrypt a profile using the certificate of this device. So, if you need to encrypt a profile and send it to 5 different devices, you actually will need to have identities (certs) for each of these 5 devices and you will need to create 5 copies of this profile and encrypt each one using its device's cert.

Victor Ronin
  • Should I install the identity certificate on each device prior to installing the configuration profile? I used many 3rd party MDMs. None of them asked me to install any certificate. In that case, did all MDM vendors send plain text during enrolment? Since it is an OTA process, how is the security assured? – Anand Apr 22 '14 at 16:37
  • You are required to have an identity payload for MDM. What happens is that the MDM profile which is installed contains several payloads - MDM payload, Identity payload and sometimes others. If you don't specifically drill down into this profile, you won't see that the identity payload is installed. Can you elaborate on your security concern regarding the OTA process? – Victor Ronin Apr 22 '14 at 20:16
  • Right now I host the web server which has my configuration file. When the users go to the same webpage via PC and download the .mobileconfig file, several pieces of information get exposed to the users. To prevent this I want an encryption mechanism. Even now, I have an identity certificate signed by my local CA. I use this to send the device information securely by signing the messages; I added this into my configuration profile so that the mobile has this certificate. However, my configuration profile is just a plain text plist file. – Anand Apr 23 '14 at 12:53
  • Another serious doubt of mine is whether I should create a CSR for every device and get it signed by the CA. If I use a trusted CA, won't it be costlier if I get a certificate signed every time? – Anand Apr 23 '14 at 13:01
  • You should read through this article - https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html Generally speaking, you should authenticate first and deliver configurations only after that. And initial configurations shouldn't provide any sensitive information. Only after you've established MDM with identities will you be able to encrypt configuration profiles with sensitive data. – Victor Ronin Apr 23 '14 at 15:40
  • If you use SCEP, devices will create a CSR and send it to your SCEP server. Instead of using a 3rd party CA (which will be very costly), you should establish your own CA and it will issue certificates. – Victor Ronin Apr 23 '14 at 15:41
I can only answer your third question, how to encrypt a mobileconfig file. For this I wrote a utility class:


```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Base64;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
import cn.hutool.core.io.FileUtil;
// NSDictionary/NSData/PropertyListParser come from the dd-plist library (com.dd.plist),
// which is not in the hutool dependency listed below
import com.dd.plist.NSData;
import com.dd.plist.NSDictionary;
import com.dd.plist.PropertyListFormatException;
import com.dd.plist.PropertyListParser;

/**
 * Encrypt a mobileconfig file: the PayloadContent array is written out as its own plist,
 * CMS-enveloped with openssl to the device certificate, and stored as EncryptedPayloadContent.
 * @param configPath plaintext mobileconfig path, e.g. ./data/123.mobileconfig
 * @param outPath encrypted mobileconfig path, e.g. ./data/123.mobileconfig
 * @param certPath device certificate path, e.g. ./data/cert.pem
 * @throws IOException
 * @throws InterruptedException
 * @throws ParserConfigurationException
 * @throws ParseException
 * @throws SAXException
 * @throws PropertyListFormatException
 */
public static void encryptionMobile(String configPath, String outPath, String certPath)
        throws IOException, InterruptedException, ParserConfigurationException, ParseException,
        SAXException, PropertyListFormatException {

    NSDictionary rootDict = (NSDictionary) PropertyListParser.parse(FileUtil.readBytes(new File(configPath)));
    // the payload array serialised as a complete plist document of its own
    String payloadContent = rootDict.get("PayloadContent").toXMLPropertyList();

    // Distinct names for the two temp files: naming both after currentTimeMillis()
    // alone can give them the same path within one millisecond, so openssl would
    // read and write the same file
    long stamp = System.currentTimeMillis();
    File tempPlistPath = new File("./data/web/temp/" + stamp + ".plist");
    FileUtil.writeBytes(payloadContent.getBytes(StandardCharsets.UTF_8), tempPlistPath);

    File tempDer = new File("./data/web/temp/" + stamp + ".der");
    String outDer = tempDer.getAbsolutePath();
    String certPathFile = new File(certPath).getAbsolutePath();

    // Run openssl with an argument list instead of a shell command string, so paths
    // with spaces or shell metacharacters are passed through unchanged
    Process p = new ProcessBuilder("openssl", "smime", "-encrypt", "-aes128", "-nodetach", "-binary",
            "-outform", "der", "-in", tempPlistPath.getAbsolutePath(), "-out", outDer, certPathFile)
            .redirectErrorStream(true).start();
    String opensslOutput = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
    if (p.waitFor() != 0) {
        throw new IOException("openssl smime -encrypt failed: " + opensslOutput);
    }

    byte[] bytes = FileUtil.readBytes(new File(outDer));
    String encryptedPayloadContent = Base64.getEncoder().encodeToString(bytes);

    rootDict.remove("PayloadContent");
    // NSData(String) takes the base64 form and is written as a <data> element
    rootDict.put("EncryptedPayloadContent", new NSData(encryptedPayloadContent));

    PropertyListParser.saveAsXML(rootDict, new File(outPath));

    FileUtil.del(tempPlistPath);
    FileUtil.del(outDer);
}
```

This is the Maven dependency:

```xml
<dependency>
 <groupId>cn.hutool</groupId>
 <artifactId>hutool-all</artifactId>
 <version>5.7.14</version>
</dependency>
```

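An added example, not code from the question, either answer or Apple: the same PayloadContent to EncryptedPayloadContent transformation the Java above performs, done with plistlib and the openssl CLI, together with the device-side decryption that shows the first answer's point that only the identity a copy was encrypted to can open it. The sample profile, its identifiers and the self-signed device identities are constructed stand-ins (a real deployment issues device certs from its own CA), and openssl must be on the PATH.

```python
import plistlib
import subprocess
import tempfile
from pathlib import Path

# Constructed sample (not from the page): a Wi-Fi payload whose PSK must not ship in plaintext
SAMPLE_PROFILE = {
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi",  # hypothetical identifiers
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.ssid",
        "SSID_STR": "corp-wifi", "EncryptionType": "WPA", "Password": "s3cret-psk",
    }],
}

def _openssl(*args):
    # argv list, never a shell string: file names cannot smuggle in extra options
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout

def make_device_identity(cn):
    # Self-signed stand-in for one device's identity (production: your own CA, e.g. via SCEP)
    d = Path(tempfile.mkdtemp())
    cert, key = d / "cert.pem", d / "key.pem"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=" + cn, "-keyout", key, "-out", cert)
    return cert, key

def encrypt_profile(profile, cert_pem):
    # Serialise the payload array as its own plist and CMS-envelope it to one device cert
    root = dict(profile)
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "payload.plist"
        path.write_bytes(plistlib.dumps(root.pop("PayloadContent")))
        root["EncryptedPayloadContent"] = _openssl(
            "smime", "-encrypt", "-aes128", "-binary", "-outform", "der", "-in", path, cert_pem)
    return plistlib.dumps(root)  # the bytes value is written as a <data> element

def decrypt_payloads(encrypted_profile, cert_pem, key_pem):
    # Device side: returns the payload array, or None if this identity is not a recipient
    root = plistlib.loads(encrypted_profile)
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "payload.der"
        path.write_bytes(root["EncryptedPayloadContent"])
        try:
            plain = _openssl("smime", "-decrypt", "-inform", "der", "-in", path,
                             "-recip", cert_pem, "-inkey", key_pem)
        except subprocess.CalledProcessError:
            return None
    return plistlib.loads(plain)
```

Sending the profile to five devices means calling encrypt_profile five times, once per device certificate, as the first answer describes.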