
We have implemented Over The Air (OTA) profile delivery with 3 phases:

Phase 1: Authentication

Phase 2: Certificate enrollment. A new certificate is sent to the device and replaces the Apple certificate.

Phase 3: Device configuration. The device response is signed with the new certificate and the server responds with a config file.

The first delivery works fine. We try to deliver a second configuration profile with the same device: iPhone 6 Plus, iOS 8.1.1. Reading the Apple documentation, Phase 2 should be called by the device only the first time. For the second delivery, "if the device has been registered previously and is merely requesting a new configuration, it signs the request with the certificate previously provided by the CA" (Apple documentation). But for the second delivery, the device response is still signed with the Apple certificate and not with the certificate sent in the first Phase 2. Do you know why the device still uses the Apple certificate and not the certificate previously obtained in Phase 2 for a new configuration?

Thanks for your help.


1 Answer


To be honest, one time I implemented this we didn't much care about the signature from the device side. We verified the challenge was correct before issuing the cert and then encrypted the profile with the public key of the cert we sent. If the device was not the same it would be unable to read our target profile, ensuring the security of the delivery.

zaitsman
  • Thanks a lot for the reply. We do agree this does not create an obvious vulnerability as such; however, this impacts performance, as Phase 2 is executed every time the client connects to the server. – Francois-Eric Guyomarc'h Apr 25 '17 at 12:22
  • @Francois-EricGuyomarc'h OTA protocol is designed for one-time payload delivery only. It is not intended for re-use of the original certificate. For that you need the full MDM protocol. – zaitsman Apr 27 '17 at 03:27
  • Normally you use OTA to deliver the MDM profile securely. – zaitsman Apr 27 '17 at 03:27
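The challenge check described in the answer above, as an added Python example that is not part of the original post or of Apple's code: the server records each challenge it placed in the Phase 1 profile-service payload, accepts it exactly once and only before it expires, and only then proceeds to issue the certificate, so a replayed device response cannot obtain a second cert. The key names (`CHALLENGE`, `UDID`, `PRODUCT`, `VERSION`), the `ChallengeStore` helper and the sample device response are assumptions constructed for this example, and verification of the CMS signature around the plist is assumed to have been done by the caller.

```python
import plistlib
import secrets
import time


class ChallengeStore:
    """Server-side record of outstanding OTA challenges (hypothetical helper)."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self._pending = {}      # challenge -> expiry timestamp
        self._ttl = ttl_seconds
        self._now = now         # injectable clock so expiry can be tested

    def issue(self):
        """Create a random, unguessable challenge for the Phase 1 profile-service payload."""
        challenge = secrets.token_urlsafe(32)
        self._pending[challenge] = self._now() + self._ttl
        return challenge

    def redeem(self, challenge):
        """Accept a challenge once; a replayed or expired challenge is rejected."""
        expires_at = self._pending.pop(challenge, None)   # pop makes it single-use
        return expires_at is not None and self._now() <= expires_at


def verify_device_response(store, plist_bytes):
    """Check the device's signed response before issuing the Phase 2 certificate.

    `plist_bytes` is the plist carried inside the CMS envelope; the caller is
    assumed to have verified the CMS signature already. Returns the device
    attributes on success, or None when no certificate must be issued.
    """
    attrs = plistlib.loads(plist_bytes)
    challenge = attrs.get("CHALLENGE")
    udid = attrs.get("UDID")
    if not isinstance(challenge, str) or not udid:
        return None
    if not store.redeem(challenge):
        return None
    return {"udid": udid, "product": attrs.get("PRODUCT"), "version": attrs.get("VERSION")}


def make_device_response(challenge, udid):
    """Constructed stand-in for the plist a device returns (sample values, not captured)."""
    return plistlib.dumps({"CHALLENGE": challenge, "UDID": udid,
                           "PRODUCT": "iPhone7,1", "VERSION": "12B436"})
```

Calling `verify_device_response` twice with the same response returns the attributes the first time and `None` the second, which is the replay case the single-use store is there to catch.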