I'm trying to experiment with configuration profiles, and in order to do that I am starting out with one created by Apple's Profile Manager application that uses SCEP. When I take the .mobileconfig file and install it on the device (using Apple Configurator 2) it installs fine without any issue.
However, I noticed that if I modify anything in this profile (even something minor like "PayloadDisplayName") the enrollment process gets to the end but ends up failing with this error:
Profile Installation Failed:
The SCEP server returned an invalid response
Looking at console logging doesn't show much of use:
default 14:00:17.421822-0700 profiled Could not retrieve issued certificate: NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
error 14:00:17.422199-0700 profiled Cannot retrieve SCEP identity: NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
error 14:00:17.422306-0700 profiled Rolling back installation of profile
It seems there is some sort of signing or checksum being used, but this is strange since the profile specifically says it is not signed. Looking at all the fields in use, the only thing I can guess is that the challenge field is somehow involved. Apple's documentation gives a hint about this field here:
The front end service can be set up to gate access by means of a challenge, which in practice is an authorization token (a one-time password, or a signed/encrypted blob containing user/device info) to allow automatic issuing of a certificate.
However, the above is only a recommendation, and I am not able to find out how the challenge parameter is actually defined (the value I am using is oBGLAsWsMWnHiycHpBaHXNmVEDevrLt). I'm using the SCEP server that comes with Profile Manager, but I have been unable to find any documentation about this, and the logging that is supposed to be present in the console log (with key "com.apple.SCEP") doesn't seem to exist.
If I remove the challenge parameter completely from the profile, I get a prompt during device enrollment, but I'm not sure what I should be putting in there.
If anyone has any ideas, please let me know.
UPDATE: Looking in /Library/Logs/ProfileManager/dmSCEPService.log I see these errors:
0:: [335] [2019/06/19 14:00:16.917] Certificate placeholder with challengePassword not found
0:: [335] [2019/06/19 14:00:16.917] EXCEPTION: SCEP BAD CHALLENGE <SCEP BAD CHALLENGE>
USERINFO: {
NSLocalizedDescription = "Unknown error 20";
}
This confirms it is the challenge causing the issue, but I'm not sure how to generate a proper challenge so things will succeed.
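When experimenting with a Profile Manager export like this, it helps to confirm two things before editing it: that the file really is an unsigned plist (a signed profile is a CMS/DER blob that plistlib cannot read), and exactly which SCEP payload fields, including the Challenge, the profile carries. The script below is an added example, not Apple's or Profile Manager's code; the embedded profile is a constructed sample with placeholder values, and the payload keys used (com.apple.security.scep, URL, Name, Challenge, Keysize) are the standard Apple SCEP payload keys.

```python
import plistlib

SCEP_PAYLOAD_TYPE = "com.apple.security.scep"

# Constructed sample profile in the shape of a Profile Manager export.
# The URL and Challenge are placeholders, not real values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.scep.profile</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>SCEP test</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>example.scep.payload</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://mdm.example.invalid/devicemanagement/scep/</string>
        <key>Name</key><string>CA</string>
        <key>Challenge</key><string>PLACEHOLDER-ONE-TIME-CHALLENGE</string>
        <key>Keysize</key><integer>2048</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def is_signed_profile(data: bytes) -> bool:
    """An unsigned profile is an XML or binary plist; a signed one is a CMS
    (DER) structure, so anything that is not a plist header is treated as signed."""
    head = data.lstrip()[:8]
    return not (head.startswith(b"<?xml") or head.startswith(b"bplist"))


def scep_payloads(data: bytes) -> list:
    """Return the SCEP-relevant fields of every SCEP payload in an unsigned profile."""
    profile = plistlib.loads(data)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != SCEP_PAYLOAD_TYPE:
            continue
        content = payload.get("PayloadContent", {})
        found.append({"url": content.get("URL"), "name": content.get("Name"),
                      "challenge": content.get("Challenge"), "keysize": content.get("Keysize")})
    return found
```

Run it against the real .mobileconfig by reading the file into `data` and calling `scep_payloads(data)` only when `is_signed_profile(data)` is false; a Challenge value that is present is the one the server's dmSCEPService.log is matching against its stored placeholder.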