Error when combining scep and mdm payloads - enrollment server did not provision valid identity certificate

ぃ、小莉子 提交于 2019-12-09 06:27:32

问题


I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web service in C# .Net and I know that the device can get a valid certificate when I just send the SCEP payload. However when I also include an MDM payload that points to the SCEP payload's UUID via the IdentityCertificateUUID key, I get the following error, "The enrollment server did not provision a valid identity certificate." This configuration is the one that is sent after the user chooses to install the initial enrollment configuration (step 1 of phase 2 in this diagram).

The device doesn't appear to even make an attempt at connecting to my server, and thanks to server side logging I know that it never reaches my SCEP web service page. This seems to indicate that there's something wrong with the certificate I use to sign the payload. I've separately tried signing it with my SSL certificate (from a pre trusted root authority), my customer MDM push certificate (chained from our vendor cert), and my self-signed root certificate authority certificate (created via makecert.exe) that the SCEP service uses to issue new certificates (i.e. device identity certificates).

I've looked at the output from the iPCU (iPhone Configuration Utility) when I create a profile with both the MDM and SCEP payloads, and it isn't a valid profile (I've even tried copying it nearly wholesale). However when I install the profile via the iPCU the error doesn't come up and it begins the SCEP enrollment process without issue.

A side note - using a preexisting MDM vendor is not an option here.

Below is the profile I'm using:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>PayloadContent</key>
          <dict>
            <key>Challenge</key>
            <string>this is a challenge</string>
            <key>Key Type</key>
            <string>RSA</string>
            <key>Key Usage</key>
            <integer>5</integer>
            <key>Keysize</key>
            <integer>1024</integer>
            <key>Name</key>
            <string>mycompany</string>
            <key>Retries</key>
            <integer>3</integer>
            <key>RetryDelay</key>
            <integer>0</integer>
            <key>Subject</key>
            <array><array><array>
              <string>CN</string>
              <string>mycompany</string>
            </array></array></array>
            <key>URL</key>
            <string>https://mysite.com/scep.aspx</string>
          </dict>
          <key>PayloadDescription</key>
          <string>Configures SCEP</string>
          <key>PayloadDisplayName</key>
          <string>SCEP (mycompany)</string>
          <key>PayloadIdentifier</key>
          <string>com.mycompany.mdm.scep1</string>
          <key>PayloadOrganization</key>
          <string></string>
          <key>PayloadType</key>
          <string>com.apple.security.scep</string>
          <key>PayloadUUID</key>
          <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
        <dict>
          <key>AccessRights</key>
          <integer>3</integer>
          <key>CheckInURL</key>
          <string>mysite.com/checkin.aspx</string>
          <key>CheckOutWhenRemoved</key>
          <false/>
          <key>IdentityCertificateUUID</key>
          <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
          <key>PayloadDescription</key>
          <string>Configures MobileDeviceManagement.</string>
          <key>PayloadIdentifier</key>
          <string>com.mycompany.mdm.mdm2</string>
          <key>PayloadOrganization</key>
          <string></string>
          <key>PayloadType</key>
          <string>com.apple.mdm</string>
          <key>PayloadUUID</key>
          <string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>ServerURL</key>
          <string>https://mysite.com/checkin.aspx</string>
          <key>SignMessage</key>
          <false/>
          <key>Topic</key>
          <string>com.apple.mgmt.mypushsubject</string>
          <key>UseDevelopmentAPNS</key>
          <true/>
        </dict>
      </array>
      <key>PayloadDescription</key>
      <string>Profile description.</string>
      <key>PayloadDisplayName</key>
      <string>Test Profile</string>
      <key>PayloadIdentifier</key>
      <string>com.mycompany.mdm</string>
      <key>PayloadOrganization</key>
      <string>mycompany</string>
      <key>PayloadRemovalDisallowed</key>
      <false/>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>13321058-4037-478c-9b1e-ef6f810065cb</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </plist>

回答1:


I got in touch with Apple about this.

Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment. According to Apple you need two separate certificates (which means two SCEP enrollments) - one for OTA enrollment, and one for MDM enrollment.



来源:https://stackoverflow.com/questions/11161082/error-when-combining-scep-and-mdm-payloads-enrollment-server-did-not-provision

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!