Geek asks and answers

Registering / Configuring an Apple iOS MDM Device

We are trying to set up our own internal iOS MDM server, and we are having some problems, as we see that what we see does not necessarily correspond to what we expect based on Apple documentation.

Following the instructions on the Apple website, we set up a web page where the user can register their device by clicking on the link. This link forces the device to go through the “Device Registration Process”, as shown in Figure 1.1 of the Apple Delivery and Configure Appearances document: https://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction /Introduction.html

Our question is: We have features that are expected before the start of phase 3 (Device Configuration) in the above document. However, when we look at the traffic between our web server and the device, it seems that the application flow is executed twice. These are the calls that we expect to see on our server, based on the documentation:

/enroll
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA

However, in fact, we see that the call block is executed twice, immediately after each other, with what looks like identical data. Has anyone seen this behavior and was expected?

, 2 3, , . , , , , , . , , , . - , , ?

,

, iphone:

<Notice>: (Note ) MC: Profile "com.test.profileservice.scep" queued for installation.
<Notice>: (Note ) MC: Checking for MDM installation...
<Notice>: (Note ) MC: ...finished checking for MDM installation.
<Notice>: (Note ) MC: Enrolling in OTA Profile service...
<Error>: Jan 25 16:34:13  SecTrustEvaluate  [leaf AnchorTrusted]
<Error>: Jan 25 16:34:14  SecTrustEvaluate  [leaf AnchorTrusted]
<Notice>: (Note ) MC: Attempting to retrieve issued certificate...
<Notice>: (Note ) MC: Issued certificate received.
<Notice>: (Note ) MC: Retrieving profile from OTA Profile service...
<Notice>: (Note ) MC: Received final profile: Test Config
<Notice>: (Note ) MC: Beginning profile installation...
<Error>: Jan 25 16:34:17  SecTrustEvaluate  [leaf AnchorTrusted]
<Notice>: (Note ) MC: Attempting to retrieve issued certificate...
<Notice>: (Note ) MC: Issued certificate received.
<Notice>: (Note ) MC: Profile "Test Config" installed.
<Error>: Checking for changed log settings
<Error>: valid 0 value 0
<Error>: Verbose logging disabled
<Notice>: (Note ) MC: mc_mobile_tunnel starting.
<Notice>: (Note ) MC: mc_mobile_tunnel shutting down.

, MDM:

/enroll
/checkin
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA
/checkin
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA

, SCEP:

<plist version="1.0">
  <dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>Ignored</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadIdentifier</key>
    <string>Test Config</string>
    <key>PayloadDisplayName</key>
    <string>Test Profile:SCEP</string>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadContent</key>
        <dict>
          <key>URL</key>
          <string>https://test.com/mdm_scep</string>
          <key>Name</key>
          <string>EnrollmentCAInstance</string>
          <key>Subject</key>
          <array>
            <array>
              <array>
                <string>O</string>
                <string>Test Organization, Inc.</string>
              </array>
            </array>
            <array>
              <array>
                <string>CN</string>
                <string>test.com</string>
              </array>
            </array>
          </array>
          <key>Challenge</key>
          <string>DummyChallenge</string>
          <key>Keysize</key>
          <integer>1024</integer>
          <key>Key Type</key>
          <string>RSA</string>
          <key>Key Usage</key>
          <integer>5</integer>
        </dict>
        <key>PayloadDescription</key>
        <string>Provides device encryption identity</string>
        <key>PayloadUUID</key>
        <string>12345678-1234-1234-1234-123456789012</string>
        <key>PayloadType</key>
        <string>com.apple.security.scep</string>
        <key>PayloadDisplayName</key>
        <string>Encryption Identity</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadOrganization</key>
        <string>Test Organization, Inc.</string>
        <key>PayloadIdentifier</key>
        <string>com.test.profileservice.scep</string>
      </dict>
    </array>
  </dict>
</plist>
+5
1

SCEP.

, : MDM iOS

, SCEP. ( ).

2, 3. a) b)

MDM, , .

- 1 -

/
: , UDID, IMEI ..

/
: UDID, IMEI .., iOS/ : SCEP

/ = GetCACert &? = EnrollmentCAInstance

/ = GetCACaps &? = EnrollmentCAInstance

/ = PKIOperation &? = MII..... AAA

SCEP , , OTA : OTA.

/

: UDID, IMEI .., , OTA : SCEP + MDM

/ = GetCACert &? = EnrollmentCAInstance

/ = GetCACaps &? = EnrollmentCAInstance

/ = PKIOperation &? = MII..... AAA

SCEP , , MDM : MDM.

/ : : HTTP 200

, , . , [OTA Delivery and Configuration] [1]? , , , "/" .

, .

+4

More articles:


All Articles