Hi,
I have a couple of questions about how to proceed and prepare the implementation for the DeviceLock MDM command for macOS in a secure and proper manner.
https://developer.apple.com/documentation/devicemanagement/device-lock-command
In documentation "PIN" is "(string) The six-character PIN for Find My. This value is available in macOS 10.8 and later." - is this the PIN that is used to unlock the device?
Is there any video online that I can see how the process would look like for the end user with locking and unlocking a device?
What should be done before sending a DeviceLock command? What should be done to safely test the command without bricking a device.
How to unlock a device that was locked with a DeviceLock command? Is there any Unlock command or can the user unlock device with the provided PIN earlier?
Thank you for any help!
Post
Replies
Boosts
Views
Activity
What is the proper payload for the FDEFileVault?
Do I need to provide a user password in the payload to proceed with turning on the FileVault? Isn't that a privacy issue?
Why UserEntersMissingInfo does not work for me?
How to properly turn off FileVault - every try failed?
Below I attach tested payloads and results.
Test 1:
Enable: "On"
Result 1:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 2:
Enable: "On"
Username: "username on a device"
Result 2:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 3:
Enable: "On"
Username: "username on a device"
Password: "password of the user"
Result 3:
Success: FileVault turned On
Test 4:
After previously turning On FileVault successfully after restarting a machine.
Enable: "Off"
Result 4:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
Test 5:
Enable: "On"
UserEntersMissingInfo: True
Result 5:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 6:
Enable: "On"
Username: "username on a device"
UserEntersMissingInfo: True
Result 6:
Error
ErrorCode: -319
LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed.
Test 7:
This is example payload from: https://developer.apple.com/documentation/devicemanagement/fdefilevault#Profile-Example
Defer: True
Enable: "On"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: False
Result 7:
Success: FileVault turned On
Test 8:
Same as test 4, but after turning on like test 7.
Test 9:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: False
Result 9:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
Test 10:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: True
Result 10:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
Test 11:
Defer: True
Enable: "Off"
ShowRecoveryKey: True
UseKeychain: False
UseRecoveryKey: True
UserEntersMissingInfo: True
DeferForceAtUserLoginMaxBypassAttempts: 0
Result 11:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
Test 12:
UserEntersMissingInfo: True
Enable: "Off"
Username: "username on a device"
Result 12:
Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
The MDM was installed correctly and other commands are working fine. I have tried to send the InstallProfile with custom configuration to the device, but it was displayed as not signed. How to sign the payload for InstallProfile command and where it should be included in the payload / command?
The payload I sent to a mac with MDM installed:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Payload</key>
<data>
BASE64_HERE
</data>
<key>RequestType</key>
<string>InstallProfile</string>
</dict>
</plist>
Decoded base64 from the payload above was:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.example.myapp</key>
<dict>
<key>test_key</key>
<string>test_value</string>
</dict>
</dict>
<key>PayloadDisplayName</key>
<string>My App Configuration</string>
<key>PayloadIdentifier</key>
<string>com.org_name.mdm.profile.uq_id_here</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>UUID4 HERE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>App Configuration Profile</string>
<key>PayloadIdentifier</key>
<string>com.example.myapp.config</string>
<key>PayloadOrganization</key>
<string>ORG NAME</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>ANOTHER UUID4 HERE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
System logs from Device:
[*] Processing server request: InstallProfile for: <Device>
[ERROR] System keychain reported it is unavailable but will proceed as if it is.
[*] === CPF_InstallProfile === com.example.myapp.config (user: <Computer>) (source: 'MDM')
[*] >>>>> Sending HTTP request (PUT) [Acknowledged(InstallProfile)
[*] <<<<< Received HTTP response (200) [Acknowledged(InstallProfile)
[*] Processing server request: ProfileList for: <Device>
[*] >>>>> Sending HTTP request (PUT) [Acknowledged(ProfileList)
[*] <<<<< Received HTTP response (200) [Acknowledged(ProfileList)
Also the ProfileList didn't include the installed profile. Is it because it was unsigned? How it should be signed?
Hello,
I have the new root certificate is installed on the server (regarding "Action Required: Apple Push Notification Service Server Certificate Update"). I have switched to using sandbox environment to test if it would be working but I get error:
"reason":"BadCertificateEnvironment"
does it mean that the root certificate is not installed correctly or that is a different issue?
What could be the reason for that?
I have found that this response corresponds to "The client certificate is forthe wrong environment.", but there weren't an option to set environment on "https://identity.apple.com/pushcert/".
Hello,
I have a couple of questions regarding the change of the Certification Authority (CA) for Apple Push Notification service (APNs) and I will be grateful for any answers.
Does it require only making sure the server machine has the SHA-2 Root: USERTrust RSA Certification Authority certificate included in Trust Store (/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem with SHA256: 8a3dbcb92ab1c6277647fe2ab8536b5c982abbfdb1f1df5728e01b906aba953a) ?
Should the Certificate Signing Request be updated (that one that is uploaded to https://identity.apple.com/pushcert/) ?
Does it have any connection with the certificates that are created on https://identity.apple.com/pushcert/ ?
Is the push type "mdm" affected too?
Which certificate should be added and where specifically? Is it for Certificate Signing Request to https://identity.apple.com/pushcert/ or the certificate that is generated on https://developer.apple.com/account/resources/certificates/list or like mentioned in the first question?
Can a certificate for sandbox environment be created on https://identity.apple.com/pushcert/ ?
Thank you for any help.