Post

Replies

Boosts

Views

Activity

Questions about MDM command "DeviceLock"
Hi, I have a couple of questions about how to proceed and prepare the implementation for the DeviceLock MDM command for macOS in a secure and proper manner. https://developer.apple.com/documentation/devicemanagement/device-lock-command In documentation "PIN" is "(string) The six-character PIN for Find My. This value is available in macOS 10.8 and later." - is this the PIN that is used to unlock the device? Is there any video online that I can see how the process would look like for the end user with locking and unlocking a device? What should be done before sending a DeviceLock command? What should be done to safely test the command without bricking a device. How to unlock a device that was locked with a DeviceLock command? Is there any Unlock command or can the user unlock device with the provided PIN earlier? Thank you for any help!
0
0
307
6d
FileVault with MDM commands fails
What is the proper payload for the FDEFileVault? Do I need to provide a user password in the payload to proceed with turning on the FileVault? Isn't that a privacy issue? Why UserEntersMissingInfo does not work for me? How to properly turn off FileVault - every try failed? Below I attach tested payloads and results. Test 1: Enable: "On" Result 1: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 2: Enable: "On" Username: "username on a device" Result 2: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 3: Enable: "On" Username: "username on a device" Password: "password of the user" Result 3: Success: FileVault turned On Test 4: After previously turning On FileVault successfully after restarting a machine. Enable: "Off" Result 4: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 5: Enable: "On" UserEntersMissingInfo: True Result 5: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 6: Enable: "On" Username: "username on a device" UserEntersMissingInfo: True Result 6: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 7: This is example payload from: https://developer.apple.com/documentation/devicemanagement/fdefilevault#Profile-Example Defer: True Enable: "On" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: False Result 7: Success: FileVault turned On Test 8: Same as test 4, but after turning on like test 7. Test 9: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: False Result 9: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 10: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: True Result 10: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 11: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: True DeferForceAtUserLoginMaxBypassAttempts: 0 Result 11: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 12: UserEntersMissingInfo: True Enable: "Off" Username: "username on a device" Result 12: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.
1
0
310
1w
MDM InstallProfile Custom Configuration profile unsigned
The MDM was installed correctly and other commands are working fine. I have tried to send the InstallProfile with custom configuration to the device, but it was displayed as not signed. How to sign the payload for InstallProfile command and where it should be included in the payload / command? The payload I sent to a mac with MDM installed: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Payload</key> <data> BASE64_HERE </data> <key>RequestType</key> <string>InstallProfile</string> </dict> </plist> Decoded base64 from the payload above was: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadContent</key> <dict> <key>com.example.myapp</key> <dict> <key>test_key</key> <string>test_value</string> </dict> </dict> <key>PayloadDisplayName</key> <string>My App Configuration</string> <key>PayloadIdentifier</key> <string>com.org_name.mdm.profile.uq_id_here</string> <key>PayloadType</key> <string>com.apple.ManagedClient.preferences</string> <key>PayloadUUID</key> <string>UUID4 HERE</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDisplayName</key> <string>App Configuration Profile</string> <key>PayloadIdentifier</key> <string>com.example.myapp.config</string> <key>PayloadOrganization</key> <string>ORG NAME</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>ANOTHER UUID4 HERE</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist> System logs from Device: [*] Processing server request: InstallProfile for: <Device> [ERROR] System keychain reported it is unavailable but will proceed as if it is. [*] === CPF_InstallProfile === com.example.myapp.config (user: <Computer>) (source: 'MDM') [*] >>>>> Sending HTTP request (PUT) [Acknowledged(InstallProfile) [*] <<<<< Received HTTP response (200) [Acknowledged(InstallProfile) [*] Processing server request: ProfileList for: <Device> [*] >>>>> Sending HTTP request (PUT) [Acknowledged(ProfileList) [*] <<<<< Received HTTP response (200) [Acknowledged(ProfileList) Also the ProfileList didn't include the installed profile. Is it because it was unsigned? How it should be signed?
2
0
374
1w
Sandbox APNs not working
Hello, I have the new root certificate is installed on the server (regarding "Action Required: Apple Push Notification Service Server Certificate Update"). I have switched to using sandbox environment to test if it would be working but I get error: "reason":"BadCertificateEnvironment" does it mean that the root certificate is not installed correctly or that is a different issue? What could be the reason for that? I have found that this response corresponds to "The client certificate is forthe wrong environment.", but there weren't an option to set environment on "https://identity.apple.com/pushcert/".
3
0
225
2w
Questions regarding "Action Required: Apple Push Notification Service Server Certificate Update"
Hello, I have a couple of questions regarding the change of the Certification Authority (CA) for Apple Push Notification service (APNs) and I will be grateful for any answers. Does it require only making sure the server machine has the SHA-2 Root: USERTrust RSA Certification Authority certificate included in Trust Store (/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem with SHA256: 8a3dbcb92ab1c6277647fe2ab8536b5c982abbfdb1f1df5728e01b906aba953a) ? Should the Certificate Signing Request be updated (that one that is uploaded to https://identity.apple.com/pushcert/) ? Does it have any connection with the certificates that are created on https://identity.apple.com/pushcert/ ? Is the push type "mdm" affected too? Which certificate should be added and where specifically? Is it for Certificate Signing Request to https://identity.apple.com/pushcert/ or the certificate that is generated on https://developer.apple.com/account/resources/certificates/list or like mentioned in the first question? Can a certificate for sandbox environment be created on https://identity.apple.com/pushcert/ ? Thank you for any help.
3
0
357
2w