User profile enrollment failed on iPhone on applying 'Per App VPN Configuration' payload

Hello!

I need some help.

I'm trying to install a user enrollment profile, generated by my own MDM solution, on an iOS device.

But after "Enroll My iPhone", an error occurs on the device: 'Profile Installation Failed: Couldn't communicate with a helper application'.

This happens if I put the "com.apple.vpn.managed.applayer" payload in the profile to set 'Per App VPN Configuration'. I see a crash report on the device with EXC_CRASH (SIGABRT) of the 'com.apple.managedconfiguration.profiled' process. The thread crashes on the _'NSDictionaryM: setObject:forKeyedSubscription' operation.

What part of payload could be wrong to cause this error?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>PayloadType</key>
		<string>Configuration</string>
		<key>PayloadUUID</key>
		<string>95CDB4D3-7457-46C1-88D6-8E300CD922B5</string>
		<key>PayloadIdentifier</key>
		<string>com.company.xxxxxx.mdm.userprofile</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
		<key>PayloadContent</key>
		<array>
			<dict>
				<key>PayloadType</key>
				<string>com.apple.security.scep</string>
				<key>PayloadUUID</key>
				<string>51770617-34FA-4E61-81D2-5E2870E23D27</string>
				<key>PayloadIdentifier</key>
				<string>com.company.xxxxxx.mdm.userprofile.scep</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
				<key>PayloadContent</key>
				<dict>
					<key>Challenge</key>
					<string>xxxxxx</string>
					<key>Key Type</key>
					<string>RSA</string>
					<key>Key Usage</key>
					<integer>5</integer>
					<key>Keysize</key>
					<integer>2048</integer>
					<key>Name</key>
					<string>Device Management Identity Certificate</string>
					<key>Subject</key>
					<array>
						<array>
							<array>
								<string>O</string>
								<string>xxxxxx</string>
							</array>
						</array>
						<array>
							<array>
								<string>CN</string>
								<string>xxxxxx Identity (%ComputerName%)</string>
							</array>
						</array>
					</array>
					<key>URL</key>
					<string>https://xxxxxx.execute-api.us-east-2.amazonaws.com/dev/api/scep/d6936434-6871-496a-9d48-86be0873d4e4</string>
				</dict>
				<key>PayloadDescription</key>
				<string>Configures SCEP</string>
				<key>PayloadDisplayName</key>
				<string>SCEP</string>
				<key>PayloadOrganization</key>
				<string>xxxxxx</string>
				<key>PayloadScope</key>
				<string>System</string>
			</dict>
			<dict>
				<key>PayloadType</key>
				<string>com.apple.mdm</string>
				<key>PayloadUUID</key>
				<string>80AB537C-B25C-4B91-B592-777B2580EF3B</string>
				<key>PayloadIdentifier</key>
				<string>com.company.xxxxxx.mdm.userprofile.mdm</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
				<key>AccessRights</key>
				<integer>8191</integer>
				<key>CheckInURL</key>
				<string>https://xxxxxx.execute-api.us-east-2.amazonaws.com/dev/api/mdm/checkin/d6936434-6871-496a-9d48-86be0873d4e4/73e6d7f4-207e-4d5d-bc6f-1c59213f5343/dt1test</string>
				<key>CheckOutWhenRemoved</key>
				<true/>
				<key>IdentityCertificateUUID</key>
				<string>51770617-34FA-4E61-81D2-5E2870E23D27</string>
				<key>ManagedAppleID</key>
				<string>xxxxxx@xxxxxx.company.com</string>
				<key>PayloadDescription</key>
				<string>Enrolls with the MDM server</string>
				<key>PayloadDisplayName</key>
				<string></string>
				<key>PayloadOrganization</key>
				<string>xxxxxx</string>
				<key>PayloadScope</key>
				<string>System</string>
				<key>ServerCapabilities</key>
				<array>
					<string>com.apple.mdm.per-user-connections</string>
				</array>
				<key>ServerURL</key>
				<string>https://xxxxxx.execute-api.us-east-2.amazonaws.com/dev/api/mdm/connect/d6936434-6871-496a-9d48-86be0873d4e4/73e6d7f4-207e-4d5d-bc6f-1c59213f5343/dt1test</string>
				<key>SignMessage</key>
				<true/>
				<key>Topic</key>
				<string>com.apple.mgmt.XServer.c43bf32c-6ef3-425c-977a-f40814f7b38b</string>
			</dict>
			<dict>
				<key>PayloadType</key>
				<string>com.apple.security.pem</string>
				<key>PayloadUUID</key>
				<string>43CAF9CE-EDB8-447D-815B-919FCBE3E892</string>
				<key>PayloadIdentifier</key>
				<string>com.company.xxxxxx.mdm.userprofile.cert.selfsigned</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
				<key>PayloadContent</key>
				<data>xxxxxx</data>
				<key>PayloadDescription</key>
				<string>Installs the TLS certificate for xxxxxx</string>
				<key>PayloadDisplayName</key>
				<string>Self-signed TLS certificate for xxxxxx</string>
				<key>PayloadOrganization</key>
				<string></string>
			</dict>
			<dict>
				<key>PayloadType</key>
				<string>com.apple.vpn.managed.applayer</string>
				<key>PayloadUUID</key>
				<string>9315a5c2-16ac-4a9f-a357-00f26c705e80</string>
				<key>PayloadIdentifier</key>
				<string>com.company.xxxxxx.mdm.userprofile.vpn.tunnel</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
				<key>VPNUUID</key>
				<string>CACE7CC4-74E0-4313-98EF-5F892B2084B4</string>
				<key>OnDemandMatchAppEnabled</key>
				<integer>1</integer>
				<key>ProviderType</key>
				<string>packet-tunnel</string>
				<key>VPNType</key>
				<string>VPN</string>
				<key>VPNSubType</key>
				<string>com.company.vpn</string>
				<key>VPN</key>
				<dict>
					<key>AuthenticationMethod</key>
					<string>Password</string>
					<key>RemoteAddress</key>
					<string>127.0.0.1</string>
				</dict>
				<key>VendorConfig</key>
				<dict></dict>
				<key>UserDefinedName</key>
				<string>Private Company Gateway VPN settings</string>
				<key>PayloadDescription</key>
				<string>Configures Private Company Gateway VPN settings</string>
				<key>PayloadDisplayName</key>
				<string>Private Company Gateway VPN</string>
				<key>PayloadOrganization</key>
				<string></string>
			</dict>
			<dict>
				<key>PayloadType</key>
				<string>com.apple.applicationaccess</string>
				<key>PayloadUUID</key>
				<string>54C0FFBF-EDD8-4672-9280-F60F92EEA28E</string>
				<key>PayloadIdentifier</key>
				<string>com.company.xxxxxx.mdm.userprofile.restrictions</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
				<key>PayloadDescription</key>
				<string>Set Restrictions policy for user</string>
				<key>PayloadDisplayName</key>
				<string>Restrictions policy</string>
				<key>PayloadOrganization</key>
				<string></string>
			</dict>
		</array>
		<key>PayloadDescription</key>
		<string>The server may alter your settings</string>
		<key>PayloadDisplayName</key>
		<string>User Enrollment Profile</string>
		<key>PayloadOrganization</key>
		<string>xxxxxx</string>
		<key>PayloadScope</key>
		<string>System</string>
	</dict>
</plist>

"Couldn't communicate with a helper application" generally indicates an internal error occurred. Please file feedback at https://feedbackassistant.apple.com/ to report the issue to Apple. Please also install the Managed Configuration logging profile from https://developer.apple.com/bug-reporting/profiles-and-logs/, reproduce the issue, then take a sysdiagnose and attach it to the radar.

It's strongly recommended that the enrollment profile only contain payloads that are required for the enrollment to succeed. This is especially true of user enrollments. Regardless of the issue you've reported, I suggest separating the per-app VPN payload into a separate profile that is installed after enrollment completes.
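An added example, not part of the original thread and not Apple's or the poster's code: one way an MDM server could apply the advice above by splitting a generated profile into an enrollment-only profile and a follow-up profile to install after enrollment completes. The `ENROLLMENT_TYPES` allow-list, the `com.example.sample.*` identifiers and the stub sample profile are assumptions made for the illustration.

```python
import plistlib
import uuid

# Assumption: the payload types this enrollment needs (identity, MDM, TLS
# trust), taken from the profile in the question. Adjust for your MDM.
ENROLLMENT_TYPES = {"com.apple.security.scep", "com.apple.mdm",
                    "com.apple.security.pem"}

def split_profile(profile_bytes, followup_identifier):
    """Split a profile into (enrollment, follow-up or None) dicts."""
    profile = plistlib.loads(profile_bytes)
    keep, defer = [], []
    for payload in profile.get("PayloadContent", []):
        required = payload.get("PayloadType") in ENROLLMENT_TYPES
        (keep if required else defer).append(payload)
    # Same top-level keys as the input, minus the deferred payloads.
    enrollment = dict(profile, PayloadContent=keep)
    if not defer:
        return enrollment, None
    followup = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": followup_identifier,  # hypothetical name
        "PayloadDisplayName": "Post-enrollment configuration",
        "PayloadContent": defer,
    }
    return enrollment, followup

def payload_types(profile):
    return [p["PayloadType"] for p in profile["PayloadContent"]]

def _sample_payload(ptype):
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": "com.example.sample." + ptype}

# Constructed sample: stub payloads in the same order as in the question.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadUUID": str(uuid.uuid4()).upper(),
    "PayloadIdentifier": "com.example.sample.enroll",
    "PayloadContent": [_sample_payload(t) for t in (
        "com.apple.security.scep", "com.apple.mdm", "com.apple.security.pem",
        "com.apple.vpn.managed.applayer", "com.apple.applicationaccess")],
})

if __name__ == "__main__":
    enroll, later = split_profile(SAMPLE, "com.example.sample.postenroll")
    print("enrollment:", payload_types(enroll))
    print("deferred:  ", payload_types(later))
```

Running the same split as a pre-flight check on every generated enrollment profile makes it easy to reject or log any profile that carries payload types outside the allow-list.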
