The MDM was installed correctly and other commands are working fine. I have tried to send the InstallProfile
with custom configuration to the device, but it was displayed as not signed. How to sign the payload for InstallProfile
command and where it should be included in the payload / command?
The payload I sent to a mac with MDM installed:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Payload</key>
<data>
BASE64_HERE
</data>
<key>RequestType</key>
<string>InstallProfile</string>
</dict>
</plist>
Decoded base64 from the payload above was:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.example.myapp</key>
<dict>
<key>test_key</key>
<string>test_value</string>
</dict>
</dict>
<key>PayloadDisplayName</key>
<string>My App Configuration</string>
<key>PayloadIdentifier</key>
<string>com.org_name.mdm.profile.uq_id_here</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>UUID4 HERE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>App Configuration Profile</string>
<key>PayloadIdentifier</key>
<string>com.example.myapp.config</string>
<key>PayloadOrganization</key>
<string>ORG NAME</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>ANOTHER UUID4 HERE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
System logs from Device:
[*] Processing server request: InstallProfile for: <Device>
[ERROR] System keychain reported it is unavailable but will proceed as if it is.
[*] === CPF_InstallProfile === com.example.myapp.config (user: <Computer>) (source: 'MDM')
[*] >>>>> Sending HTTP request (PUT) [Acknowledged(InstallProfile)
[*] <<<<< Received HTTP response (200) [Acknowledged(InstallProfile)
[*] Processing server request: ProfileList for: <Device>
[*] >>>>> Sending HTTP request (PUT) [Acknowledged(ProfileList)
[*] <<<<< Received HTTP response (200) [Acknowledged(ProfileList)
Also the ProfileList
didn't include the installed profile. Is it because it was unsigned? How it should be signed?
See this documentation regarding signing configuration profiles.
A profile does not need to be signed in order to be installed. In fact, signing a profile is not of much use at all. It proves that the profile was not modified since the time it was signed, and it affects some details about how a profile is displayed. The ProfileList
command should include the profile whether or not it was signed.