DEP MDM Enrollment iOS/macOS

I can enroll iOS and macOS devices with success when DEP is not used (OTA). With DEP, I can enroll iOS devices but not macOS devices. In this case, the process fails when the activation profile is received, because the system cannot decrypt the returned payload.

Note that I sign the payload using the server certificate (trusted as the anchored certs are defined accordingly) and I encrypt the payload using the device identity certificate. This identity certificate was obtained when the device reached the enrollment URL (used to sign the inbound payload).

From the console logs, it seems that the device cannot find the aforementioned certificate using the issuer and serial number, which is surprising because this should be the device identity certificate.

I currently use the OpenSSL 3 PKCS7 API. I am wondering if I should switch to the CMS functions, since they provide a way to identify the certificate by its key identifier rather than by issuer and serial number.

I'm also wondering if certificates are missing in the chain. Any help would be greatly appreciated.

I have tried the OpenSSL CMS functions with the CMS_USE_KEYID option activated. Now the MacBook tries to find the certificate using CERT_FindCertBySubjectKeyID, but it still fails. How could the device fail to retrieve the identity certificate it has just used to sign the inbound request?

On macOS, it is not possible to decrypt a profile that was encrypted using the device identity certificate.

It's a bit unclear to me exactly what steps you're performing. It appears you're using OTA profile delivery, and you're trying to use the device identity certificate to encrypt the final profile, which doesn't work on macOS. Phase 2 of OTA profile delivery uses SCEP to provision an identity on the device, and it's expected that you use that SCEP identity to encrypt the profile in Phase 3. Note that this identity is only used for that OTA delivery and can't be used for any other purposes.

Thank you for the answer. So far, I managed to implement the OTA enrollment mechanism. This includes the following steps for reference:

  • User navigates to the first URL in order to start the enrollment process. User authenticates using the web view. Server returns a payload to request device attributes. Payload is signed using the trusted server certificate.
  • Mobile device POSTs (first) the requested information. Payload is signed using the device identity certificate (issued by Apple). Server returns a SCEP payload to continue the enrollment process.
  • Mobile device reaches the server to get the SCEP certificate authority.
  • Mobile device reaches the SCEP endpoint with a PKCS7-embedded CSR to be signed. Inbound payload is decrypted using the SCEP certificate authority private key. Server returns a PKCS7-embedded X.509 SCEP-issued certificate. Returned payload is signed using the certificate extracted from the inbound SCEP request. Returned payload is signed using the SCEP authority.
  • Mobile device POSTs (second) using the newly issued certificate. Server returns the enrollment profile encrypted using the SCEP-issued certificate and signed using the server certificate.
  • Mobile device installs the MDM profile and performs CHECKIN into the solution.

For DEP, the steps are different because the mobile device automatically reaches the MDM server when running the initial setup. With this first request, it directly provides some device attributes. The inbound PKCS7 request is signed with the device identity certificate (apple_identity_cert) and includes an HTTP header x-apple-aspen-deviceinfo where the device information is provided.

From this point, the Web UI ensures the user is authenticated. Then, it finally returns the enrollment profile (MDM profile, device identity PKCS12 profile and any additional certificates to trust). The payload is encrypted using apple_identity_cert (because I have no other certificate to use) and signed using the trusted server certificate. In other words, the SCEP part is ignored in the DEP enrollment, which may be my problem here? The enrollment profile is directly returned because the documentation indicates this. Note that the steps above are working for iOS and not for macOS.

Let me know if I do something wrong.

Thank you!
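The point raised in the answer above is that the profile must be encrypted to an identity whose private key the device actually holds (the SCEP-issued certificate from step 4 of the OTA flow), and the earlier question asks whether the RecipientInfo should name that certificate by issuer and serial number or by subject key identifier. The script below is an added example, not code from this thread or from Apple: it issues a throwaway SCEP-style identity from a throwaway CA, encrypts a constructed profile plist to it with `openssl cms`, dumps the RecipientInfo to show which identifier form was used, and confirms that the matching key decrypts while an unrelated identity does not. It assumes only the openssl CLI (1.1.1 or 3.x); every key, certificate, subject name and plist in it is constructed on the spot. It goes slightly beyond the thread by showing both identifier forms (`-keyid` versus the default issuer/serial) so the two can be compared in the dump.

```shell
#!/bin/sh
# Added example (not from the thread): encrypt a profile to a SCEP-style identity
# with CMS and verify the RecipientInfo matches the certificate the recipient holds.
# Assumes the openssl CLI; all keys, certificates and the plist are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_identities() {
    # Idempotent: skip regeneration when the identities already exist in $WORK.
    [ -f "$WORK/other.crt" ] && return 0
    # Throwaway "SCEP CA" that issues the device's SCEP identity (OTA Phase 2 stand-in).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example SCEP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # The identity the device would obtain through SCEP. It must carry a
    # subjectKeyIdentifier for the -keyid form of RecipientInfo to be usable.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=device-scep-identity" \
        -keyout "$WORK/scep.key" -out "$WORK/scep.csr" 2>/dev/null
    printf 'subjectKeyIdentifier=hash\n' > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/scep.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/scep.crt" 2>/dev/null
    # Unrelated identity: stands in for a certificate whose private key the recipient cannot use.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-identity" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

make_profile() {
    # Constructed stand-in for the enrollment profile; the real one carries the MDM payload.
    cat > "$WORK/profile.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadType</key><string>Configuration</string></dict></plist>
EOF
}

encrypt_profile() {
    # $1 = recipient certificate, $2 = keyid | issuer_serial (how RecipientInfo names it)
    cert=$1; mode=$2; flag=""
    if [ "$mode" = keyid ]; then flag="-keyid"; fi
    # $flag is deliberately unquoted: it is either empty or the single word -keyid.
    openssl cms -encrypt $flag -aes256 -binary -outform DER \
        -in "$WORK/profile.mobileconfig" -out "$WORK/profile.p7m" "$cert"
}

recipient_id_type() {
    # Report which identifier the (single) RecipientInfo carries, from the ASN.1 dump.
    dump=$(openssl cms -cmsout -inform DER -in "$WORK/profile.p7m" -print)
    case "$dump" in
        *subjectKeyIdentifier*)  echo keyid ;;
        *issuerAndSerialNumber*) echo issuer_serial ;;
        *)                       echo unknown ;;
    esac
}

can_decrypt() {
    # $1 = certificate, $2 = its private key; succeeds only if a RecipientInfo matches $1.
    openssl cms -decrypt -inform DER -in "$WORK/profile.p7m" \
        -recip "$1" -inkey "$2" -out "$WORK/decrypted" 2>/dev/null
}

demo() {
    make_identities
    make_profile
    encrypt_profile "$WORK/scep.crt" keyid
    echo "RecipientInfo identifies the SCEP certificate by: $(recipient_id_type)"
    if can_decrypt "$WORK/scep.crt" "$WORK/scep.key"; then
        echo "SCEP identity key: decrypts"
    fi
    if can_decrypt "$WORK/other.crt" "$WORK/other.key"; then
        echo "unrelated key: decrypts (unexpected)"
    else
        echo "unrelated key: no matching recipient, as expected"
    fi
}

demo
```

When debugging a device that reports it cannot find the recipient certificate, the useful check is the `-cmsout -print` dump: compare the issuer/serial or key identifier it shows against the certificate the device actually holds a private key for. If the RecipientInfo names a certificate the device cannot decrypt for (such as the Apple-issued identity on macOS, per the answer above), switching between the two identifier forms will not help, because the lookup is failing on purpose.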

I am still struggling with DEP. It is unclear to me how DEP enrollment works. The documentation indicates that the device connects to the configured configuration_web_url, trusting certificates from anchor_certs. From this web interface, the device expects an enrollment profile as defined in "Authenticating Through Web Views".

The documentation does not indicate if the returned profile must be encrypted and/or signed. In my case, I return the enrollment profile (MDM payload + PKCS12 for identity certificate + trusted authorities), signed using the server certificate and encrypted using the device identity certificate. This was extracted when the device reached the enrollment URL (PKCS7 content from the HTTP header key x-apple-aspen-deviceinfo).

Unfortunately, the MacBook fails to decrypt the encrypted payload. The logs from Console seem to indicate that the certificate cannot be found in the keychain. Is there something I could do to unlock this situation?
