
Following on from the issue in iOS MDM Enrollment Profile Request of /profile to sign the certificate using java:

Now I have almost got some of the functionality working, based on the OTA configuration flow chart provided at https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/Art/ota_developer_flow_chart.jpg

I am currently on Phase 2 Step 3, where I am trying to pass a CA to the device. Below are the request calls made from the device:

  1. /enroll
  2. /profile
  3. /scep?operation=GetCACert&message=EnrollmentCAInstance
  4. /scep?operation=GetCACaps&message=EnrollmentCAInstance
  5. /scep?operation=PKIOperation&message=MMIC....

The certificate which I am trying to send is a trusted VeriSign certificate. I have a verisign.cer and a verisign.pem file which I am trying to send.

I get the following messages on the device, from step 1 to step 5:

Installing Profile > Generating Key > Enrolling Certificate > The SCEP server returned an invalid response.

I am stuck at step 5; the device shows the error prompt "Profile Installation failed. The SCEP server returned an invalid response".

I first tried sending the .pem file through Java, and later tried to send the plist shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>Class 3 Public Primary Certification Authority</string>
            <key>PayloadContent</key>
<data>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</data>
            <key>PayloadDescription</key>
            <string>Provides device authentication </string>
            <key>PayloadDisplayName</key>
            <string>Class 3 Public Primary Certification Authority</string>
            <key>PayloadIdentifier</key>
            <string>com.myapp.deviceapi.cert.credential</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs1</string>
            <key>PayloadUUID</key>
            <string>7CBBABB4-98C5-41BF-9B87-7ACECB17471A</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Profile description.</string>
    <key>PayloadDisplayName</key>
    <string>Profile Name 9</string>
    <key>PayloadOrganization</key>
    <string>myapp</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5724A872-2D9E-49D1-B4EF-0E59C05C0B9B</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

The MIME type sent in the response for the certificate is "application/x-pki-message".

Sending the plist, it still gives the error "Profile Installation failed. The SCEP server returned an invalid response".

What is this error all about? I am unable to trace the actual issue.

For now I am passing only one certificate. What if I have multiple certificates to be attached? How can I pass multiple certificates? An example is Cisco Meraki, which passes multiple certificates to the device on enrollment.

Kindly help!!

I am also pasting the SCEP configuration. Based on the one mentioned in the OTA document, I created the SCEP specification below (this is what we pass in Phase 2 Step 1):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadUUID</key>
        <string>Ignored</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadIdentifier</key>
        <string>Ignored</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadContent</key>
                <dict>
                    <key>URL</key>
                    <string>http://myserver-url/deviceapi/ios/scep</string>
                    <key>Name</key>
                    <string>EnrollmentCAInstance</string>
                    <key>Subject</key>
                    <array>
                        <array>
                            <array>
                                <string>O</string>
                                <string>myapp ltd</string>
                            </array>
                        </array>
                        <array>
                            <array>
                                <string>CN</string>
                                <string>myapp mdm cert</string>
                            </array>
                        </array>
                    </array>
                    <key>Challenge</key>
                    <string>challengesessionvalue1234</string>
                    <key>Keysize</key>
                    <integer>1024</integer>
                    <key>Key Type</key>
                    <string>RSA</string>
                    <key>Key Usage</key>
                    <integer>5</integer>
                </dict>
                <key>PayloadDescription</key>
                <string>Configures SCEP</string>
                <key>PayloadUUID</key>
                <string>fd8a6b9e-0fed-406f-9571-8ec98722b713</string>
                <key>PayloadType</key>
                <string>com.apple.security.scep</string>
                <key>PayloadDisplayName</key>
                <string>SCEP (myapp Inc)</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadOrganization</key>
                <string>myapp</string>
                <key>PayloadIdentifier</key>
                <string>com.example.profileservice.scep</string>
            </dict>
        </array>
    </dict>
</plist>

Please let me know if there is anything wrong with my specifications.

Thanks.. :)

Edit: MDM - Credentials

Below is the MDM payload with the credentials of the PKCS12 certificate being installed.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>localhost</string>
            <key>PayloadContent</key>
            <data>
            MIIK6gIBAzCCCqoGCSqGSIb3DQEHAaCCCpsEggqXMIIKkzCCBdQG
            CSqGSIb3DQEHAaCCBcUEggXBMIIFvTCCBbkGCyqGSIb3DQEMCgEC
            oIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjtDXjBznRs1QICB9AE
            ggTYkRxcS4EDfGpcLg4atoCNVS9mCgkzQV0yna3X6BnxJXMct8JG
            3yP7Sv+Avagz5oL699PMgWRgohBRASDKpRZdzBIJqX5IxvyIQDXL
            1s6YP/v9Pb4ZPBf5FItOiVvuuwhaZEuXEpWEmk987bF5kDpZfEAs
            rAu9TJqpsGvUzHLYdl8MgUlgxYdZl8YT6pyvgCBJcOtaC+uh9AtZ
            w+oI/xXeIxaA8HIzpyLm5n7SblEc+cotCipIlCXCEJmCmGFdO8Rf
            UArT3gL2i3x/5AAxTJs1Z+M71L4pglv1dEO+eSZqg6rZTwXtE5Jt
            qPmgCS+PbuYlbP8hAVpwRpiEVynccZDOV0O1gTKgp8AOrSaKTv4Y
            ffCIr6oVeEyWTCuei+UWkuO/BaoaNx4QG+gDVpJneJ08wsYPdHcE
            nzykutrR2nVIcqf/StW9YYQtfKzYCmIMMqKDzO0nnjpKTkZYZfmu
            m5eH65PBC2ZvGhet8q1ErG/GjUbKmDQdDaDhrmLNH6XCueo4/DTx
            ImVvhm/zRhcKtoEoNag1R9PExpr2DqRm2eMtb7UEWRI7KNHyVW5q
            JCyjb2gXGDWLIZGUl8aKvpCrOHc/N0ZGHVHz9FDzYUBQz8Wat2ky
            avtOrLrHKimMjqGgk3vmwEK7H+YwhuXKXOXVsjGoK8qShie2JTLC
            hCPA0HsachyS/hOoYe7VoZXK2LFT4wn4wDxcI1qowA8SJITxsxCj
            xaSf1o9qPkT16CL3+oVpPyU/aTxIKMPwrNW5RQZqwUySwchytHkQ
            fZ8ql8SPS+79QGlgk/guE8OdBN656chK2XSV6bNmn+K1JkFCN0BO
            kU1LspcCLQ3u87sLL69MLYPoIcdSXBB6FC4GcdFl18pDB5VbXjjq
            wVgdgCRel5+5y10YzqHpdr2KlaCCO9HajfX0Sqt2AbLwAqOGk0XC
            Mz8Hz83O0aZD/F/EKPHWGiYNGloKsVTVOaqR46YK078fn6/2/BTd
            pXxboCAig9P7TOTQ6H70SdjuTaz36bani3LNA9GAgJ+mzm2WnloN
            hFZy1mZ3RVqRInBhfjwSpyg6KbFBE1XnjUiR2Qp12zOfL5ec/L2Y
            9J/kDVVEY5rDHOvLzFfzvGzAPehn1V/SYZZIBvJd8nBHWoxw2aSj
            U9BMSet1S6zGV9jFDDAFBWuf5q3cCK2TqLxj9j+5f+mceFDagA8s
            NU47XZHnYI1QeNMXe33gC34gIinlQsCfCgQPnNDeT1ulxnySSQZL
            D9Puen/xEbxVBairzJwamyb7y52wP2e77zGdSJcQoBTxSKkOBRiF
            jr7enjDnbDt6ved/PLAmbKHiFgDG1iWWJb5Tt5xcbfEDYJryJYs+
            t0N8ZU4yKC99F5jXdIXbZCa39UK1V3b/PBr2idGi7nKKAhkDUbRp
            gJlGXehE0VYUNsP9jDD3WxxyNS2eRAgofYR45+Jmzd3dxNdOohen
            fR2TAkjZ4WDRLWDJ+aZXfpPFsEE5ORSEo11L6EFl1j/7j9H9vF/J
            QO0+EdLywtlC6NmfJZsgVD/zNUyIiGam5C3zDGWkbf5IpKm3j3ML
            YcrJgjVvKQsfxV8JbzYmWBUO6+LoSnImlLj2ZXOtFSC0DccrSR/i
            SkKwpbGl2mauz/cOKr4jZ8Ddlp5SiX5gSKGAYAd05tJbBjGBpzAT
            BgkqhkiG9w0BCRUxBgQEAQAAADAjBgkqhkiG9w0BCRQxFh4UAHEA
            aABtAGQAbQBzAHQAbwByAGUwawYJKwYBBAGCNxEBMV4eXABNAGkA
            YwByAG8AcwBvAGYAdAAgAEUAbgBoAGEAbgBjAGUAZAAgAEMAcgB5
            AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIA
            IAB2ADEALgAwMIIEtwYJKoZIhvcNAQcGoIIEqDCCBKQCAQAwggSd
            BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBBjAOBAjSasdoShqGBAIC
            B9CAggRwr6MRhXWIAuyqxWfmtsFfW4og5sR1BA4AdYAQmIStO00U
            pvpm/aFJh6uFCjStXiZAY7YgYeJOFJ9p5O5kE3TDByJ3ZNiH1akH
            m2nTpv8vDUoeHycbheC+EdKX95OC+MlABM/jSnw0XgDkcnZ3DbVQ
            I18aWFFWr05Y9baxB0Vwtspn1lDAG9p3iN3j/D7Yeh1d0/4eoSWr
            9X++tPvTbbM8lVUNj9TD2DD+NF4DCsMlZLrDQYaCSYLd526wLh0n
            zwG2r1L6xhByvicTLkqqAkthNJ3iaEHMPZ7zDtJ8ptiYtg6bkXVZ
            6XO4SE8ZZPb+5/ndOutAzzDMu1MYGndJnp/QCjqBOW21UI9U8vyg
            haroHaRl4NBpNdxpr1PIsjVIE+pCfldFCZ25akE46q/azkTJKF4n
            wnjDWfjzOq7i7aLasHHWKpTvh8e1lYC/aw9mCoBIbYUgcihzY36w
            /qWs4mfErRwfuWRgEB5pcqxgnCgCtr2Fe/xPeCb1MuvUVYGBt3ja
            KRRZbwmDhHgMH/hDso3ThkcaklQOxH89y2v4CtBj0V/iJjWLgzjk
            8gg2FKLd/mcZTcwdzvIuJaDEVGDQGoH1glxl5dXCvpsZU+ZHT3hw
            H0Ny685G+QDPZxa9Jdj36p75McCJENu7qu4++Y2CrSc9TeN8W9Q+
            o82ct7wfFYurCMP575Tk/jYyEfNXdVoYUUJQlp7/gR7A94Ej4R8n
            /LDyPg4KgIPWLR2S6aCRUN2/ESKUpiXkF0jnwgjn7BVFuRzN0F51
            SjWPu6nuHJJnD19TVdDmLUW4bMIeBRJVjwO0eu13jUA+Ho7lVcJ8
            VWmXP5xZ5rIREjU9ar01jbOtZYRI7xHK9sZaHWEAVsL4Z5+rM2yK
            fE/zxRNpRqmnjmWeEWbXMxkACrYzTXZXkH9kvCqu74z1j51TEl6b
            dsCM8ps6giXLY3C8xmIEOM6wAigkJh8TzsAB8LRyIKa4suwTYLDN
            r9NhAAJcslzHSKGs5+dZYS10OakjgQJIpAQ4ndW1ayH7WBTNzJ7H
            Wb64jL0t4uETpS3DZENqwOi8xlsxilGnzbaKPy1AuJvj4meZ6Sjd
            GzM1c0x4+GrfrUEU227QXm8CzrJrscw3VF30CNFZThHXDtzEL1l8
            +IQ4rY5ITtRoMm6+LNCAY8oOFUaAL07NhRllRS/MTUucnLjNzjLA
            Iy8GMltqERplck38BnkuYGlko8uE4OkqfbpL8RaIkW+5SAICf30I
            WTQRF5LRWfHwJNKNWPClFxqt9gZisMGJyXKtLQZAyEjATNU7ziVK
            9w3KzT/dbxkDMRT9dciazXUZBTYh1jYPMpqpXUhYTuxPnMkRlDB5
            b6o3AoeaVpb9fg0APRVALWXJmTtww/wc+fVpnY4TBoLUlWuUFHeO
            ix0GZfSE07SfK3dy7PNtGdiIBp/TkEEXxTROqpZ5cQXzpdX4+lNM
            t9Srv3MbRPbXMwGi+8UeXMN+VHKOZrrjmgXTyItp9Pc0ohDsH/3a
            5xymKuGAOb+8NL4wNzAfMAcGBSsOAwIaBBTjRVHGzvf6MX6e7vpc
            sy0ACsE/ugQUmgpxIC70yqmN6+FSpWkr4hkXNMA=
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>localhost</string>
            <key>PayloadIdentifier</key>
            <string>com.myserver.test.credential1</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>CEB5AD2E-97A2-4B59-96AA-56B2B1732528</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>AccessRights</key>
            <integer>8191</integer>
            <key>CheckInURL</key>
            <string>https://10.10.25.153:8443/company/checkin</string>
            <key>CheckOutWhenRemoved</key>
            <true/>
            <key>IdentityCertificateUUID</key>
            <string>CEB5AD2E-97A2-4B59-96AA-56B2B1732528</string>
            <key>PayloadDescription</key>
            <string>Configures MobileDeviceManagement.</string>
            <key>PayloadIdentifier</key>
            <string>com.myserver.test.mdm2</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.mdm</string>
            <key>PayloadUUID</key>
            <string>615074E6-4799-49FF-9107-CEF07FEEBC1A</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ServerURL</key>
            <string>https://10.10.25.153:8443/company/checkin</string>
            <key>SignMessage</key>
            <true/>
            <key>Topic</key>
            <string>com.apple.mgmt.myserver.test</string>
            <key>UseDevelopmentAPNS</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Profile description.</string>
    <key>PayloadDisplayName</key>
    <string>MDM Payload with Credentials</string>
    <key>PayloadIdentifier</key>
    <string>com.myserver.test</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>B6F82762-17FE-441A-8B4F-41F82E3A8E8C</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Samreen

2 Answers


SCEP is quite a complex protocol. You can't just send a .pem or a plist back. As I remember, you have to send a certificate encrypted/signed in a PKCS7 envelope.

Frankly, you don't want to spend time figuring out this protocol and implementing it.

I would recommend going with the jSCEP library, which implements it, or EJBCA, which implements it as well.

BTW, you can't just send a random certificate in the response to this SCEP request; you actually need to extract the CSR which is part of this request, sign it, and send this newly created certificate back.

Your other option is to use PKCS12. In this case, you don't need to have a SCEP server. You just send the certificate + private key in PKCS12 form. However, it's a less secure option (because your server knows the private key of a device).

Victor Ronin
  • Reading through the libraries jscep and ejbca, I am still unable to send a signed PKCS PKI message to the device. I am still struggling to find an actual implementation. jscep requires a private key to create signed data, and as I am using a VeriSign validated certificate I do not have the private key of the certificate. Please help: how can I go ahead with the implementation? My actual problem is how we can sign a certificate. I did not find any decent code which I could understand. – Samreen Aug 04 '14 at 12:28
  • @Samreen: I would really recommend you to read several primer articles regarding asymmetric cryptography, or even a book on this topic. It's very, very hard to figure out (or even ask correct questions) about certificates and SCEP without basic knowledge, and it's way beyond the scope of the StackOverflow Q&A format. You will need both a certificate and a private key for SCEP. BTW, there are about 7-8 different groups of certificates which are used for iOS MDM, so just trying to throw something together won't work. – Victor Ronin Aug 04 '14 at 16:40
  • Well, thanks for the guidance, Victor. For SCEP, I managed to create a self-signed certificate and passed on ahead. The SCEP enrollment was a success using the jSCEP library. Now, while installing the profile, it throws a new error. – Samreen Aug 07 '14 at 14:07
  • The IPCU console log says: "The server certificate for https://myserverurl/checkin is invalid", with error MCHTTPTransactionErrorDomain. It clearly specifies that the identity certificate which I am passing is not correct. I am sending the .mobileconfig using IPCU with the SCEP and MDM payloads together. I had read that the PayloadUUID of SCEP and the IdentityCertificateUUID of MDM should be the same. Also, in the credentials section, first the SCEP certificate with the password of the private key and then any iOS authorised certificate is passed. Please let me know where I am going wrong now. – Samreen Aug 07 '14 at 14:13
  • To add to this, I have three certificates: one aps_development, which will be used for Apple push notifications; one ios_development certificate, which was made from the Apple website (I don't know its use); and one self-signed certificate, which is used for SCEP enrollment. So which of these should be used as the identity certificate for the checkin URL of the server? – Samreen Aug 07 '14 at 15:15
  • @Samreen: I plan to write an article with an explanation of all MDM certificates. I am not sure what your exact problem is. What is the error which you are getting in the console log? – Victor Ronin Aug 10 '14 at 18:06
  • Well, an article would be great. There are many articles, though, which do explain details. I get the error below; it is at the last stage of /checkin. Desc: The server certificate for https://myserver-ip-address:port/checkin is invalid. US Desc: The server certificate for https://myserver-ip-address:port/checkin is invalid. Domain: MCHTTPTransactionErrorDomain. Code: 23002. The certificate is the SSL certificate for my server, which I have added in the credentials of the payload; I have also added the SSL certificate to the trusted certificates on my Windows machine. I don't know where it is failing. – Samreen Aug 12 '14 at 08:55
  • On further investigation on the server side I found server logs which show this exception: "javax.net.ssl.SSLException: Received close_notify during handshake". I followed the forum response from this URL: http://answer.techwikihow.com/568791/ios-mobile-device-management-failed-install-profile.html but hard luck, still facing the same issue. The domain name is my IP address and I have an SSL certificate with the same CN=my_ipaddress; still it did not work. What is the problem now? – Samreen Aug 12 '14 at 13:33
  • a) Try to install your SSL cert separately (through iPCU) to your phone. b) Try to access your web server from Safari after that. Only when Safari won't complain, proceed with testing MDM. – Victor Ronin Aug 12 '14 at 16:27
  • I have hit the same URL using Safari many times. In Safari it does accept the certificate as Not Trusted, since it is a self-signed certificate. I have tried installing the certificate using IPCU as well; it gets installed. The only problem it gives is when the iOS device is trying to hit the checkin URL internally. All the external or manual hits are working as usual; it works like a normal SSL certificate for a website. I don't know how to proceed. I am simply stuck. :( Adding the IPCU config which I am installing on the device with MDM and credential details. Please check "Edit: MDM - Credentials" above. – Samreen Aug 13 '14 at 13:52
  • Ok. You need to install your server SSL certificate (the self-signed cert) to the device and make sure that it's trusted in Safari. Create a configuration profile in IPCU, choose Credentials and get the .cer (your self-signed certificate). It's important that it should be .cer and not .p12. This will install the self-signed SSL cert into the trusted store. As soon as you can access your website in Safari without the "Not Trusted" notice, you should be able to access checkin. What happens internally: the MDM client checks whether your website at the checkin URL has a trusted cert and rejects it because it's not trusted. – Victor Ronin Aug 13 '14 at 16:14
  • Bravo!! That was great. It worked and it successfully called the checkin URL. Well, do we always have to do this for a self-signed certificate? Before installing the MDM payload I always have to first install the certificate and then the payload, else it does not perform the installation. – Samreen Aug 14 '14 at 11:42
  • @VictorRonin: if I can contribute to your article, please let me know. – David Grant Jan 07 '15 at 19:32
  • @VictorRonin can you elaborate a bit more on how/why it is less secure to use a PKCS12 and therefore not need a SCEP server? – dazito Jun 17 '16 at 14:24
  • @dazito The very high level answer is the following. A private key for PKCS12 is created on the server and passed to a client. A private key for SCEP is created on the client and not passed anywhere. As a result, if somebody was able to do a man-in-the-middle attack, PKCS12 would be compromised and SCEP won't be compromised. – Victor Ronin Jun 17 '16 at 18:13
  • @VictorRonin Probably I'm missing something in the Apple MDM protocol, but what is that private key used for, or what is its purpose? – dazito Jun 20 '16 at 14:13
  • @dazito It depends a lot on which certificate you are talking about. Let's assume that you are talking about the MDM client certificate. The private key will be used to authenticate to the server (either during TLS tunnel negotiation or by signing all MDM messages sent from a client to the MDM server). – Victor Ronin Jun 20 '16 at 16:25
  • @VictorRonin Thank you, I was precisely talking about the authentication certificate. Can you please check my question here: http://stackoverflow.com/questions/37945836/apple-mdm-ota-identity-certificate-with-scep-vs-pkcs12-embedded-within-the-pro It is a follow-up question from this discussion. Again, thanks for your help. – dazito Jun 21 '16 at 13:30
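As an added example (not code from the question or from Victor Ronin's answer), the script below shows the CA-side work behind the /scep calls listed in the question, done with openssl rather than jSCEP: a CA whose private key you actually hold (the point the comment thread got stuck on, since a bought VeriSign certificate comes without its private key), the body returned for GetCACert, and the PKIOperation core of checking the challenge, signing the device's CSR with the CA key and verifying the issued certificate the way the device will. It does not build the SCEP signedData/envelopedData wrapper with the transactionID, messageType and pkiStatus attributes; that is the part jSCEP does for you. The Subject, Challenge and Key Usage values come from the SCEP payload in the question; the device CSR is constructed inline to stand in for the one that arrives inside the PKIOperation request, and the CA name and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer): the CA-side steps a
# SCEP server performs for the /scep calls in the question, using openssl
# instead of jSCEP.
#   GetCACert    -> hand out the CA certificate
#   PKIOperation -> check the challenge, sign the device CSR, return the cert
# Not reproduced: the SCEP signedData/envelopedData wrapper carrying the
# transactionID, messageType and pkiStatus attributes (jSCEP's job).
# Assumptions: Subject/Challenge/Key Usage are taken from the SCEP payload
# in the question; the CA name and the $WORK directory are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CHALLENGE="${CHALLENGE:-challengesessionvalue1234}"   # Challenge key of the SCEP payload

# A CA whose private key you hold. A bought VeriSign certificate cannot play
# this part: without its private key you cannot sign anything.
make_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = myapp ltd
CN = myapp enrollment CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# GetCACert response body: the CA cert as DER (content type
# application/x-x509-ca-cert), or a certs-only PKCS#7 when a CA+RA chain is
# returned (application/x-x509-ca-ra-cert). Both forms are written.
make_getcacert_response() {
    openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/ca.der"
    openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.crt" -outform DER -out "$WORK/ca-chain.p7b"
}

# Constructed device side: the key is generated on the device and never
# leaves it; the CSR carries the Subject from the SCEP payload and the
# Challenge as the challengePassword attribute.
make_device_csr() {
    cat > "$WORK/device.cnf" <<EOF
[req]
distinguished_name = dn
attributes = req_attrs
prompt = no
[dn]
O = myapp ltd
CN = myapp mdm cert
[req_attrs]
challengePassword = $CHALLENGE
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/device.cnf" \
        -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
}

# PKIOperation, server side, step 1: refuse to sign unless the CSR carries the
# challenge this enrollment session was given. Without this check /scep is an
# open certificate vending machine.
challenge_matches() {
    openssl req -in "$WORK/device.csr" -noout -text | grep -q "$CHALLENGE"
}

# PKIOperation, server side, step 2: sign the CSR with the CA key.
# "Key Usage" 5 in the SCEP payload = signing (1) + encryption (4), so the
# issued certificate gets digitalSignature and keyEncipherment.
sign_device_csr() {
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
        > "$WORK/device.ext"
    openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/device.ext" \
        -out "$WORK/device.crt" 2>/dev/null
}

# Device side, on receipt: the issued cert must chain to the CA fetched in
# GetCACert, and its public key must be the one the device generated.
verify_issued_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/device.crt" >/dev/null 2>&1 &&
        [ "$(openssl x509 -in "$WORK/device.crt" -noout -pubkey)" = \
          "$(openssl pkey -in "$WORK/device.key" -pubout)" ]
}

issued_subject() {
    openssl x509 -in "$WORK/device.crt" -noout -subject
}

# The whole exchange. device.crt is what goes back to the device, wrapped as
# a SCEP CertRep, with content type application/x-pki-message.
run_enrollment() {
    make_ca && make_getcacert_response && make_device_csr &&
        challenge_matches && sign_device_csr && verify_issued_cert
}
```

Run it with `sh scep-ca.sh` after appending a call to `run_enrollment`, or source it and call the functions one by one; everything lands in `$WORK`. The challenge check is the piece most home-grown SCEP endpoints forget: the Challenge in the profile is the only thing tying an enrollment request to a session your server handed out, so the server must compare it before signing, and should invalidate it once used.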

Here is what I did to successfully install the MDM payload with a valid certificate in PKCS12 format.

I followed the steps below:

  1. Created an SSL certificate in .jks and converted it into .cer and .p12 format respectively.
  2. The .jks is used by the server as the certificate to be hosted.
  3. Installed the .cer first on the machine as a trusted root, then created an IPCU mobileconfig with a credential payload containing the .cer file.
  4. Then installed the .p12 certificate on the machine. Created an MDM payload with MDM (Mobile Device Management) and Credentials in IPCU.
  5. Used the .p12 certificate in the credentials with its private key, and linked this certificate with the Identity of the MDM payload.
  6. The MDM payload profile got successfully installed and the check-in (checkin) URL was called internally with the Authentication message type first and then the TokenUpdate message type later.
Samreen
  • Hi Samreen, I have done all the certificates part. I have created a .mobileconfig file which contains the payload content. Now I am stuck; what do I do? – sau Jun 05 '15 at 14:33
  • Hello sau, can you please elaborate which part you are stuck in? As per my experience, the issue would be in the certificate creation only. FYI, I have implemented this on the Java platform. Please mention all your steps, as the iOS device calls the MDM server in a number of phases. Which phase are you stuck in? Have you followed all the steps I mentioned above in the solution? – Samreen Jun 08 '15 at 05:48
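The six steps above use keytool and a .jks keystore. As an added example, not Samreen's own commands, the script below produces the same artifacts with openssl so it runs without a JVM: a self-signed server certificate, the key-less .cer that goes into the trust (credential) profile of step 3, and the .p12 with the private key that the MDM payload's IdentityCertificateUUID points at in steps 4 and 5. It also reproduces the check that failed in the comment thread under the first answer: verification of the server certificate succeeds only once the .cer is an installed trust anchor. The IP 10.10.25.153 is taken from the profile in the question; the PKCS12 password, the output directory and the certificate lifetime are assumptions. The IP is placed in subjectAltName as well as in CN, because current iOS releases match the host against the SAN only (the CN alone, as in the thread, was enough in 2014).

```shell
#!/bin/sh
# Added example, not the answer's own keytool commands: the artifacts from
# steps 1-5 above, produced with openssl so no JVM is needed.
# Assumptions: the MDM server answers at 10.10.25.153 (the IP in the profile
# in the question), the PKCS12 password is "changeit", files go to $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-10.10.25.153}"
P12_PASS="${P12_PASS:-changeit}"

# Step 1: self-signed server certificate. The IP is set in subjectAltName as
# well as CN; CA:TRUE lets the device install it as a root (trust anchor).
make_server_identity() {
    cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $SERVER_IP
O = myapp
[v3_server]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = IP:$SERVER_IP
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3 input: the .cer is the DER certificate only, no private key, so it
# is safe to push to every device as a trusted root.
export_trust_anchor() {
    openssl x509 -in "$WORK/server.crt" -outform DER -out "$WORK/server.cer"
}

# Steps 4-5 input: the .p12 carries the private key and is what the
# com.apple.security.pkcs12 payload embeds. Whoever has this file and the
# password holds the identity; that is the PKCS12-versus-SCEP trade-off the
# first answer describes.
export_identity_p12() {
    openssl pkcs12 -export -name localhost \
        -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -passout "pass:$P12_PASS" -out "$WORK/server.p12"
}

# Sanity checks on the two files: the .cer parses as a certificate and holds
# no key material; the .p12 yields a private key with the password.
cer_has_no_private_key() {
    openssl x509 -in "$WORK/server.cer" -inform DER -noout >/dev/null 2>&1 &&
        ! openssl pkey -in "$WORK/server.cer" -inform DER -noout >/dev/null 2>&1
}
p12_has_private_key() {
    openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$P12_PASS" \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}
san_matches_server() {
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "IP Address:$SERVER_IP"
}

# The check the MDM client performs before calling CheckInURL: does the
# server certificate chain to something the device trusts? With no anchor
# installed (the state before step 3) a self-signed cert fails; with the
# .cer installed it passes.
checkin_trusted_without_anchor() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}
checkin_trusted_with_anchor() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

build_all() {
    make_server_identity && export_trust_anchor && export_identity_p12
}
```

Source the file and call `build_all`, then `server.cer` goes into the credential payload of the trust profile and `server.p12` (with `$P12_PASS` as the payload password) into the pkcs12 payload of the MDM profile. If an older device refuses to import the .p12, OpenSSL 3's `pkcs12 -export -legacy` produces the older RC2/3DES encoding instead of AES. Note that this setup, like the answer's, hands the server's own TLS key to the device as its MDM identity; for anything beyond a lab, issue the device a separate identity through SCEP so the device key never exists on the server.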