1 2 3 Previous Next 42 Replies Latest reply: Jan 3, 2013 9:18 PM by Simon So
froowstie Level 1 Level 1 (0 points)
Hello there,

We're looking at evaluating iPhones at my business, and a key part of this is working out how out an enterprise deployment would work, with devices numbering in the 1000s.

Apple are pushing hard to spruike the perceived ease which with iPhone profiles can be deployed with ease, and how certificate management overheads are reduced through the use of SCEP.

Well, I can say that I have just invested a lot of time and effort searching the web for any whitepapers or general documentation around how iPhones and SCEP integration might work, and I can safely say there is basically no practical documentation available (take note apple, a link to SCEP RFC does not count as a useful documentation!).

So, I have setup a standalone lab environment, and have Microsoft certificate services working on a Windows 2008 server (enterprise Root CA), with the Network Deployment Enrollment Services add-on configured... this is Microsoft's version of SCEP. I have deployed a new custom certificate template setup for client-auth, and I am succesfully getting challenge responses and thumbprints via the web-interface.

I then populate the thumbprint and the challenge into the iPhone configuration utility, but when I go to install the profile on my phone, it just tried to generate the key, then seems to bomb citing "Profile failed to install".

I'm not getting much more in the way of details or logs.

1) Has anyone had real world experience in setting iPhones and SCEP up?
2) Can anyone confirm which exact settings I'm supposed to populate in the SCEP section of the iPCU?

I have populated the following fields:

- (URL) http://[hostname]/certsrv/mscep_admin/mscep.dll
- (Name) [Name of the Root Cert]
- (Subject) [I have left this field blank?]
- (Challenge) [challege as provided by the SCEP web interface]
- (Key size) 2048 (matches the cert template)
- (Use as digital signature) is not checked
- (Use as key encipherment) is not checked
- (Fingerprint) [is populated from SCEP web interface]

What am I missing? Does apple have anything in the way of useful documentation in this space?

Regards, James.

3GS, Windows XP
  • 1. Re: iPhone & certificate enrollment OTA via SCEP
    C l i f f Level 1 Level 1 (85 points)
    I see several mentions of SCEP in the Enterprise Deployment Guide, which you didn't say if you've read or not. http://www.apple.com/support/iphone/enterprise
  • 2. Re: iPhone & certificate enrollment OTA via SCEP
    froowstie Level 1 Level 1 (0 points)
    Yes, I've read it... about a 1,000 times, upside down and inside out.

    The several references they make, are just that.... vague references with little regard for the actual complexity of setting up SCEP or any real world implementation guides.

    Needless to say, I haven't got it working yet, and it's driving me crazy!
  • 3. Re: iPhone & certificate enrollment OTA via SCEP
    Matt Pierce Level 1 Level 1 (0 points)
    I'm also very much interested in this. I have a 2003 AD infrastructure and Certificate Server. Any additional info on SCEP would be greatly appreciated.
  • 4. Re: iPhone & certificate enrollment OTA via SCEP
    who.mobile Level 1 Level 1 (15 points)
    I got it working with mobileiron iphone management.

    Initially, it was difficult to make SCEP working for Windows 2003 MSCEP or Windows 2008 NDES SCEP.

    Here is sample value with iPhone Configuration Utility.
    (IPCU SCEP)
    URL: http://ca2008*/certsrv/mscep/
    NAME: CA1
    Subject: /O=DefaultCA/OU=IT/
    Challenge: 010589EC81F35ACB (it has time out usally)
    Fingerprint: (make MD5 fingerprint from certificate of your SCEP server)

    ---
    * How to get challenge:
    (windows 2008 NDES SCEP case)
    curl -kv --ntlm --user administrator@*.net:PW http://ca2008.*.net/certsrv/mscep_admin/
    (windows 2003 CA SCEP case)
    curl -kv --ntlm --user administrator@*.net:PW http://ca2003.*.net/certsrv/mscep/
    * How to get MD5 filterprint: you can download CA cert to PC and click that to get this.


    Now Put this Configuration profiles to iphone. iPhone will show "SCEP enrollment request" in Install Profiles.
    click install. it will show generating keys and finally get installed if SCEP working.


    You can follow below document to make SCEP.
    * install SCEP by following microsoft CA step by step implementation guide http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=44315BFF-B744-4637-A66B -E69B4955EE45&displaylang=en
    * and check Microsoft SCEP Implementation Whitepaper http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=E11780DE-819F-40D7-8B8E -10845BC8D446&displaylang=en

    Here are some problem/solution I faced:
    Q1) SCEP receive scep enrollment but scep server not issuing certificate.
    Answer1: check whether certificate in pending queue of certificate. if then you need to enable auto enroll
    Answer2: if server reply some PKCS7 message to phone but still SCEP not working, use "certutil -v p7.txt" (where p7.txt is response from server with "-----BEGIN PKCS7-----" and "-----END PKCS7-----" flags)

    Answer3: check event viewer when failes.
    Q2) you cannot login to /certsrv/mscep_admin using local admin account.
    Answer1: is scep installed correctly, try with domain administraotr account. it could be local policies problem.
    Q3) The password cache is full. in certsrv/mscep_admin.
    Answer1: change registry value PasswordMax refer SCEP guide.

    --------

    With mobileiron appliance, I just need to configure below to their appliance.
    And than register iphone to the appliance using phone number, and using their app, I can manage configuration profile easily.

    URL: http://ca2008.*/certsrv/mscep/
    Subject: /O=DefaultCA/OU=IT/
    Challenge Type: Microsoft SCEP
    Challenge URL: http://ca2008.*/certsrv/mscep_admin/
    User Name: administrator@*
    Password: *
    Key Size: 1024
    Key Usage: Signing Encryption

    ----------
    Anyway they could answer some of SCEP implementation problem also.
  • 5. Re: iPhone & certificate enrollment OTA via SCEP
    who.mobile Level 1 Level 1 (15 points)
    Just one update, I couldn't make iPhone Configuration Utility SCEP enrollment working. it stuck with below part.
    Wed Oct 21 15:20:51 unknown Preferences[504] <Warning>: generated key pair
    Wed Oct 21 15:20:51 unknown Preferences[504] <Warning>: /SourceCache/ManagedConfiguration/ManagedConfiguration-313.17/Handlers/MCSCEPPa yloadHandler.m 447 : Error Domain=MCPayloadHandlerErrorDomain Code=1 UserInfo=0x148540 "Profile failed to install" <CFDictionary 0x174cd0 [0x3821dff4]>{type = mutable, count = 6, capacity = 12, pairs = (\n\t5 : <CFString 0x381eba60 [0x3821dff4]>{contents = "NSLocalizedRecoveryOptions"} = <CFArray 0x1425c0 [0x3821dff4]>{type = immutable, count = 1, values = (\n\t0 : <CFString 0x174d10 [0x3821dff4]>{contents = "OK"}\n)}\n\t6 : <CFString 0x381ebac0 [0x3821dff4]>{contents = "NSLocalizedDescription"} = <CFString 0x147ad0 [0x3821dff4]>{contents = "Profile failed to install"}\n\t7 : <CFString 0x384d54f4 [0x3821dff4]>{contents = "Class"} = <CFString 0x133e80 [0x3821dff4]>{contents = "MCPayloadManager"}\n\t9 : <CFString 0x384d5504 [0x3821dff4]>{contents = "Method"} = <CFString 0x1425f0 [0x3821dff4]>{contents = "performInstallStep"}\n\t11 : <CFString 0x384d4254 [0x3821dff4]>{contents = "MCErrorType"} = <CFString 0x384d4264 [0x3821dff4]>{contents = "MCFatalError"}\n\t14 : <CFString 0x381ebaf0 [0x3821dff4]>{contents = "NSLocalizedRecoverySuggestion"} = <CFString 0x147930 [0x3821dff4]>{contents = "Try Again"}\n)}
    Wed Oct 21 15:20:51 unknown Preferences[504] <Warning>: handler <MCSCEPPayloadHandler: 0x137c40> posted error Error Domain=MCPayloadHandlerErrorDomain Code=1 UserInfo=0x148600 "Profile failed to install" during step 7

    I can see the request to SCEP server scep reply GetCACert
    +GET /certsrv/mscep/?operation=GetCACert&message=CA HTTP/1.0\r\n+
    And iPhone popup installed failed.

    I couldn't find document but it looks iphone expect config signed by SCEP CA cert. I need to find tool to sign mobile config with SCEP.
  • 6. Re: iPhone & certificate enrollment OTA via SCEP
    froowstie Level 1 Level 1 (0 points)
    Yes, it sounds like you have the exact same issue as me.

    I have MSCEP correctly issuing certificates (via the certificates snap-in) and issuing challenges when you hit the admin web-site.

    However, the profile install is failing on the actual device (iphone) as you have described.

    I'm going to install the MS SCEP hotfix (http://support.microsoft.com/kb/959193/en-us), although I don't expect this to solve the issue - just make it easier to manage multiple devices enrolling.

    The mobileiron solution does look interesting, but I'd prefer to get standard SCEP working before looking at vendor solutions.

    Cheers, froowstie
  • 7. Re: iPhone & certificate enrollment OTA via SCEP
    who.mobile Level 1 Level 1 (15 points)
    Let me know what you found. This SCEP integration is very good way to deploy certificate to phone and IPCU can help company policy configuration. I just need little bit of per user customization of policy, unless I use external tool.
  • 8. Re: iPhone & certificate enrollment OTA via SCEP
    Nicolas Troiscentquatorze Level 1 Level 1 (5 points)
    Did any of you get OTA-distributed certificates to be trusted on the iPhone? I have tried pushing client certificates together with root CA certificates (including intermediate CAs) and could not get them to be trusted.
  • 9. Re: iPhone & certificate enrollment OTA via SCEP
    who.mobile Level 1 Level 1 (15 points)
    You can't make first policy trusted while you using scep. I think that might working if you push certificate first and try. Anyway I could manage distribute certificate with policy and make "validated" policy with mobileiron evaluation.
  • 10. Re: iPhone & certificate enrollment OTA via SCEP
    Nicolas Troiscentquatorze Level 1 Level 1 (5 points)
    I tried downloading a root CA chain over Safari, it ends up installed inside profiles but will not be trusted by the device. There is no end-user interface on iPhone to change the trust level either.

    I also tried downloading a root CA inside a profile exported over-the-air (incl. SCEP exchanges). Same results: certificates are there but untrusted. Putting in place a web service coupled with a SCEP server is obviously intended for enterprises that run their own CA. It seems surprising that they would not be able to trust their own certificates over the air. Is there anything I missed? Any bit to set in the XML profile to have the CA chain trusted?
  • 11. Re: iPhone & certificate enrollment OTA via SCEP
    Cap.me Level 1 Level 1 (0 points)
    Hi,

    I have the same error. I have no SCEP log on the 2008 server.

    I used the following ipcu config:
    Here is sample value with iPhone Configuration Utility.
    (IPCU SCEP)
    URL: http://ca2008/certsrv/mscep
    NAME: CAiphone
    Subject: (blank)
    Challenge: (the challenge i got with http://ca2008/certsrv/mscep_admin URL)
    Fingerprint: (the fingerprint i got with http://ca2008/certsrv/mscep_admin URL)

    My config file is signed by IPCU

    Anything Wrong ? did you solve the problem ?

    Thanks a lot



    _error i had_:

    <Warning>: /SourceCache/ManagedConfiguration/ManagedConfiguration-313.17/Handlers/MCSCEPPa yloadHandler.m 447 : Error Domain=MCPayloadHandlerErrorDomain Code=1 UserInfo=0x148540 "Profile failed to install" <CFDictionary 0x174cd0 0x3821dff4>{type = mutable, count = 6, capacity = 12, pairs = (\n\t5 : <CFString 0x381eba60 0x3821dff4>{contents = "NSLocalizedRecoveryOptions"} = <CFArray 0x1425c0 0x3821dff4>{type = immutable, count = 1, values = (\n\t0 : <CFString 0x174d10 0x3821dff4>{contents = "OK"}\n)}\n\t6 : <CFString 0x381ebac0 0x3821dff4>{contents = "NSLocalizedDescription"} = <CFString 0x147ad0 0x3821dff4>{contents = "Profile failed to install"}\n\t7 : <CFString 0x384d54f4 0x3821dff4>{contents = "Class"} = <CFString 0x133e80 0x3821dff4>{contents = "MCPayloadManager"}\n\t9 : <CFString 0x384d5504 0x3821dff4>{contents = "Method"} = <CFString 0x1425f0 0x3821dff4>{contents = "performInstallStep"}\n\t11 : <CFString 0x384d4254 0x3821dff4>{contents = "MCErrorType"} = <CFString 0x384d4264 0x3821dff4>{contents = "MCFatalError"}\n\t14 : <CFString 0x381ebaf0 0x3821dff4>{contents = "NSLocalizedRecoverySuggestion"} = <CFString 0x147930 0x3821dff4>{contents = "Try Again"}\n)}
    Wed Oct 21 15:20:51 unknown Preferences504 <Warning>: handler <MCSCEPPayloadHandler: 0x137c40> posted error Error Domain=MCPayloadHandlerErrorDomain Code=1 UserInfo=0x148600 "Profile failed to install" during step 7

    Message was edited by: Cap.me
  • 12. Re: iPhone & certificate enrollment OTA via SCEP
    froowstie Level 1 Level 1 (0 points)
    Bump

    I'm no closer to solving this. It sounds like everyone is having the same issue getting iPhone and OTA cert enrollment via SCEP.

    I've also tried deploying the root cert inside the same profile, and seperately but it doesn't seem to make a difference.

    It sounds like the iPhone expects the profile to be signed by the CA that's issuing the certs. This probably why the MobileIron appliance works, because they've figured out how to do that inside the device.

    I might try and raise a support case with apple, seeing as it's obvious they don't monitor these forums.

    Hope someone else is getting closer to a solution.

    Cheers, froowstie
  • 13. Re: iPhone & certificate enrollment OTA via SCEP
    Cap.me Level 1 Level 1 (0 points)
    Thank you for the answer.

    I'll try to sign the .mobileconfig with the CA, and i'll post if i succeed.
    hope it will work...

    Regard,

    Cap.me

    Message was edited by: Cap.me
  • 14. Re: iPhone & certificate enrollment OTA via SCEP
    froowstie Level 1 Level 1 (0 points)
    Have you checked the mobileconfig XML that's generated by the MobileIron appliance? Does it include signing information within it?

    If so, can you provide me with a copy?
1 2 3 Previous Next