
OTA Mobileconfig encryption - profile could not be decrypted - Decryption key for this profile is not installed.

Hi -


I'm trying OTA enrollment. I'm using MS-AD for SCEP.

1. In step 1 the device responds with device details signed by the private key from the certificate from Apple.

2. In step 2 my profile service sends a message to get a certificate from the SCEP (AD) server.

3. In step 3 the device responds with device details signed by the private key from the certificate from the SCEP server.

4. In step 4 my profile service encrypts the profile with the public key from the certificate from the SCEP server.


I'm getting a message that the profile can't be decrypted. The exact error message is:

"OTA Mobileconfig encryption - profile could not be decrypted - Decryption key for this profile is not installed."


Can somebody confirm whether the format of my encrypted profile is correct?


Here is the encrypted profile. The encrypted payload is between the <data> tags. The unencrypted version of the payload is also listed below.


1. Encrypted profile


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EncryptedPayloadContent</key>
<data>
......Redacted - the encrypted data .....
</data>
<key>PayloadDescription</key>
<string>Profile description.</string>
<key>PayloadDisplayName</key>
<string>MyCompany Test Profile</string>
<key>PayloadIdentifier</key>
<string>com.mycompany.profile</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C4BBB40B-1BFB-4CFC-83E1-A1D5270D05D3</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>



2. Payload in plain text. I'm inserting this payload between the <data> tags after encryption.


<array>
<dict>
<key>PayloadDescription</key>
<string>Configures device restrictions.</string>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.houston.profile.restrictions</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>61FD34AC-F388-44B5-BCD7-C602CB382469</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowAddingGameCenterFriends</key>
<false/>
<key>allowAppInstallation</key>
<false/>
<key>allowAssistant</key>
<false/>
<key>allowCamera</key>
<false/>
<key>allowCloudBackup</key>
<false/>
<key>allowCloudDocumentSync</key>
<false/>
<key>allowDiagnosticSubmission</key>
<false/>
<key>allowExplicitContent</key>
<false/>
<key>allowGlobalBackgroundFetchWhenRoaming</key>
<false/>
<key>allowInAppPurchases</key>
<false/>
<key>allowMultiplayerGaming</key>
<false/>
<key>allowPhotoStream</key>
<false/>
<key>allowSafari</key>
<false/>
<key>allowScreenShot</key>
<false/>
<key>allowUntrustedTLSPrompt</key>
<false/>
<key>allowVideoConferencing</key>
<true/>
<key>allowVoiceDialing</key>
<false/>
<key>allowYouTube</key>
<false/>
<key>allowiTunes</key>
<false/>
<key>forceEncryptedBackup</key>
<false/>
<key>forceITunesStorePasswordEntry</key>
<false/>
<key>ratingApps</key>
<integer>1000</integer>
<key>ratingMovies</key>
<integer>1000</integer>
<key>ratingRegion</key>
<string>us</string>
<key>ratingTVShows</key>
<integer>1000</integer>
</dict>
</array>

iPad 2, MS-AD for SCEP server

Posted on Feb 1, 2012 8:50 AM

8 replies

Mar 26, 2012 4:45 AM in response to zahidmaqbool

Yes I am using -


require 'openssl'

# CMS-encrypt the payload plist to the certificates the phone sent; 3DES-CBC content cipher, DER (BINARY) output
encrypted_profile = OpenSSL::PKCS7.encrypt(@@p7sign.certificates, payload, OpenSSL::Cipher.new("des-ede3-cbc"), OpenSSL::PKCS7::BINARY)


where @@p7sign.certificates are the certificates used by the phone to sign its response (sent to the server), and payload is the PLIST that I want to encrypt.


Any help would be really appreciated.


Thanks

Apr 18, 2012 10:36 AM in response to venkygct

I am not a developer, but you cannot use the public key from the SCEP server to encrypt the profile for the phone.

You have to use the public key from the SCEP certificate issued to the phone, which means the iPhone has to send its public key after SCEP enrollment. You have to catch the public key in the iPhone response and use that public key to encrypt the profile.

Please let us know when you make this happen!
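The point made in this reply, and the encryption call and profile layout from the earlier posts, carried through end to end as an added example (this is not Apple's sample code and not any poster's code). It assumes a throwaway CA standing in for the SCEP issuer and a device key/certificate that CA issued; all names, UUIDs and the attribute plist are constructed. The device private key is held in-process only to show which certificate the profile must be encrypted to: the one that signed the step-3 response, not the server's. Encrypting to the server certificate instead is shown failing on the simulated device side, which is the case the thread's error message describes.

```ruby
require 'openssl'
require 'base64'

# Constructed fixtures: a self-signed CA in the role of the SCEP issuer, and a
# device certificate it issued. Extensions are set so OpenSSL chain checks pass.
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert('/CN=Constructed SCEP CA', CA_KEY, nil, nil, 1, ca: true)
DEV_KEY  = OpenSSL::PKey::RSA.new(2048)
DEV_CERT = make_cert('/CN=constructed-device', DEV_KEY, CA_CERT, CA_KEY, 2, ca: false)

# Plaintext payload array, shaped like item 2 of the first post (constructed values).
PAYLOAD_ARRAY = <<~XML
  <array>
  <dict>
  <key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>PayloadIdentifier</key><string>com.example.profile.restrictions</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>allowCamera</key><false/>
  </dict>
  </array>
XML

# Step 3, device side (simulated): sign the attribute plist with the SCEP-issued key pair.
def device_sign(plist, key, cert)
  OpenSSL::PKCS7.sign(cert, key, plist, [], OpenSSL::PKCS7::BINARY).to_der
end

# Server side: verify the step-3 signature against the SCEP CA and return the
# signer's certificate. That certificate is the only valid recipient for step 4.
def recipient_cert_from_response(signed_der, ca_cert)
  p7 = OpenSSL::PKCS7.new(signed_der)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  raise 'step-3 signature does not verify against the SCEP CA' unless p7.verify([], store, nil, OpenSSL::PKCS7::BINARY)
  signer = p7.signers.first
  p7.certificates.find { |c| c.issuer == signer.issuer && c.serial == signer.serial }
end

# Step 4: CMS-encrypt the payload to the recipient certificate, DER encoded
# (the BINARY flag from the Ruby reply), ready to be base64'd into <data>.
def encrypt_payload(plaintext, recipient_cert)
  cipher = OpenSSL::Cipher.new('des-ede3-cbc')
  OpenSSL::PKCS7.encrypt([recipient_cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
end

# Outer profile in the layout of item 1 of the first post (constructed identifiers).
def build_outer_profile(encrypted_der)
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>EncryptedPayloadContent</key>
    <data>#{Base64.strict_encode64(encrypted_der)}</data>
    <key>PayloadIdentifier</key>
    <string>com.example.profile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>00000000-0000-4000-8000-000000000002</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    </dict>
    </plist>
  XML
end

# Device side (simulated): pull <data> back out and decrypt with the device key.
# Returns the plaintext, or nil when no recipient matches the device certificate.
def device_decrypt(outer_profile, key, cert)
  der = Base64.decode64(outer_profile[%r{<data>(.*?)</data>}m, 1])
  OpenSSL::PKCS7.new(der).decrypt(key, cert, OpenSSL::PKCS7::BINARY)
rescue OpenSSL::PKCS7::PKCS7Error
  nil
end

# Whole flow: correct recipient (device cert) beside the wrong one (SCEP CA cert).
def run_flow
  signed = device_sign('<plist version="1.0"><dict><key>UDID</key><string>constructed</string></dict></plist>', DEV_KEY, DEV_CERT)
  dev_cert = recipient_cert_from_response(signed, CA_CERT)
  good = build_outer_profile(encrypt_payload(PAYLOAD_ARRAY, dev_cert))
  bad  = build_outer_profile(encrypt_payload(PAYLOAD_ARRAY, CA_CERT))
  { recipient_is_device: dev_cert.to_der == DEV_CERT.to_der,
    device_plaintext: device_decrypt(good, DEV_KEY, DEV_CERT),
    server_cert_result: device_decrypt(bad, DEV_KEY, DEV_CERT) }
end

if __FILE__ == $PROGRAM_NAME
  r = run_flow
  puts "recipient is the device cert: #{r[:recipient_is_device]}"
  puts "profile decrypts on device:   #{r[:device_plaintext] == PAYLOAD_ARRAY}"
  puts "server-cert profile decrypts: #{!r[:server_cert_result].nil?}"
end
```

The recipient lookup matches the SignerInfo's issuer and serial against the certificates embedded in the signed response rather than taking the first certificate blindly, so a response that bundles a chain still yields the device's own certificate.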

Jul 8, 2014 2:44 AM in response to venkygct

I have a C++ version of Profile Service. The same problem:

Jul 8 16:38:51 iPhone-*** profiled[1454] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...
Jul 8 16:38:51 iPhone-*** profiled[1454] <Notice>: (Note ) MC: Issued certificate received.
Jul 8 16:38:52 iPhone-*** profiled[1454] <Notice>: (Note ) MC: Retrieving profile from OTA Profile service...
Jul 8 16:38:52 iPhone-*** profiled[1454] <Notice>: (Error) MC: Decryption failed: NSError:
Desc : Profile could not be decrypted
Sugg : Decryption key for this profile is not installed.
US Desc: Profile could not be decrypted
US Sugg: Decryption key for this profile is not installed.
Domain : MCProfileErrorDomain
Code : 1006
Type : MCFatalError


I have compared all my certificates generated from C++ (X509, PKCS7, etc.). They are similar to the Apple Ruby example. I cannot imagine what I should check next.


Has anyone solved the issue?
