OTA Mobileconfig encryption - profile could not be decrypted - Decryption key for this profile is not installed.
Hi -
I'm trying OTA enrollment. I'm using MS-AD for SCEP.
1. In step 1 the device responds with device details signed by the private key from the certificate from Apple.
2. In step 2 my profile service sends a message to get a certificate from the SCEP (AD) server.
3. In step 3 the device responds with device details signed by the private key from the certificate from the SCEP server.
4. In step 4 my profile service encrypts the profile with the public key from the certificate from the SCEP server.
I'm getting a message that the profile can't be decrypted. The exact error message is
"OTA Mobileconfig encryption - profile could not be decrypted - Decryption key for this profile is not installed."
Can somebody confirm if the format of my encrypted profile is correct?
Here is the encrypted profile. The encrypted payload is between the <data> tags. The unencrypted version of the payload is also listed below.
1. Encrypted profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EncryptedPayloadContent</key>
<data>
......Redacted - the encrypted data .....
</data>
<key>PayloadDescription</key>
<string>Profile description.</string>
<key>PayloadDisplayName</key>
<string>MyCompany Test Profile</string>
<key>PayloadIdentifier</key>
<string>com.mycompany.profile</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C4BBB40B-1BFB-4CFC-83E1-A1D5270D05D3</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
2. Payload in plain text. I'm inserting this payload between the <data> tags after encryption.
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures device restrictions.</string>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.houston.profile.restrictions</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>61FD34AC-F388-44B5-BCD7-C602CB382469</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowAddingGameCenterFriends</key>
<false/>
<key>allowAppInstallation</key>
<false/>
<key>allowAssistant</key>
<false/>
<key>allowCamera</key>
<false/>
<key>allowCloudBackup</key>
<false/>
<key>allowCloudDocumentSync</key>
<false/>
<key>allowDiagnosticSubmission</key>
<false/>
<key>allowExplicitContent</key>
<false/>
<key>allowGlobalBackgroundFetchWhenRoaming</key>
<false/>
<key>allowInAppPurchases</key>
<false/>
<key>allowMultiplayerGaming</key>
<false/>
<key>allowPhotoStream</key>
<false/>
<key>allowSafari</key>
<false/>
<key>allowScreenShot</key>
<false/>
<key>allowUntrustedTLSPrompt</key>
<false/>
<key>allowVideoConferencing</key>
<true/>
<key>allowVoiceDialing</key>
<false/>
<key>allowYouTube</key>
<false/>
<key>allowiTunes</key>
<false/>
<key>forceEncryptedBackup</key>
<false/>
<key>forceITunesStorePasswordEntry</key>
<false/>
<key>ratingApps</key>
<integer>1000</integer>
<key>ratingMovies</key>
<integer>1000</integer>
<key>ratingRegion</key>
<string>us</string>
<key>ratingTVShows</key>
<integer>1000</integer>
</dict>
</array>
iPad 2, MS-AD for SCEP server
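Added example, not code from the post above: a structural check of the EncryptedPayloadContent blob. The value inside <data> has to be a DER-encoded CMS ContentInfo of type EnvelopedData (RFC 5652) whose RecipientInfo names the certificate the device obtained via SCEP; a device that holds no private key matching any recipient in that envelope cannot decrypt the profile. The DER parser is a minimal hand-written one that handles only KeyTransRecipientInfo with issuerAndSerialNumber, and the sample envelope it inspects is constructed here with dummy key and ciphertext bytes, not real device data.

```python
import plistlib

OID_ENVELOPED = bytes.fromhex("2a864886f70d010703")   # id-envelopedData 1.2.840.113549.1.7.3

def _der(tag, body):  # minimal DER TLV encoder, used only to build the constructed sample
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _children(buf):  # decode the immediate (tag, value) TLV children of a DER value
    out, off = [], 0
    while off < len(buf):
        tag, ln, off = buf[off], buf[off + 1], off + 2
        if ln & 0x80:                          # long-form length
            k = ln & 0x7F
            ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
        out.append((tag, buf[off:off + ln]))
        off += ln
    return out

def recipient_serials(profile_bytes):  # serials named by the envelope's KeyTransRecipientInfos
    plist = plistlib.loads(profile_bytes)
    blob = plist.get("EncryptedPayloadContent")
    if not isinstance(blob, bytes) or "PayloadContent" in plist:
        raise ValueError("EncryptedPayloadContent must be <data> and replace PayloadContent")
    ctype, content = _children(_children(blob)[0][1])[:2]      # ContentInfo
    if ctype != (0x06, OID_ENVELOPED) or content[0] != 0xA0:   # content is [0] EXPLICIT
        raise ValueError("not a CMS EnvelopedData ContentInfo")
    env = _children(_children(content[1])[0][1])               # EnvelopedData fields
    rinfos = next(v for t, v in env if t == 0x31)              # SET OF RecipientInfo
    # KeyTransRecipientInfo: version, IssuerAndSerialNumber{issuer, serial}, alg, encryptedKey
    return [int.from_bytes(_children(_children(ri)[1][1])[1][1], "big")
            for t, ri in _children(rinfos) if t == 0x30]

def matches_device(profile_bytes, device_cert_serial):  # does the envelope name this cert?
    try:
        return device_cert_serial in recipient_serials(profile_bytes)
    except (ValueError, KeyError, StopIteration, IndexError):
        return False

def sample_profile(serial):
    """Constructed stand-in: one RSA recipient, dummy encrypted key and ciphertext."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")  # rsaEncryption
    rid = _der(0x30, _der(0x30, b"") + _der(0x02, serial.to_bytes(2, "big")))       # issuer, serial
    ri = _der(0x30, _der(0x02, b"\x00") + rid + alg + _der(0x04, b"\x00" * 8))
    eci = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")) + alg + _der(0x80, b"\x00" * 16))
    env = _der(0x30, _der(0x02, b"\x00") + _der(0x31, ri) + eci)
    ci = _der(0x30, _der(0x06, OID_ENVELOPED) + _der(0xA0, env))
    return plistlib.dumps({"PayloadType": "Configuration", "EncryptedPayloadContent": ci})
```

Compare the serials it reports against the serial on the certificate the device received from SCEP in step 2; a real blob can also be cross-checked with `openssl cms -cmsout -inform DER -print`.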