
Profiles not being signed

My Configuration Profiles that are being pushed to machines are showing up as "Unsigned" in System Preferences->Profiles


The trust profiles and enrollment profiles are showing up as Verified but it doesn't look like those use the same cert for signing. Not sure if that is intentional or if I goofed something up. Can't find any documentation that goes that deep into the certs required for PM.


In the Keychain(server side) I have 4 relevant self-signed certs:

- OD Certificate Authority (Company.com Root CA)

- Intermediate CA signed by the above CA (Company.com Intermediate)

- Code Signing Cert signed by the Intermediate above (Company.com Code Signing Cert)

- Another cert signed by the Intermediate. In the cert its purpose is "Server Authentication" (Company.com cert)


The only cert that the clients have installed and trusted is the first OD Certificate Authority (Company.com Root CA)


In Server.app under certificates I have

Settings

- Secure server settings using - Intermediate CA (Company.com Intermediate)

Certificates

- Another cert (Company.com cert) that last one on the list from above

- Code Signing Cert (Company.com Code Signing Cert)


Under Profile Manager:

- Sign Configuration Profiles box is checked

- Clicking edit shows me its using the Code Signing Cert


When I look at the Trust Profile through System Preferences on a client machine it says that it contains 2 certificates. They are both the same - OD Certificate Authority. When I look in the client keychain, only one copy is found. Something seems flaky here but I don't know how to modify the Trust Profile.


The same thing with the Remote Management Profile. 2 identical certs - OD Certificate Authority. Again, no idea how to modify this.


Any help would be appreciated. Thanks!

Posted on Feb 24, 2015 8:18 AM


8 replies
Question marked as Best reply

Mar 5, 2015 1:19 PM in response to jjpotter

I'm in the same boat. If you download the profile directly from the server is it signed? For me the only time the profile is not signed is if it is pushed via APN. If I download the profile direct and install, the certificate is there and it says Verified. Via APN it says unsigned.


Some background:


This is a Mac Mini running 10.10.2 with server 4.0.3. Web services are running under a certificate issued by my company's CA and not the OD CA that profile manager creates during initial setup. Again, doesn't seem to be an issue since enrollment works and downloaded profiles seem okay. It is only when I push the profile via APN that it strips or cannot find the signing cert.

Mar 5, 2015 1:27 PM in response to tvieson

Yes, if they are downloaded, they are signed. I have read in a few different places that it is the intended function that they aren't signed if they are pushed profiles. I guess the logic being that if the machine is already enrolled in PM there's no need for the extra verification. It would be nice to find something in Apple's documentation that at least hinted this is the case, but I haven't been able to find it.


For now I'm just downloading the profiles and pushing them out with Munki. It has worked out very well for me.

Mar 6, 2015 5:38 AM in response to jjpotter

If you take the 'easy' route then Apple's Server.app will auto-generate all the certificates for you including a code-signing certificate. There are however two other ways, one is to buy an official server certificate and an official code-signing certificate - these are not the same thing. The other way is to generate your own self-signed server certificate using your own self-signed rootCA and one can also generate one's own self-signed code-signing certificate using the same self-signed rootCA.


The 'Trust' profile tells your devices to trust your self-signed rootCA, when you buy an official server certificate and/or official code-signing certificate these are signed by a 'well known' rootCA which is usually already installed and trusted on all computers.


I am using my own self-signed rootCA, and my own server certificates signed by my own self-signed rootCA. I am also using my own code-signing certificate, again signed by my own self-signed rootCA. I can tell you from this experience that while generating a server certificate this way via openssl or possibly Keychain Access is relatively straightforward, generating a code-signing certificate this way verges on the impossible. I use XCA, a free tool that acts as a front-end for openssl, to generate my self-signed rootCA, my server certificates, my code-signing certificate and if needed client certificates.


You do need to define different attributes for a code-signing certificate.


The end result is that all my certificates work and Profile Manager does show everything as both correctly Verified i.e. 'green' and correctly signed. While I pre-install the trust and enrolment profiles (and certificates) via my computer imaging process the settings profiles are then pushed over the air from Profile Manager, as stated this is working fine for me.


An added bonus is that I have been able to set longer expiration dates on my certificates. Apple's auto-generated ones if you use them only last a year.


Finally, push certificates are another totally different kind of certificate. These can only be generated via Apple's APNS web portal. This is because they have to be used with Apple's push notification servers. They are not the same thing as a code-signing certificate or a server certificate. You do not buy them; they are free from Apple via the APNS portal. See https://identity.apple.com/pushcert/


If you are using Profile Manager then it includes a built-in wizard which automates generating an APNS certificate. If you are using an alternative MDM system you have to create a Certificate Signing Request (CSR) from your MDM and upload it to the Apple APNS portal to generate a push certificate.
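Two things the thread leaves as open questions are easy to check from a shell: whether a given .mobileconfig is actually signed and by which certificate (tvieson's downloaded-versus-pushed comparison above), and what "different attributes" a code-signing certificate needs compared with a server certificate. The script below is an added example, not code from the thread, from Apple or from Server.app: it builds a throwaway root CA and a code-signing leaf with openssl, signs a constructed minimal profile as CMS/DER with the content embedded (which is what a signed .mobileconfig is), then verifies it against the right trust anchor and against an unrelated one. All file names, the "Company.com" subjects and the "Some Other Root CA" anchor are hypothetical.

```shell
#!/bin/sh
# Added example; not from the thread or from Apple's tooling. Everything is
# written under $WORK (hypothetical names). Requires only openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Own request/extension config so nothing depends on the system openssl.cnf.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# The attributes a server certificate does not carry: digitalSignature
# key usage plus the codeSigning extended key usage.
[v3_codesign]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root: the one cert the thread's clients have installed.
make_root() {  # $1 = basename, $2 = CN
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Code-signing leaf issued directly by the root (see the usage note for
# the intermediate case the thread describes).
make_signer() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" -subj "/CN=Company.com Code Signing Cert" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1825 -sha256 \
    -extfile "$WORK/openssl.cnf" -extensions v3_codesign \
    -out "$WORK/signer.pem" 2>/dev/null
}

# Constructed, minimal profile standing in for a Profile Manager export.
make_profile() {  # $1 = output path
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.settings</string>
  <key>PayloadUUID</key><string>6C1E0B2A-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array/>
</dict>
</plist>
EOF
}

# Wrap the plist in CMS SignedData with the content embedded; -binary keeps
# the bytes exactly as written instead of S/MIME text canonicalisation.
sign_profile() {  # $1 = plain plist, $2 = signed output
  openssl smime -sign -binary -nodetach -md sha256 -outform DER \
    -signer "$WORK/signer.pem" -inkey "$WORK/signer.key" -in "$1" -out "$2"
}

# Chain-verify against a trust anchor and recover the inner plist. openssl's
# default verify purpose is S/MIME, which rejects a codeSigning-only EKU;
# -purpose any limits the check to "does the chain reach this anchor".
verify_profile() {  # $1 = signed profile, $2 = CA file, $3 = recovered plist
  openssl smime -verify -inform DER -purpose any \
    -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

# Subjects of the certificate(s) carried inside the signature: the quick way
# to see which cert signed a downloaded versus a pushed copy.
signer_subjects() {  # $1 = signed profile
  openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep '^subject='
}

# Signed at all? An unsigned .mobileconfig is bare XML and fails to parse.
is_signed() {  # $1 = profile
  openssl pkcs7 -inform DER -in "$1" -noout >/dev/null 2>&1
}

main() {
  write_config
  make_root root "Company.com Root CA"
  make_root other "Some Other Root CA"   # an anchor the signer does NOT chain to
  make_signer
  make_profile "$WORK/settings.mobileconfig"
  sign_profile "$WORK/settings.mobileconfig" "$WORK/settings.signed.mobileconfig"
  printf 'signed by: '; signer_subjects "$WORK/settings.signed.mobileconfig"
  if verify_profile "$WORK/settings.signed.mobileconfig" "$WORK/root.pem" "$WORK/recovered.plist" \
     && cmp -s "$WORK/settings.mobileconfig" "$WORK/recovered.plist"; then
    echo "verified against Company.com Root CA, payload intact"
  fi
  if ! verify_profile "$WORK/settings.signed.mobileconfig" "$WORK/other.pem" "$WORK/bad.plist"; then
    echo "rejected against an anchor the signer does not chain to"
  fi
}
main
```

Two practitioner notes. First, if the signer is issued by an intermediate that the clients do not have installed (the thread's setup: clients trust only the root), the intermediate must travel inside the signature (add `-certfile intermediate.pem` to the `openssl smime -sign` call) or be installed on the clients, otherwise the chain cannot be built to the root. Second, on a Mac `security cms -D -i signed.mobileconfig` unwraps a signed profile the same way `verify_profile` does here, which is a convenient way to compare a profile saved from the Profile Manager web page with one delivered over APNS.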

Mar 6, 2015 6:32 AM in response to John Lockwood

Thanks for the information John. It does sound like we have the same approach but are getting different results. Contrary to jjpotter's conclusion it does sound as though the APN provided profile can include a self-issued certificate. Our issue must be somewhere in the differences between your environment and ours. Is your profile manager server directly accessible from the internet?


Mine is currently on the internal tier and I'm able to access Apple services via firewall exceptions. Meaning contact from a device outside of our internal tier is not possible unless initiated from within the network.

Mar 6, 2015 6:45 AM in response to tvieson

tvieson wrote:


Thanks for the information John. It does sound like we have the same approach but are getting different results. Contrary to jjpotter's conclusion it does sound as though the APN provided profile can include a self-issued certificate. Our issue must be somewhere in the differences between your environment and ours. Is your profile manager server directly accessible from the internet?


Mine is currently on the internal tier and I'm able to access Apple services via firewall exceptions. Meaning contact from a device outside of our internal tier is not possible unless initiated from within the network.

No, an APNS certificate is never self-signed; it is always signed by Apple, as it is issued by them. Remember an APNS certificate is nothing directly to do with signing your profiles or acting as your server certificate. APNS is merely the Apple servers telling your client that there is a message i.e. profile waiting for them on your Profile Manager server. Your Profile Manager server would still be responsible for giving the profile to the client when it then 'phones home' to collect it.


Your original issue of profiles not being signed would possibly be to do with your code-signing certificate, which, as stated, has nothing to do with Apple Push Notifications.


You can as I mentioned make your own self-signed code-signing certificate although as I also mentioned this is much harder than an ordinary server certificate.

Mar 22, 2016 12:49 PM in response to jjpotter

I'm having this problem as well.

Biggest difference is that my 'third party' domain and certs are from my local MS domain and CA.

I've had difficulty with many aspects of using Server as an MDM. Still don't have this functioning, yet.

(I would note that I've already reinstalled Server app completely to fix a broken PM web site and this still hasn't fixed everything)


From the Mydevices web page, the Trust and MDM profiles can be loaded, installed and show as verified. The installed/verified Trust profile does include both the Root CA and Code Signing certs.

Why, then, can the Enrollment Profile not install/verify from the Mydevices web page when it is signed by the same Code Signing certificate?

I can, however, log into the Profilemanager web page and download/install the profile and it will be verified. (??!!!)


Even so, I can't push any profile updates or install new software to the client, so its use as an MDM is hamstrung.
