I was recently tasked with creating an iOS configuration profile (.mobileconfig) that would submit a SCEP request to our Microsoft CA’s NDES server. The NDES server would then, in response to the request, issue a certificate to the requesting device.
Easy enough, right? Well, as it turns out, no.
Everything worked fine until I tried to include the challenge pre-shared secret in the profile. If I included the challenge, the profile behaved as if I hadn't: it still prompted me to enter the challenge. I could type the challenge in manually, the request was submitted, and I received the certificate back from the NDES server. The problem was only that the profile did not see the challenge that was already in it.
I used Apple Configurator to create the configuration profile (.mobileconfig). (For the record, I also tried Profile Manager and got the same result.) Here is what the config profile looked like:
Now, as you may know, a configuration profile is just an XML property list. Apple Configurator is a GUI that writes that XML for you. Let's take a look at the XML behind the above .mobileconfig.
Take a look at lines 8 and 9. That's the Challenge. The reason iOS wasn't seeing the challenge was that it wasn't in the correct dictionary. For some reason, Apple Configurator placed it at the top level of the SCEP payload (next to PayloadType, PayloadUUID and so on) instead of inside the payload's PayloadContent dictionary, which is where the SCEP settings (URL, Name, Subject, Challenge, key size) belong.
To fix it, all I did was cut lines 8 and 9 and paste them below line 36, inside the PayloadContent dictionary. Now the Challenge is included in the SCEP request and all is well.
The only other thing to note: if you plan to sign your .mobileconfig with a code signing certificate, make the above change before you sign the file. Signing wraps the XML in a CMS (PKCS#7) signature, so editing the file afterward corrupts both the file and the signature, and you will have to re-sign from the fixed plain XML.
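The manual cut-and-paste above is easy to get wrong on a profile with several payloads, and it has to happen on the unsigned XML. The following script is an added example (not from the original post, and not an Apple tool): it loads a .mobileconfig with the standard library's plistlib, finds every payload of type com.apple.security.scep whose Challenge sits at the payload level rather than inside PayloadContent, moves it, and refuses to touch anything that is not plain XML, which is what a signed profile looks like to plistlib. The embedded sample profile is constructed for this example; its hostname, identifiers and challenge value are placeholders.

```python
import plistlib
from xml.parsers.expat import ExpatError

SCEP_PAYLOAD_TYPE = "com.apple.security.scep"

# Constructed sample (not the author's profile): one SCEP payload whose
# Challenge was emitted next to PayloadType instead of inside the payload's
# PayloadContent dictionary. Hostname, identifiers and challenge are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Challenge</key>
      <string>EXAMPLE-CHALLENGE</string>
      <key>PayloadContent</key>
      <dict>
        <key>Key Type</key>
        <string>RSA</string>
        <key>Keysize</key>
        <integer>2048</integer>
        <key>Name</key>
        <string>NDES</string>
        <key>URL</key>
        <string>https://ndes.example.com/certsrv/mscep/mscep.dll</string>
      </dict>
      <key>PayloadIdentifier</key>
      <string>com.example.scep</string>
      <key>PayloadType</key>
      <string>com.apple.security.scep</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadIdentifier</key>
  <string>com.example.profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
"""


def is_unsigned_xml_profile(profile_bytes):
    """True if the bytes are a plain plist plistlib can read.

    A signed .mobileconfig is a CMS (PKCS#7) DER blob wrapping the XML;
    plistlib rejects it, which tells us the fix must run before signing.
    """
    try:
        plistlib.loads(profile_bytes)
        return True
    except (plistlib.InvalidFileException, ExpatError):
        return False


def load_profile(profile_bytes):
    """Parse the profile into a dict (raises on signed or malformed input)."""
    if not is_unsigned_xml_profile(profile_bytes):
        raise ValueError("not a plain XML profile; is it already signed?")
    return plistlib.loads(profile_bytes)


def misplaced_challenges(profile_bytes):
    """PayloadIdentifiers of SCEP payloads whose Challenge is outside PayloadContent."""
    return [
        p.get("PayloadIdentifier", "<no identifier>")
        for p in load_profile(profile_bytes).get("PayloadContent", [])
        if p.get("PayloadType") == SCEP_PAYLOAD_TYPE
        and "Challenge" in p
        and "Challenge" not in p.get("PayloadContent", {})
    ]


def fix_scep_challenge(profile_bytes):
    """Move each misplaced Challenge into its SCEP payload's PayloadContent.

    Returns (fixed_profile_bytes, identifiers_of_payloads_changed).
    A Challenge that is already inside PayloadContent is never overwritten.
    """
    profile = load_profile(profile_bytes)
    fixed = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != SCEP_PAYLOAD_TYPE:
            continue
        content = payload.setdefault("PayloadContent", {})
        if "Challenge" in payload and "Challenge" not in content:
            content["Challenge"] = payload.pop("Challenge")
            fixed.append(payload.get("PayloadIdentifier", "<no identifier>"))
    return plistlib.dumps(profile), fixed


if __name__ == "__main__":
    import sys
    # Usage: python fix_scep_challenge.py [profile.mobileconfig]; writes <name>.fixed
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_PROFILE
    print("misplaced before fix:", misplaced_challenges(data))
    fixed_bytes, fixed_ids = fix_scep_challenge(data)
    print("payloads fixed:", fixed_ids)
    if path:
        open(path + ".fixed", "wb").write(fixed_bytes)
```

Run it against the unsigned .mobileconfig exported from Apple Configurator, then sign the `.fixed` output. plistlib.dumps rewrites the XML with sorted keys, so the line numbers quoted above will not match the regenerated file, but the structure is the same and iOS does not care about key order.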