ios - Apple iOS MDM 服务器设置设备注册/配置

Question

我们正在尝试设置我们自己的内部 iOS MDM 服务器，但我们遇到了一些问题，即根据 Apple 文档，我们看到的内容不一定与我们的预期相符。

按照 Apple 网站上的说明，我们设置了一个网页，用户可以在其中通过单击链接来注册他们的设备。此链接使设备经历“设备注册过程”，如苹果“Over-The-Air Profile Delivery and Configuration”文档的图 1.1 所示：https ://developer.apple.com/library/ios/#文档/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html

我们的问题是：在上述文档的第 3 阶段（设备配置）开始之前，我们的功能都按预期运行。但是，当我们查看 Web 服务器和设备之间的流量时，注册流程似乎执行了两次。根据文档，这些是我们希望看到的服务器调用：

/enroll
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA

然而，实际上，我们看到调用块执行了两次，一个接着一个，看起来是相同的数据。有没有人看到这种行为，这是预期的吗？

一个更紧迫的问题是，在执行第 2 阶段、第 3 步之后，我们将生成的证书传递给设备，设备成功安装。但是，根据文档，此时我们应该从设备获得响应，我们可以使用新的配置文件以及我们想要在设备上设置的设置来回复它。然而，我们从来没有得到那个回应，即使到那时为止的一切似乎都已成功完成。有谁知道为什么没有发送响应，或者当时可能出了什么问题？

提前致谢，

使用 iphone 配置实用程序检索的设备日志：

<Notice>: (Note ) MC: Profile “com.test.profileservice.scep” queued for installation.
<Notice>: (Note ) MC: Checking for MDM installation...
<Notice>: (Note ) MC: ...finished checking for MDM installation.
<Notice>: (Note ) MC: Enrolling in OTA Profile service...
<Error>: Jan 25 16:34:13  SecTrustEvaluate  [leaf AnchorTrusted]
<Error>: Jan 25 16:34:14  SecTrustEvaluate  [leaf AnchorTrusted]
<Notice>: (Note ) MC: Attempting to retrieve issued certificate...
<Notice>: (Note ) MC: Issued certificate received.
<Notice>: (Note ) MC: Retrieving profile from OTA Profile service...
<Notice>: (Note ) MC: Received final profile: Test Config
<Notice>: (Note ) MC: Beginning profile installation...
<Error>: Jan 25 16:34:17  SecTrustEvaluate  [leaf AnchorTrusted]
<Notice>: (Note ) MC: Attempting to retrieve issued certificate...
<Notice>: (Note ) MC: Issued certificate received.
<Notice>: (Note ) MC: Profile “Test Config” installed.
<Error>: Checking for changed log settings
<Error>: valid 0 value 0
<Error>: Verbose logging disabled
<Notice>: (Note ) MC: mc_mobile_tunnel starting.
<Notice>: (Note ) MC: mc_mobile_tunnel shutting down.

发送到 MDM 服务器的完整请求流：

/enroll
/checkin
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA
/checkin
/scep?operation=GetCACert&message=EnrollmentCAInstance
/scep?operation=GetCACaps&message=EnrollmentCAInstance
/scep?operation=PKIOperation&message=MII.....AAA

添加作为 SCEP 配置的一部分发回的有效负载：

<plist version="1.0">
  <dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>Ignored</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadIdentifier</key>
    <string>Test Config</string>
    <key>PayloadDisplayName</key>
    <string>Test Profile:SCEP</string>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadContent</key>
        <dict>
          <key>URL</key>
          <string>https://test.com/mdm_scep</string>
          <key>Name</key>
          <string>EnrollmentCAInstance</string>
          <key>Subject</key>
          <array>
            <array>
              <array>
                <string>O</string>
                <string>Test Organization, Inc.</string>
              </array>
            </array>
            <array>
              <array>
                <string>CN</string>
                <string>test.com</string>
              </array>
            </array>
          </array>
          <key>Challenge</key>
          <string>DummyChallenge</string>
          <key>Keysize</key>
          <integer>1024</integer>
          <key>Key Type</key>
          <string>RSA</string>
          <key>Key Usage</key>
          <integer>5</integer>
        </dict>
        <key>PayloadDescription</key>
        <string>Provides device encryption identity</string>
        <key>PayloadUUID</key>
        <string>12345678-1234-1234-1234-123456789012</string>
        <key>PayloadType</key>
        <string>com.apple.security.scep</string>
        <key>PayloadDisplayName</key>
        <string>Encryption Identity</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadOrganization</key>
        <string>Test Organization, Inc.</string>
        <key>PayloadIdentifier</key>
        <string>com.test.profileservice.scep</string>
      </dict>
    </array>
  </dict>
</plist>

Answer 1

回答您关于两个 SCEP 块执行的问题。

请看一下这个问题： 更新过期的 iO​​S MDM 配置文件

在答案中，我描述了为什么设备会进行两次 SCEP 调用。这是每个设计（没有错）。

关于第 2 阶段第 3 步的问题。请您 a) 在您的问题中添加对服务器的调用的完整打印输出 b) 设备日志

当我使用 MDM 时，我发现如果没有这两条信息，几乎不可能对其进行故障排除。

-- 更新 1 --

正确的调用顺序如下

协议的OTA部分

/enroll
返回：第一个配置文件请求 UDID、IMEI 等

/profile
输入：由 iOS 设备私钥签名的 UDID、IMEI 等 / 返回：带有 SCEP 有效负载的配置文件

/scep?operation=GetCACert&message=EnrollmentCAInstance

/scep?operation=GetCACaps&message=EnrollmentCAInstance

/scep?operation=PKIOperation&message=MII.....AAA

This is SCEP calls for device to get an identify which is used for OTA part Return: OTA identity certificate.

/profile

Input: UDID, IMEI etc signed by private key associated with OTA certificate Return: Profile with SCEP payload + MDM payload

/scep?operation=GetCACert&message=EnrollmentCAInstance

/scep?operation=GetCACaps&message=EnrollmentCAInstance

/scep?operation=PKIOperation&message=MII.....AAA

This is SCEP calls for device to get an identify which is used for MDM part Return: MDM identity certificate.

MDM PART of PROTOCOL

/checkin Input: Checkin request Return: HTTP code 200

As you can see it's VERY different from what you have. Did you implement everything as described in [OTA Delivery and Configuration][1]? It's really hard to guess what's wrong, because it looks like the whole part of "/profile" usage is missing.

I would recommend to start from the very beginning and make sure that each call to the server is done in described order and return described return profiles.