Error when combining SCEP and MDM payloads - enrollment server did not provision valid identity certificate
<p>I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web service in C# .NET and I know that the device can get a valid certificate when I just send the SCEP payload. However, when I also include an MDM payload that points to the SCEP payload's UUID via the IdentityCertificateUUID key, I get the following error: "<strong>The enrollment server did not provision a valid identity certificate.</strong>" This configuration is the one that is sent after the user chooses to install the initial enrollment configuration (step 1 of phase 2 in <a href="http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html">this</a> diagram).</p>
<p>The device doesn't appear to even make an attempt at connecting to my server, and thanks to server-side logging I know that it never reaches my SCEP web service page. This seems to indicate that there's something wrong with the certificate I use to sign the payload. I've separately tried signing it with my SSL certificate (from a pre-trusted root authority), my customer MDM push certificate (chained from our vendor cert), and my self-signed root certificate authority certificate (created via makecert.exe) that the SCEP service uses to issue new certificates (i.e. device identity certificates).</p>
<p>I've looked at the output from the iPCU (iPhone Configuration Utility) when I create a profile with both the MDM and SCEP payloads, and it isn't a valid profile (I've even tried copying it nearly wholesale). However, when I install the profile via the iPCU the error doesn't come up and it begins the SCEP enrollment process without issue.</p>
<p>A side note - using a preexisting MDM vendor is not an option here.</p>
<p>Below is the profile I'm using:</p>
<pre><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
&lt;plist version="1.0"&gt;
&lt;dict&gt;
  &lt;key&gt;PayloadContent&lt;/key&gt;
  &lt;array&gt;
    &lt;dict&gt;
      &lt;key&gt;PayloadContent&lt;/key&gt;
      &lt;dict&gt;
        &lt;key&gt;Challenge&lt;/key&gt;
        &lt;string&gt;this is a challenge&lt;/string&gt;
        &lt;key&gt;Key Type&lt;/key&gt;
        &lt;string&gt;RSA&lt;/string&gt;
        &lt;key&gt;Key Usage&lt;/key&gt;
        &lt;integer&gt;5&lt;/integer&gt;
        &lt;key&gt;Keysize&lt;/key&gt;
        &lt;integer&gt;1024&lt;/integer&gt;
        &lt;key&gt;Name&lt;/key&gt;
        &lt;string&gt;mycompany&lt;/string&gt;
        &lt;key&gt;Retries&lt;/key&gt;
        &lt;integer&gt;3&lt;/integer&gt;
        &lt;key&gt;RetryDelay&lt;/key&gt;
        &lt;integer&gt;0&lt;/integer&gt;
        &lt;key&gt;Subject&lt;/key&gt;
        &lt;array&gt;
          &lt;array&gt;
            &lt;array&gt;
              &lt;string&gt;CN&lt;/string&gt;
              &lt;string&gt;mycompany&lt;/string&gt;
            &lt;/array&gt;
          &lt;/array&gt;
        &lt;/array&gt;
        &lt;key&gt;URL&lt;/key&gt;
        &lt;string&gt;https://mysite.com/scep.aspx&lt;/string&gt;
      &lt;/dict&gt;
      &lt;key&gt;PayloadDescription&lt;/key&gt;
      &lt;string&gt;Configures SCEP&lt;/string&gt;
      &lt;key&gt;PayloadDisplayName&lt;/key&gt;
      &lt;string&gt;SCEP (mycompany)&lt;/string&gt;
      &lt;key&gt;PayloadIdentifier&lt;/key&gt;
      &lt;string&gt;com.mycompany.mdm.scep1&lt;/string&gt;
      &lt;key&gt;PayloadOrganization&lt;/key&gt;
      &lt;string&gt;&lt;/string&gt;
      &lt;key&gt;PayloadType&lt;/key&gt;
      &lt;string&gt;com.apple.security.scep&lt;/string&gt;
      &lt;key&gt;PayloadUUID&lt;/key&gt;
      &lt;string&gt;57225d3d-0758-4d23-8093-e4d8c9bbd47c&lt;/string&gt;
      &lt;key&gt;PayloadVersion&lt;/key&gt;
      &lt;integer&gt;1&lt;/integer&gt;
    &lt;/dict&gt;
    &lt;dict&gt;
      &lt;key&gt;AccessRights&lt;/key&gt;
      &lt;integer&gt;3&lt;/integer&gt;
      &lt;key&gt;CheckInURL&lt;/key&gt;
      &lt;string&gt;mysite.com/checkin.aspx&lt;/string&gt;
      &lt;key&gt;CheckOutWhenRemoved&lt;/key&gt;
      &lt;false/&gt;
      &lt;key&gt;IdentityCertificateUUID&lt;/key&gt;
      &lt;string&gt;57225d3d-0758-4d23-8093-e4d8c9bbd47c&lt;/string&gt;
      &lt;key&gt;PayloadDescription&lt;/key&gt;
      &lt;string&gt;Configures MobileDeviceManagement.&lt;/string&gt;
      &lt;key&gt;PayloadIdentifier&lt;/key&gt;
      &lt;string&gt;com.mycompany.mdm.mdm2&lt;/string&gt;
      &lt;key&gt;PayloadOrganization&lt;/key&gt;
      &lt;string&gt;&lt;/string&gt;
      &lt;key&gt;PayloadType&lt;/key&gt;
      &lt;string&gt;com.apple.mdm&lt;/string&gt;
      &lt;key&gt;PayloadUUID&lt;/key&gt;
      &lt;string&gt;ed0ae41d-1aa7-4721-9fe9-139c1072132c&lt;/string&gt;
      &lt;key&gt;PayloadVersion&lt;/key&gt;
      &lt;integer&gt;1&lt;/integer&gt;
      &lt;key&gt;ServerURL&lt;/key&gt;
      &lt;string&gt;https://mysite.com/checkin.aspx&lt;/string&gt;
      &lt;key&gt;SignMessage&lt;/key&gt;
      &lt;false/&gt;
      &lt;key&gt;Topic&lt;/key&gt;
      &lt;string&gt;com.apple.mgmt.mypushsubject&lt;/string&gt;
      &lt;key&gt;UseDevelopmentAPNS&lt;/key&gt;
      &lt;true/&gt;
    &lt;/dict&gt;
  &lt;/array&gt;
  &lt;key&gt;PayloadDescription&lt;/key&gt;
  &lt;string&gt;Profile description.&lt;/string&gt;
  &lt;key&gt;PayloadDisplayName&lt;/key&gt;
  &lt;string&gt;Test Profile&lt;/string&gt;
  &lt;key&gt;PayloadIdentifier&lt;/key&gt;
  &lt;string&gt;com.mycompany.mdm&lt;/string&gt;
  &lt;key&gt;PayloadOrganization&lt;/key&gt;
  &lt;string&gt;mycompany&lt;/string&gt;
  &lt;key&gt;PayloadRemovalDisallowed&lt;/key&gt;
  &lt;false/&gt;
  &lt;key&gt;PayloadType&lt;/key&gt;
  &lt;string&gt;Configuration&lt;/string&gt;
  &lt;key&gt;PayloadUUID&lt;/key&gt;
  &lt;string&gt;13321058-4037-478c-9b1e-ef6f810065cb&lt;/string&gt;
  &lt;key&gt;PayloadVersion&lt;/key&gt;
  &lt;integer&gt;1&lt;/integer&gt;
&lt;/dict&gt;
&lt;/plist&gt;
</code></pre>