Introduction to the
A configuration profile (the "configuration description file", a .mobileconfig) is an XML property list that is installed on the device and carries configuration information, such as:
- Device security policies and access restrictions
- VPN configuration
- Wi-Fi settings
- Passcode policy settings
- Mobile Device Management (MDM) enrollment
- Email and calendar accounts
A profile can be created either with a tool (the iPhone Configuration Utility) or by writing the XML by hand. I used the tool for ease of use (it has reportedly been discontinued by Apple, but that does not affect generating the file).
Create a new configuration profile; it involves the following payloads:
- General: the identifier plays the same role as an app ID. "Security" controls whether the profile may be removed; by default removal is always allowed.
- Restrictions: keep the default settings. This payload sets device permissions, such as whether apps, the camera, iCloud and so on are allowed.
- Credentials: a PKCS#12 (.p12) file holding the identity certificate and private key the device uses to authenticate to the MDM server. Note that this P12 has nothing to do with Apple Developer Center certificates; it is simply a PKCS#12 container for a certificate and key issued by the server's own CA, and it is required for the HTTPS communication between device and server.
- Mobile Device Management: this payload is the important one. Its settings are:
  - Server URL: the URL the device connects to for every MDM transaction after enrollment.
  - Check-in URL: the URL used for the initial enrollment, i.e. the Authenticate and TokenUpdate messages (and the CheckOut message, see below).
  - Topic: the push topic, i.e. the User ID from the MDM push certificate created earlier, of the form com.apple.mgmt.External.*.
  - Identity: the certificate added under Credentials.
  - Check out when removed: when set to true, the device sends a CheckOut message to the check-in URL when the user removes the profile, so the MDM server can tell whether the device is still under management.
  - Access rights: keep the default value.
  - Use development APNs: whether the development APNs environment is used; it is not selected here.
That completes the configuration. When you save or export the profile, the tool prompts you to sign it.
The complete XML file generated
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configure access restrictions</string>
<key>PayloadDisplayName</key>
<string>Access restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.C6130962-2621-47FD-8E9C-8832BCE3C5B0</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>C6130962-2621-47FD-8E9C-8832BCE3C5B0</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowActivityContinuation</key>
<true/>
<key>allowAddingGameCenterFriends</key>
<true/>
<key>allowAppCellularDataModification</key>
<true/>
<key>allowAppInstallation</key>
<true/>
<key>allowAppRemoval</key>
<true/>
<key>allowAssistant</key>
<true/>
<key>allowAssistantWhileLocked</key>
<true/>
<key>allowAutoCorrection</key>
<true/>
<key>allowAutomaticAppDownloads</key>
<true/>
<key>allowBluetoothModification</key>
<true/>
<key>allowBookstore</key>
<true/>
<key>allowBookstoreErotica</key>
<true/>
<key>allowCamera</key>
<true/>
<key>allowChat</key>
<true/>
<key>allowCloudBackup</key>
<true/>
<key>allowCloudDocumentSync</key>
<true/>
<key>allowCloudPhotoLibrary</key>
<true/>
<key>allowDefinitionLookup</key>
<true/>
<key>allowDeviceNameModification</key>
<true/>
<key>allowEnablingRestrictions</key>
<true/>
<key>allowEnterpriseAppTrust</key>
<true/>
<key>allowEnterpriseBookBackup</key>
<true/>
<key>allowEnterpriseBookMetadataSync</key>
<true/>
<key>allowEraseContentAndSettings</key>
<true/>
<key>allowExplicitContent</key>
<true/>
<key>allowFingerprintForUnlock</key>
<true/>
<key>allowFingerprintModification</key>
<true/>
<key>allowGameCenter</key>
<true/>
<key>allowGlobalBackgroundFetchWhenRoaming</key>
<true/>
<key>allowInAppPurchases</key>
<true/>
<key>allowKeyboardShortcuts</key>
<true/>
<key>allowManagedAppsCloudSync</key>
<true/>
<key>allowMultiplayerGaming</key>
<true/>
<key>allowMusicService</key>
<true/>
<key>allowNews</key>
<true/>
<key>allowNotificationsModification</key>
<true/>
<key>allowOpenFromManagedToUnmanaged</key>
<true/>
<key>allowOpenFromUnmanagedToManaged</key>
<true/>
<key>allowPairedWatch</key>
<true/>
<key>allowPassbookWhileLocked</key>
<true/>
<key>allowPasscodeModification</key>
<true/>
<key>allowPhotoStream</key>
<true/>
<key>allowPredictiveKeyboard</key>
<true/>
<key>allowRadioService</key>
<true/>
<key>allowRemoteScreenObservation</key>
<true/>
<key>allowSafari</key>
<true/>
<key>allowScreenShot</key>
<true/>
<key>allowSharedStream</key>
<true/>
<key>allowSpellCheck</key>
<true/>
<key>allowSpotlightInternetResults</key>
<true/>
<key>allowUIAppInstallation</key>
<true/>
<key>allowUIConfigurationProfileInstallation</key>
<true/>
<key>allowUntrustedTLSPrompt</key>
<true/>
<key>allowVideoConferencing</key>
<true/>
<key>allowVoiceDialing</key>
<true/>
<key>allowWallpaperModification</key>
<true/>
<key>allowiTunes</key>
<true/>
<key>forceAirDropUnmanaged</key>
<false/>
<key>forceAssistantProfanityFilter</key>
<false/>
<key>forceEncryptedBackup</key>
<false/>
<key>forceITunesStorePasswordEntry</key>
<false/>
<key>forceWatchWristDetection</key>
<false/>
<key>ratingApps</key>
<integer>1000</integer>
<key>ratingMovies</key>
<integer>1000</integer>
<key>ratingRegion</key>
<string>us</string>
<key>ratingTVShows</key>
<integer>1000</integer>
<key>safariAcceptCookies</key>
<integer>2</integer>
<key>safariAllowAutoFill</key>
<true/>
<key>safariAllowJavaScript</key>
<true/>
<key>safariAllowPopups</key>
<true/>
<key>safariForceFraudWarning</key>
<false/>
</dict>
<dict>
<key>PayloadDescription</key>
<string>Configure password settings</string>
<key>PayloadDisplayName</key>
<string>Password</string>
<key>PayloadIdentifier</key>
<string>com.apple.mobiledevice.passwordpolicy.B52AEECB-63DD-4B05-AFB2-6B547038F8D7</string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadUUID</key>
<string>B52AEECB-63DD-4B05-AFB2-6B547038F8D7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowSimple</key>
<true/>
<key>forcePIN</key>
<true/>
<key>requireAlphanumeric</key>
<false/>
</dict>
<dict>
<key>Password</key>
<string>123456</string>
<key>PayloadCertificateFileName</key>
<string>P12</string>
<key>PayloadContent</key>
<data>
<!-- Base64-encoded content of the .p12 file -->
</data>
<key>PayloadDescription</key>
<string>Provides device identification (certificate or identity).</string>
<key>PayloadDisplayName</key>
<string>out.p12</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.pkcs12.ACACFDA4-64B4-46D5-A8BD-DB241775A394</string>
<key>PayloadOrganization</key>
<string>Gener-Tech</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>ACACFDA4-64B4-46D5-A8BD-DB241775A394</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>AccessRights</key>
<integer>8191</integer>
<key>CheckInURL</key>
<string>https://www..../checkin.do?deviceId=fc97f6b4524346a18f14d1a425986abb</string>
<key>CheckOutWhenRemoved</key>
<true/>
<key>IdentityCertificateUUID</key>
<string>ACACFDA4-64B4-46D5-A8BD-DB241775A394</string>
<key>PayloadDescription</key>
<string>Configure "Mobile Device Management"</string>
<key>PayloadDisplayName</key>
<string>Mobile device management</string>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.02D2C93A-3F6D-4E54-B15D-EECC1B7BD583</string>
<key>PayloadOrganization</key>
<string>Gener-Tech</string>
<key>PayloadType</key>
<string>com.apple.mdm</string>
<key>PayloadUUID</key>
<string>02D2C93A-3F6D-4E54-B15D-EECC1B7BD583</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ServerURL</key>
<string>https://www..../mdm/server.do?deviceId=fc97f6b4524346a18f14d1a425986abb</string>
<key>SignMessage</key>
<true/>
<key>Topic</key>
<string>com.apple.mgmt.External.*</string>
<key>UseDevelopmentAPNS</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Lock&amp;Reset All Settings&amp;Erase</string>
<key>PayloadDisplayName</key>
<string>Gener MDM Sever</string>
<key>PayloadIdentifier</key>
<string>net.myfleet.mdm</string>
<key>PayloadOrganization</key>
<string>Gener-Tech</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>984CE2FF-6BE1-49AE-A3EF-43B0B0EC9A11</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
You can edit this XML directly and add further keys as needed from the Configuration Profile Reference, or adapt it to your own requirements (but it is easy to miss a key or make a mistake); I prefer the iPhone Configuration Utility for convenience. Two points in the generated profile deserve a second look before it is distributed: the PKCS#12 payload's Password key is stored in cleartext in the profile, and PayloadRemovalDisallowed is false, so the user can remove the profile and un-enroll the device.
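Because a hand-edited profile fails silently when a UUID is duplicated or the IdentityCertificateUUID no longer matches the PKCS#12 payload, the following added example (not code from the original post) builds the same kind of enrollment profile with Python's standard plistlib and then lints it for the mistakes described above: non-https URLs, a malformed push topic, a dangling identity reference, an out-of-range AccessRights mask, a development APNs flag, a cleartext P12 password and a removable profile. The host mdm.example.com, the push topic, the organisation name and the placeholder .p12 bytes are assumptions for illustration only.

```python
"""Build an MDM enrollment profile with plistlib and lint it for common mistakes.

Added example, not code from the original post. Host, push topic, organisation
and the placeholder PKCS#12 bytes passed in by callers are assumptions.
"""
import plistlib
import uuid
from urllib.parse import urlparse

# Hypothetical values; a real deployment substitutes its own MDM host and the
# push topic (User ID) taken from its MDM push certificate.
MDM_HOST = "https://mdm.example.com"
PUSH_TOPIC = "com.apple.mgmt.External.00000000-placeholder"
ORG = "Example-Org"


def new_payload(ptype, name, description, **keys):
    """Common keys every payload dictionary needs; each PayloadUUID must be unique."""
    pid = str(uuid.uuid4()).upper()
    payload = {
        "PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": pid,
        "PayloadIdentifier": f"{ptype}.{pid}", "PayloadDisplayName": name,
        "PayloadDescription": description, "PayloadOrganization": ORG,
    }
    payload.update(keys)
    return payload


def build_enrollment_profile(p12_bytes, p12_password, host=MDM_HOST,
                             removal_disallowed=True, use_dev_apns=False):
    """Return the profile as XML plist bytes, the same shape as the XML above."""
    identity = new_payload(
        "com.apple.security.pkcs12", "MDM identity",
        "Device identity used to authenticate to the MDM server",
        PayloadCertificateFileName="identity.p12",
        PayloadContent=p12_bytes,            # bytes are serialised as <data>
        Password=p12_password)               # ends up in cleartext, see lint
    restrictions = new_payload(
        "com.apple.applicationaccess", "Restrictions", "Device restrictions",
        allowUntrustedTLSPrompt=False,       # the page's profile allows it
        forceEncryptedBackup=True,           # the page's profile disables it
        allowCamera=True, allowScreenShot=True)
    passcode = new_payload(
        "com.apple.mobiledevice.passwordpolicy", "Passcode", "Passcode policy",
        forcePIN=True, allowSimple=False, requireAlphanumeric=True, minLength=6)
    mdm = new_payload(
        "com.apple.mdm", "Mobile device management", "MDM enrollment",
        ServerURL=f"{host}/mdm/server", CheckInURL=f"{host}/checkin",
        Topic=PUSH_TOPIC,
        IdentityCertificateUUID=identity["PayloadUUID"],  # must match the pkcs12 payload
        AccessRights=8191, CheckOutWhenRemoved=True, SignMessage=True,
        UseDevelopmentAPNS=use_dev_apns)
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": "com.example.mdm.enrollment",
        "PayloadDisplayName": "Example MDM", "PayloadOrganization": ORG,
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [restrictions, passcode, identity, mdm],
    }
    return plistlib.dumps(profile)


def lint_profile(xml_bytes):
    """Return a list of findings for a profile; an empty list means all checks passed."""
    top = plistlib.loads(xml_bytes)
    payloads = top.get("PayloadContent", [])
    findings = []
    uuids = [top.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    if None in uuids or len(set(uuids)) != len(uuids):
        findings.append("every PayloadUUID must be present and unique")
    by_type = {}
    for p in payloads:
        by_type.setdefault(p.get("PayloadType"), []).append(p)
    mdm = by_type.get("com.apple.mdm", [])
    if len(mdm) != 1:
        findings.append("expected exactly one com.apple.mdm payload")
        return findings
    m = mdm[0]
    for key in ("ServerURL", "CheckInURL"):       # CheckInURL is optional
        if key in m and urlparse(m[key]).scheme != "https":
            findings.append(f"{key} must use https")
    if not str(m.get("Topic", "")).startswith("com.apple.mgmt."):
        findings.append("Topic is not an MDM push topic (com.apple.mgmt.*)")
    identity_uuids = {p.get("PayloadUUID") for t in ("com.apple.security.pkcs12",
                      "com.apple.security.scep") for p in by_type.get(t, [])}
    if m.get("IdentityCertificateUUID") not in identity_uuids:
        findings.append("IdentityCertificateUUID does not reference a pkcs12/scep payload")
    if not 0 <= int(m.get("AccessRights", -1)) <= 8191:
        findings.append("AccessRights must be a bit mask between 0 and 8191")
    if m.get("UseDevelopmentAPNS"):
        findings.append("UseDevelopmentAPNS is true; only valid with a development push certificate")
    if any(p.get("Password") for p in by_type.get("com.apple.security.pkcs12", [])):
        findings.append("pkcs12 payload carries its password in cleartext; encrypt the profile before distribution")
    if not top.get("PayloadRemovalDisallowed", False):
        findings.append("PayloadRemovalDisallowed is false: the user can remove the profile and un-enroll")
    return findings


if __name__ == "__main__":
    # Constructed placeholder bytes stand in for a real .p12 file.
    profile = build_enrollment_profile(b"\x30\x03\x02\x01\x00", "123456")
    for finding in lint_profile(profile):
        print("finding:", finding)
```

Run against the profile shown on this page (after repairing the XML), the linter reports the cleartext P12 password, the removable profile and the development APNs flag; the same checks run unchanged against a profile exported by the iPhone Configuration Utility, which is the point of keeping the lint separate from the builder.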
Sign the generated configuration file
The profile generated above can be installed directly on the device. The installation succeeds, but the profile is shown with a red "Unsigned" label.
Signing involves two separate operations:
1. Signing on the MDM server.
2. Signing with a certificate issued by Apple.
MDM Server signature
The following files are required:
- unsigned.mobileconfig: the original, unsigned configuration profile
- server.crt: the certificate used for signing on the server
- server.key: the private key of that certificate
- cert-chain.crt: the CA certificate chain that issued the server certificate
- signed.mobileconfig: the resulting signed profile
Run in a terminal:
openssl smime -sign -in unsigned.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach
(The above is the signing procedure used by the Java back end; I did not verify it myself and include it here only as a summary of the steps.)
My guess is that the MDM server's signature serves only to authenticate and encrypt the profile between server and client; it lets the two recognize each other, regardless of whether iOS recognizes the signer. That is why "Unsigned" is still displayed after this step. (This step can be omitted in actual testing.)
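The openssl command above wraps the plist in a DER-encoded CMS (PKCS#7) SignedData structure, and -nodetach keeps the plist inside that wrapper rather than alongside it. The following added example (not code from the original post or the quoted blog) walks the wrapper to recover the embedded plist and the signer certificates, so a signed .mobileconfig can be inspected offline and an unsigned one is recognised as a bare plist; it deliberately does not verify the signature (that is what openssl smime -verify or the device does). The sample profile and the placeholder certificate bytes it builds are constructed for the demonstration and carry no real signature; real openssl output is parsed by the same code.

```python
"""Unwrap a signed .mobileconfig (DER CMS SignedData, as produced by
`openssl smime -sign ... -outform der -nodetach`) to inspect its contents.

Added example, not code from the original post or the quoted blog. It parses the
wrapper to recover the embedded plist and the signer certificates; it does NOT
verify the signature (use `openssl smime -verify` for that).
"""
import plistlib

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1 data


def read_tlv(buf, pos):
    """Decode one definite-length DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in CMS SignedData")
    if length == 0x80:
        raise ValueError("indefinite length (BER); re-encode with openssl -outform der")
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, want, what):
    """read_tlv that insists on a particular tag; returns (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, nxt


def unwrap_mobileconfig(blob):
    """Return (plist_bytes, [signer certificate DER, ...], is_signed)."""
    head = blob.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"bplist"):
        return blob, [], False                       # unsigned: a bare plist
    content_info, _ = expect(blob, 0, 0x30, "ContentInfo")
    oid, pos = expect(content_info, 0, 0x06, "contentType")
    if oid != OID_SIGNED_DATA:
        raise ValueError("not a CMS SignedData object")
    explicit0, _ = expect(content_info, pos, 0xA0, "content [0]")
    signed_data, _ = expect(explicit0, 0, 0x30, "SignedData")
    _, pos = expect(signed_data, 0, 0x02, "version")
    _, pos = expect(signed_data, pos, 0x31, "digestAlgorithms")
    encap, pos = expect(signed_data, pos, 0x30, "encapContentInfo")
    oid, epos = expect(encap, 0, 0x06, "eContentType")
    if oid != OID_PKCS7_DATA:
        raise ValueError("unexpected eContentType")
    if epos >= len(encap):
        raise ValueError("detached signature: no eContent (signed without -nodetach)")
    ectx, _ = expect(encap, epos, 0xA0, "eContent [0]")
    plist_bytes, _ = expect(ectx, 0, 0x04, "eContent OCTET STRING")
    certs = []
    if pos < len(signed_data) and signed_data[pos] == 0xA0:  # [0] IMPLICIT certificates
        _, cert_set, _ = read_tlv(signed_data, pos)
        cpos = 0
        while cpos < len(cert_set):
            tag, _, nxt = read_tlv(cert_set, cpos)
            if tag == 0x30:                          # an X.509 Certificate SEQUENCE
                certs.append(cert_set[cpos:nxt])     # whole TLV: feed to openssl x509 -inform der
            cpos = nxt
    return plist_bytes, certs, True


def der(tag, body):
    """Minimal DER encoder, used only to construct the sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_profile_plist():
    """A constructed minimal profile that stands in for unsigned.mobileconfig."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.mdm.sample",
                           "PayloadUUID": "00000000-0000-4000-8000-000000000001",
                           "PayloadDisplayName": "Sample", "PayloadContent": []})


def constructed_signed_sample(plist_bytes, cert_der):
    """Structural stand-in for openssl's output: the plist embedded in SignedData
    with one certificate and an empty signerInfos set, i.e. no real signature."""
    encap = der(0x30, der(0x06, OID_PKCS7_DATA) + der(0xA0, der(0x04, plist_bytes)))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + encap
                 + der(0xA0, cert_der) + der(0x31, b""))
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))


if __name__ == "__main__":
    fake_cert = der(0x30, der(0x02, b"\x00"))  # placeholder bytes, not a real certificate
    blob = constructed_signed_sample(sample_profile_plist(), fake_cert)
    inner, certs, signed = unwrap_mobileconfig(blob)
    print(signed, len(certs), plistlib.loads(inner)["PayloadIdentifier"])
```

The extracted certificates are returned as raw DER so they can be written to disk and read with openssl x509 -inform der -noout -subject -issuer; that is the quickest way to see which certificate actually signed a profile and why the device labels it "Unsigned" or "Not Verified".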
##### Signing with an Apple certificate

The following steps are quoted from the Tianhu (Skyfox) blog: www.skyfox.org/ios-mobilec…
There are several ways to do this; I used a signing script here.
With the help of the mighty GitHub, I found a Python script that does the signing.
Address: github.com/nmcspadden/…
1. Sign a mobileconfig
Place profile_signer.py in the same directory as the mobileconfig and run, in that directory:
./profile_signer.py -n "3rd Party Mac Developer Application" sign AcrobatPro.mobileconfig AcrobatProSigned.mobileconfig
2. Encrypt a mobileconfig
./profile_signer.py -n "3rd Party Mac Developer Application" encrypt AcrobatPro.mobileconfig AcrobatProEnc.mobileconfig
3. Sign and encrypt a mobileconfig
./profile_signer.py -n "3rd Party Mac Developer Application" both AcrobatPro.mobileconfig AcrobatProBoth.mobileconfig
"3rd Party Mac Developer Application" is the full name of your certificate in Keychain Access: select the certificate => Get Info => copy the common name, in quotes, for example:
"iPhone Developer: jakey.shao [email protected]"
"iPhone Distribution: Skyfox Network Technology Co., Ltd."
66911171-EE9C-4DB7-BFCE-6564CC1b4E1A
If the certificate is read correctly, you will be prompted to allow access to the keychain; click Allow.
After installation, the profile is shown as "Verified".