How to create MDM Enrollment Profile for iOS

扶醉桌前, submitted on 2019-12-04 11:58:42

Tag IdentityCertificateUUID is missing in the payload.
It is a mandatory property in the MDM payload. It is used to identify the identity certificate associated with MDM. The Identity Certificate Payload (either PKCS12 or SCEP) should have the same UUID as PayloadUUID. So your modified MDM payload would be:

    <dict>
        <key>AccessRights</key>
        <integer>8191</integer>
        <key>IdentityCertificateUUID</key>
        <string>YOUR-ID_CERTIFICATE-PAYLOADUUID</string>
        <key>CheckInURL</key>
        <string>https://server-domain/workplace3/logiphone/</string>
        <key>CheckOutWhenRemoved</key>
        <false/>
        <key>PayloadDescription</key>
        <string>Configures Mobile Device Management</string>
        <key>PayloadDisplayName</key>
        <string>Mobile Device Management</string>
        <key>PayloadIdentifier</key>
        <string>com.server-domain.profile.mdm-one.</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.mdm</string>
        <key>PayloadUUID</key>
        <string>CC7E12CB-DA53-4D4E-AB7D-39B45A453146</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>ServerURL</key>
        <string>https://server-domain/</string>
        <key>SignMessage</key>
        <false/>
        <key>Topic</key>
        <string>push_topic</string>
    </dict>


Replace YOUR-ID_CERTIFICATE-PAYLOADUUID with the PayloadUUID of your ID certificate (SCEP or PKCS12)


For more information, please check this wonderful PDF on iOS MDM by Intrepidus Group.

If you get an error again, you could check the Device Console logs and update the question with the error message you are getting during installation. It would be very helpful for debugging the issue.

Update
To get IdentityCertificateUUID, you have to look for the payload dictionary with PayloadType com.apple.security.pkcs12 (PKCS12 Certificate Payload) or PayloadType com.apple.security.scep (SCEP Payload).

From your question, you have configured credentials for MDM in IPCU, which means you have configured a PKCS12 payload as the identity certificate. So identify the payload with type com.apple.security.pkcs12, copy its PayloadUUID, and construct IdentityCertificateUUID in the MDM payload. Job done!

If you have configured SCEP in IPCU, then you should use the SCEP payload's PayloadUUID. Please note that using SCEP for the identity certificate is recommended rather than using a PKCS12 certificate. Using SCEP, you can ensure that only the device has the private key.
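The check described in this answer can be run before a profile is shipped. The following is an added example, not part of the original answer: it parses an unsigned .mobileconfig with Python's `plistlib` and reports whether the MDM payload's IdentityCertificateUUID points at a PKCS12 or SCEP payload in the same profile. The function names, the sample identity UUID and the sample profile are constructed for illustration.

```python
import plistlib

# Payload types that can carry the MDM identity certificate.
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

# Constructed sample value, not taken from the page.
SAMPLE_ID_UUID = "11111111-2222-3333-4444-555555555555"


def check_mdm_identity(profile_bytes):
    """Return a list of problems with the MDM payload's identity reference."""
    profile = plistlib.loads(profile_bytes)  # assumes an unsigned profile
    payloads = profile.get("PayloadContent", [])
    # PayloadUUIDs of every PKCS12 / SCEP payload in the profile.
    identities = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in IDENTITY_TYPES}
    mdm = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    problems = []
    if not mdm:
        problems.append("no com.apple.mdm payload found")
    for p in mdm:
        ref = p.get("IdentityCertificateUUID")
        if ref is None:
            problems.append("IdentityCertificateUUID is missing")
        elif ref not in identities:
            problems.append(
                f"IdentityCertificateUUID {ref} matches no PKCS12/SCEP payload")
    return problems


def sample_profile(identity_ref):
    """Constructed sample: one PKCS12 payload plus one MDM payload."""
    pkcs12 = {"PayloadType": "com.apple.security.pkcs12",
              "PayloadUUID": SAMPLE_ID_UUID,
              "PayloadContent": b"placeholder-not-a-real-p12"}
    mdm = {"PayloadType": "com.apple.mdm",
           "PayloadUUID": "CC7E12CB-DA53-4D4E-AB7D-39B45A453146",
           "Topic": "push_topic"}
    if identity_ref is not None:
        mdm["IdentityCertificateUUID"] = identity_ref
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [pkcs12, mdm]})


if __name__ == "__main__":
    for ref in (SAMPLE_ID_UUID, None, "YOUR-ID_CERTIFICATE-PAYLOADUUID"):
        print(ref, "->", check_mdm_identity(sample_profile(ref)) or "OK")
```

A signed profile is a CMS envelope and has to be unwrapped before `plistlib` can read it.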
