
Over-the-Air Enrollment and Distribution on iOS4

Back in 2010, Inflection Point was hired by an international company to develop a solution for managing their employees' iPhones, using configuration profiles to make the devices work with their enterprise system.


They decided to use Over-the-Air (OTA) Enrollment and Distribution for deploying configuration profiles so we followed Apple’s guidelines for Over-the-Air Profile Delivery and Configuration.

So, to make this a short story, we managed to set up the solution using Windows Server 2008 Enterprise with the Microsoft SCEP implementation (NDES) installed and configured; and it worked fine using iOS 3.1.X.

However, last week, they asked us to provide support for iOS 4 because after updating their iPhones they started to get this error “A network error has occurred. The network connection was lost.”

We spent some time figuring out what the problem was. This is what we found:

We used iPhone Configuration Utility 3.0 and tried to install the configuration profile directly via USB on an iPhone with iOS 4.0.1, and got the same error, so the problem wasn't that the request was incorrectly built.

Using a network protocol analyzer (sniffer), we compared the HTTP requests and responses of an OTA delivery on an iPhone running 3.1.3 with those on another running 4.0.1.

The problem we found was with the GetCACaps operation. This SCEP operation is optional according to the Apple Enterprise Deployment Guide, which states that:

If you add a dictionary with the key GetCACaps, the device uses the strings you provide as the authoritative source of information about the capabilities of your CA. Otherwise, the device queries the CA for GetCACaps and uses the answer it gets in response. If the CA doesn’t respond, the device defaults to GET 3DES and SHA-1 requests.

Well, apparently, this isn't true anymore for iOS 4 on the iPhone. The exchange below shows the communication between the CA/SCEP server and each iPhone (→ device to server, ← server to device):

iPhone 3.1.3:
    Sends a GetCACert operation →
    ← Receives a StatusCode 200 response
    Sends a GetCACaps operation →
    Sends a GetCACaps operation →
    Sends a PKIOperation →
    ← Receives response for PKIOperation
    Profile Installed

iPhone 4.0.1:
    Sends a GetCACert operation →
    ← Receives a StatusCode 200 response
    Sends a GetCACaps operation →
    Sends a GetCACaps operation →
    Sends a GetCACaps operation →
    "A network error has occurred. The network connection was lost."

As can be seen, the iPhone running 3.1.3 sends the GetCACaps operation twice and then, after receiving no answer (it probably falls back to the default CA capabilities), sends the PKIOperation. The iPhone running 4.0.1, on the other hand, sends three GetCACaps operations and, after receiving no answer, fails.

We fixed this by adding the information about the CA capabilities (the information that was expected from the GetCACaps operation) directly in the Phase 2 XML server response. As a result the iPhone didn't send the GetCACaps operation to the server; it sent the PKIOperation and the profile was successfully installed. Since the device treats the strings you supply as the authoritative source, the GetCACaps list must reflect what your CA actually supports.

Note: We made it work for OTA delivery in the client's custom solution; however, the problem remains if iPhone Configuration Utility 3.0 is used. We didn't find a way to enter the CA capabilities manually there.

Here is example code of the Phase 2 XML server response with the GetCACaps information added:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadUUID</key>
        <string>Ignored</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadIdentifier</key>
        <string>Ignored</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadContent</key>
                <dict>
                    <key>URL</key>
                    <string>http://CA-DOMAIN-IP/certsrv/mscep/</string>
                    <key>Name</key>
                    <string>IPS</string>
                    <key>Subject</key>
                    <array>
                        <array>
                            <array>
                                <string>CN</string>
                                <string>iPhone</string>
                            </array>
                        </array>
                    </array>
                    <key>Challenge</key>
                    <string>XXXXXXXXXXXXXXXXXXX</string>
                    <key>Keysize</key>
                    <integer>1024</integer>
                    <key>Key Type</key>
                    <string>RSA</string>
                    <key>Key Usage</key>
                    <integer>0</integer>
                    <!-- CA capabilities supplied here, so the device does not query the CA with GetCACaps -->
                    <key>GetCACaps</key>
                    <array>
                        <string>GETPKIOperation</string>
                        <string>Renewal</string>
                        <string>SHA-1</string>
                    </array>
                </dict>
                <key>PayloadDescription</key>
                <string>Provides device encryption identity</string>
                <key>PayloadUUID</key>
                <string>XXXXXXXX-XXXX-XXXXXXX-XXXXXXXXXXXXX</string>
                <key>PayloadType</key>
                <string>com.apple.security.scep</string>
                <key>PayloadDisplayName</key>
                <string>Encryption Identity</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadOrganization</key>
                <string>Example, Inc.</string>
                <key>PayloadIdentifier</key>
                <string>com.example.profileservice.scep</string>
            </dict>
        </array>
    </dict>
</plist>
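As an added illustration (not the client's solution or any Apple code), the following Python builds the same Phase 2 SCEP profile with plistlib and includes an audit helper that flags SCEP payloads lacking a GetCACaps list, i.e. the ones that would make an iOS 4 device fall into the failing GetCACaps query loop. The URL, challenge and UUID are constructed placeholders.

```python
import plistlib

# Constructed placeholders; replace with the real CA endpoint and challenge.
SCEP_URL = "http://CA-DOMAIN-IP/certsrv/mscep/"
CA_CAPS = ["GETPKIOperation", "Renewal", "SHA-1"]  # must match what the CA supports


def build_phase2_response(url, challenge, ca_caps, keysize=1024):
    """Return the Phase 2 configuration profile as XML plist bytes, with the
    SCEP payload carrying an explicit GetCACaps list so the device does not
    query the CA for its capabilities."""
    scep_payload = {
        "PayloadContent": {
            "URL": url,
            "Name": "IPS",
            "Subject": [[["CN", "iPhone"]]],
            "Challenge": challenge,
            "Keysize": keysize,
            "Key Type": "RSA",
            "Key Usage": 0,
            "GetCACaps": list(ca_caps),  # treated by the device as authoritative
        },
        "PayloadDescription": "Provides device encryption identity",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder UUID
        "PayloadType": "com.apple.security.scep",
        "PayloadDisplayName": "Encryption Identity",
        "PayloadVersion": 1,
        "PayloadOrganization": "Example, Inc.",
        "PayloadIdentifier": "com.example.profileservice.scep",
    }
    profile = {
        "PayloadVersion": 1,
        "PayloadUUID": "Ignored",
        "PayloadType": "Configuration",
        "PayloadIdentifier": "Ignored",
        "PayloadContent": [scep_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def scep_payloads_missing_cacaps(profile_bytes):
    """Audit helper: return the identifiers of SCEP payloads in a profile that
    carry no GetCACaps list (these trigger the device-side GetCACaps query)."""
    profile = plistlib.loads(profile_bytes)
    missing = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue
        if not payload.get("PayloadContent", {}).get("GetCACaps"):
            missing.append(payload.get("PayloadIdentifier", "<no identifier>"))
    return missing
```

Running the audit helper over every Phase 2 response your profile service emits is a cheap regression check for this iOS 4 behaviour.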



Pablo N.

A Computer Systems Engineer born in Ciudad Victoria, Tamaulipas, Pablo loves football, family time and RPGs. With more than 9 years of experience as a developer, specializing in mobile development for iOS and Android, he has written some really good articles you should read.