iOS MDM with a self-signed certificate?

Time: 2017-12-06 20:27:10

Tags: java ios iphone ssl mdm

I am developing an iOS mobile device management server as a learning exercise. (For more background, see here: iOS Device Enrollment with Self-Developed MDM.) It is written in Java and uses JAX-RS for the service endpoints. I have 2 JAX-RS endpoints intended to support device enrollment. The /enroll endpoint returns a profile similar to this one to kick off the device enrollment process:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
   <dict>
      <key>PayloadContent</key>
      <dict>
         <key>URL</key>
         <string>http://myhost.com/profile</string>
         <key>DeviceAttributes</key>
         <array>
            <string>UDID</string>
            <string>IMEI</string>
            <string>ICCID</string>
            <string>MAC_ADDRESS_EN0</string>
            <string>DEVICE_NAME</string>
            <string>VERSION</string>
            <string>PRODUCT</string>
         </array>
         <key>Challenge</key>
         <string>MyChallengeGoesHere</string>
      </dict>
      <key>PayloadOrganization</key>
      <string>Example Inc.</string>
      <key>PayloadDisplayName</key>
      <string>Profile Service</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>fdb376e5-b5bb-4d8c-829e-e90865f990c9</string>
      <key>PayloadIdentifier</key>
      <string>com.example.mobileconfig.profile-service</string>
      <key>PayloadDescription</key>
      <string>Enter device into the Example Inc encrypted profile service</string>
      <key>PayloadType</key>
      <string>Profile Service</string>
   </dict>
</plist>

After the enrollment profile is installed, the /profile endpoint accepts a POST from the iOS device and returns the requested information about the device. From there, I install a certificate/private key in PKCS#12 format using the following profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>7bec0d56-5463-486a-921d-c61a065639ca</string>
        <key>PayloadIdentifier</key>
        <string>org.example.mymdm</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs12</string>
                <key>PayloadUUID</key>
                <string>d76f716b-2336-47ec-8b16-681f096df7b9</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadIdentifier</key>
                <string>com.mymdm.p12</string>
                <key>Password</key>
                <string>__MY_CERT_PASSWORD__</string>
                <key>PayloadContent</key>
                <data>__MY_P12_CERT__</data>
            </dict>
        </array>
    </dict>
</plist>

At this point, everything works as expected. If I go to Settings > General > Profiles, I see the PKCS#12 certificate profile listed. Now I am trying to set up the profile needed to allow device check-in with my MDM service. I created a profile that looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>12999a48-f7a4-4e54-bb60-4e53fc63c293</string>
        <key>PayloadIdentifier</key>
        <string>org.example.mymdm.checkin</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>AccessRights</key>
                <integer>8191</integer>
                <key>CheckInURL</key>
                <string>https://mymdmhost.com:8443/mdm/checkin</string>
                <key>CheckOutWhenRemoved</key>
                <true/>
                <key>IdentityCertificateUUID</key>
                <string>7299f0c7-4c19-44a5-96e3-14d77f3093a4</string>
                <key>PayloadDescription</key>
                <string>Checkin</string>
                <key>PayloadDisplayName</key>
                <string>Checkin</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.mdm.02D2C93A-3F6D-4E54-B15D-EECC1B7BD583</string>
                <key>PayloadOrganization</key>
                <string>Gener-Tech</string>
                <key>PayloadType</key>
                <string>com.apple.mdm</string>
                <key>PayloadUUID</key>
                <string>61da6cc7-2f7e-4aba-aabb-fa0af3f2258d</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>ServerURL</key>
                <string>https://mymdmhost.com:8443/mdm/checkin</string>
                <key>SignMessage</key>
                <true/>
                <key>Topic</key>
                <string>com.apple.mgmt.External.*</string>
                <key>UseDevelopmentAPNS</key>
                <true/>
            </dict>
        </array>
    </dict>
</plist>

I tried visiting the URL that pushes this profile down to the device, but when I tap "Install" I get an error message saying it cannot find a certificate with that UUID. So I modified the profile to include another PKCS#12 certificate in it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>12999a48-f7a4-4e54-bb60-4e53fc63c293</string>
        <key>PayloadIdentifier</key>
        <string>org.example.mymdm.checkin</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs12</string>
                <key>PayloadUUID</key>
                <string>7299f0c7-4c19-44a5-96e3-14d77f3093a4</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadIdentifier</key>
                <string>com.mymdm.cert.p12</string>
                <key>Password</key>
                <string>__MY_CERT_PASSWORD__</string>
                <key>PayloadContent</key>
                <data>__MY_CERT_P12__</data>
            </dict>
            <dict>
                <key>AccessRights</key>
                <integer>8191</integer>
                <key>CheckInURL</key>
                <string>https://mymdmhost.com:8443/mdm/checkin</string>
                <key>CheckOutWhenRemoved</key>
                <true/>
                <key>IdentityCertificateUUID</key>
                <string>7299f0c7-4c19-44a5-96e3-14d77f3093a4</string>
                <key>PayloadDescription</key>
                <string>Checkin</string>
                <key>PayloadDisplayName</key>
                <string>Checkin</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.mdm.02D2C93A-3F6D-4E54-B15D-EECC1B7BD583</string>
                <key>PayloadOrganization</key>
                <string>Gener-Tech</string>
                <key>PayloadType</key>
                <string>com.apple.mdm</string>
                <key>PayloadUUID</key>
                <string>61da6cc7-2f7e-4aba-aabb-fa0af3f2258d</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>ServerURL</key>
                <string>https://mymdmhost.com:8443/mdm/checkin</string>
                <key>SignMessage</key>
                <true/>
                <key>Topic</key>
                <string>com.apple.mgmt.External.*</string>
                <key>UseDevelopmentAPNS</key>
                <true/>
            </dict>
        </array>
    </dict>
</plist>

However, now I see an error in the device console:

    The certificate for https://mymdmhost.com:8443/mdm/checkin is invalid.

I think this error is due to my using a self-signed certificate for testing. I tried including another <dict /> containing the PEM-format self-signed certificate as a trusted root. I also tried creating a completely separate profile with only the trusted root as a payload. However, neither of these options worked.

Am I doing something wrong here? How can I test my MDM and check-in support with a self-signed certificate? Is this even possible?
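The two failures quoted in the question (a `com.apple.mdm` payload whose IdentityCertificateUUID points at a certificate installed by a different profile, and an MDM server presenting a self-signed TLS certificate the device has no anchor for) are both visible in the profile before it is ever served. The following is an added example, not code from the question or from the author's server: it builds one Configuration profile that carries a `com.apple.security.root` trust anchor, the `com.apple.security.pkcs12` identity and the `com.apple.mdm` payload together, and lints any profile for the cross-reference and transport mistakes that surface only at install or check-in time. It also lints the "Profile Service" profile from the start of the post. Host names, UUIDs, the push topic, the PKCS#12 and CA bytes and the password are placeholders constructed here; the payload keys are the ones used in the question plus `com.apple.security.root` for the trust anchor.

```python
"""Build an iOS MDM enrollment profile and lint it before serving it.

Added example (not from the original question). All host names, UUIDs,
topics, certificate bytes and passwords below are constructed placeholders.
"""
import plistlib
import uuid

CONFIGURATION = "Configuration"
PROFILE_SERVICE = "Profile Service"
PKCS12_PAYLOAD = "com.apple.security.pkcs12"
SCEP_PAYLOAD = "com.apple.security.scep"
ROOT_PAYLOAD = "com.apple.security.root"
MDM_PAYLOAD = "com.apple.mdm"
IDENTITY_PAYLOADS = (PKCS12_PAYLOAD, SCEP_PAYLOAD)


def _new_uuid():
    return str(uuid.uuid4()).upper()


def _mdm_payload(server_url, checkin_url, topic, identity_uuid):
    return {
        "PayloadType": MDM_PAYLOAD, "PayloadVersion": 1,
        "PayloadUUID": _new_uuid(), "PayloadIdentifier": "org.example.mymdm.mdm",
        "PayloadDisplayName": "MDM",
        # Must name a PKCS#12/SCEP payload inside the *same* profile.
        "IdentityCertificateUUID": identity_uuid,
        "ServerURL": server_url, "CheckInURL": checkin_url,
        "Topic": topic,  # exact com.apple.mgmt.External.<id> from the push cert
        "AccessRights": 8191, "CheckOutWhenRemoved": True, "SignMessage": True,
    }


def _wrap(payloads):
    """Wrap payload dicts in a Configuration profile; returns XML plist bytes."""
    return plistlib.dumps({
        "PayloadType": CONFIGURATION, "PayloadVersion": 1,
        "PayloadUUID": _new_uuid(), "PayloadIdentifier": "org.example.mymdm",
        "PayloadDisplayName": "MDM Enrollment", "PayloadContent": payloads,
    })


def build_mdm_profile(server_url, checkin_url, topic, identity_p12, p12_password, root_ca_der):
    """Root CA + PKCS#12 identity + MDM payload delivered as one profile."""
    identity_uuid = _new_uuid()
    return _wrap([
        {   # trust anchor so the device accepts the self-signed TLS server cert
            "PayloadType": ROOT_PAYLOAD, "PayloadVersion": 1, "PayloadUUID": _new_uuid(),
            "PayloadIdentifier": "org.example.mymdm.rootca", "PayloadDisplayName": "MDM Root CA",
            "PayloadContent": root_ca_der,          # DER-encoded certificate bytes
        },
        {   # client identity the device uses to sign check-in/acknowledge messages
            "PayloadType": PKCS12_PAYLOAD, "PayloadVersion": 1, "PayloadUUID": identity_uuid,
            "PayloadIdentifier": "org.example.mymdm.identity", "PayloadDisplayName": "MDM Identity",
            "Password": p12_password, "PayloadContent": identity_p12,  # PKCS#12 bytes
        },
        _mdm_payload(server_url, checkin_url, topic, identity_uuid),
    ])


def build_first_attempt(server_url, checkin_url, topic, identity_uuid_elsewhere):
    """Shape of the question's first try: MDM payload alone, identity installed separately."""
    return _wrap([_mdm_payload(server_url, checkin_url, topic, identity_uuid_elsewhere)])


def lint_profile(profile_bytes, self_signed_server=True):
    """Return a list of problem strings; an empty list means the profile passed."""
    profile = plistlib.loads(profile_bytes)
    problems = []
    ptype = profile.get("PayloadType")

    if ptype == PROFILE_SERVICE:               # the /enroll bootstrap profile
        content = profile.get("PayloadContent", {})
        if not content.get("URL", "").startswith("https://"):
            problems.append("Profile Service URL is not https: %r" % content.get("URL"))
        if not content.get("Challenge"):
            problems.append("Profile Service payload has no Challenge to bind the /profile POST to")
        return problems
    if ptype != CONFIGURATION:
        return ["unexpected top-level PayloadType %r" % ptype]

    payloads = profile.get("PayloadContent", [])
    identity_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in IDENTITY_PAYLOADS}
    has_root = any(p.get("PayloadType") == ROOT_PAYLOAD for p in payloads)

    for p in payloads:
        if p.get("PayloadType") != MDM_PAYLOAD:
            continue
        ref = p.get("IdentityCertificateUUID")
        if ref not in identity_uuids:           # the "cannot find certificate with that UUID" case
            problems.append("IdentityCertificateUUID %s has no PKCS#12/SCEP payload in this profile" % ref)
        for key in ("ServerURL", "CheckInURL"):
            url = p.get(key, "")
            if url and not url.startswith("https://"):
                problems.append("%s must be https, got %r" % (key, url))
        topic = p.get("Topic", "")
        if not topic.startswith("com.apple.mgmt.") or topic.endswith("*"):
            problems.append("Topic %r must be the exact com.apple.mgmt.External.<id> from the push certificate" % topic)
        if self_signed_server and not has_root:  # the "certificate ... is invalid" case
            problems.append("no com.apple.security.root payload; the self-signed server cert will be rejected")
    return problems
```

Run `lint_profile()` over the exact bytes the /enroll and /profile endpoints return; the first failure in the question shows up as the dangling IdentityCertificateUUID finding, the second as the missing root payload. One caveat the lint cannot check: since iOS 10.3 a root installed from a manually installed profile (which Safari-driven OTA enrollment is) is not trusted for TLS until it is switched on under Settings > General > About > Certificate Trust Settings, per Apple's support note on trusting manually installed certificate profiles; profiles delivered by MDM or Apple Configurator are exempt.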

0 answers:

No answers