MDM iPCU Profile Installation Failed in iOS SDK - ios

I am doing an MDM vendor setup and have an Apple enterprise account for it. But after completing all the steps I am getting an issue when I try to install the iPhone Configuration Utility file on the iPhone. We are getting an alert saying “Profile Installation Failed”. Please suggest what you suspect may be wrong. Following are the steps I followed for my profile creation.
For Vendor:
1. I created my vendor csr on my macbook called vendor.csr.
   Email: My Enterprise Account Email.
   Common Name: My Company Name.
   Saved to Disk.
2. Uploaded the vendor.csr file to the enterprise account and downloaded the mdm.cer file from the account.
3. Loaded this certificate to the key chain.
4. Exported the .p12 file as private.p12 file.
5. Extracted Private key using command : openssl pkcs12 -in private.p12 -nocerts -out key.pem
6. Extracted Certificate : openssl pkcs12 -in private.p12 -clcerts -nokeys -out cert.pem
7. Convert the certificate to des form : openssl x509 -in cert.pem -inform PEM -out mdm.cer -outform DES
8. Stripped password from private key : openssl rsa -in key.pem -out private.key
For customer:
Now I created one more csr for push from the same macbook called push.csr.
Email: Company Support Email.
Common Name : Company Name Push
Saved to Disk.
Python Code :
Link: https://github.com/grinich/mdmvendorsign
I got the Python code from the above link to get the plist encoded file from the files I generated above, i.e. private.key, push.csr, mdm.cer. I renamed my files according to the command below and generated a plist encoded file.
Command : python mdm_vendor_sign.py --csr user_submitted_CSR.csr --key mdm_vendor_private.key --mdm mdm_certifiate_from_apple.cer
Push Cert :
Then I uploaded a plist encoded file on “https://identity.apple.com/pushcert/” and downloaded the resulting push certificate from there.
Installed the downloaded push cert to the key chain, exported it in the p12 format and called it mdm.p12.
Converted the mdm.p12 to PEM format : openssl pkcs12 -in mdm.p12 -out pushcert.pem -nodes
iPhone Configuration Utility :
I implemented three sections of iPCU. For server setup I am using RapidSSL for my server set up.
General
a. Name : My Company Private Limited
b. Identifier: com.mycompany.mdm.profile
c. Organization : My Company Name
d. Description : Version 1.0
e. Security : Always.
Credentials
Uploaded the pushcert.pem file generated at the last step of push cert work.
Mobile Device Management
a. Server URL : https://xyz.server
b. Check In URL : https://xyz.checin
c. Topic : com.apple.mgmt.External.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
d. Identity : selected from credential.
Export iPCU -> None/SignConfigurationProfile (tried both).
Now this file is failing to install on the device when I send it through mail and I am getting the message "Profile Installation Failed". What I understand from the logs is that the device is unable to make a connection to the server. Please suggest how I could resolve that.
Device Logs:
Nov 27 19:02:21 iPhone profiled[114] <Notice>: (Note ) MC: Checking for MDM installation...
Nov 27 19:02:21 iPhone profiled[114] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Nov 27 19:02:21 iPhone profiled[114] <Notice>: (Note ) MC: Beginning profile installation...
Nov 27 19:02:21 iPhone profiled[114] <Error>: SecTrustEvaluate [leaf AnchorTrusted]
Nov 27 19:02:23 iPhone locationd[63] <Notice>: Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0
Nov 27 19:02:24 iPhone locationd[63] <Notice>: Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0
Nov 27 19:02:24 iPhone profiled[114] <Error>: SecTrustEvaluate [leaf AnchorTrusted]
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc : A connection to the server could not be established.
US Desc: A connection to the server could not be established.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"https://mdm.myCompanyName.com/Service1.svc",
500
)
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MC: Cannot install MDM “Mobile Device Management”. Error: NSError:
Desc : The payload “Mobile Device Management” could not be installed.
Sugg : A connection to the server could not be established.
US Desc: The payload “Mobile Device Management” could not be installed.
US Sugg: A connection to the server could not be established.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"Mobile Device Management"
)
...Underlying error:
NSError:
Desc : A connection to the server could not be established.
US Desc: A connection to the server could not be established.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"https://mdm.myCompanyName.com/Service1.svc",
500
)
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MC: Rolling back installation of profile “com.myCompanyName.mdm.profile”...
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MC: Installation of profile “com.myCompanyName.mdm.profile” failed with error: NSError:
Desc : The profile “myCompanyName” could not be installed.
Sugg : The payload “Mobile Device Management” could not be installed.
US Desc: The profile “myCompanyName” could not be installed.
US Sugg: The payload “Mobile Device Management” could not be installed.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"myCompanyName"
)

The certificate you generated with your MDM vendor cert from Apple isn't used for device authentication. It's used for that particular server to send notifications to APNs.
The identity in iPCU (which was deprecated long ago) is for a client certificate. Also remember that all TLS certificates need to be valid and trusted. Your server is rejecting the client with an HTTP 500, so I would start investigating the server logs as to why.
Really though if you are developing your own MDM solution I would open a DTS incident with Apple. The API documents are only published to folks in the Enterprise Developer Program and not publicly available. Rather than here, the MDM section of the Apple Developer Forums is probably a better place to discuss it.
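Added example (not part of the original question or answer): a small parser for the profiled NSError dumps shown in the device log, which follows each "...Underlying error:" chain to its innermost error and reports the domain, code, URL and HTTP status to check against the server logs. The function names and the sample log with its placeholder host are constructed for this example.

```python
import re

# Syslog header, e.g. "Nov 27 19:02:26 iPhone profiled[114] <Notice>: message"
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<proc>[^\[\s]+)\[\d+\] <\w+>: (?P<msg>.*)$")
# NSError fields; the "US Desc"/"US Sugg" duplicates are skipped on purpose.
FIELD = re.compile(r"^(?P<key>Desc|Sugg|Domain|Code|Type)\s*: (?P<val>.*)$")

def parse_profiled_errors(text):
    """Return one entry per profiled NSError dump, with its nested error chain."""
    entries, chain, err, in_params = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        head = SYSLOG.match(line)
        if head:  # a new syslog line ends the previous dump
            chain, err, in_params = None, None, False
            if head["proc"] == "profiled" and head["msg"].endswith("NSError:"):
                err = {"params": []}
                chain = [err]
                entries.append({"message": head["msg"], "chain": chain})
        elif chain is None:
            continue
        elif line == "NSError:":  # follows "...Underlying error:"
            err = {"params": []}
            chain.append(err)
        elif in_params and line == ")":
            in_params = False
        elif in_params:
            err["params"].append(line.rstrip(",").strip('"'))
        elif line.startswith("Params"):
            in_params = True
        elif FIELD.match(line):
            key, val = FIELD.match(line).group("key", "val")
            err[key.lower()] = val
    return entries

def root_causes(text):
    """Deduplicated innermost errors: the layer that actually failed."""
    seen, roots = set(), []
    for entry in parse_profiled_errors(text):
        root = entry["chain"][-1]
        ident = (root.get("domain"), root.get("code"), tuple(root["params"]))
        if ident not in seen:
            seen.add(ident)
            roots.append({
                "domain": root.get("domain"),
                "code": int(root["code"]) if root.get("code", "").isdigit() else None,
                "desc": root.get("desc"),
                "url": next((p for p in root["params"] if p.startswith("http")), None),
                # The answer above reads the bare number in Params as the HTTP status.
                "http_status": next((int(p) for p in root["params"] if p.isdigit()), None),
            })
    return roots

# Constructed sample in the format of the log above (placeholder host).
SAMPLE_LOG = """\
Nov 27 19:02:24 iPhone profiled[114] <Error>: SecTrustEvaluate [leaf AnchorTrusted]
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc : A connection to the server could not be established.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Params : (
"https://mdm.example.test/Service1.svc",
500
)
Nov 27 19:02:26 iPhone profiled[114] <Notice>: (Error) MC: Cannot install MDM “Mobile Device Management”. Error: NSError:
Desc : The payload “Mobile Device Management” could not be installed.
Domain : MCInstallationErrorDomain
Code : 4001
Params : (
"Mobile Device Management"
)
...Underlying error:
NSError:
Desc : A connection to the server could not be established.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Params : (
"https://mdm.example.test/Service1.svc",
500
)
"""

if __name__ == "__main__":
    print(root_causes(SAMPLE_LOG))
```

Both dumps in the sample collapse to a single root cause, which is the URL and status to look up on the server side.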

Related

Quamotion Spy fails to start on an iPad

I'm having an issue starting the Remote Control and Spy sessions using the Quamotion WebDriver on an iPad Mini 4 running iOS 10.2.1.
I'm getting the following error message:
The spy failed to start. The installation of application Quamotion Agent on device iPad failed. The installation proxy returned the error ApplicationVerificationFailed. The following syslog messages may contain more information:
0x16df1b000 -[MIClientConnection _doInstallationForURL:withOptions:completion:]: Install of "/var/mobile/Media/PublicStaging/com.apple.test.WebDriverAgentRunner-Runner" type Customer (LSInstallType = (null)) requested by mobile_installation_proxy (pid 203) 0x16df1b000 -[MIInstaller performInstallationWithError:]: Installing :Install (New):0:Success:Begin could not enable test hierarchy: ApplePinningAllowTestCertsiPhoneApplicationSigning not true [leaf CheckLeafMarkerOid IssuerCommonName Revocation1 SubjectCommonName] could not enable test hierarchy: ApplePinningAllowTestCertsiPhoneApplicationSigning not true [leaf CheckLeafMarkerOid IssuerCommonName Revocation1 SubjectCommonName] [leaf Revocation1] 0x16df1b000 +[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]: 147: Failed to verify code signature of /private/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.N6uppO/extracted/Payload/WebDriverAgentRunner-Runner.app : 0xe8008018 (The identity used to sign the executable is no longer valid.) 0x16df1b000 -[MIInstaller performInstallationWithError:]: Verification stage failed :Install (New):0:Fail:End
Are there any steps I can take to troubleshoot this? I can start the Spy and remote control on an iPhone 6.
This most likely indicates that the iOS Developer Certificates you have uploaded in the Quamotion Settings page have been revoked.
You can check the revocation state of your iOS developer certificate using the following command:
openssl ocsp -issuer AppleWWDRCA.pem -cert mycert.pem -text -url http://ocsp.apple.com/ocsp03-wwdr01 -header 'host' 'ocsp.apple.com'
You can download the individual certificates in .cer format from the Settings page in the Quamotion WebDriver. You can then convert the .cer file to .pem file using the following OpenSSL command:
openssl x509 -inform der -in mycert.cer -out mycert.pem
You'll also need the Apple WWDR CA certificate, which you can download from https://developer.apple.com/certificationauthority/AppleWWDRCA.cer .
If your certificate has been revoked, you should get a status message similar to this:
Response Verify Failure
140404648445600:error:27069065:OCSP routines:OCSP_basic_verify:certificate
verify error:ocsp_vfy.c:126:Verify error:self signed certificate in certificate chain
mycert.pem: revoked
This Update: Mar 14 10:10:08 2018 GMT
Next Update: Mar 15 10:10:08 2018 GMT
Reason: keyCompromise
Revocation Time: Jan 23 08:33:40 2018 GMT

Resigning appstore exported IPA's with development certificate

Question
Is it possible to resign/provision IPA's exported for the AppStore with a development certificate and profile?
I can do the actual resign and upon manual verification things seem fine, however any application I try this on crashes on launch. I am not trying to resign an app downloaded from the AppStore, these are applications built on my computer.
None of the popular tools seem to do it right either. Did anyone ever pull this off or is it impossible for some reason?
Findings
In the device log I don't see anything reported by the App process itself so the OS must have killed it before launch. I do see this:
securityd[101] <Notice>: cert[0]: CheckLeafMarkerOid =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: SubjectCommonName =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: IssuerCommonName =(path)[]> 0
amfid(Security)[196] <Notice>: [leaf CheckLeafMarkerOid IssuerCommonName SubjectCommonName]
amfid(libmis.dylib)[196] <Info>: Blacklist does not exist.
amfid(libmis.dylib)[196] <Info>: Using empty blacklist.
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: open stream failed (may be non-existing)
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: creating empty auth list
assertiond[66] <Notice>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (5)
SpringBoard(FrontBoard)[57] <Error>: Unable to register for exec notifications: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (0x5)
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(FrontBoard)[57] <Error>: Unable to obtain a process handle for <FBApplicationProcess: 0x10bc26cd0; com.company.product.name; pid: 1683>
This seemed to indicate an issue with the entitlements. However, when I manually print them (/usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i "$1"/embedded.mobileprovision) > entitlements.plist) from the IPA I installed I have:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>TEAMID.*</string>
<key>com.apple.developer.default-data-protection</key>
<string>NSFileProtectionComplete</string>
<key>com.apple.developer.team-identifier</key>
<string>TEAMID</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>TEAMID.*</string>
</array>
</dict>
</plist>
This clearly shows the get-task-allow entitlement to be true.
Tools
Whichever tool I try I end up with the same result, e.g
https://dantheman827.github.io/ios-app-signer/
https://github.com/nowsecure/node-applesign
https://github.com/fastlane/fastlane/blob/master/sigh/lib/assets/resign.sh
Similar Questions
can we resign the appstore build with our development certificates? Simple no answer, seems incorrect since I'm able to perform the actual resign operation without warnings or errors.
Resign iOS App from a distribution identity to a developer identity Show how to verify and/or adapt the final entitlements in the resigned IPA.
iOS resign IPA from appstore with developer profile Question bit older but one of the commenters eventually reports the same observed behaviour: "but it can't run normally, it flashback. till now i have no idea about it".
Update 1
(reaction to @Yoshkebab)
Output of otool suggests the binary is not encrypted:
otool -l App/Payload/App.app/App | grep -A 4 -i encrypt:
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 0
cryptsize 0
cryptid 0
--
cmd LC_ENCRYPTION_INFO_64
cmdsize 24
cryptoff 0
cryptsize 0
cryptid 0
However, e.g. Hopper cannot disassemble it... Are there any references that Apple applies the encryption in Xcode? That would indicate they have that key on users' systems? Also I don't see build steps that would indicate this (codesign is just adding the signature, no?)
Clutch fails to see my application and Stefan Esser's dumpdecrypted library doesn't work because the app crashes immediately I suspect (my setup is ok because it works for other apps).
AppStore signed apps are not only signed by the developer's certificate, but the binary is also encrypted by Apple's private key.
Thus you can resign the apps, but unless you decrypt the binary you won't be able to run them.
Check out the binary's LC_ENCRYPTION_INFO load command (easiest way is to use MachoView); if you see a flag Crypt ID != 0, the binary is encrypted.
Assuming that it is, you can still do it; this is a bit tedious and you'll need a jailbroken device with the App installed.
1. Connect to your device with SSH. Easiest way to do it is with gandalf
2. Get Clutch and install it on your device - follow their instructions (I found that the easiest way to compile it is to change the package name)
3. Dump the decrypted app into a new IPA (Clutch -d "YOUR_PACKAGE_ID")
4. Now you have a decrypted IPA that you can resign
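Added example (not part of the original posts): the LC_ENCRYPTION_INFO check from the answer above, done by reading cryptid from every architecture slice of a thin or fat Mach-O file, which is the same field the otool output in the question prints. The function names are this example's own, and the header-only sample binaries are constructed in demo_slice and demo_fat.

```python
import struct

LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
CPU_ARM, CPU_ARM64 = 12, 0x0100000C

def slice_encryption_info(data, base=0):
    """Walk one little-endian Mach-O slice and return its encryption_info fields."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice at offset %d" % base)
    cputype, _subtype, _filetype, ncmds = struct.unpack_from("<iiII", data, base + 4)
    off = base + (32 if magic == MH_MAGIC_64 else 28)  # 64-bit header has 4 reserved bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            name = "LC_ENCRYPTION_INFO_64" if cmd == LC_ENCRYPTION_INFO_64 else "LC_ENCRYPTION_INFO"
            return {"cputype": cputype, "cmd": name, "cryptoff": cryptoff,
                    "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return {"cputype": cputype, "cmd": None, "cryptid": None}  # command absent

def encryption_info(data):
    """Return one result per architecture slice of a thin or fat binary."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:  # fat header is big-endian
        nfat = struct.unpack_from(">I", data, 4)[0]
        # fat_arch = cputype, cpusubtype, offset, size, align (5 x uint32)
        offsets = [struct.unpack_from(">I", data, 8 + 20 * i + 8)[0] for i in range(nfat)]
    else:
        offsets = [0]
    return [slice_encryption_info(data, o) for o in offsets]

def is_encrypted(data):
    """True if any slice carries a non-zero cryptid."""
    return any(s["cryptid"] not in (None, 0) for s in encryption_info(data))

def demo_slice(is64, cryptid):
    """Constructed header-only slice: Mach-O header plus one encryption-info command."""
    if is64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        return struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_ARM64, 0, 2, 1, len(lc), 0, 0) + lc
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    return struct.pack("<IiiIIII", MH_MAGIC, CPU_ARM, 9, 2, 1, len(lc), 0) + lc

def demo_fat(cryptid):
    """Constructed two-slice fat binary (32-bit and 64-bit ARM)."""
    slices = [(CPU_ARM, demo_slice(False, cryptid)), (CPU_ARM64, demo_slice(True, cryptid))]
    out = struct.pack(">II", FAT_MAGIC, len(slices))
    off = 8 + 20 * len(slices)
    for cpu, blob in slices:
        out += struct.pack(">iiIII", cpu, 0, off, len(blob), 0)
        off += len(blob)
    return out + b"".join(blob for _, blob in slices)

if __name__ == "__main__":
    for label, blob in (("cryptid 0", demo_fat(0)), ("cryptid 1", demo_fat(1))):
        print(label, encryption_info(blob), "encrypted:", is_encrypted(blob))
```

On a real file, pass the bytes of the app's main executable (for example open(path, "rb").read()) to encryption_info.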

The server certificate for "url" is invalid, working on MDM in iOS

I am working on MDM setup on iOS; we followed the blog below to set up MDM with iOS. We have created all the files, but when trying to install the configuration profile on the device, it throws the error "The server certificate for url is invalid".
URL: http://avibirnale.blogspot.in/2013/05/mdm-development-configuration-for-ios.html
Please find the below log to see the error in detail
Oct 28 11:14:23 iPhone4S profiled[219] <Notice>: (Error) MC: Connection to https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin failed with error: NSError:
Desc : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCHTTPTransactionErrorDomain
Code : 23002
Type : MCFatalError
Params : (
"https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin"
)
Oct 28 11:14:23 iPhone4S profiled[219] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCHTTPTransactionErrorDomain
Code : 23002
Type : MCFatalError
Params : (
"https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin"
)
Oct 28 11:14:23 iPhone4S profiled[219] <Notice>: (Error) MC: Cannot install MDM “Mobile Device Management”. Error: NSError:
Desc : The payload “Mobile Device Management” could not be installed.
Sugg : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The payload “Mobile Device Management” could not be installed.
US Sugg: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"Mobile Device Management"
)
...Underlying error:
NSError:
Desc : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCHTTPTransactionErrorDomain
Code : 23002
Type : MCFatalError
Params : (
"https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin"
)
Oct 28 11:14:23 iPhone4S profiled[219] <Notice>: (Error) MC: Rolling back installation of profile “com.Test.mdm.profile”...
Oct 28 11:14:23 iPhone4S profiled[219] <Notice>: (Error) MC: Installation of profile “com.Test.mdm.profile” failed with error: NSError:
Desc : The profile “Test MDM Profile” could not be installed.
Sugg : The payload “Mobile Device Management” could not be installed.
US Desc: The profile “Test MDM Profile” could not be installed.
US Sugg: The payload “Mobile Device Management” could not be installed.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"Test MDM Profile"
)
...Underlying error:
NSError:
Desc : The payload “Mobile Device Management” could not be installed.
Sugg : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The payload “Mobile Device Management” could not be installed.
US Sugg: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"Mobile Device Management"
)
...Underlying error:
NSError:
Desc : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCHTTPTransactionErrorDomain
Code : 23002
Type : MCFatalError
Params : (
"https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin"
)
Oct 28 11:14:23 iPhone4S profiled[219] <Notice>: (Error) MC: Profile “com.Test.mdm.profile” failed to install with error: NSError:
Desc : Profile Failed to Install
Sugg : The profile “Test MDM Profile” could not be installed.
US Desc: Profile Failed to Install
US Sugg: The profile “Test MDM Profile” could not be installed.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
...Underlying error:
NSError:
Desc : The profile “Test MDM Profile” could not be installed.
Sugg : The payload “Mobile Device Management” could not be installed.
US Desc: The profile “Test MDM Profile” could not be installed.
US Sugg: The payload “Mobile Device Management” could not be installed.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"Test MDM Profile"
)
...Underlying error:
NSError:
Desc : The payload “Mobile Device Management” could not be installed.
Sugg : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The payload “Mobile Device Management” could not be installed.
US Sugg: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"Mobile Device Management"
)
...Underlying error:
NSError:
Desc : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCHTTPTransactionErrorDomain
Code : 23002
Type : MCFatalError
Params : (
"https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin"
)
Oct 28 11:14:24 iPhone4S Preferences[141] <Warning>: -[VPNConnectionStore reloadVPN]: The active VPN configuration has changed from to (null)
Oct 28 11:14:24 iPhone4S Preferences[141] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0x15e531d0:<VPNBundleController: 0x15e531d0>): _serviceCount(0), serviceCount(0), toggleInRootMenu(0), RootMenuItem(1)
Oct 28 11:14:24 iPhone4S profiled[219] <Error>: __MKBAssertionFinalize: __MKBAssertionFinalize(0x14565fa0)
Oct 28 11:14:24 iPhone4S profiled[219] <Notice>: (Error) MC: Installation failed. Error: NSError:
Desc : Profile Installation Failed
Sugg : Profile Failed to Install
US Desc: Profile Installation Failed
US Sugg: Profile Failed to Install
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
...Underlying error:
NSError:
Desc : Profile Failed to Install
Sugg : The profile “Test MDM Profile” could not be installed.
US Desc: Profile Failed to Install
US Sugg: The profile “Test MDM Profile” could not be installed.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
...Underlying error:
NSError:
Desc : The profile “Test MDM Profile” could not be installed.
Sugg : The payload “Mobile Device Management” could not be installed.
US Desc: The profile “Test MDM Profile” could not be installed.
US Sugg: The payload “Mobile Device Management” could not be installed.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"Test MDM Profile"
)
...Underlying error:
NSError:
Desc : The payload “Mobile Device Management” could not be installed.
Sugg : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The payload “Mobile Device Management” could not be installed.
US Sugg: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"Mobile Device Management"
)
...Underlying error:
NSError:
Desc : The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
US Desc: The server certificate for “https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin” is invalid.
Domain : MCHTTPTransactionErrorDomain
Code : 23002
Type : MCFatalError
Params : (
"https://ec2-54-172-70-197.compute-1.amazonaws.com/MDM_Server/mdm/checkin"
)
Oct 28 11:14:25 iPhone4S mc_mobile_tunnel[218] <Notice>: (Note ) MC: mc_mobile_tunnel shutting down.
I fixed this issue by uploading both server.p12 and server.crt in Credentials payload for that config profile.

WSO2 EMM iOS enrollment error: "The Registration Authority's response is invalid"

Setup WSO2 EMM server on a Mac (10.8). Created self-signed certificates according to the iOS server configuration guide:
https://docs.wso2.org/display/EMM100/iOS+Server+Configurations
Was able to successfully download and install the self-signed Root CA on iPad (iOS 7).
However, getting error on iPad during WSO2 Profile Service installation:
"Profile Installation Failed: The Registration Authority's response is invalid."
Tried with both the server domain name and the IP address as the CN for the certificates; got the same error.
There is no error log on the MDM server side.
Here is the iOS error log:
Mar 18 11:55:09 XXXXX-iPad profiled[2191] <Notice>: (Error) MC: Cannot retrieve SCEP identity: NSError:
Desc : The Registration Authority’s response is invalid.
US Desc: The Registration Authority’s response is invalid.
Domain : MCSCEPErrorDomain
Code : 22003
Type : MCFatalError
Mar 18 11:55:09 XXXXX-iPad profiled[2191] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
Desc : The Registration Authority’s response is invalid.
US Desc: The Registration Authority’s response is invalid.
Domain : MCSCEPErrorDomain
Code : 22003
Type : MCFatalError
Mar 18 11:55:09 XXXXX-iPad profiled[2191] <Notice>: (Error) MC: Installation failed. Error: NSError:
Desc : Profile Installation Failed
Sugg : The Registration Authority’s response is invalid.
US Desc: Profile Installation Failed
US Sugg: The Registration Authority’s response is invalid.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
...Underlying error:
NSError:
Desc : The Registration Authority’s response is invalid.
US Desc: The Registration Authority’s response is invalid.
Domain : MCSCEPErrorDomain
Code : 22003
Type : MCFatalError
Extra info:
{
isPrimary = 1;
}
There can be many issues which cause this. First, as in the docs, you have to sign your generated RA using your generated CA. Open the certificate and see whether the signer is the root CA which you have created. The next thing is that when importing to the wso2mobilemdm.jks you have to specify an alias and a private key password. EMM ships with some default configurations. If these do not match your alias and password, this will not work. To check this, just navigate to the {installation folder}/repository/conf/mdm-config.xml file. Check whether you have the proper RA configurations there. Once you change these entries you need to restart the server. Let me know whether this works for you.

Not able to install iPhone app with app store distribution profile

Developed my first iPhone app for internal use and it should be distributed internally.
I am able to successfully install it onto the device when I code sign the build with my developer profile, but I am not able to install the same app (.ipa) using iTunes when I code sign the build with the App Store distribution profile. I am getting the following error.
Oct 1 15:52:32 unknown installd[462] <Error>: profile not valid: 0xe8008012
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 install_embedded_profile: Could not install embedded profile: -402620398
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 verify_signer_identity: Could not copy validate signature: -402620395
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 preflight_application_install: Could not verify executable at /var/tmp/install_staging.1JP9zU/foo_extracted/Payload/mi-ios.app
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 install_application: Could not preflight application install
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 handle_install: API failed
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 send_message: failed to send mach message of 71 bytes: 10000003
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 send_error: Could not send error response to client
I made sure the distribution profile is valid (I have the private key and certificate installed on my Mac).
I am not sure what I am missing here. I followed every step given at the iOS Dev Center. Any help would be appreciated.
The App Store profile is, as its name implies, for use only when distributing via the App Store. It exists for signing your app for distribution via the App Store and can't be used for any other purpose. Unless you install an app that has been signed by it via the App Store it will, quite correctly, fail.
If you want to distribute an app for internal use to a few devices and for a relatively short period, you should use an ad hoc profile; if to a lot of users for an extended period, you need to register as a corporate developer and follow a different process.
