Question

I have a configuration profile with an MDM payload and a Wi-Fi payload. I have a few questions:

  1. What is the difference between the Identification Payload and the Profile Removal Password Payload? I know that the second one is prompted for if the user wants to remove the profile.
  2. Will I be able to have a Profile Removal Password Payload for my profile with an MDM payload?
  3. How do I encrypt my .mobileconfig file? Should I use a CA certificate for encrypting the profile?

Solution

1) I think you are talking about identity profile (vs identification profile).

This profile is to give a device some identity (a certificate and a private key) which it will use to authenticate itself to the server.

It could be PKCS12 (which is a format that combines both a cert and a key) or SCEP (which is a protocol to obtain a certificate).

2) The MDM profile is always removable (except in the case where the device is supervised).

3) That's exactly where the identity payload is used. You should encrypt a profile using a certificate of this device. So, if you need to encrypt a profile and send it to 5 different devices, you will actually need to have an identity (cert) for each of these 5 devices, and you will need to create 5 copies of this profile and encrypt each one using that device's cert.

OTHER TIPS

I can only answer your third question, how to encrypt a .mobileconfig file. For this I wrote a utility method:


```
import cn.hutool.core.io.FileUtil;
// NSDictionary, NSData, NSObject and PropertyListParser come from dd-plist
// (package com.dd.plist), which is a separate artifact from hutool.
import com.dd.plist.NSData;
import com.dd.plist.NSDictionary;
import com.dd.plist.NSObject;
import com.dd.plist.PropertyListFormatException;
import com.dd.plist.PropertyListParser;
import org.xml.sax.SAXException;

import javax.xml.parsers.ParserConfigurationException;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.text.ParseException;

/**
 * Encrypt the PayloadContent of a .mobileconfig file for one device.
 * @param configPath plaintext profile, e.g. ./data/123.mobileconfig
 * @param outPath    where the encrypted profile is written, e.g. ./data/123.encrypted.mobileconfig
 * @param certPath   the device's certificate in PEM form, e.g. ./data/cert.pem
 */
public static void encryptionMobile(String configPath, String outPath, String certPath)
        throws IOException, ParserConfigurationException, ParseException, SAXException,
        PropertyListFormatException, InterruptedException {

    NSDictionary rootDict = (NSDictionary) PropertyListParser.parse(FileUtil.readBytes(new File(configPath)));
    NSObject payloadContent = rootDict.get("PayloadContent");
    if (payloadContent == null) {
        throw new IllegalArgumentException("profile has no PayloadContent (already encrypted?)");
    }
    // The plaintext that gets encrypted is the PayloadContent array serialised as its own XML plist.
    String payloadContentXml = payloadContent.toXMLPropertyList();

    // Two distinct temp files with unpredictable names. Naming both after the same
    // System.currentTimeMillis() value makes openssl read and write the same path.
    File tempPlist = Files.createTempFile("profile-", ".plist").toFile();
    File tempDer = Files.createTempFile("profile-", ".der").toFile();
    try {
        FileUtil.writeBytes(payloadContentXml.getBytes(StandardCharsets.UTF_8), tempPlist);

        // Argument list instead of a shell command string: paths containing spaces or
        // shell metacharacters stay plain arguments and cannot inject extra commands.
        Process p = new ProcessBuilder("openssl", "smime", "-encrypt", "-aes128", "-binary",
                "-outform", "DER", "-in", tempPlist.getAbsolutePath(),
                "-out", tempDer.getAbsolutePath(), new File(certPath).getAbsolutePath())
                .redirectErrorStream(true).start();
        String output = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (p.waitFor() != 0) {
            throw new IOException("openssl smime -encrypt failed: " + output);
        }

        byte[] cms = FileUtil.readBytes(tempDer);
        rootDict.remove("PayloadContent");
        // NSData takes the raw DER bytes; dd-plist base64-encodes them into <data> when writing XML.
        rootDict.put("EncryptedPayloadContent", new NSData(cms));
        PropertyListParser.saveAsXML(rootDict, new File(outPath));
    } finally {
        // The temp plist holds the clear-text payloads (Wi-Fi passwords etc.): always remove it.
        FileUtil.del(tempPlist);
        FileUtil.del(tempDer);
    }
}
```

This is the Maven dependency:

```
<dependency>
 <groupId>cn.hutool</groupId>
 <artifactId>hutool-all</artifactId>
 <version>5.7.14</version>
</dependency>
```

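Both answers describe the same procedure: serialise the PayloadContent array as its own plist, CMS-encrypt it with `openssl smime -encrypt` to the device's certificate, and store the DER blob as EncryptedPayloadContent, repeating this once per device. The following is an added example that belongs to neither answer; it uses Python's standard `plistlib` plus the `openssl` CLI (assumed to be on PATH). The profile, its identifiers and the two self-signed "device" identities are constructed here as stand-ins for identities a real device would receive through a PKCS12 or SCEP payload. It goes one step beyond the answers by playing the device side as well: each copy is decrypted with its own key, and the copy for one device is shown to be unreadable by the other.

```python
"""Per-device encryption of a .mobileconfig, as the answers above describe it.

Added example, not the original post's code. Assumes the `openssl` CLI is on
PATH; the profile and the two device identities are constructed here."""
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

OPENSSL_AVAILABLE = shutil.which("openssl") is not None

# Constructed sample profile: a Wi-Fi payload whose password must not ship in clear text.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile",              # assumed identifier
    "PayloadUUID": "6F4D2B1A-1111-4222-8333-444455556666",    # constructed
    "PayloadDisplayName": "Example Wi-Fi profile",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.wifi.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.profile.wifi",
            "PayloadUUID": "6F4D2B1A-1111-4222-8333-444455557777",  # constructed
            "SSID_STR": "corp-wifi",
            "EncryptionType": "WPA",
            "Password": "constructed-wifi-secret",
        }
    ],
}


def openssl(*args: str) -> bytes:
    """Run openssl with an argument list (no shell, so file paths cannot inject commands)."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def make_device_identity(workdir: Path, name: str) -> tuple[Path, Path]:
    """Constructed stand-in for a device identity: self-signed cert plus private key."""
    key, cert = workdir / f"{name}.key", workdir / f"{name}.crt"
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", f"/CN={name}", "-keyout", str(key), "-out", str(cert))
    return key, cert


def encrypt_profile(profile: dict, device_cert: Path, workdir: Path) -> bytes:
    """Return an XML .mobileconfig whose PayloadContent is CMS-encrypted to device_cert.

    The plaintext is the PayloadContent array serialised as its own plist; the
    S/MIME (CMS) DER blob becomes EncryptedPayloadContent, written as <data>."""
    plain = workdir / "payload.plist"
    plain.write_bytes(plistlib.dumps(profile["PayloadContent"], fmt=plistlib.FMT_XML))
    try:
        cms = openssl("smime", "-encrypt", "-aes128", "-binary", "-outform", "DER",
                      "-in", str(plain), str(device_cert))
    finally:
        plain.unlink()  # this temp file holds the clear-text payloads
    outer = {k: v for k, v in profile.items() if k != "PayloadContent"}
    outer["EncryptedPayloadContent"] = cms
    return plistlib.dumps(outer, fmt=plistlib.FMT_XML)


def decrypt_payload(encrypted_profile: bytes, key: Path, cert: Path, workdir: Path) -> list:
    """What the receiving device does: decrypt with its private key, parse the inner plist."""
    outer = plistlib.loads(encrypted_profile)
    blob = workdir / "blob.der"
    blob.write_bytes(outer["EncryptedPayloadContent"])
    try:
        plain = openssl("smime", "-decrypt", "-inform", "DER", "-in", str(blob),
                        "-recip", str(cert), "-inkey", str(key))
    finally:
        blob.unlink()
    return plistlib.loads(plain)


def demo() -> dict:
    """Encrypt one profile for two devices and check which device can read which copy."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        ids = {n: make_device_identity(work, n) for n in ("device-a", "device-b")}
        copies = {n: encrypt_profile(SAMPLE_PROFILE, cert, work) for n, (_, cert) in ids.items()}
        a_key, a_cert = ids["device-a"]
        b_key, b_cert = ids["device-b"]
        recovered = decrypt_payload(copies["device-a"], a_key, a_cert, work)
        try:  # device B has no RecipientInfo in A's copy, so openssl exits non-zero
            decrypt_payload(copies["device-a"], b_key, b_cert, work)
            other_device_recovers = True
        except subprocess.CalledProcessError:
            other_device_recovers = False
        return {
            "copies_differ": copies["device-a"] != copies["device-b"],
            "password_in_clear": b"constructed-wifi-secret" in copies["device-a"],
            "plaintext_key_left": b"<key>PayloadContent</key>" in copies["device-a"],
            "own_device_recovers": recovered == SAMPLE_PROFILE["PayloadContent"],
            "other_device_recovers": other_device_recovers,
        }


if __name__ == "__main__":
    print(demo())
```

The loop in `demo()` is the "5 copies for 5 devices" from the first answer: the recipient certificate is what ties a copy to one device, so there is no single encrypted file that every device can open. The temp file holding the clear-text payloads is removed in a `finally` block because it is the sensitive artifact of the whole process.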
Licensed under: CC-BY-SA with attribution