DEP (MDM) Setup Assistant enrollment & Over-the-Air Profile Service Phase 2 & 3 certificates missing

Originator: jesse.c.peterson
Number: rdar://31423312
Date Originated: 2017-04-04
Status: Duplicate/26939947
Resolved:
Product: macOS + SDK
Product Version: 10.12.3
Classification:
Reproducible: Yes

Area:
Something not on this list

Summary:
When a macOS device enrolls with an MDM via DEP or the Over-the-Air Profile Service, the device is supposed to supply every certificate needed to validate its signature to the MDM (or Profile Service). However, macOS does not do this. In the case of DEP it includes only one additional certificate, "CN=Apple iPhone Device CA". In the case of the OTA Profile Service it provides only the signing certificate and no additional certificates at all. This prevents the certificate chain from being verified. The DEP documentation says this should happen:

"The plist is CMS-signed with the device identity certificate. The device’s certificate and all necessary intermediate certificates are included. The certificate chain should validate against the Apple Root CA." This has not been the case on macOS going back to at least OS X 10.10.

iOS, on the other hand, provides the full certificate chain for both OTA Profile Service and DEP enrollment, and the chain can be verified in this way.

Steps to Reproduce:
Perform a Profile Service Over-the-Air Enrollment or DEP Enrollment in macOS.

Expected Results:
The full certificate chain should be provided in the CMS/PKCS#7 container, as the documentation states. In other words, macOS should behave as iOS already does.

Actual Results:
Examine the CMS/PKCS#7-signed data sent to the DEP URL or the OTA Profile Service Phase 2/3 URL. For macOS, it is missing the certificate chain. Perform the same actions on iOS and the intermediate certificates are included.
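The check an MDM (or Profile Service) would run on the certificates it pulls out of the request's CMS container, as an added example that is not part of this report or of any Apple or MDM code. It assumes the certificates have already been extracted from the CMS/PKCS#7 blob (for instance with `openssl pkcs7 -inform DER -print_certs`) and uses a constructed toy PKI in place of Apple's: "Example Root CA" stands in for the Apple Root CA, "Example Device CA" for the issuing intermediate, and "device-0001" for the device identity certificate. The function names, the fixture, and both container shapes (iOS-style with the intermediate, macOS-style with only the device certificate) are assumptions made here for illustration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyEnrollmentChain is the check the MDM should run on the certificates
// carried in the request's CMS container: build a path from the device
// (end-entity) certificate to root using only CAs from the container as
// intermediates, which is what the DEP documentation says must be possible.
// On failure it also names the first issuer the container does not carry,
// which is the gap this report describes.
func VerifyEnrollmentChain(certs []*x509.Certificate, root *x509.Certificate) (missing string, err error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	bySubject := map[string]*x509.Certificate{}
	var leaf *x509.Certificate
	for _, c := range certs {
		bySubject[c.Subject.String()] = c
		if c.IsCA {
			inter.AddCert(c)
		} else {
			leaf = c
		}
	}
	if leaf == nil {
		return "", errors.New("no end-entity certificate in container")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = leaf.Verify(opts); err == nil {
		return "", nil
	}
	// Walk issuer names to report which link is absent from the container.
	for c, n := leaf, 0; n <= len(certs) && c.Issuer.String() != root.Subject.String(); n++ {
		next, ok := bySubject[c.Issuer.String()]
		if !ok {
			return c.Issuer.String(), err
		}
		c = next
	}
	return "", err
}

// ---- constructed fixture: a toy PKI standing in for Apple's, assumed here ----

var serial int64

func mkCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed root
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Fixture returns the certificate set an iOS device sends (device cert plus
// its issuing CA) and the set a macOS device sends per this report (device
// cert only), together with the root the MDM trusts.
func Fixture() (iosCerts, macCerts []*x509.Certificate, root *x509.Certificate) {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	inter, interKey := mkCert("Example Device CA", true, root, rootKey)
	device, _ := mkCert("device-0001", false, inter, interKey)
	return []*x509.Certificate{device, inter}, []*x509.Certificate{device}, root
}

func main() {
	ios, mac, root := Fixture()
	for _, certs := range [][]*x509.Certificate{ios, mac} {
		missing, err := VerifyEnrollmentChain(certs, root)
		fmt.Printf("%d cert(s) in container, missing issuer %q, verify: %v\n", len(certs), missing, err)
	}
}
```

The iOS-style set verifies and reports no missing issuer; the macOS-style set fails path building and names "CN=Example Device CA" as the link the container lacks, which is the condition an MDM has to detect rather than silently trusting the signer certificate alone.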

Version:
10.12.3
16C67

Notes:


Configuration:
The problem seems to exist on all OS X and macOS devices. It does NOT exist on iOS.

Attachments:

Comments

Marked as Duplicate of 26939947 (Open).

By jesse.c.peterson at April 17, 2017, 10:37 p.m.
