How-to sign an iOS configuration profile generated programmatically?











up vote
0
down vote

favorite












Context



I have a webapp (frontend JS / backend PHP) that generates some MDM iOS configuration profiles (*.mobileconfig) programmatically.



Website users enter some informations, call my PHP api, and my PHP backend generates a configuration profile "on-the-fly" with the user-specific data, save it on the server, and return back the URL of the generated profile, so the user can click this link and install it on its iOS device.



In short: this profile contains in its payload only a webclip (safari shortcut).



Everything works fine, the configuration profile link opens the iOS Settings app that asks the user to install this profile on its device.



My problem is that this programmatically generated profile is not signed. So the user is warned by iOS that the profile is not signed and he must do several additional actions to confirm the profile installation.



I would like that the generated profiles to be signed, so the user can install them more easily and quickly.



Questions




  • is it possible?

  • if yes, is it possible with PHP?

  • if yes, how can I do that?


I read some ressources about signing configuration profiles, by I don't understant everything, I din't have any skills about signing, certificates etc.



That's not clear for me!



Any help appreciated, thanks in advance!










share|improve this question


























    up vote
    0
    down vote

    favorite












    Context



    I have a webapp (frontend JS / backend PHP) that generates some MDM iOS configuration profiles (*.mobileconfig) programmatically.



    Website users enter some informations, call my PHP api, and my PHP backend generates a configuration profile "on-the-fly" with the user-specific data, save it on the server, and return back the URL of the generated profile, so the user can click this link and install it on its iOS device.



    In short: this profile contains in its payload only a webclip (safari shortcut).



    Everything works fine, the configuration profile link opens the iOS Settings app that asks the user to install this profile on its device.



    My problem is that this programmatically generated profile is not signed. So the user is warned by iOS that the profile is not signed and he must do several additional actions to confirm the profile installation.



    I would like that the generated profiles to be signed, so the user can install them more easily and quickly.



    Questions




    • is it possible?

    • if yes, is it possible with PHP?

    • if yes, how can I do that?


    I read some ressources about signing configuration profiles, by I don't understant everything, I din't have any skills about signing, certificates etc.



    That's not clear for me!



    Any help appreciated, thanks in advance!










    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      Context



      I have a webapp (frontend JS / backend PHP) that generates some MDM iOS configuration profiles (*.mobileconfig) programmatically.



      Website users enter some informations, call my PHP api, and my PHP backend generates a configuration profile "on-the-fly" with the user-specific data, save it on the server, and return back the URL of the generated profile, so the user can click this link and install it on its iOS device.



      In short: this profile contains in its payload only a webclip (safari shortcut).



      Everything works fine, the configuration profile link opens the iOS Settings app that asks the user to install this profile on its device.



      My problem is that this programmatically generated profile is not signed. So the user is warned by iOS that the profile is not signed and he must do several additional actions to confirm the profile installation.



      I would like that the generated profiles to be signed, so the user can install them more easily and quickly.



      Questions




      • is it possible?

      • if yes, is it possible with PHP?

      • if yes, how can I do that?


      I read some ressources about signing configuration profiles, by I don't understant everything, I din't have any skills about signing, certificates etc.



      That's not clear for me!



      Any help appreciated, thanks in advance!










      share|improve this question













      Context



      I have a webapp (frontend JS / backend PHP) that generates some MDM iOS configuration profiles (*.mobileconfig) programmatically.



      Website users enter some informations, call my PHP api, and my PHP backend generates a configuration profile "on-the-fly" with the user-specific data, save it on the server, and return back the URL of the generated profile, so the user can click this link and install it on its iOS device.



      In short: this profile contains in its payload only a webclip (safari shortcut).



      Everything works fine, the configuration profile link opens the iOS Settings app that asks the user to install this profile on its device.



      My problem is that this programmatically generated profile is not signed. So the user is warned by iOS that the profile is not signed and he must do several additional actions to confirm the profile installation.



      I would like that the generated profiles to be signed, so the user can install them more easily and quickly.



      Questions




      • is it possible?

      • if yes, is it possible with PHP?

      • if yes, how can I do that?


      I read some ressources about signing configuration profiles, by I don't understant everything, I din't have any skills about signing, certificates etc.



      That's not clear for me!



      Any help appreciated, thanks in advance!







      php ios mdm signing configuration-profile






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 22 at 16:01









      TooLiPHoNe.NeT

      1271112




      1271112
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote



          accepted










          Yes you can. Also with PHP.



          How?





          1. Save the profile you want to sign to a temp file:




            file_put_contents ($tmp_file_name, $profile_data);





          2. Sign the file you have just created:




            $data = shell_exec ("openssl smime -sign -in $tmp_file_name {add here another parameters you need...}");





          3. Send the data to the client:




            echo $data;





          4. Delete the tmp file...




            unlink ($tmp_file_name);









          share|improve this answer





















          • That's sounds great, thanks. However, which infos do you put on "{add here another parameters you need...}" ? I guess I have to put some Apple certificates informations elsewhere? Is that linked to the Apple developer certificate you have to generate in order to publish apps on the appstore? I'm sorry for being so dunb, I'm a JS frontend developer so that is really not my comfort zone!!
            – TooLiPHoNe.NeT
            Nov 30 at 9:54












          • See here: discussions.apple.com/thread/4907079 > openssl smime -sign -signer your_server.crt -inkey your_server_cert_key.pem -certfile your_server_cert_chain.pem -nodetach -outform der -in your_unsigned_profile.mobileconfig -out your_signed_profile.mobileconfig
            – zvi
            Dec 1 at 17:03












          • @TooLiPHoNe.NeT and please mark answer as accepted.
            – zvi
            Dec 2 at 7:54










          • yes thaks! I saw and bookmarked this link indeed. So I guess I now have to generate *.pem files from the p12 file from the iOS developer certificate (I've read other things about that). And I have to enroll the Apple's dev program first of course, or buy another certificate.
            – TooLiPHoNe.NeT
            Dec 2 at 22:25










          • I'd like to mark as accepted after I confirm it is working for my case, but this could take some time for me to test that so I accpet your answer, it will help me a lot. I'll tell you back here when I'll manage to have some time to implement all this. thanks
            – TooLiPHoNe.NeT
            Dec 2 at 22:26











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53434631%2fhow-to-sign-an-ios-configuration-profile-generated-programmatically%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote



          accepted










          Yes you can. Also with PHP.



          How?





          1. Save the profile you want to sign to a temp file:




            file_put_contents ($tmp_file_name, $profile_data);





          2. Sign the file you have just created:




            $data = shell_exec ("openssl smime -sign -in $tmp_file_name {add here another parameters you need...}");





          3. Send the data to the client:




            echo $data;





          4. Delete the tmp file...




            unlink ($tmp_file_name);









          share|improve this answer





















          • That's sounds great, thanks. However, which infos do you put on "{add here another parameters you need...}" ? I guess I have to put some Apple certificates informations elsewhere? Is that linked to the Apple developer certificate you have to generate in order to publish apps on the appstore? I'm sorry for being so dunb, I'm a JS frontend developer so that is really not my comfort zone!!
            – TooLiPHoNe.NeT
            Nov 30 at 9:54












          • See here: discussions.apple.com/thread/4907079 > openssl smime -sign -signer your_server.crt -inkey your_server_cert_key.pem -certfile your_server_cert_chain.pem -nodetach -outform der -in your_unsigned_profile.mobileconfig -out your_signed_profile.mobileconfig
            – zvi
            Dec 1 at 17:03












          • @TooLiPHoNe.NeT and please mark answer as accepted.
            – zvi
            Dec 2 at 7:54










          • yes thaks! I saw and bookmarked this link indeed. So I guess I now have to generate *.pem files from the p12 file from the iOS developer certificate (I've read other things about that). And I have to enroll the Apple's dev program first of course, or buy another certificate.
            – TooLiPHoNe.NeT
            Dec 2 at 22:25










          • I'd like to mark as accepted after I confirm it is working for my case, but this could take some time for me to test that so I accpet your answer, it will help me a lot. I'll tell you back here when I'll manage to have some time to implement all this. thanks
            – TooLiPHoNe.NeT
            Dec 2 at 22:26















          up vote
          1
          down vote



          accepted










          Yes you can. Also with PHP.



          How?





          1. Save the profile you want to sign to a temp file:




            file_put_contents ($tmp_file_name, $profile_data);





          2. Sign the file you have just created:




            $data = shell_exec ("openssl smime -sign -in $tmp_file_name {add here another parameters you need...}");





          3. Send the data to the client:




            echo $data;





          4. Delete the tmp file...




            unlink ($tmp_file_name);









          share|improve this answer





















          • That's sounds great, thanks. However, which infos do you put on "{add here another parameters you need...}" ? I guess I have to put some Apple certificates informations elsewhere? Is that linked to the Apple developer certificate you have to generate in order to publish apps on the appstore? I'm sorry for being so dunb, I'm a JS frontend developer so that is really not my comfort zone!!
            – TooLiPHoNe.NeT
            Nov 30 at 9:54












          • See here: discussions.apple.com/thread/4907079 > openssl smime -sign -signer your_server.crt -inkey your_server_cert_key.pem -certfile your_server_cert_chain.pem -nodetach -outform der -in your_unsigned_profile.mobileconfig -out your_signed_profile.mobileconfig
            – zvi
            Dec 1 at 17:03












          • @TooLiPHoNe.NeT and please mark answer as accepted.
            – zvi
            Dec 2 at 7:54










          • yes thaks! I saw and bookmarked this link indeed. So I guess I now have to generate *.pem files from the p12 file from the iOS developer certificate (I've read other things about that). And I have to enroll the Apple's dev program first of course, or buy another certificate.
            – TooLiPHoNe.NeT
            Dec 2 at 22:25










          • I'd like to mark as accepted after I confirm it is working for my case, but this could take some time for me to test that so I accpet your answer, it will help me a lot. I'll tell you back here when I'll manage to have some time to implement all this. thanks
            – TooLiPHoNe.NeT
            Dec 2 at 22:26













          up vote
          1
          down vote



          accepted







          up vote
          1
          down vote



          accepted






          Yes you can. Also with PHP.



          How?





          1. Save the profile you want to sign to a temp file:




            file_put_contents ($tmp_file_name, $profile_data);





          2. Sign the file you have just created:




            $data = shell_exec ("openssl smime -sign -in $tmp_file_name {add here another parameters you need...}");





          3. Send the data to the client:




            echo $data;





          4. Delete the tmp file...




            unlink ($tmp_file_name);









          share|improve this answer












          Yes you can. Also with PHP.



          How?





          1. Save the profile you want to sign to a temp file:




            file_put_contents ($tmp_file_name, $profile_data);





          2. Sign the file you have just created:




            $data = shell_exec ("openssl smime -sign -in $tmp_file_name {add here another parameters you need...}");





          3. Send the data to the client:




            echo $data;





          4. Delete the tmp file...




            unlink ($tmp_file_name);










          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 29 at 8:48









          zvi

          398310




          398310












          • That's sounds great, thanks. However, which infos do you put on "{add here another parameters you need...}" ? I guess I have to put some Apple certificates informations elsewhere? Is that linked to the Apple developer certificate you have to generate in order to publish apps on the appstore? I'm sorry for being so dunb, I'm a JS frontend developer so that is really not my comfort zone!!
            – TooLiPHoNe.NeT
            Nov 30 at 9:54












          • See here: discussions.apple.com/thread/4907079 > openssl smime -sign -signer your_server.crt -inkey your_server_cert_key.pem -certfile your_server_cert_chain.pem -nodetach -outform der -in your_unsigned_profile.mobileconfig -out your_signed_profile.mobileconfig
            – zvi
            Dec 1 at 17:03












          • @TooLiPHoNe.NeT and please mark answer as accepted.
            – zvi
            Dec 2 at 7:54










          • yes thaks! I saw and bookmarked this link indeed. So I guess I now have to generate *.pem files from the p12 file from the iOS developer certificate (I've read other things about that). And I have to enroll the Apple's dev program first of course, or buy another certificate.
            – TooLiPHoNe.NeT
            Dec 2 at 22:25










          • I'd like to mark as accepted after I confirm it is working for my case, but this could take some time for me to test that so I accpet your answer, it will help me a lot. I'll tell you back here when I'll manage to have some time to implement all this. thanks
            – TooLiPHoNe.NeT
            Dec 2 at 22:26


















          • That's sounds great, thanks. However, which infos do you put on "{add here another parameters you need...}" ? I guess I have to put some Apple certificates informations elsewhere? Is that linked to the Apple developer certificate you have to generate in order to publish apps on the appstore? I'm sorry for being so dunb, I'm a JS frontend developer so that is really not my comfort zone!!
            – TooLiPHoNe.NeT
            Nov 30 at 9:54












          • See here: discussions.apple.com/thread/4907079 > openssl smime -sign -signer your_server.crt -inkey your_server_cert_key.pem -certfile your_server_cert_chain.pem -nodetach -outform der -in your_unsigned_profile.mobileconfig -out your_signed_profile.mobileconfig
            – zvi
            Dec 1 at 17:03












          • @TooLiPHoNe.NeT and please mark answer as accepted.
            – zvi
            Dec 2 at 7:54










          • yes thaks! I saw and bookmarked this link indeed. So I guess I now have to generate *.pem files from the p12 file from the iOS developer certificate (I've read other things about that). And I have to enroll the Apple's dev program first of course, or buy another certificate.
            – TooLiPHoNe.NeT
            Dec 2 at 22:25










          • I'd like to mark as accepted after I confirm it is working for my case, but this could take some time for me to test that so I accpet your answer, it will help me a lot. I'll tell you back here when I'll manage to have some time to implement all this. thanks
            – TooLiPHoNe.NeT
            Dec 2 at 22:26
















          That's sounds great, thanks. However, which infos do you put on "{add here another parameters you need...}" ? I guess I have to put some Apple certificates informations elsewhere? Is that linked to the Apple developer certificate you have to generate in order to publish apps on the appstore? I'm sorry for being so dunb, I'm a JS frontend developer so that is really not my comfort zone!!
          – TooLiPHoNe.NeT
          Nov 30 at 9:54






          That's sounds great, thanks. However, which infos do you put on "{add here another parameters you need...}" ? I guess I have to put some Apple certificates informations elsewhere? Is that linked to the Apple developer certificate you have to generate in order to publish apps on the appstore? I'm sorry for being so dunb, I'm a JS frontend developer so that is really not my comfort zone!!
          – TooLiPHoNe.NeT
          Nov 30 at 9:54














          See here: discussions.apple.com/thread/4907079 > openssl smime -sign -signer your_server.crt -inkey your_server_cert_key.pem -certfile your_server_cert_chain.pem -nodetach -outform der -in your_unsigned_profile.mobileconfig -out your_signed_profile.mobileconfig
          – zvi
          Dec 1 at 17:03






          See here: discussions.apple.com/thread/4907079 > openssl smime -sign -signer your_server.crt -inkey your_server_cert_key.pem -certfile your_server_cert_chain.pem -nodetach -outform der -in your_unsigned_profile.mobileconfig -out your_signed_profile.mobileconfig
          – zvi
          Dec 1 at 17:03














          @TooLiPHoNe.NeT and please mark answer as accepted.
          – zvi
          Dec 2 at 7:54




          @TooLiPHoNe.NeT and please mark answer as accepted.
          – zvi
          Dec 2 at 7:54












          yes thaks! I saw and bookmarked this link indeed. So I guess I now have to generate *.pem files from the p12 file from the iOS developer certificate (I've read other things about that). And I have to enroll the Apple's dev program first of course, or buy another certificate.
          – TooLiPHoNe.NeT
          Dec 2 at 22:25




          yes thaks! I saw and bookmarked this link indeed. So I guess I now have to generate *.pem files from the p12 file from the iOS developer certificate (I've read other things about that). And I have to enroll the Apple's dev program first of course, or buy another certificate.
          – TooLiPHoNe.NeT
          Dec 2 at 22:25












          I'd like to mark as accepted after I confirm it is working for my case, but this could take some time for me to test that so I accpet your answer, it will help me a lot. I'll tell you back here when I'll manage to have some time to implement all this. thanks
          – TooLiPHoNe.NeT
          Dec 2 at 22:26




          I'd like to mark as accepted after I confirm it is working for my case, but this could take some time for me to test that so I accpet your answer, it will help me a lot. I'll tell you back here when I'll manage to have some time to implement all this. thanks
          – TooLiPHoNe.NeT
          Dec 2 at 22:26


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53434631%2fhow-to-sign-an-ios-configuration-profile-generated-programmatically%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          What visual should I use to simply compare current year value vs last year in Power BI desktop

          How to ignore python UserWarning in pytest?

          Alexandru Averescu