iOS 12.3 - changes in configuration profiles

There seems to be one change in the configuration profile reference docs.

Removed allowSiriServerLogging from the Restrictions Payload

In my opinion the error comes exactly because there’s already a payload with that PayloadUUID installed. Did you try removing this profile and reinstalling it?

Yes. I even reset the iPhone and I have the same issue.

It happens if the profile fails to install once. It seems the phone never erases the profile completely. When you try to reinstall it you will see the message "The UUID for the profile “Application Management Profile” is not unique."

I had to completely wipe the device (erase settings and data) to be able to enroll again and not see the message.

This is a pain.

I see. Do you not generate a new PayloadUUID on every profile install operation? I think it should be unique per installation operation and not just per profile.

We do generate a unique PayloadUUID. I am wondering whether Apple properly cleans up the failing profile.

When we install the profile, at the last step of the install we see a system pop-up saying “Couldn’t communicate with a helper application”. We close the Settings window by swiping. We are then able to install applications and list managed applications even if there is no profile listed in iOS Settings.

First, we are not able to understand “Couldn’t communicate with a helper application”; second, it seems there is a dirty profile that we cannot see and delete in iOS Settings.

Errors we see in console log when doing the install of the profile:

default	14:59:46.784522 +0200	Preferences	Install profile data, interactive error. Error: NSError:
Desc   : Couldn’t communicate with a helper application.
Sugg   : Try your operation again. If that fails, quit and relaunch the application and try again.
Domain : NSCocoaErrorDomain
Code   : 4097
Extra info:
{
    NSDebugDescription = "connection to service named com.apple.managedconfiguration.profiled";
}

Then something that is probably related.

default    14:59:46.789071 +0200    profiled    *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSDictionaryM setObject:forKey:]: object cannot be nil (key: CertSubject)'
*** First throw call stack:
(0x1a047127c 0x19f64b9f8 0x1a03eace8 0x1a035fb18 0x1a33cd6a4 0x1a33f0954 0x1a33bc6d8 0x1a3429fc0 0x1a3429f64 0x1009db2fc 0x1009deca4 0x100973ac8 0x19feb0a38 0x19feb17d4 0x19fe5a450 0x19fe5ae3c 0x19fe634a8 0x1a0091114 0x1a0093cd4)

What is the content/purpose of this profile?
Is it management, configuration or provisioning?

They are configuration profiles (PayloadType = Configuration) to install an app then MDM.

I opened a bug report with Apple.

Thanks for your help.

Not sure what you mean by configuration profiles to install an app?

AFAIK remote application installs require an InstallApplication command issued to them; there is no reference in the configuration profile for app installation. InstallApplication directs the device to either pull an app from the App Store or download a Manifest file (https://help.apple.com/deployment/ios/#/apda0e3426d7) that has instructions on the app installation (in-house apps).

If your devices are MDM enrolled you can issue the commands “ProfileList” and “ProvisioningProfileList” to retrieve a list of installed profiles and their UUIDs.

How are you installing the profiles (via a webserver/apple configurator)? Which MDM solution are you using?


That payload was only released in iOS 12.2; wonder why it was removed so soon.

Sorry, I was not clear. It is just a configuration; afterwards apps are pushed via the InstallApplication command.

You are completely correct about InstallApplication; this is what we do.

Good idea for the “ProfileList” and “ProvisioningProfileList”.

I am working for Appaloosa and we are installing profiles via webserver.

Something has been changed in iOS 12.3 and also iOS 12.4, and the documentation hasn’t been modified.

The subject in SCEP payload is now mandatory (from https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf).

If it is not present:

default    14:59:46.789071 +0200    profiled    *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSDictionaryM setObject:forKey:]: object cannot be nil (key: CertSubject)'
*** First throw call stack:
(0x1a047127c 0x19f64b9f8 0x1a03eace8 0x1a035fb18 0x1a33cd6a4 0x1a33f0954 0x1a33bc6d8 0x1a3429fc0 0x1a3429f64 0x1009db2fc 0x1009deca4 0x100973ac8 0x19feb0a38 0x19feb17d4 0x19fe5a450 0x19fe5ae3c 0x19fe634a8 0x1a0091114 0x1a0093cd4)

And your phone raises a popup “Couldn’t communicate with a helper application”.

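A pre-flight check for the failure reported above, as an added example that is not part of the original thread or of Apple's tooling: it parses an unsigned configuration profile and flags any SCEP payload whose `Subject` is absent or malformed, or whose `URL` is missing, before the profile is served to an iOS 12.3 device. The function names and the sample profile are constructed for illustration; the `Subject` layout (an array of RDNs, each an array of `[attribute, value]` pairs) is assumed from the Configuration Profile Reference.

```python
import plistlib

SCEP_TYPE = "com.apple.security.scep"  # PayloadType of a SCEP payload

def subject_problem(subject):
    """Return None if Subject looks like [[["CN", "device"]], ...], else a reason."""
    if not isinstance(subject, list) or not subject:
        return "Subject is missing or not a non-empty array"
    for rdn in subject:
        if not isinstance(rdn, list) or not rdn:
            return "Subject contains an empty or non-array RDN"
        for pair in rdn:
            if not (isinstance(pair, list) and len(pair) == 2
                    and all(isinstance(x, str) and x for x in pair)):
                return "Subject RDN entry is not an [attribute, value] pair"
    return None

def lint_scep(data):
    """Return findings for every SCEP payload in an unsigned profile (bytes)."""
    profile, findings = plistlib.loads(data), []
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        if payload.get("PayloadType") != SCEP_TYPE:
            continue
        content = payload.get("PayloadContent")
        if not isinstance(content, dict):
            findings.append(f"payload[{i}]: PayloadContent is not a dictionary")
            continue
        if not content.get("URL"):
            findings.append(f"payload[{i}]: URL is missing")
        reason = subject_problem(content.get("Subject"))
        if reason:
            findings.append(f"payload[{i}]: {reason}")
    return findings

def sample_profile(subject=None):
    """Constructed minimal profile; the URL and UUIDs are made up."""
    scep = {"URL": "https://scep.example.invalid/scep"}
    if subject is not None:
        scep["Subject"] = subject
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadUUID": "11111111-1111-4111-8111-111111111111",
        "PayloadContent": [{
            "PayloadType": SCEP_TYPE, "PayloadVersion": 1,
            "PayloadUUID": "22222222-2222-4222-8222-222222222222",
            "PayloadContent": scep}]})

if __name__ == "__main__":
    print(lint_scep(sample_profile()))  # SCEP payload without Subject
```

A signed profile is a CMS envelope rather than a bare plist, so the signature has to be unwrapped before this check can read it.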

We are able to retrieve profiles via ProfileList but… ProfileList is empty.

You can try installing the MDM diagnostics profile and collecting diagnostics data to see if you can get more detailed information about the error.

https://developer.apple.com/bug-reporting/profiles-and-logs/?platform=ios


Thanks, this is a good idea! I didn’t think about using it this time.

There is an issue on iOS 12.3, 12.3.1, 12.4 beta 1 with an “invisible MDM enrollment”. They are trying to fix the issue at the moment.

In the new documentation the “cert subject” is no longer optional.

It is not clearly defined in that documentation… URL is marked as “Required”… does that mean that everything else is optional… or not…?

I say that because you can read “The SCEP payload can specify an optional SubjectAltName”… but at the same time there is only one (Required)…

I think the doc needs a little bit more clarity. All fields should be marked as optional or required.

It is fixed in iOS 12.4 🙂
