Automx2 vs. automx

Dan Brown dan at
Sat Jan 4 21:19:05 CET 2020

On 1/3/20 3:28 PM, Ralph Seichter wrote:
> I opened to allow you and

I commented on this issue, though it really isn't quite what I had in mind.

> Looks like Apple wants me to "pay to play" by subscribing as a developer
> and thereby obtaining an Apple-issued signing certificate. Even if I did

Unless something's changed drastically in the last year or so,
.mobileconfig profiles can be signed with any standard TLS certificate. 
At that time (before I found automx), I was able to hand-generate a
.mobileconfig file, manually sign it (details are hazy, but I'm pretty
sure it involved more than one invocation of openssl--I can't say for
sure that these
are the instructions I used, but they look about right) with a cert from
Let's Encrypt, and my iPhone would import it without complaints.

This of course means Automx needs access to a cert, including its
private key, but it's easy enough to create a dedicated cert for that
purpose using Let's Encrypt.

Automx supports signing these files, but it doesn't include the
intermediate CA cert, even when it's fed that cert as part of the
signing cert.  This results in a validation error when the user tries to
import the profile.

> Given that the typical use case is opening
> unsigned profiles are not really an issue, IMO. Server

The last time I tried importing an unsigned .mobileconfig profile, the
device complained pretty loudly before importing it.  This could have
changed too, I guess, but it was a non-trivial set of warnings.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the automx-users mailing list