Automx2 vs. automx

Ralph Seichter automx2 at seichter.de
Sat Jan 4 23:12:33 CET 2020


* Dan Brown:

> I commented on this issue, though it really isn't quite what I had in
> mind.

We are at a conceptual stage, and I encourage you to elaborate on your
own requirements, if your existing comment does not cover them
yet. Other than the email-to-login lookup I mentioned and the real name
lookup you proposed, there might be aspects I am missing. I had no need
for LDAP support myself so far, and the amount of resources that can
currently be invested into automx2 is strictly limited. Patrick and I
need to know what is required before making decisions.

> Unless something's changed drastically in the last year or so,
> .mobileconfig profiles can be signed with any standard TLS
> certificate.

That's what I thought, and what I used before. I have been operating
a certificate authority for my customers since long before the days of
Let's Encrypt and have a pretty solid understanding of all the mechanics
involved, but I hit unexpected obstacles with macOS Catalina and iOS 13.
I have even asked Apple's support, but they effectively told me to
subscribe, obtain an "official certificate", and all would be well.

I actually use a separate profile, transferred to iOS devices via USB,
that contains my own CA's certificate chain, and that used to suffice in
the past.

> The last time I tried importing an unsigned .mobileconfig profile, the
> device complained pretty loudly before importing it.

I can see people being put off by the warning, no question about
that. My recommendation is to educate users about the popups they are
going to experience beforehand, ideally including screenshots.

-Ralph


More information about the automx-users mailing list