<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 1/3/20 3:28 PM, Ralph Seichter
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:87mub48euh.fsf@wedjat.horus-it.com">
<pre class="moz-quote-pre" wrap="">I opened <a class="moz-txt-link-freetext" href="https://gitlab.com/automx/automx2/issues/10">https://gitlab.com/automx/automx2/issues/10</a> to allow you and
</pre>
</blockquote>
<p>I commented on this issue, though it really isn't quite what I
had in mind.<br>
</p>
<blockquote type="cite"
cite="mid:87mub48euh.fsf@wedjat.horus-it.com">
<pre class="moz-quote-pre" wrap="">Looks like Apple wants me to "pay to play" by subscribing as a developer
and thereby obtaining an Apple-issued signing certificate. Even if I did</pre>
</blockquote>
<p>Unless something's changed drastically in the last year or so,
.mobileconfig profiles can be signed with any standard TLS
certificate. At that time (before I found automx), I was able to
hand-generate a .mobileconfig file, manually sign it (details are
hazy, but I'm pretty sure it involved more than one invocation of
openssl--I can't say for sure that <a moz-do-not-send="true"
href="http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html">these</a>
are the instructions I used, but they look about right) with a
cert from Let's Encrypt, and my iPhone would import it without
complaints.</p>
<p>This of course means Automx needs access to a cert, including its
private key, but it's easy enough to create a dedicated cert for
that purpose using Let's Encrypt.<br>
</p>
<p>Automx supports signing these files, but it doesn't include the
intermediate CA cert, even when it's fed that cert as part of the
signing cert. This results in a validation error when the user
tries to import the profile.
</p>
<blockquote type="cite"
cite="mid:87mub48euh.fsf@wedjat.horus-it.com">
<pre class="moz-quote-pre" wrap="">Given that the typical use case is opening
<a class="moz-txt-link-freetext" href="https://foo.example.com/mobileconfig/?emailaddress=x@example.com">https://foo.example.com/mobileconfig/?emailaddress=x@example.com</a>
unsigned profiles are not really an issue, IMO. Server foo.example.com
</pre>
</blockquote>
<p>The last time I tried importing an unsigned .mobileconfig
profile, the device complained pretty loudly before importing it.
This could have changed too, I guess, but it was a non-trivial set
of warnings.<br>
</p>
<br>
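<p>Added example, not part of the original message and not automx code: the missing-intermediate failure described above, reproduced with a throwaway root CA, intermediate CA and signing cert. It signs a constructed profile stub with <code>openssl smime</code> once without and once with <code>-certfile</code>, then verifies each against the root alone. All file names, subject names and the profile stub are assumptions made for the demo.</p>
<pre>
```shell
#!/bin/sh
# Constructed demo PKI and profile stub; file and subject names are made up.
W=$(mktemp -d) && cd "$W" || exit 1
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# issue NAME ISSUER [x509 options]: new key and cert; ISSUER = NAME is self-signed
issue() {
  name=$1 issuer=$2; shift 2
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
  if [ "$name" = "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 "$@" \
      -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 2 "$@" -out "$name.pem" 2>/dev/null
  fi
}

# sign_profile OUT [smime options]: DER, non-detached, signed by the leaf cert
sign_profile() {
  out=$1; shift
  openssl smime -sign -binary -nodetach -outform DER -signer leaf.pem \
    -inkey leaf.key "$@" -in demo.mobileconfig -out "$out" 2>/dev/null
}

# verify_profile FILE: succeeds only if the chain builds up to the demo root
verify_profile() {
  openssl smime -verify -inform DER -in "$1" -CAfile root.pem -out /dev/null 2>/dev/null
}

# embedded_certs FILE: how many certificates the signature carries
embedded_certs() {
  openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null | grep -c '^subject'
}

issue root root -extfile ca.ext && issue inter root -extfile ca.ext &&
  issue leaf inter || exit 1
printf 'constructed stand-in for a profile plist\n' > demo.mobileconfig
sign_profile leaf-only.mobileconfig                       # signer cert only
sign_profile with-chain.mobileconfig -certfile inter.pem  # plus intermediate

for f in leaf-only.mobileconfig with-chain.mobileconfig; do
  if verify_profile "$f"; then r="verifies"; else r="FAILS to verify"; fi
  echo "$f: $(embedded_certs "$f") cert(s) embedded, $r against root only"
done
```
</pre>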
</body>
</html>