Edit Certificates in Mobile-Config XML

Task:

Add user device certificates (e.g., PFX and CER) into Apple mobile-config scripts.  

Solution:  

Encode the PFX and CER files with Base64.  Merge the output with the mobile-config script.  Specific solution steps are listed below.

Mobile-Config Background:   

Mobile-config scripts are simple XML documents.  The XML "code" holds any number of Apple iOS configuration settings.  These scripts are user-friendly and run on iPhones and iPads.  Network Administrators use these scripts for mobile device management (MDM).  For example, a mobile-config script can automatically configure VPN settings.

Apple Configurator 2 is a free application that generates mobile-config files.  It has a user-friendly GUI and is a simple method to manage Apple devices.  Apple Configurator only runs on macOS.  However, mobile-config scripts can be edited with any XML or text editor (e.g., Notepad++): simply copy an existing script and make changes as needed.

Certificate Background:  

PKCS12 is an archive file format that bundles X.509 certificates with a private key.  PKCS12 succeeds Microsoft's PFX archive format; however, PKCS12 and PFX files are interchangeable.  Organizations that use a Windows CA work with PFX files.

CER is a file extension for SSL and TLS certificates.  These files are simply X.509 certificates without private keys.

IKEv2 VPN servers authenticate devices with X.509 certificates.  Authentication requires the user certificate and private key (i.e., PFX).  It generally requires the VPN server certificate and trusted root certificate (i.e., CER).   The mobile-config script provides a user-friendly method to configure IKEv2 and import PFX and CER files.

Solution Steps:  

  1. Use Certutil.exe to encode the PFX file with Base64.  This process creates a new encoded file (*.enc).
    C:\source\cert>certutil -encode iphone.pfx user.enc
  2. Encode CER files (e.g., trusted root and VPN server) as needed.
    C:\source\cert>certutil -encode vpnserver.CER VPNServer.enc
  3. Open the encoded file with any XML editor (e.g., Notepad++).  Copy and paste its contents into the appropriate section within the mobile-config script.

Alternate Solution Steps:

Use Notepad++ to encode the PFX with Base64.

1. Open the PFX with Notepad++.
2. Select all text (Ctrl-A).
3. Right-click the highlighted text → Plug-In Commands → Base64 Encode.
4. The encoded text is ready for the mobile-config script.  Insert this text into the appropriate section within the mobile-config script.

Merge Base64 

Instructions on how to incorporate Base64 PFX into mobile-config:  http://www.stevenjordan.net/2016/11/ikev2-mobile-config-script.html
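The encode-and-merge procedure above, as an added example that is not part of the original post or of Apple's tooling.  It uses Python's standard plistlib, which serialises bytes as the same Base64 <data> element that the hand-pasted certutil output ends up in, so the merge step becomes a dictionary assignment.  It also shows the one caveat of the certutil route: certutil -encode wraps its output in BEGIN/END CERTIFICATE armor lines, which must be dropped before the text goes into the profile.  The payload types com.apple.security.pkcs12 (PFX) and com.apple.security.root (CER) are Apple's; the PayloadIdentifier values, file names and the certificate bytes are constructed for the demo.

```python
import base64
import plistlib
import uuid

# Constructed stand-in bytes for the demo.  In practice read the real files,
# e.g. pfx_bytes = open("iphone.pfx", "rb").read()
SAMPLE_PFX = b"\x30\x82\x01\x00" + b"CONSTRUCTED-PKCS12-ARCHIVE-BYTES"
SAMPLE_ROOT_CER = b"\x30\x82\x01\x00" + b"CONSTRUCTED-DER-ROOT-CERT-BYTES"


def decode_certutil_enc(enc_text):
    """Turn the text of a certutil -encode output file (*.enc) back into raw bytes.

    certutil wraps its Base64 in -----BEGIN/END CERTIFICATE----- armor lines no
    matter what the input was; those lines must not be pasted into a <data>
    element, so they are dropped here before decoding.
    """
    body = "".join(line.strip() for line in enc_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def _base_payload(payload_type, name):
    """Keys every profile payload needs.  The identifier scheme is hypothetical."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{payload_type.rsplit('.', 1)[-1]}.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def pkcs12_payload(pfx_bytes, filename, password=None):
    """User certificate plus private key (PFX/PKCS12): Apple payload type
    com.apple.security.pkcs12.  PayloadContent is given as bytes; plistlib
    writes bytes as a Base64 <data> element, the same encoding certutil produces."""
    payload = _base_payload("com.apple.security.pkcs12", filename)
    payload["PayloadCertificateFileName"] = filename
    payload["PayloadContent"] = pfx_bytes
    if password is not None:
        # The PFX import password travels in the profile in clear text.
        payload["Password"] = password
    return payload


def root_cert_payload(der_bytes, filename):
    """Trusted root or VPN server certificate (CER, no private key):
    Apple payload type com.apple.security.root."""
    payload = _base_payload("com.apple.security.root", filename)
    payload["PayloadCertificateFileName"] = filename
    payload["PayloadContent"] = der_bytes
    return payload


def build_profile(payloads, identifier="com.example.ikev2-certs",
                  display_name="IKEv2 certificates"):
    """Wrap the payloads in the top-level Configuration dictionary and return
    the XML plist bytes that make up the .mobileconfig file."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)  # XML output is plistlib's default format


def demo():
    """Build a profile from the constructed bytes and return the XML plus the
    decoded payload contents so the round trip can be checked."""
    # Simulate the page's certutil step: armored Base64 text -> raw bytes.
    armored = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(SAMPLE_PFX).decode()
               + "-----END CERTIFICATE-----\n")
    pfx = decode_certutil_enc(armored)
    xml = build_profile([
        pkcs12_payload(pfx, "iphone.pfx"),
        root_cert_payload(SAMPLE_ROOT_CER, "rootca.cer"),
    ])
    loaded = plistlib.loads(xml)
    contents = [p["PayloadContent"] for p in loaded["PayloadContent"]]
    return xml, contents


if __name__ == "__main__":
    profile_xml, _ = demo()
    print(profile_xml.decode())
```

Running the block prints the finished profile; the <data> elements it contains are what the manual copy-and-paste step produces.  Reading the profile back with plistlib.loads and comparing PayloadContent to the original file bytes is a cheap way to confirm nothing was truncated or armor-wrapped during the merge.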

Risks

These scripts are simple text files.  Bad things can happen if they fall into the wrong hands.  Take precautions for mobile-config scripts that contain certificates and private keys (i.e., PFX):

  • It's best to distribute scripts via MDM solutions.  
  • These certificates should not be exportable.  
  • Do not install private keys on rooted devices.  
  • IT staff should assist with all manual installations.  
  • Implement a process to ensure safe handling of private keys.  
  • Ensure scripts that contain private keys are deleted when work is complete.  
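A way to enforce the last two points, as an added example that is not part of the original post: scan a directory of .mobileconfig files and report every profile that still carries a PKCS12 payload (the only payload type here that embeds a private key), together with whether the PFX import password ships alongside it.  The com.apple.security.pkcs12 payload type is Apple's; the sample profile, its identifiers and its certificate bytes are constructed for the demo.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Payload types that embed a private key.  com.apple.security.pkcs12 is the
# PFX payload; root/pem certificate payloads carry public material only.
PRIVATE_KEY_PAYLOAD_TYPES = {"com.apple.security.pkcs12"}


def private_key_payloads(profile_bytes):
    """Return one record per payload that carries a private key.

    Each record is (PayloadIdentifier, content length in bytes, whether the
    PFX import password also ships in the profile).  Input that is not a
    plist yields an empty list rather than an exception."""
    try:
        profile = plistlib.loads(profile_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return []
    if not isinstance(profile, dict):
        return []
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") in PRIVATE_KEY_PAYLOAD_TYPES:
            content = payload.get("PayloadContent", b"")
            findings.append((payload.get("PayloadIdentifier", "?"),
                             len(content), "Password" in payload))
    return findings


def scan_directory(root):
    """Walk a directory tree for *.mobileconfig files and map each file that
    still contains a private key to its findings."""
    results = {}
    for path in Path(root).rglob("*.mobileconfig"):
        found = private_key_payloads(path.read_bytes())
        if found:
            results[str(path)] = found
    return results


# Constructed sample profile (identifiers, UUIDs and bytes are made up).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.ikev2-certs",
    "PayloadUUID": "0F6C1C4E-0000-4000-8000-000000000001",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.pkcs12.iphone",
         "PayloadUUID": "0F6C1C4E-0000-4000-8000-000000000002",
         "PayloadContent": b"CONSTRUCTED-PKCS12-BYTES", "Password": "constructed"},
        {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.root.rootca",
         "PayloadUUID": "0F6C1C4E-0000-4000-8000-000000000003",
         "PayloadContent": b"CONSTRUCTED-DER-ROOT-CERT"},
    ],
})

if __name__ == "__main__":
    for ident, size, has_password in private_key_payloads(SAMPLE_PROFILE):
        print(f"{ident}: {size} bytes of PKCS12, password included: {has_password}")
```

Run scan_directory against the share or staging folder where profiles were built; any hit is a file that should have been deleted once the device was enrolled.  A hit with the password flag set means the profile alone is enough to import the key elsewhere, which is the case the export and handling bullets above are meant to prevent.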
