Signing OS X Configuration Profiles

anverhousseini
Contributor II

Hi JAMF Nation

A simple question: How do I sign a configuration profile? Which certificate should I use from the Apple developer portal?

I would like to upload a signed configuration profile to the JSS. The JSS ignores some payloads if the profile is not signed.

Thank you.

4 REPLIES

perrycj
Contributor III

@anverhousseini You can set up Profile Manager in the Server app to sign profiles if you're making them that way, otherwise you can use this command:

/usr/bin/security cms -S -N "certificate common name with private key in keychain" -i /path/to/unsigned/profile -o /path/to/new/signed/profile

You can use any certificate in your system keychain, as long as you have a private key for that certificate as well. If you have an official developer certificate from Apple, that would work. You could also use your JSS CA if that is self-signed. Hopefully this helps you out.

joshuasee
Contributor III

And if you're in the unlucky position of having certs with matching common names:

/usr/bin/security cms -S -Z "Key ID of Extension Subject Key Identifier, a long hex string but with no spaces" -i "/path/to/unsigned profile.mobileconfig" -o "/path/to/signed profile.mobileconfig"
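
An added example, not part of the thread and not Jamf's or Apple's code: a POSIX shell wrapper around the -Z form above that strips the spaces and colons from a copied key ID, signs the profile, then decodes the result with `security cms -D` and checks that the payload still matches the input. The function names `normalize_key_id` and `sign_and_verify` are hypothetical, and it assumes macOS with `/usr/bin/security` and a matching private key in the keychain.

```shell
#!/bin/sh
# Added example: sign a profile by Subject Key Identifier, then check the result.
# normalize_key_id and sign_and_verify are hypothetical helper names.

# Strip the spaces and colons that certificate viewers put in a key ID and
# reject anything that is not an even-length hex string.
normalize_key_id() {
    id=$(printf '%s' "$1" | tr -d ' :\t')
    case "$id" in
        ''|*[!0-9A-Fa-f]*) echo "key ID is not hex: $1" >&2; return 1 ;;
    esac
    if [ $(( ${#id} % 2 )) -ne 0 ]; then
        echo "key ID has an odd number of hex digits: $1" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

# Usage: sign_and_verify KEY_ID UNSIGNED_PROFILE SIGNED_PROFILE
sign_and_verify() {
    key_id=$(normalize_key_id "$1") || return 1
    unsigned=$2
    signed=$3
    decoded=$(mktemp) || return 1

    # Quote both paths so file names containing spaces survive word splitting.
    if ! /usr/bin/security cms -S -Z "$key_id" -i "$unsigned" -o "$signed"; then
        rm -f "$decoded"; echo "signing failed: $unsigned" >&2; return 1
    fi

    # Decode the CMS envelope and compare its payload byte for byte with the input.
    if /usr/bin/security cms -D -i "$signed" -o "$decoded" && cmp -s "$unsigned" "$decoded"; then
        rm -f "$decoded"; echo "signed, payload matches input: $signed"
    else
        rm -f "$decoded"; echo "decoded payload does not match: $signed" >&2; return 1
    fi
}

# Run only when called with the three arguments; sourcing the file just defines the functions.
if [ "$#" -eq 3 ]; then
    sign_and_verify "$1" "$2" "$3"
fi
```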

gachowski
Valued Contributor II

You can also use Configurator 2... there is an option in the GUI.

C

nwiseman
Contributor

So I've found that I can use the above command to sign a couple of the .mobileconfigs that I have. However, when I try to run these policies through Self Service or check-in it always prompts for a local admin. I'm guessing this is because I'm using a cert inside the System keychain to sign. Has anyone ever run into this or know a way around it?