I'm working on an iOS enterprise app that relies on an Configuration Profile being put on the phone. Unfortunately, the user can "cancel" this profile, which really screws with our app.
So I was wondering if a) is it possible to prevent a configuration profile from being deleted OR
b) is there a way to check to see if a configuration profile is installed already (say, at runtime, then we can just install it again if it's not there)?
If you want the configuration profile not to be tampered with / disabled by the user, this is possible! If you're using Apple Configurator to build your .mobileconfig file in the generals tab select security as never. Be aware: once the profile is installed on the device it cannot be reverted unless you restore the device
The long story short is there is no current documented way to even programmatically call / install a configuration profile (.mobileconfig) file onto the device: so if you're thinking about checking whether the profile exists and if not to install it, it's impossible (as for available documentation thus far) - if you do find a way let me know
Note:
.mobileconfig files can only run through Safari / Mail.
This similar SO discussion may help: Installing a configuration profile on iPhone - programmatically
It is possible to check is .mobileconfig is installed.
What you need to do is:
Create CA (certificate authority) and export it as .cer.
Issue certificate using created CA and export is as well as .cer.
Using Apple Configurator app add CA .cer in the certificates area.
Mobile configuration profile will have CA .cer.
Issued certificate (on step two) add to app bundle.
Using Security framework evaluate (SecTrustEvaluate) issued
certificate on step 2.
Related
This is my first time trying to deploy a VSTO add-in to a user's system, and I am running into a security barrier. The add-in was built in Visual Studio 2019 Community Edition and is meant to integrate with Microsoft Excel. The user runs Office 365.
On running Setup.exe, user receives the initial confirmation prompt and clicks "Install." A progress bar briefly appears and runs about 25% of the way, then an error message pops up: "Customized functionality in this application will not work because the certificate used to sign the deployment manifest for [the add-in] or its location is not trusted."
I understand that Microsoft would like me to pay for a signing certificate, but I am hoping to get this to work while avoiding that expense.
This article from Microsoft describes the use of a digital certificate as "an optional step": ClickOnce and Authenticode. This article states that an alternative route is for the user to click the "ClickOnce trust prompt" during installation: Grant trust to Office solutions. But as far as I understand the process, it is halted before it even gets to the ClickOnce trust prompt, so the user never gets that option.
For comparison, the user ran the installation on an older system. On that system he received the ClickOnce prompt, approved the software, and the installation ran successfully to the end. This indicates very strongly that the problem on the newer system is a security setting.
I instructed the user to open Excel and go to Options > Trust Center > Trust Center Settings > Add-Ins and remove the check mark from "Require Application Add-Ins to be signed by Trusted Publisher." There was no check mark to begin with, so that setting was not the issue.
I have instructed the user to go to the command prompt and clean out any remnants of the failed install with rundll32 dfshim CleanOnlineAppCache before each new installation attempt.
I'm at a loss as to where to look next. Any help would be much appreciated.
One relatively easy workaround: you pack the "publish" folder as ZIP file, disable any online checks or deployments (in the project settings, select to publish locally, not to a website. Installing from a website or auto-update won't work without normal certificate). Then give your user that ZIP. User downloads that ZIP, then right-click the ZIP file and checks "Unblock". Then unzips and installs normally. Now any certificate should do. This applies if your user downloads your file from the internet.
So the idea is very simple: Just tell your user to click "Unblock" checkbox before extracting files from the ZIP archive you have sent and running them.
Another solution, you simply tell the user's system to trust your "self-signed" developer's certificate (add your certificate to "Trusted Publishers" store on the user computer). For that you need admin rights. Please note that user's admins probably won't like this idea, unless you and your user work in the same organization. Here are the instructions: https://learn.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
The best and easiest of course would be if you buy a normal code signing certificate. They are not that expensive, you can get one from COMODO (SectiGo) for example for something like $70/year though their resellers.
On the target machine. you need to install and trust the certificate used to sign your addin (see Signing tab of your project options)
What is required for the certification process, is it a quick process? Are they certifying me/ my business or the code??
It is a quick process for the process:
Sign with valid certificate when publishing.
Add the publisher into Trusted Publisher before installing when Macro Settings is a high security level.
Finish installing.
You can obtain a certificate for code signing in one of three ways:
Purchase one from a certificate vendor.
Receive one from a group in your organization responsible for creating digital certificates.
Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).
I've noticed something somewhat strange when I ran the Xcode build of my app and then launch the app store build. If I run the xcode build (using development certificates), then run my app through the app store (using production certificates) I get prompted with the following dialog box
MyApp want to use your confidential information stored in "com.myApp in the keychain.
I also get this dialog when I run the app store build first, then the Xcode development build. I believe this dialog appears because both builds have different certificates (could be wrong).
My biggest concern is the user updates the app, will the user see this dialog?
Not sure if this is important, but this is how I save data to the keychain.
[[A0SimpleKeychain keychain] setString:string forKey:#"key"];
Apple's code signing guide has the answers.
I believe this dialog appears because both builds have different certificates
Correct. See Understanding the Code Signature:
The most important internal requirement is the designated requirement, or DR. This rule tells an evaluating system how to identify a particular piece of code. Any two pieces of code that have (and successfully verify against) the same DR are considered to be the same code.
...
Some parts of macOS do not care about the identity of the signer. They care only whether the app is validly signed and stable. Stability is determined through the DR, and does not depend on the nature of the certificate authority used. The keychain system and parental controls are examples of such usage.
From Code Signing Tasks:
Shipping and Updating Your Product
The user’s system considers the new version of your product to be the
same program as the previous version. For example, Keychain Services
does not distinguish older and newer versions of your program as long
as both are signed and the unique Identifier remains constant.
Signing your code with a different certificate makes the system consider it a different app. As long as you sign your releases with the same certificate between versions, you will be fine.
I changed the info.plist file in Boot Camp package to make it support making USB installing drives on my Mac, but on Mac OS X Mavericks the app crashed before I signed the new file. I use the following code in terminal to sign it.
sudo codesign -fs - /Applications/Utilities/Boot\ Camp\ Assistant.app
After signing the code, the app ran successfully. The whole tutorial is here: Enable Bootcamp to install from usb for OSX 10.9
BUT I am wondering why I can sign the code so easily, without any formal certificate. I think code signature is a security feature. Only developers with certificates can sign their codes and distribute them, and Apple only allow these signed programs to run: About Code Signing I am a beginner on this topic; can someone explain the process a little bit? Does this means that hackers can sign whatever codes they want (maybe malicious ones) and run them AS LONG AS they get the password for root account?
Then I changed back to the original info.plist and wanted to remove the signature for the file that I created. How do I do this?
Thanks!
The reason is because you are signing the package with a local certificate. When Apple sign the package, it will run on any Mac, as their root certificate is trusted in the base OS.
If you transferred your locally signed package to another mac, you would find that it crashes, because it was signed with a certificate from another machine.
Hope this clears it up.
In OS X Maverick's XCode, I created a brand new Mac > "Cocoa Application", with Core Data and Spotlight Importerl; about as vanilla a Cocoa application I could muster.
Under Preferences > Accounts, I signed in to my Mac Developer Account.
In Targets > Identity, I set Signing to "Mac App Store", and was able to select my Mac Developer Account for "Team".
I then went to Product > Clean, and then Product > Build for... > Running, and then Produt > Archive.
In the Organizer, I select the resulting .app and click "Validate", and hit the Mac App Store radio, and hit "Next", and it's able to log into my Mac Developer Account.
I select my Provisioning Profile in the dropdown, and click "Validate".
It comes back with several errors:
1 - "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.] For more information, visit the Mac OS Developer Portal."
2 - "The bundle identifier cannot be changed from the current value, '{DIFFERENT-BUNDLE-FROM-OTHER-PROJECT}'. If you want to change your bundle identifier, you will need to create a new application in iTunes Connect.
3 - Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provision profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.applications-identifier' in '{BUNDLENAME}.app/Contents/MacOS/{BUNDLENAME}'
I was able to do the same process before, for a vanilla app, before Mavericks. I'm not sure if this is a Mavericks error, or a fact that now I have multiple app projects. Particularly odd is that DIFFERENT-BUNDLE-FROM-OTHER-PROJECT in error (2) is not the same bundle name as the current project's bundle.
Would love any help you can provide! Thank you!
Seems like this was a secret key missing or corruption issue. I ended up revoking the existing certificates and profiles I had in XCode > Preferences > Accounts, and issuing new ones.
You may need to set a provisional profile in the Build Settings section.
See here: Xcode 5: Code signing entitlement errors
and here: Weird code-signing error
Go to Apple Developer Portal, recreate the provisioning profile (distribution profile in your case) and download it again. Make sure that the Distribution certificate is installed in your Keychain Access in order to sign apps submitted for the App Store. and Recheck ur Bundule Id as well
You should try setting up a WildCard Provisioning Profile and go from there.
I was unable to find a way how to install certificates on my iPad to a keychain using iTunes (or other tool that runs on mac os x).
I need to be able to set the group (kSecAttrAccessGroup, eg. "XKFABCDEFGH.com.mycompany.myapp") to store the certificate under. Since there is a chain of certificates, I'll be installing all of them up to the root one. Also, the last (leaf) certificate will have private part (don't know if that makes any difference).
The alternative to this is to write a small app and compile the certificates as its resources. Then I can use SecItemAdd / SecItemUpdate to write those certificates. Downside to this is that I want to install different certificate on every device, so I'll have to compile the app several different times.
Note: The app is to be a B2B, eg. not an application for public iTunes market!
Edit: I want to use the certificates ASIHTTPRequest, I do not require that those certificates are recognized by the iOS itself (unless it will collide with the ASIHTTPRequest library).