Installing or updating OS X MDM device management passcode policy profile fails

Originator: umangdinesh
Number: rdar://27064982
Date Originated: 06/28/2016
Status: Open
Resolved:
Product: OS X
Product Version: 10.11.5
Classification: Bug security
Reproducible: yes
 
Summary:
Installing or updating the passcode policy by pushing passcode payload profiles to the device using MDM fails on OS X devices. We have attached the MDM client crash log from the OS X device as well as the sample payload sent to the device.

Why is this a serious issue security-wise?
Enforcing passcode restrictions using MDM is the most basic security feature all our enterprise clients use. If the OS X device is unable to enforce those passcode restrictions, it puts those devices at risk.

Steps to Reproduce:
1) Enroll the Mac OS X device into MDM by installing the MDM profile.
2) Push a passcode policy profile to the OS X device with restrictions like minlength:3 and requireAlphanumeric:true.
3) Delete the main MDM profile from the device using the System Preferences app.
4) The above step will also remove the passcode profile; sometimes this profile will not go away.
5) Re-enroll the OS X device by installing the MDM profile.
6) Try to push a passcode profile to the device using the install profile command by attaching a passcode payload of type com.apple.mobiledevice.passwordpolicy with restrictions like minlength:3 and requireAlphanumeric:true.
   

Expected Results:
MDM provider should be able to update/install passcode policy profile on OS X devices.

Actual Results:
The installation of the passcode profile fails with the following error on the server side:
"ErrorDomain" -> "ProfileDomainPluginController"
 "ErrorCode" -> "101"
 "LocalizedDescription" -> "The operation couldn’t be completed. (ProfileDomainPluginController error 101.)"

Device logs also show the following error:
Jun 28 11:48:48 tests-MacBook-Air ManagedClient[536]: *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSCFString substringFromIndex:]: Index 52 out of bounds; string length 50'
	*** First throw call stack:
	(
		0   CoreFoundation                      0x00007fff93ecc4f2 __exceptionPreprocess + 178
		1   libobjc.A.dylib                     0x00007fff92149f7e objc_exception_throw + 48
		2   CoreFoundation                      0x00007fff93f334bd +[NSException raise:format:] + 205
		3   Foundation                          0x00007fff93630faa -[NSString substringFromIndex:] + 126
		4   ManagedClient                       0x0000000108f27bb8 ManagedClient + 334776
		5   CoreFoundation                      0x00007fff93e62a54 __NSArrayEnumerate + 596
		6   ManagedClient                       0x0000000108f27a96 ManagedClient + 334486
		7   CoreFoundation                      0x00007fff93e3e28c ____NSDictionaryEnumerate_block_invoke436 + 28
		8   CoreFoundation                      0x00007fff93dfb190 CFBasicHashApply + 128
		9   CoreFoundation                      0x00007fff93e3dfa4 __NSDictionaryEnumerate + 276
		10  ManagedClient                       0x0000000108f279a6 ManagedClient + 334246
		11  ManagedClient                       0x0000000108f26a4e ManagedClient + 330318
		12  ManagedClient                       0x0000000108f3737a ManagedClient + 398202
		13  ManagedClient                       0x0000000108ee762c ManagedClient + 71212
		14  ManagedClient                       0x0000000108ee7810 ManagedClient + 71696
		15  libdispatch.dylib                   0x00007fff9844fa4b dispatch_mig_server + 403
		16  libdispatch.dylib                   0x00007fff9843b40b _dispatch_client_callout + 8
		17  libdispatch.dylib                   0x00007fff9844b675 _dispatch_source_latch_and_call + 2235
		18  libdispatch.dylib                   0x00007fff9843fa83 _dispatch_source_invoke + 983
		19  libdispatch.dylib                   0x00007fff9844e72d _dispatch_main_queue_callback_4CF + 422
		20  CoreFoundation                      0x00007fff93e819e9 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9
		21  CoreFoundation                      0x00007fff93e408dd __CFRunLoopRun + 1949
		22  CoreFoundation                      0x00007fff93e3fed8 CFRunLoopRunSpecific + 296
		23  ManagedClient                       0x0000000108ed86ef ManagedClient + 9967
		24  libdyld.dylib                       0x00007fff900a15ad start + 1
	)

mdmclient[531]: CPProfileManager.installProfile returning error 101 (The operation couldn’t be completed. (ProfileDomainPluginController error 101.))




Version:
System Version: OS X 10.11.5 (15F34)
Kernel Version: Darwin 15.5.0
Model Name:	MacBook Air
Model Identifier:	MacBookAir6,2
Serial Number (system):	C02M33ACF6T6


Notes:
Additional observations:
1) If we run the following command after deleting all profiles from the device:
pwpolicy -v getaccountpolicies

It still returns all the passcode restrictions enforced by the old MDM profile even after they have been deleted. It seems that the passcode policy remains enforced even after the profiles are gone.

2) Even if I send two commands in succession, one which tries to delete the passcode profile and the other trying to install the passcode profile, installation of the passcode profile fails.

Configuration:
Installation of the passcode profile only works the first time; after that, subsequent updates and installs fail.

Attachments:
'System Configuration.rtf', 'MDM payload pushed to device using intall profile command.txt', 'devicelogs.txt' and 'ManagedClient_2016-06-28-114848_tests-MacBook-Air.crash' were successfully uploaded.
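
A log check for the failure signature in Actual Results, as an added example that is not part of the original report: it flags each installProfile error 101 and records whether a ManagedClient NSRangeException crash was logged on the same host close in time, so an administrator can find Macs where a passcode policy push silently failed. The function name, the 30-second window, the timestamps on the mdmclient sample lines and the host-b line are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input. The ManagedClient line and the mdmclient message text come from
# the report; the mdmclient timestamps/hosts and the host-b line are constructed.
SAMPLE_LOG = """\
Jun 28 11:48:48 tests-MacBook-Air ManagedClient[536]: *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSCFString substringFromIndex:]: Index 52 out of bounds; string length 50'
\t*** First throw call stack:
Jun 28 11:48:49 tests-MacBook-Air mdmclient[531]: CPProfileManager.installProfile returning error 101 (The operation couldn’t be completed. (ProfileDomainPluginController error 101.))
Jun 28 12:05:10 host-b mdmclient[412]: CPProfileManager.installProfile returning error 101 (The operation couldn’t be completed. (ProfileDomainPluginController error 101.))
"""

# "Mon DD HH:MM:SS host process[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(\w+)\[\d+\]:\s(.*)$")
CRASH = re.compile(r"uncaught exception 'NSRangeException'.*substringFromIndex:")
FAIL = re.compile(r"installProfile returning error 101\b")


def find_failed_installs(log_text, window_s=30, year=2016):
    """Return one finding per error-101 profile install, oldest first."""
    crashes = {}   # host -> times of ManagedClient NSRangeException crashes
    failures = []  # (host, time) of each mdmclient error 101
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no syslog header
        stamp, host, proc, msg = m.groups()
        # Syslog stamps omit the year, so the caller supplies it.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if proc == "ManagedClient" and CRASH.search(msg):
            crashes.setdefault(host, []).append(when)
        elif proc == "mdmclient" and FAIL.search(msg):
            failures.append((host, when))
    window = timedelta(seconds=window_s)
    findings = []
    for host, when in sorted(failures, key=lambda f: f[1]):
        crashed = any(abs(when - c) <= window for c in crashes.get(host, []))
        findings.append({"host": host, "time": when.isoformat(),
                         "managedclient_crash": crashed})
    return findings


if __name__ == "__main__":
    for finding in find_failed_installs(SAMPLE_LOG):
        print(finding)
```

A finding with managedclient_crash set to False means the install failed without the crash described in this report and needs separate triage.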

Comments

Is any other MDM provider facing this issue?

By umangdinesh at June 30, 2016, 12:07 a.m.
