DEP (MDM) Setup Assistant enrollment & Over-the-Air Profile Service Phase 2 & 3 certificates missing
Product: macOS + SDK
Something not on this list
When a macOS device enrolls to an MDM via DEP or the Over-the-Air Profile Service, the device is supposed to supply all certificates needed to validate its signature to the MDM (or Profile Service). However, macOS does not do this. In the case of DEP it includes only one additional certificate, "CN=Apple iPhone Device CA". In the case of the OTA Profile Service it provides only the signing certificate and no additional certificates at all. This prevents any chain verification from happening. According to the DEP documentation, the full chain should be present:
"The plist is CMS-signed with the device identity certificate. The device’s certificate and all necessary intermediate certificates are included. The certificate chain should validate against the Apple Root CA." But this is incorrect for macOS going back to at least OS X 10.10.
On iOS, on the other hand, the full certificate chain is provided for both OTA Profile Service and DEP enrollment and is verifiable in this way.
Steps to Reproduce:
Perform a Profile Service Over-the-Air Enrollment or DEP Enrollment in macOS.
Expected Results:
The full certificate chain should match the documentation and be provided in the CMS/PKCS#7 container. In other words, macOS should behave as iOS already does.
Actual Results:
Examine the CMS/PKCS#7-signed data sent to the DEP URL or the OTA Profile Service Phase 2/3 URL. See that, on macOS, it is missing the certificate chain. Perform the same actions on iOS and see that the chain is included.
Problem seems to exist on all OS X and macOS devices. Problem does NOT exist on iOS.
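The check described above, as an added illustration that is not part of this radar and not Apple's or any MDM vendor's tooling: it builds a throwaway Root CA, intermediate ("Device CA") and device identity certificate with constructed placeholder names, CMS-signs a small plist twice (once with the intermediate embedded, as the DEP documentation describes, and once with only the signer certificate, as the report says macOS does), then counts the embedded certificates and tries to validate each container against the root. It assumes an `openssl` CLI on the PATH.

```shell
#!/bin/sh
# Added example (not from the radar): show why a CMS-signed enrollment payload has to
# carry its intermediate CA. All names ("Demo Root CA", "Demo Device CA", ...) are
# constructed placeholders, not Apple's real CA names.
set -eu
WORK=$(mktemp -d)

# Build Root -> Device CA (intermediate) -> device identity, the same shape as a
# device identity chain an MDM would need to validate.
build_demo_chain() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Device CA" \
    -keyout devca.key -out devca.csr 2>/dev/null
  openssl x509 -req -in devca.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 3 -extfile ca.ext -out devca.pem 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Device Identity" \
    -keyout device.key -out device.csr 2>/dev/null
  openssl x509 -req -in device.csr -CA devca.pem -CAkey devca.key -CAcreateserial \
    -days 3 -extfile leaf.ext -out device.pem 2>/dev/null
  # Constructed stand-in for the enrollment plist.
  printf '<plist version="1.0"><dict><key>UDID</key><string>DEMO-UDID</string></dict></plist>\n' > payload.plist
}

# Sign the payload twice: full.der embeds the intermediate (what the documentation
# promises), bare.der carries only the signer certificate (the macOS behaviour reported).
sign_payload() {
  cd "$WORK"
  openssl cms -sign -binary -nodetach -in payload.plist -signer device.pem -inkey device.key \
    -certfile devca.pem -outform DER -out full.der
  openssl cms -sign -binary -nodetach -in payload.plist -signer device.pem -inkey device.key \
    -outform DER -out bare.der
}

# $1 = DER CMS file; prints how many certificates the SignedData carries.
count_embedded_certs() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject'
}

# $1 = DER CMS file; succeeds only if the signer chains to the trusted root using
# nothing but the certificates inside the container plus the root itself.
verify_against_root() {
  openssl cms -verify -inform DER -in "$1" -CAfile "$WORK/root.pem" -out /dev/null 2>/dev/null
}

build_demo_chain
sign_payload
echo "certificates in full.der: $(count_embedded_certs "$WORK/full.der")"
echo "certificates in bare.der: $(count_embedded_certs "$WORK/bare.der")"
verify_against_root "$WORK/full.der" && echo "full.der: chain validates to the root"
verify_against_root "$WORK/bare.der" || echo "bare.der: verification fails (issuer of signer not present)"
```

Against a real enrollment capture, the same two commands apply: `openssl pkcs7 -inform DER -in <capture> -print_certs -noout` lists what the device actually sent, and `openssl cms -verify ... -CAfile <Apple Root CA PEM>` tells you whether an MDM can validate it without quietly disabling chain checks.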