
macOS: profile cannot be installed

Open dmitryd opened this issue 2 years ago • 2 comments

Describe the bug

To Reproduce

Steps to reproduce the behavior:

  1. Follow the manual
  2. Go to ./configs/xxx.xxx.xxx.xxx/ipsec/apple/
  3. Double click on a "mobileconfig" file.
  4. macOS says to review the profile in settings
  5. Go to review the profile and press "Install"
  6. macOS asks for my user name and password (window title: "Profile/MDM wants to make changes")
  7. macOS displays failure window:
  (screenshot of the failure window attached in the original issue)

It does not ask me for any other passwords (no prompt for p12 password).

I can successfully install profiles from commercial VPN service providers.

Using macOS Monterey 12.4.

Expected behavior

Profile installs

Additional context

Using master @ 8b05cda01d8ef4965d755cdfd2c7d16661d3b26b

I found https://github.com/trailofbits/algo/issues/1086 but it is not the same issue. It seems like Monterey does not like what algo generates.

Logs from macOS:

default	22:34:33.177544+0300	mdmclient	### XPC request: CallPlugIns:DetermineAdditionalWarnings ### from: <com.apple.preferences.configurationprofiles.remoteservice.xpc (pid: 51444; uid: 501)>
default	22:34:33.184947+0300	mdmclient	### XPC request: InstallProfile ### from: <com.apple.preferences.configurationprofiles.remoteservice.xpc (pid: 51444; uid: 501)>
default	22:34:33.185270+0300	mdmclient	=== CPF_GetInstalledProfiles === (<User: 501>)
default	22:34:33.188201+0300	mdmclient	Number of <User: 501> profiles found: 5 (Filtered: 0)
default	22:34:33.189179+0300	mdmclient	=== CPF_InstallProfile === donut.local.A2AEB225-0CED-5266-A1B7-B8891192069E (user: dmitry) (source: '(null):Manual')
default	22:34:33.199558+0300	mdmclient	### XPC request: CallPlugIns:ValidateProfileForInstall ### from: <self>
default	22:34:45.076950+0300	authd	Succeeded authorizing right 'system.privilege.admin' by client '/usr/libexec/mdmclient' [56900] for authorization created by '/usr/libexec/mdmclient' [56900] (3,0) (engine 237)
default	22:34:45.100425+0300	mdmclient	### XPC request: CallPlugIns:InstallProfile ### from: <self>
default	22:34:45.222151+0300	mdmclient	Recording an MDS plugin: /System/Library/Security/ldapdl.bundle {87191ca6-0fc9-11d4-849a-000502b52122}
default	22:34:45.226830+0300	mdmclient	Recording an MDS plugin: /System/Library/Frameworks/Security.framework {87191ca0-0fc9-11d4-849a-000502b52122}
default	22:34:45.337974+0300	CertificateService	CSSM Exception: -25264 MAC verification failed during PKCS12 import (wrong password?)
default	22:34:45.342152+0300	CertificateService	ImportKeychainData SecKeychainItemImport returned: -25264
default	22:34:45.342261+0300	CertificateService	ImportKeychainData SecKeychainItemImport certificate verify error
error	22:34:45.344089+0300	mdmclient	[ERROR] <<<<< PlugIn: InstallPayload [CertificateService] Error: Error Domain=ConfigProfilePluginDomain Code=-323 "The certificate could not be verified (authentication error)." UserInfo={NSLocalizedDescription=The certificate could not be verified (authentication error).} <<<<<
default	22:34:45.358747+0300	authd	Succeeded authorizing right 'system.privilege.admin' by client '/usr/libexec/mdmclient' [56900] for authorization created by '/usr/libexec/mdmclient' [56900] (3,0) (engine 241)
default	22:34:45.365196+0300	mdmclient	### XPC request: CallPlugIns:RemoveProfilePayloads ### from: <self>
default	22:34:45.519478+0300	CertificateService	CSSM Exception: -25264 MAC verification failed during PKCS12 import (wrong password?)
default	22:34:45.595396+0300	secd	CertificateServi[56901]/1#5 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=query missing class name}

dmitryd, May 25 '22 19:05
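The log lines above show the install failing inside CertificateService with `-25264 MAC verification failed during PKCS12 import (wrong password?)`, and the reporter was never prompted for a .p12 password, so the importer used whatever `Password` string the profile embeds. The following script replays that step on the machine that generated the profile: it parses the .mobileconfig with `plistlib`, pulls out every `com.apple.security.pkcs12` payload together with its embedded `Password`, and asks the `openssl` CLI to verify the PKCS#12 MAC with that password. This is an added diagnostic written for this thread, not code from the Algo project. It assumes Apple's documented keys for the PKCS#12 payload (`PayloadContent` holding the .p12 as `<data>`, `Password` as a string), that `openssl` is on PATH, and the sample profile it builds for demonstration (throwaway key, self-signed certificate, made-up identifiers and passwords) is constructed here, not taken from a real Algo deployment.

```python
"""Replay the PKCS#12 MAC check macOS performs when importing a .mobileconfig.

Added diagnostic for the thread above; not part of the Algo project.
Assumes Apple's PKCS#12 payload keys (PayloadType com.apple.security.pkcs12,
PayloadContent = <data> with the .p12, Password = <string>) and an `openssl`
binary on PATH. The sample profile built below is constructed input only.
"""
from __future__ import annotations

import plistlib
import subprocess
import tempfile
from pathlib import Path

PKCS12_PAYLOAD_TYPE = "com.apple.security.pkcs12"


def verify_pkcs12(p12_bytes: bytes, password: str) -> tuple[bool, str]:
    """Return (mac_ok, openssl_output) for the blob under the given password.

    `openssl pkcs12 -info` verifies the MAC before anything else, so a password
    mismatch surfaces as a non-zero exit plus a "Mac verify error" line. On
    success the output names the MAC and encryption algorithms the file uses,
    which is what you compare against the importer's capabilities.
    """
    with tempfile.NamedTemporaryFile(suffix=".p12") as tmp:
        tmp.write(p12_bytes)
        tmp.flush()
        # Password goes over stdin rather than argv so it does not show in `ps`.
        proc = subprocess.run(
            ["openssl", "pkcs12", "-in", tmp.name, "-info", "-noout", "-passin", "stdin"],
            input=password + "\n", capture_output=True, text=True,
        )
    return proc.returncode == 0, proc.stdout + proc.stderr


def pkcs12_payloads(profile_path: str | Path) -> list[dict]:
    """Extract every PKCS#12 payload (blob + embedded password) from a profile."""
    with open(profile_path, "rb") as f:
        profile = plistlib.load(f)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PKCS12_PAYLOAD_TYPE:
            continue
        found.append({
            "identifier": payload.get("PayloadIdentifier", "?"),
            "p12": payload["PayloadContent"],     # plistlib decodes <data> to bytes
            "password": payload.get("Password"),  # None => importer would prompt
        })
    return found


def check_profile(profile_path: str | Path) -> list[dict]:
    """Verify each PKCS#12 payload's MAC with the password the profile embeds."""
    results = []
    for p in pkcs12_payloads(profile_path):
        if p["password"] is None:
            results.append({"identifier": p["identifier"], "mac_ok": None,
                            "detail": "no embedded Password; importer would prompt"})
            continue
        ok, out = verify_pkcs12(p["p12"], p["password"])
        results.append({"identifier": p["identifier"], "mac_ok": ok, "detail": out})
    return results


def build_sample_profile(workdir: Path, p12_password: str, embedded_password: str) -> Path:
    """Construct a throwaway key, self-signed cert, .p12 and .mobileconfig (sample input)."""
    workdir.mkdir(parents=True, exist_ok=True)
    key, cert, p12 = (workdir / n for n in ("key.pem", "cert.pem", "client.p12"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-subj", "/CN=sample-client", "-days", "1",
                    "-keyout", str(key), "-out", str(cert)],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "pkcs12", "-export", "-inkey", str(key), "-in", str(cert),
                    "-name", "sample-client", "-out", str(p12), "-passout", "stdin"],
                   input=p12_password + "\n", text=True, check=True, capture_output=True)
    profile = {  # made-up identifiers; only the PKCS#12 payload matters here
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.sample.vpn",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadContent": [{
            "PayloadType": PKCS12_PAYLOAD_TYPE, "PayloadVersion": 1,
            "PayloadIdentifier": "example.sample.vpn.pkcs12",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "PayloadContent": p12.read_bytes(),
            "Password": embedded_password,
        }],
    }
    path = workdir / "sample.mobileconfig"
    with open(path, "wb") as f:
        plistlib.dump(profile, f)
    return path


def run_demo() -> dict:
    """Check one profile whose embedded Password matches its .p12 and one where it does not."""
    outcome = {}
    with tempfile.TemporaryDirectory() as d:
        good = build_sample_profile(Path(d) / "good", "s3cret-p12", "s3cret-p12")
        bad = build_sample_profile(Path(d) / "bad", "s3cret-p12", "wrong-pass")
        outcome["matching_password"] = check_profile(good)[0]["mac_ok"]
        outcome["wrong_password"] = check_profile(bad)[0]["mac_ok"]
        print(check_profile(good)[0]["detail"])  # shows e.g. "MAC: sha256, Iteration 2048"
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

To use it on a real deployment, call `check_profile("configs/<server>/ipsec/apple/<user>.mobileconfig")` on the host that ran Algo. If the MAC verifies there with the embedded password but macOS still reports `-25264`, the password is not the problem and the next thing to compare is the MAC and key-encryption algorithms `openssl` prints against what the target macOS/iOS release can import; if it fails here too, the profile's `Password` string and the .p12 simply do not match.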

Same issue for me, details about my mac. Same error on my iPhone. (screenshots attached in the original comment)

devopsotrator, Jun 19 '22 14:06

I can't reproduce with the default options. What options did you select? Please share the deployer log output.

jackivanov, Jul 30 '22 11:07

Same issue

9en9i, Dec 25 '22 22:12

Solved by installing certbot

9en9i, Dec 25 '22 22:12

@9en9i do you have details on how you got it working with certbot?

jasonjgeiger, Mar 04 '23 01:03

@jasonjgeiger I made a certificate for the top-level domain and also for the domain that I specified when setting up algo vpn (vpn.my-domain.com). Perhaps the certificate is enough only for the top-level domain. I didn't check and did both just in case.

9en9i, Apr 06 '23 13:04