Back in 2010, Inflection Point was hired by an international company to develop a solution for managing their employees' iPhones, using configuration profiles to make the devices work with the company's enterprise systems.
They decided to use Over-the-Air (OTA) Enrollment and Distribution for deploying the configuration profiles, so we followed Apple's guide for Over-the-Air Profile Delivery and Configuration.
To cut a long story short, we set up the solution on Windows Server 2008 Enterprise with Microsoft's SCEP implementation (NDES) installed and configured, and it worked fine with iOS 3.1.x.
However, last week they asked us for iOS 4 support, because after updating their iPhones they started to get this error: "A network error has occurred. The network connection was lost".
We spent some time figuring out what the problem was. This is what we found:
Using iPhone Configuration Utility 3.0, we installed the configuration profile directly over USB on an iPhone running iOS 4.0.1 and got the same error, so the problem was not a malformed enrollment request on our side.
Using a network protocol analyzer (sniffer), we compared the HTTP requests and responses of an OTA delivery on an iPhone running 3.1.3 with those on an iPhone running 4.0.1.
The problem was the GetCACaps operation. This SCEP operation is optional according to the Apple Enterprise Deployment Guide, which says:
“If you add a dictionary with the key GetCACaps, the device uses the strings you provide as the authoritative source of information about the capabilities of your CA. Otherwise, the device queries the CA for GetCACaps and uses the answer it gets in response. If the CA doesn’t respond, the device defaults to GET 3DES and SHA-1 requests.”
Well, apparently this is no longer true for iOS 4. The two exchanges below show the communication between the CA/SCEP server and each iPhone:

iPhone 3.1.3:
  Sends a GetCACert operation →
  ← Receives a StatusCode 200 response
  Sends a GetCACaps operation →
  Sends a GetCACaps operation →
  Sends a PKIOperation →
  ← Receives response for PKIOperation
  Profile installed

iPhone 4.0.1:
  Sends a GetCACert operation →
  ← Receives a StatusCode 200 response
  Sends a GetCACaps operation →
  Sends a GetCACaps operation →
  Sends a GetCACaps operation →
  "A network error has occurred. The network connection was lost"
As the traces show, the iPhone running 3.1.3 sends the GetCACaps operation twice and then, after receiving no answer (presumably falling back to the default CA capabilities), sends the PKIOperation. The iPhone running 4.0.1, by contrast, sends three GetCACaps operations and, after receiving no answer, fails.
We fixed this by adding the CA capability information, i.e. what the device expected to get from the GetCACaps operation, directly to the Phase 2 XML server response. As a result the iPhone does not send a GetCACaps operation to the server at all; it sends the PKIOperation and the profile is installed successfully.
Note: we made this work for OTA delivery in the client's custom solution; however, the problem remains when using iPhone Configuration Utility 3.0, where we did not find a way to enter the CA capabilities manually.
Here is example code for the Phase 2 XML server response with the GetCACaps information added:
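As an added example (Python written for this page, not the post's own XML or server-side code), the script below does the two things discussed above: it parses a GetCACaps reply the way the device would, falling back to the "GET 3DES SHA-1" defaults when the CA never answers, and it builds the Phase 2 server response as a configuration profile whose SCEP payload carries a GetCACaps array, so an iOS 4 device never has to query the CA. The payload key names follow Apple's Over-the-Air Profile Delivery guide; the SCEP URL, challenge, subject and payload identifier are made-up values, and the default capability list is an assumption derived from the guide's "GET 3DES SHA-1" sentence.

```python
import plistlib
import uuid

# Capability keywords a CA may list in a GetCACaps reply (one per line).
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# What iOS 3.x assumed when the CA never answered: GET-only PKIOperation,
# 3DES and SHA-1. Assumption: expressed here as the GetCACaps keywords
# DES3 and SHA-1 with no POSTPKIOperation.
DEFAULT_CAPS = ["DES3", "SHA-1"]


def getcacaps_url(scep_url, ca_name):
    """The request the device sends to ask the CA for its capabilities."""
    return "%s?operation=GetCACaps&message=%s" % (scep_url, ca_name)


def parse_getcacaps(body):
    """Parse the text body of a GetCACaps reply, one keyword per line.

    Returns the recognised capabilities in the order the CA listed them.
    None or an empty body (no reply, as NDES behaved on this page) gives [].
    """
    if not body:
        return []
    caps = []
    for line in body.splitlines():
        name = line.strip()
        if name in KNOWN_CAPS and name not in caps:
            caps.append(name)
    return caps


def caps_for_profile(body):
    """Capabilities to embed under GetCACaps in the SCEP payload.

    If the CA answered, pass its answer through. If it did not, hard-code
    the defaults: an iOS 4 device with no GetCACaps dictionary queries the
    CA itself and gives up after three unanswered tries.
    """
    caps = parse_getcacaps(body)
    return caps if caps else list(DEFAULT_CAPS)


def build_phase2_profile(scep_url, challenge, subject_cn, ca_caps,
                         identifier="com.example.ota.scep"):
    """Build the Phase 2 server response: a configuration profile whose
    only payload is a SCEP payload with GetCACaps pre-filled.

    Example values for URL, challenge, subject and identifier; key names
    follow Apple's OTA profile delivery guide.
    """
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP enrollment",
        "PayloadContent": {
            "URL": scep_url,
            "Name": "NDES",                     # CA name sent as message= parameter
            "Subject": [[["CN", subject_cn]]],  # X.500 name as OID/value pairs
            "Challenge": challenge,
            "Keysize": 2048,
            "Key Type": "RSA",
            "Key Usage": 5,                     # 1 = signing + 4 = encryption
            "GetCACaps": list(ca_caps),         # the fix: no GetCACaps query
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enrollment",
        "PayloadContent": [scep_payload],
    }


def phase2_xml(profile):
    """Serialise the profile as the XML plist the device expects."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML).decode("utf-8")


if __name__ == "__main__":
    # Constructed inputs: a CA that stays silent, and one that answers.
    silent_ca_body = ""
    caps = caps_for_profile(silent_ca_body)
    profile = build_phase2_profile(
        "https://ca.example.com/certsrv/mscep/mscep.dll",
        "ExampleChallenge", "device-001", caps)
    print(phase2_xml(profile))
```

The capabilities you embed must match what the CA really implements: the device takes the GetCACaps array as authoritative, so advertising POSTPKIOperation or AES to a CA that only accepts GET requests with 3DES moves the failure from "network connection was lost" to a rejected PKIOperation. When the CA does answer GetCACaps, capture its reply once and feed it to caps_for_profile rather than hand-typing the list.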