29 Jun
Are You Using the Correct Configuration Profile Signing Method in Ivanti Endpoint Manager?
Do you know what configuration profile signing method you’re using in your MDM environment? If you do know what method you’re using, do you know whether you’re configured for the best option? Unfortunately, it can be difficult to stay on top of all security options, and vendors do not always make it clear which option one should choose. In fact, you may not even have known that you should care (see this post by How-To Geek discussing how configuration profiles can be as dangerous as malware).
So, to help you understand what configuration profile signing method to choose for your environment, let’s start from the beginning.
A configuration profile is essentially an XML file, in a PLIST format, that allows you to distribute configuration information. These files are saved as .mobileconfig files, and both iOS and macOS attempt to install them when presented to the devices.
Because configuration profiles may contain sensitive data, both iOS and macOS support using encryption to protect the contents of profiles. However, encryption can only help protect the sensitive data contained therein; it does not protect the configuration profile itself.
Configuration Profile Signing
To protect the configuration profile itself, it needs to be signed with a signing certificate to guarantee its integrity. This is where the signing method comes into play.
These profiles will have one of three levels of security associated with them, depending on which option you choose to employ.
- No signing. When you leave the profile unsigned, the profile itself is vulnerable to tampering. Because these .mobileconfig files are easily editable, a profile could be altered without your knowledge and subsequently installed on devices with compromising settings. In this mode, users are notified when they attempt to install the profile that it is not trusted (red text) and has not been signed. Even if your specific configuration profile hasn’t been tampered with, instructing end users to install an unsigned, untrusted profile could cause you grief at some point in the future. Indirectly, you could be training your users to accept any future configuration profile they come across, whether it arrives by email or from another source; it too may be installed by the user, and who knows what settings it may contain.
- Core certificate. Signing the profile with the Ivanti core server does move one step further than the no-signing option, as any edit to the .mobileconfig file will break the signature, but the text presented to the user will still be in the red, untrusted state. The reason for this is that the signing is done with the Ivanti core server’s certificate; however, the device has no way to validate the trustworthiness of that certificate. Therefore, when users attempt to install the profile they are notified that it has been signed by LANDESK, but warned that it is not trusted. The name displayed to the user is the common name associated with the core certificate.
- Third-party certificate. When the configuration profile is signed with a certificate from a certificate authority, users will be notified that the profile is indeed verified and can be trusted (trust indicated with green text). The name displayed to the user is the common name associated with the certificate (Nine41 Consulting, LLC in the screenshot below). Now, not only do you have confidence your profiles haven’t been tampered with, you also train your users to look for the safe, green text, and this could potentially help avert phishing attacks that use unsigned or unverified profiles.
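To see the three levels from the device’s side, here is an added example (not Ivanti’s code, and not from the original post) that classifies a .mobileconfig as unsigned, signed by a signer the verifier cannot validate, or signed by a trusted signer, and extracts the signer’s common name. It assumes only the openssl command-line tool; the profile, the signing certificate and the "trusted root" are all constructed locally for the demonstration.

```shell
#!/bin/sh
# Constructed demo: classify a .mobileconfig's signing level with the openssl CLI.
set -e
WORK=$(mktemp -d)

# Constructed minimal profile payload (an XML plist, as the post describes).
cat > "$WORK/profile.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Example WiFi</string>
  <key>PayloadIdentifier</key><string>com.example.wifi</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF

# Self-signed cert standing in for an MDM core server's own certificate,
# and an unrelated self-signed cert standing in for a root the device trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example MDM Core" \
  -keyout "$WORK/core.key" -out "$WORK/core.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# A signed .mobileconfig is a DER CMS blob with the plist embedded (-nodetach).
openssl smime -sign -nodetach -binary -outform DER -in "$WORK/profile.mobileconfig" \
  -signer "$WORK/core.crt" -inkey "$WORK/core.key" -out "$WORK/signed.mobileconfig"

# profile_status FILE TRUSTSTORE -> unsigned | signed-untrusted | signed-trusted | corrupt
profile_status() {
  f=$1; ca=$2
  # An unsigned profile is plain XML text; a signed one is binary DER.
  if head -c 5 "$f" | grep -q '<?xml'; then echo unsigned; return; fi
  if openssl smime -verify -inform DER -in "$f" -CAfile "$ca" -out /dev/null 2>/dev/null; then
    echo signed-trusted        # signature valid AND signer chains to the trust store
  elif openssl smime -verify -inform DER -in "$f" -noverify -out /dev/null 2>/dev/null; then
    echo signed-untrusted      # signature valid, but the device cannot validate the signer
  else
    echo corrupt               # signature does not verify: tampered or malformed
  fi
}

# signer_cn FILE -> common name the user would see in the install prompt
signer_cn() {
  openssl smime -verify -inform DER -in "$1" -noverify -signer "$WORK/signer.pem" \
    -out /dev/null 2>/dev/null
  openssl x509 -in "$WORK/signer.pem" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```

Passing the core certificate itself as the trust store is the "third-party certificate" case (a signer the device can chain to); passing the unrelated root is the "core certificate" case the post describes.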
Using Configuration Profiles in Ivanti
Alright, now that you have a better understanding of what a configuration profile is and how to protect it, let’s review how it’s used by Ivanti.
When managing Macs and iOS devices with Ivanti’s MDM solution, or any MDM solution for that matter, a configuration profile will be installed containing the appropriate information for your specific MDM environment. Whether you enroll the device manually or use Apple’s Device Enrollment Program (DEP), this MDM management configuration profile will be installed on the device.
Subsequently, any additional software or configurations assigned to the device (think VPN, WiFi, certificates, domain binding, passcode options, security restrictions, etc.) will be applied with a configuration profile. Essentially, any change that occurs via the MDM tool will be done via a configuration profile.
It can be seen, therefore, that a device will receive a configuration profile at the time of enrollment and with any new change.
Furthermore, setting the appropriate signing methodology in the beginning is important. Changing the signing methodology at a later point in time will require all devices to be re-enrolled. If using DEP, that would not be the worst thing in the world. However, if you’ve manually enrolled all of your devices, touching them again to remove the previous configuration profile and install the new one could be incredibly time consuming.
So choose wisely now. For the reasons discussed above, I strongly recommend you purchase a code signing certificate (~$200 USD / yr) and sign all of your profiles with a digital certificate that will be trusted by your devices.
Setting the Configuration Profile Signing Method
You can select the desired security level within the Ivanti Management Console on the core server itself.
- Launch the Ivanti Management Console from the Core Server.
- Go to Configure > Device Discovery.
- Select iOS Profile Signing from the menu tree.
- Set the desired signing preference (preferably with a certificate and the associated password).
- Click the OK button.
If you found this information helpful, you may also benefit from the Getting Started with Apple Device Management book I recently released that walks through all of the required configuration options to prepare for iOS and macOS device management with Ivanti Endpoint Manager 2017.1.