
Signed Configuration Profile Inspection

Automate the inspection of signed Configuration Profiles with the uscp function 

Background

A manual, step-by-step process of using Terminal to make a timestamped, unsigned copy of a Configuration Profile was detailed as part of a previous Sophos-specific post.

This post builds on that procedure and introduces a new uscp function which automates the inspection of signed Configuration Profiles:

  1. The original, signed Configuration Profile’s signature “subjects” and modification date are displayed
  2. A timestamped backup of the original, signed Configuration Profile is created and its signature removed
  3. The unsigned backup Configuration Profile is formatted for readability and is opened in Visual Studio Code

~/.zshrc Configuration

Backup your current ~/.zshrc and add the following uscp function:

uscp () {    # [u]n[s]ign [c]onfiguration [p]rofile
    if [ -z "${1}" ]; then
        printf "\n###\n# [u]n[s]ign [c]onfiguration [p]rofile\n###\n\n"
        printf "Usage:\n1. Type \"uscp\", followed by a [Space]\n2. Drag-and-drop the signed Configuration Profile\n3. Press [Return]\n\nA timestamped, unsigned copy will be saved next to the source file and opened in Visual Studio Code.\n\n"
        return
    fi

    signedConfigurationProfile="${1}"
    signedFileName="${signedConfigurationProfile##*/}"    # basename, no subshell needed

    printf "\n###\n# [u]n[s]ign [c]onfiguration [p]rofile:\n# %s\n###\n\n" "${signedFileName}"

    # Subjects of the certificates embedded in the CMS signature. This shows who
    # claims to have signed the profile; it does not validate the signature or chain.
    subjects=$( openssl pkcs7 -inform DER -print_certs -in "${signedConfigurationProfile}" | grep subject )
    printf "• The signature of \"%s\" contains the following subjects:\n%s\n\n" "${signedFileName}" "${subjects}"

    # BSD (macOS) stat and date: modification time as epoch seconds -> YYYY-MM-DD
    fileModificationDate=$( date -j -f "%s" "$( stat -f "%m" "${signedConfigurationProfile}" )" "+%Y-%m-%d" )
    printf "• The modification date of \"%s\" is:\n%s\n\n" "${signedFileName}" "${fileModificationDate}"

    timestampedConfigurationProfile="${signedConfigurationProfile%.*}-${fileModificationDate}.${signedConfigurationProfile##*.}"
    printf "• Creating a timestamped copy of \"%s\", appending \"%s\" to the filename …\n" "${signedFileName}" "${fileModificationDate}"
    cp -v "${signedConfigurationProfile}" "${timestampedConfigurationProfile}"

    timestampedFileName="${timestampedConfigurationProfile##*/}"
    unsignedConfigurationProfile="${timestampedConfigurationProfile%.*}-unsigned.${timestampedConfigurationProfile##*.}"
    unsignedFileName="${unsignedConfigurationProfile##*/}"

    # -verify with -noverify extracts the signed content without checking the
    # signer's certificate chain, which is all that is wanted for inspection
    printf "\n• Removing signature from \"%s\" …\n" "${timestampedFileName}"
    openssl smime -inform DER -verify -noverify -in "${timestampedConfigurationProfile}" -out "${unsignedConfigurationProfile}"

    printf "\n• Formatting \"%s\" …\n" "${unsignedFileName}"
    plutil -convert xml1 "${unsignedConfigurationProfile}"
    resultCode=${?}
    if [ "${resultCode}" -eq 0 ]; then
        printf "Formatting successful\n\n"
        printf "\n• Editing %s in Visual Studio Code …\n\n" "${unsignedConfigurationProfile}"
        code "${unsignedConfigurationProfile}"
    else
        printf "Error: %s\n\n" "${resultCode}"
        return "${resultCode}"
    fi

}

Function Usage

  1. Launch Terminal
  2. Type uscp followed by a Space
  3. Drag-and-drop the signed Configuration Profile to the open Terminal window
  4. Press Return
Screencast (01:36; no audio)

Update: Aug 2024

Sign Configuration Profile

The following scp function converts a properly formatted .plist into a signed .mobileconfig, using a signing identity from your keychain. Note that a shell function named scp shadows the scp(1) secure-copy command in that shell; rename the function if you use scp.

scp () {     # [s]ign [c]onfiguration [p]rofile
    if [ -z "${1}" ]; then
        printf "\n###\n# [s]ign [c]onfiguration [p]rofile\n###\n\n"
        printf "Usage:\n1. Type \"scp\", followed by a [Space]\n2. Drag-and-drop a properly formatted \".plist\" file\n3. Press [Return]\n\nA signed \".mobileconfig\" will be saved next to the source file.\n\n"
        return
    fi

    # Name of the signing identity in your keychain (placeholder; replace it)
    developerIDstring="Developer ID Installer: Your Company Name (Your Team ID)"

    plistFile="${1}"
    plistFileName="${plistFile##*/}"
    mobileconfigFile="${plistFile%.*}.mobileconfig"
    mobileconfigFileName="${mobileconfigFile##*/}"
    printf "\n###\n# [s]ign [c]onfiguration [p]rofile\n###\n\n"

    printf "• Input:  %s\n" "${plistFileName}"

    # security cms -S creates a CMS signed message; -N selects the signer by certificate nickname
    /usr/bin/security cms -S -N "${developerIDstring}" -i "${plistFile}" -o "${mobileconfigFile}"

    printf "• Output: %s\n\n" "${mobileconfigFileName}"

}
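The following is an added example, not code from the original post. It rounds a constructed profile through the same steps the scp and uscp functions perform, but using openssl only so that it also runs on Linux: sign (with a throwaway self-signed certificate standing in for the Developer ID identity that scp takes from the keychain), list the embedded signer subjects, and strip the signature with -noverify. It also does the one thing neither function does, a chain verification with -CAfile against the signer's own certificate and against an unrelated one, to show that the subjects uscp prints are only the signer's claim until the chain is checked. The certificate names, the sample plist and the file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: sign -> inspect -> verify -> unsign
# a Configuration Profile with openssl only. Names, the sample plist and the
# self-signed certificates below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed sample payload: a minimal Configuration Profile plist.
cat > profile.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.example.uscp-demo</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
EOF

# Throwaway self-signed signer, standing in for the Developer ID identity scp uses.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout signer.key -out signer.crt \
    -subj "/CN=Example Profile Signer/O=Example Org" 2>/dev/null
# An unrelated CA, to show that chain verification really discriminates.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout other.key -out other.crt \
    -subj "/CN=Unrelated CA/O=Someone Else" 2>/dev/null

# scp equivalent: DER CMS SignedData with the plist embedded (-nodetach),
# which is how a signed .mobileconfig carries its content.
sign_profile() {   # $1 = plist in, $2 = signed profile out
    openssl smime -sign -binary -nodetach -outform DER \
        -signer signer.crt -inkey signer.key -in "$1" -out "$2"
}

# uscp step 1: subjects of the certificates embedded in the signature.
# This is only what the signer claims to be; nothing here is validated.
signer_subjects() {   # $1 = signed profile
    openssl pkcs7 -inform DER -print_certs -noout -in "$1" | grep '^subject'
}

# The check that uscp's -noverify skips: validate signature and chain against
# a trusted CA file. Prints "ok" or "fail".
verify_against() {   # $1 = signed profile, $2 = CA bundle
    if openssl smime -verify -binary -inform DER -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

# uscp step 2: extract the content without validating the signer (inspection only).
unsign_profile() {   # $1 = signed profile, $2 = recovered plist out
    openssl smime -verify -binary -inform DER -noverify -in "$1" -out "$2" 2>/dev/null
}

sign_profile profile.plist profile.mobileconfig
echo "Signer subjects:"
signer_subjects profile.mobileconfig
echo "Verify against signer cert:  $(verify_against profile.mobileconfig signer.crt)"
echo "Verify against unrelated CA: $(verify_against profile.mobileconfig other.crt)"
unsign_profile profile.mobileconfig recovered.plist
cmp -s profile.plist recovered.plist && echo "Recovered plist is byte-identical to the input"
```

The unsign step succeeds against any signer, including one you have never heard of; only verify_against with a CA you trust turns the printed subjects into a statement about who actually signed the file. On macOS the same openssl calls work on a profile signed by scp, since security cms -S emits the same DER CMS structure.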
Posted in macOS, Tips & Tricks
