
Checking the Apple Push Notification Service certificate identifier used by MDM profiles

A few years ago, I set up my Casper server with an Apple Push Notification Service (APNS) certificate. That by itself is not remarkable, but the way I did it would be frowned upon these days. That’s because I used an Apple ID tied to my work email address to generate it.

The reason that I did this was that back then, you needed to have a paid membership in the Apple iOS Developer Program in order to get an APNS certificate. I was not part of an enterprise team, so the Apple ID I was using to log into my ADC account was tied to my own work email address. Consequently, I generated my initial APNS certificate for my Casper server using an Apple ID tied to my work email address.

Fast forward to 2016 and the world of the Apple Push Certificates Portal, where it’s no longer necessary to have an Apple Developer Connection account to get an APNS certificate. In fact, tying the certificate to an individual’s Apple ID is not a great idea at all, because people come and go, but hopefully the Apple ID used to generate your APNS certificate (also known as an MDM certificate or push notification certificate) does not. That’s because you can’t transfer an Apple ID to another email address, and only the Apple ID used to generate your initial APNS certificate can generate the new certificate needed for the annual APNS certificate renewal.

For iOS devices, where everything is managed via MDM, changing the Apple ID used to generate your APNS certificate means that you are going to have to re-enroll all of your devices. This is usually a sizable effort and one that should be avoided if at all possible.

For OS X devices, where MDM-only management is still fairly rare, changing Apple IDs (and APNS certificates) is less problematic. You will also need to re-enroll your devices but it should be possible to use alternate means to remove your old MDM profile(s) and make the Mac pull down a new set of MDM management profiles that would incorporate the new APNS certificate for the Mac’s push notifications.

Fortunately, I’m in the situation of having to change out my Apple ID and APNS certificate only on OS X devices. These devices are also managed by my Casper server, so I can automate a fix for the issue using a script like the one below:

However, I still had one issue – identifying which machines had the “old” MDM profiles associated with the APNS certificate which I was trying to move away from. For details on how this was addressed, see below the jump.

APNS certificates have a unique identifier and Casper’s MDM management profiles include this unique identifier in the Topic field of the MDM profile.


The issue was finding a way to pull out this unique identifier from the profile. Apple’s profiles command did not appear to include a way to display this information without outputting to a plist file and then searching the plist file for the needed information. This was not my preferred method because it depended on the output of the plist being consistent and I wasn’t confident in that being the case across different versions of OS X.

After conferring with my colleagues in the #jamfnation channel of the MacAdmins Slack instance, the hive mind figured out a way to use system_profiler to pull out the needed identifier by running the command below with root privileges:

/usr/sbin/system_profiler SPConfigurationProfileDataType | awk '/Topic/{ print $NF }' | sed 's/[";]//g'


Note: Something to be aware of is that using the system_profiler command can be computationally expensive. Depending on how many MDM profiles you have installed on the machine, it may take a few seconds or longer for the command to run. One of the folks on Slack had 64 MDM profiles on his Mac and the command took about 11 seconds to run.

Using this information, I wrote a script to locate and display the Apple Push Notification Service certificate identifier on OS X. This helps me with the task of changing my MDM certificate by clearly identifying which machines still have MDM profiles associated with the APNS certificate that I’m planning to retire.

The script is available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_apple_push_notification_certificate_identity

A Casper Extension Attribute is also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_apple_push_notification_certificate_identity
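As an added illustration of the approach described above (this is not the author’s GitHub script or Extension Attribute), the shell script below wraps the system_profiler/awk/sed pipeline in functions, compares the extracted Topic values against a retiring APNS certificate identifier, and reports the result in Casper Extension Attribute form. The OLD_TOPIC value and the SAMPLE_OUTPUT text are constructed placeholders, not real identifiers or real system_profiler output.

```shell
#!/bin/bash
# Added example: find the APNS topic identifier(s) in installed MDM profiles and
# report whether the machine still carries a profile tied to a retiring certificate.

# Topic identifier of the APNS certificate being retired (constructed placeholder).
OLD_TOPIC="com.apple.mgmt.External.00000000-0000-0000-0000-000000000000"

# Parse system_profiler-style text on stdin; print each distinct Topic value on its own line.
extract_topics() {
    awk '/Topic/{ print $NF }' | sed 's/[";]//g' | sort -u
}

# Return 0 when the topic given as $1 is present in the text on stdin, 1 otherwise.
has_topic() {
    extract_topics | grep -qx "$1"
}

# Read profile data from the live system. Needs root, and can take several
# seconds when many MDM profiles are installed (see the note in the post).
live_profile_data() {
    /usr/sbin/system_profiler SPConfigurationProfileDataType 2>/dev/null
}

# Extension Attribute style report for the text on stdin:
# <result>Yes</result> if the old topic is still present, <result>No</result> otherwise.
report_old_apns() {
    if has_topic "$OLD_TOPIC"; then
        echo "<result>Yes</result>"
    else
        echo "<result>No</result>"
    fi
}

# Constructed sample mimicking the relevant part of system_profiler output (not real data).
SAMPLE_OUTPUT='Configuration Profiles:

    MDM Profile:
      Profile Identifier: 00000000-AAAA-BBBB-CCCC-DDDDDDDDDDDD
      Payload Data: {
        Topic = "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000";
      }
'

# Use live data when running as root on a Mac; otherwise run against the sample.
if [ "$(id -u)" -eq 0 ] && [ -x /usr/sbin/system_profiler ]; then
    live_profile_data | report_old_apns
else
    printf '%s' "$SAMPLE_OUTPUT" | report_old_apns
fi
```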

Hat tip to Dan Brodjieski, Ben Toms, and Balmes Pavlov.
