Enrollment Blueprint

Resource Operation Description
  GET /enroll/trust.mobileconfig  
  POST /enroll/ota_authenticate  
  POST /enroll/profile  
  GET /enroll/profile  
  GET /enroll/ota  

GET /enroll/trust.mobileconfig

Generate a trust profile, if one is required.

Response Headers:
 
Status Codes:

POST /enroll/ota_authenticate

Over-The-Air Profile Delivery Phase 3 and 4.

This endpoint represents OTA Phases 3 and 4, the “/profile” endpoint specified in Apple's document “Over-The-Air Profile Delivery”.

There are two types of requests made here:

  • The first request is signed by the iPhone Device CA and contains the challenge in the Profile Service payload. We respond with the SCEP detail.
  • The second request is signed by the issued SCEP certificate. We should respond with an enrollment profile.
    It also contains the same device attributes sent in the previous step, but this time they are authenticated by our SCEP CA.

Examples:

Signed plist given in the first request:

{
    'CHALLENGE': '<CHALLENGE FROM PROFILE HERE>',
    'IMEI': 'empty if macOS',
    'MEID': 'empty if macOS',
    'NotOnConsole': False,
    'PRODUCT': 'MacPro6,1',
    'SERIAL': 'C020000000000',
    'UDID': '00000000-0000-0000-0000-000000000000',
    'UserID': '00000000-0000-0000-0000-000000000000',
    'UserLongName': 'Joe User',
    'UserShortName': 'juser',
    'VERSION': '16F73'
}
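
The two request types described above, as an added example that is not this project's own code. It assumes the CMS signature was already verified upstream and reduced to a hypothetical `Signer` value; `ota_authenticate`, `pending` and `seen` are illustrative names, and requiring the second request's attributes to match the first is this example's own policy.

```python
import hmac
import plistlib
from enum import Enum

class Signer(Enum):  # hypothetical outcome of CMS verification done upstream
    DEVICE_CA = "iPhone Device CA"   # first request (phase 3)
    SCEP_CA = "our SCEP CA"          # second request (phase 4)
    UNKNOWN = "untrusted"

class OTAError(Exception):
    pass

REQUIRED = ("UDID", "SERIAL", "PRODUCT", "VERSION")

def ota_authenticate(signer, payload, pending, seen):
    """Return which document to send back: 'scep' or 'enrollment_profile'.

    pending: set of challenges placed in Profile Service payloads (assumed store).
    seen: dict of UDID -> attributes accepted from the first request.
    """
    try:
        attrs = plistlib.loads(payload)
    except Exception as exc:
        raise OTAError("payload is not a plist") from exc
    if not isinstance(attrs, dict) or not all(isinstance(attrs.get(k), str) for k in REQUIRED):
        raise OTAError("missing device attributes")
    if signer is Signer.DEVICE_CA:
        given = str(attrs.get("CHALLENGE", "")).encode()
        # Compare against every outstanding challenge in constant time.
        match = [c for c in pending if hmac.compare_digest(c.encode(), given)]
        if not match:
            raise OTAError("unknown or reused challenge")
        pending.discard(match[0])          # a challenge is single-use
        seen[attrs["UDID"]] = {k: attrs[k] for k in REQUIRED}
        return "scep"
    if signer is Signer.SCEP_CA:
        # Attributes are now vouched for by our CA; they must match the first request.
        if seen.get(attrs["UDID"]) != {k: attrs[k] for k in REQUIRED}:
            raise OTAError("attributes differ from first request")
        return "enrollment_profile"
    raise OTAError("signer is neither the device CA nor our SCEP CA")

# Constructed sample, using the attribute values shown on this page.
SAMPLE = plistlib.dumps({
    "CHALLENGE": "constructed-challenge", "IMEI": "", "MEID": "",
    "NotOnConsole": False, "PRODUCT": "MacPro6,1", "SERIAL": "C020000000000",
    "UDID": "00000000-0000-0000-0000-000000000000", "VERSION": "16F73",
})
```
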
See Also:

POST /enroll/profile

Generate an enrollment profile.

GET /enroll/profile

Generate an enrollment profile.

GET /enroll/ota

Over-The-Air Profile Delivery Phase 1.5.

This endpoint represents the delivery of the Profile Service profile that should be delivered AFTER the user has successfully authenticated.