fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

MDM Apple enrollment fails with NSOSStatusErrorDomain on 1st attempt #8167

Closed michalnicp closed 1 year ago

michalnicp commented 1 year ago

Fleet version: 4c0456be731dafcf0fff05585668230ca3457d4b

🧑‍💻 Expected behavior

Installing an enrollment profile should succeed.

💥 Actual behavior

Installing the profile fails with an "NSOSStatusErrorDomain". Retrying is successful, but it shouldn't fail on the 1st attempt.

screenshot

This also fails with the same error when using DEP enrollment.

More info

Use the guide https://micromdm.io/blog/troubleshoot-dep/ to troubleshoot MDM issues on the device.

This seems to be related to issuing a device certificate from the scep server. Logs from the device show

$ log stream --info --debug --predicate 'processImagePath contains "mdmclient" OR processImagePath contains "storedownloadd"'

2022-10-11 14:03:42.755219-0600 0x137ae    Debug       0x0                  2183   0    mdmclient: [com.apple.ManagedClient:MDMAgent] [501:MDMAgent] <OUTERROR> Error Domain=MCCloudConfigurationErrorDomain Code=34007 "The Device Enrollment service could not verify the identity of this device. Please contact your system administrator." UserInfo={USEnglishDescription=CLOUD_CONFIG_INVALID_DEVICE_ERROR, NSLocalizedDescription=The Device Enrollment service could not verify the identity of this device. Please contact your system administrator., MCErrorType=MCFatalError}

Use https://www.osstatus.com to find the meaning of Apple API error codes.

Note that you should use a clean fleet installation to reproduce the issue! Repeated attempts without using a clean database fail to reproduce.

michalnicp commented 1 year ago

The NSOSStatusErrorDomain -67688 is "errSecInvalidSignature". I noticed that there is a certificate created on the device "MDM SCEP SIGNER ". I suspect this is an intermediate certificate that is generated when requesting a certificate from SCEP.

michalnicp commented 1 year ago

8267 seems to fix the issue for manual enrollment. However, for DEP automatic enrollment, it still fails the 1st time and succeeds on the second.

roperzh commented 1 year ago

I still get this issue even with manual enrollment.

roperzh commented 1 year ago

Interesting... using the method you described above (thanks!) I get a different error (manual enrollment):

2022-11-23 15:26:01.265747-0300 0xc0ce     Debug       0x0                  1233   0    mdmclient: (Security) [com.apple.securityd:atomicfile] 0x137f2aad0 allocated /Library/Keychains/System.keychain buffer 0x128018000 size 45468
2022-11-23 15:26:01.265759-0300 0xc0ce     Debug       0x0                  1233   0    mdmclient: (Security) [com.apple.securityd:atomicfile] 0x137f2aad0 closed /Library/Keychains/System.keychain
2022-11-23 15:26:01.266960-0300 0xc0ce     Debug       0x0                  1233   0    mdmclient: (Security) [com.apple.securityd:atomicfile] 0x138814860 free /Library/Keychains/System.keychain buffer 0x128028000
2022-11-23 15:26:01.266992-0300 0xc0ce     Debug       0x0                  1233   0    mdmclient: (Security) [com.apple.securityd:handleobj] create 0x137f37843 for 0x137f37870
2022-11-23 15:26:01.267024-0300 0xc0ce     Default     0x0                  1233   0    mdmclient: (Security) [com.apple.securityd:security_exception] MacOS error: -25304
2022-11-23 15:26:01.267811-0300 0xc13f     Error       0x139d4              1233   0    mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] <<<<< PlugIn: InstallPayload [CertificateService] Error: Error Domain=NSOSStatusErrorDomain Code=-67688 "(null)" UserInfo={IsInternalError=true} <<<<<

MacOS error: -25304 description is "The specified item is no longer valid. It may have been deleted from the keychain." 🤔
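The mdmclient lines quoted in this thread can be triaged mechanically. The Go program below is an added example, not Fleet's code: it scans unified-log output for NSError `Domain=`/`Code=` pairs and securityd `MacOS error:` statuses, and names the codes the thread identifies (-67688 errSecInvalidSignature, -25304 errSecInvalidItemRef, 34007 CLOUD_CONFIG_INVALID_DEVICE_ERROR). The regexes and the three-line sample input are assumptions built from the lines quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type Finding struct {
	Domain string // NSError domain, or "OSStatus" for securityd "MacOS error" lines
	Code   int
	Name   string // symbolic name when known, otherwise ""
}

// The OSStatus codes this thread identifies (Security framework names, per osstatus.com).
var osStatusNames = map[int]string{-67688: "errSecInvalidSignature", -25304: "errSecInvalidItemRef"}
var reNSError = regexp.MustCompile(`Error Domain=(\S+) Code=(-?\d+)`) // patterns assumed from the quoted lines
var reMCDesc = regexp.MustCompile(`USEnglishDescription=([A-Za-z_]+)`)
var reMacOSErr = regexp.MustCompile(`MacOS error: (-?\d+)`)

// Triage returns every error found in the log text, in order of appearance.
func Triage(logText string) []Finding {
	var out []Finding
	for _, line := range strings.Split(logText, "\n") {
		if m := reNSError.FindStringSubmatch(line); m != nil {
			code, _ := strconv.Atoi(m[2])
			name := ""
			if m[1] == "NSOSStatusErrorDomain" {
				name = osStatusNames[code]
			} else if d := reMCDesc.FindStringSubmatch(line); d != nil {
				name = d[1] // ManagedClient errors carry their own symbolic name in UserInfo
			}
			out = append(out, Finding{m[1], code, name})
		} else if m := reMacOSErr.FindStringSubmatch(line); m != nil {
			code, _ := strconv.Atoi(m[1])
			out = append(out, Finding{"OSStatus", code, osStatusNames[code]})
		}
	}
	return out
}

// sampleLog holds shortened copies of the three lines quoted in the thread (constructed input).
const sampleLog = `mdmclient: [com.apple.ManagedClient:MDMAgent] <OUTERROR> Error Domain=MCCloudConfigurationErrorDomain Code=34007 "The Device Enrollment service could not verify the identity of this device." UserInfo={USEnglishDescription=CLOUD_CONFIG_INVALID_DEVICE_ERROR, MCErrorType=MCFatalError}
mdmclient: (Security) [com.apple.securityd:security_exception] MacOS error: -25304
mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] <<<<< PlugIn: InstallPayload [CertificateService] Error: Error Domain=NSOSStatusErrorDomain Code=-67688 "(null)" UserInfo={IsInternalError=true} <<<<<`

func main() {
	for _, f := range Triage(sampleLog) {
		fmt.Printf("%-32s %7d %s\n", f.Domain, f.Code, f.Name)
	}
}
```

Feed it the output of the `log stream` command from the first comment to see the keychain error (-25304) that immediately precedes the InstallPayload failure.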

fleet-release commented 1 year ago

Clouds in the sky, Making Fleet smoother and better, Fixing enrollment.