Update an expired iOS MDM profile


Problem description

So I set up the SCEP server to generate an iOS identity certificate which is only valid for a short time. When it expires the profile says "This profile has expired. Update this profile for a newer version", and presents an "Update Profile" button.

However clicking this button simply tells me "Profile could not be updated. Please contact your networks Administrator". No attempt is made to contact either the MDM service or the SCEP service, and no indication of any MDM activity or errors appear in the log.

Enrolling the device again works fine, so I don't suspect calling a network administrator is actually a solution. So how do you update an expired MDM profile?

Recommended answer

I worked with MDM more than a year ago. So, I could be wrong with some details.

Here is what I remember:

a) Device does two SCEP calls for OTA MDM.

Take a look at this

First SCEP call is done as part of OTA Certificate Enrollment (phase 2 on the diagram)

And second SCEP call is done when OTA delivers profile with MDM and SCEP payload (as phase 3 on the diagram).

One thing which isn't obvious from your question is which of the iOS identity certificates is short-lived.

b) If your MDM identity has expired, you will stop receiving all MDM commands.

c) If your OTA identity has expired, you can't upgrade any of the configurations which you delivered over the air (for example, MDM).

If you have access to Apple Enterprise Developer Program, you can find MDM document in there. It will say that if you did OTA MDM, you need to Update it when it's about to expire.

And as I remember, if your OTA + MDM has expired then you are screwed (you don't have any other option than reenrollment).

BTW. I believe it's common practice to make these identities quite long living (exactly because of these problems).

If you are worried that you can't prevent somebody from receiving updates, you can always:


  • Send a wipe command

  • Remove all managed profiles

  • Revoke the identity certificate
