Some MDM payloads need to be specific to an individual device because they carry some kind of authentication, such as SCEP payloads. Others need information that corresponds to the device's user, as in the case of the Mail payload. Addigy provides a way to accomplish this with variables that are substituted when the profile is deployed.
Custom MDM Profile Variables can also be created.
Prerequisites
- A device that has the device fact or the Custom Fact needed for the Payload
- For devices other than Macs, the device must be supported through MDM
The identifier of the device fact can be found in the following folder within your Addigy device: /Library/Addigy/auditor-facts/facts. You will need the identifier of the fact as listed within that folder for your MDM Payload.
For example, if you need the Admin Users fact in the MDM Payload, you can visit this folder on your device and get the identifier for this fact. In this case, the identifier is "admin_users".
There are two simple ways to find the identifier of a Custom Fact. One of them is by searching in Dashboard Events with the filter Field = Any, Is = "=", Value = [Fact Name]. The identifier of the custom fact will be found under the receiver identifier.
The other way is by going to Policies > [Select the Policy you deployed the Custom Fact to] > Deployment Status > Custom Facts.
From here, click on the device fact and then click the arrow on a device with a Success status. Once you click on the arrow, you will see an output similar to the screenshot below. You can find the identifier in that output.
If you are not able to get the Custom Fact identifier using the two methods mentioned above, you could use the same method for the Device fact, but it would be more complicated to identify the Custom Fact this way.
Setting Up an MDM payload with Device Facts
Currently, our MDM Profile supports the following variables (note that the fact identifier must be wrapped in straight double quotes; curly quotes inserted by a word processor will not be recognized):
- {{.OrgID}}
- {{.AgentID}}
- {{.Fact "fact_identifier_goes_here"}}
Some examples of how you could integrate these variables into your payload are:
<key>OrganizationID</key>
<string>{{.OrgID}}</string>
<key>AgentID</key>
<string>{{.AgentID}}</string>
<key>DeviceFact</key>
<string>{{.Fact "local_ip"}}</string>
Note: This name corresponds to the "Local IP" fact.
<key>CustomFact</key>
<string>{{.Fact "3786ea94-a5fc-4404-b486-123456789"}}</string>
Note: This identifier corresponds to a Custom Fact called Policy Name.
If you use an app like Apple Configurator or iMazing Profile Editor to create your MDM Profiles, you will just need to enter {{.Fact "fact_identifier_goes_here"}} in the field where the fact should be used.
The screenshot below is an example of what this would look like in Profile Creator.
Note: These variables will be applied upon profile deployment from Addigy.
Setting Up a SCEP payload using Device Facts
This example uses three facts. The Organization ID (OrgID), which is unique to each environment within Addigy, can be found in line 23 in the plist provided below. The WiFi MAC address (wifi_mac_address), which is unique to each device, can be found in line 36. The Device Name (device_name) is found in line 38.
Another way to create a SCEP Payload is to use software such as iMazing or Profile Creator. However, if you are not familiar with this software, you can just proceed to modify the plist/mobileconfig file provided below.
The screenshots below are from Profile Creator. They can be used as a reference for the creation of this Payload.
To edit this plist/mobileconfig for deployment in your organization, replace the placeholder value in each of the following lines:
Line 11: <string>challengegoeshere</string> This is the Challenge (pre-shared secret).
Line 15: <integer>2048</integer> This is the Key Size in bits. It can be changed if your CA requires a size other than 2048.
Line 17: <string>Example CA</string> This is the Name. It can be used to differentiate between multiple CA certificates.
Line 29: <string>Example SCEP Profile</string> This is the Common Name (CN).
Line 42: <string>scep.server.goes.here</string> This is your SCEP server's URL.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>Challenge</key>
        <string>challengegoeshere</string>
        <key>Key Type</key>
        <string>RSA</string>
        <key>Keysize</key>
        <integer>2048</integer>
        <key>Name</key>
        <string>Example CA</string>
        <key>Subject</key>
        <array>
          <array>
            <array>
              <string>O</string>
              <string>{{.OrgID}}</string>
            </array>
          </array>
          <array>
            <array>
              <string>CN</string>
              <string>Example SCEP Profile</string>
            </array>
          </array>
        </array>
        <key>SubjectAltName</key>
        <dict>
          <key>ntPrincipalName</key>
          <string>{{.Fact "wifi_mac_address"}}</string>
          <key>rfc822Name</key>
          <string>{{.Fact "device_name"}}</string>
        </dict>
        <key>URL</key>
        <string>scep.server.goes.here</string>
      </dict>
      <key>PayloadDisplayName</key>
      <string>SCEP</string>
      <key>PayloadIdentifier</key>
      <string>com.github.erikberglund.ProfileCreator.E4F4124F-20F8-48AF-92A6-340680F3799C.com.apple.security.scep.531A991D-2C92-456B-971E-D9D1A6818A46</string>
      <key>PayloadOrganization</key>
      <string></string>
      <key>PayloadType</key>
      <string>com.apple.security.scep</string>
      <key>PayloadUUID</key>
      <string>531A991D-2C92-456B-971E-D9D1A6818A46</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>SCEP Payload</string>
  <key>PayloadIdentifier</key>
  <string>com.github.erikberglund.ProfileCreator.E4F4124F-20F8-48AF-92A6-340680F3799C</string>
  <key>PayloadOrganization</key>
  <string>ProfileCreator</string>
  <key>PayloadScope</key>
  <string>User</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>E4F4124F-20F8-48AF-92A6-340680F3799C</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
Once you have made the necessary modifications to the plist/mobileconfig file, you can proceed to save it. Make sure to use the .mobileconfig extension when saving your file.
After you have followed all the instructions above, create a new Custom Profile in your Catalog using your new .mobileconfig file. Then assign it to any of your policies to deploy it to your devices.
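Because the variables are only substituted when Addigy deploys the profile, a typo such as a curly quote or an unknown fact identifier is not visible until the profile lands on a device. The following Python script is an added example, not Addigy's code: it mimics the {{.OrgID}}, {{.AgentID}} and {{.Fact "..."}} substitution described in the variables section and then checks the result the way a pre-upload review of the SCEP .mobileconfig above would, flagging unresolved variables, curly quotes, the placeholder values (challengegoeshere, scep.server.goes.here) that must be replaced, and a SCEP payload that is missing required keys. The template, fact values, organization and agent IDs, and the URL are all constructed for the example; how Addigy itself escapes substituted values is not described on the page, so the XML escaping here is this script's own choice.

```python
"""Render Addigy-style MDM profile variables locally and sanity-check the result.

Added example (not Addigy's code). Simulates the {{.OrgID}}, {{.AgentID}} and
{{.Fact "id"}} substitution so a .mobileconfig can be checked before upload.
"""
import plistlib
import re
from xml.sax.saxutils import escape

# The three variable forms from the article. Only straight quotes are accepted,
# matching the syntax the article shows; curly quotes therefore stay unresolved.
VARIABLE_RE = re.compile(r'\{\{\s*\.(OrgID|AgentID|Fact\s+"([^"]+)")\s*\}\}')
UNRESOLVED_RE = re.compile(r"\{\{.*?\}\}")
# Placeholder values from the article's SCEP plist that must not ship as-is.
PLACEHOLDERS = ("challengegoeshere", "scep.server.goes.here")

# Constructed template: a minimal SCEP payload in the shape of the article's example.
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>Challenge</key>
        <string>constructed-challenge</string>
        <key>Key Type</key>
        <string>RSA</string>
        <key>Keysize</key>
        <integer>2048</integer>
        <key>Subject</key>
        <array>
          <array><array><string>O</string><string>{{.OrgID}}</string></array></array>
          <array><array><string>CN</string><string>{{.Fact "device_name"}}</string></array></array>
        </array>
        <key>SubjectAltName</key>
        <dict>
          <key>ntPrincipalName</key>
          <string>{{.Fact "wifi_mac_address"}}</string>
        </dict>
        <key>URL</key>
        <string>https://scep.example.invalid/cgi-bin/pkiclient.exe</string>
      </dict>
      <key>PayloadType</key>
      <string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key>
      <string>com.example.scep.{{.AgentID}}</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.scep-profile</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
"""

# Constructed device facts, keyed by identifiers from the article's fact list.
SAMPLE_FACTS = {"device_name": "mac-1234", "wifi_mac_address": "aa:bb:cc:dd:ee:ff"}


def render_profile(template, org_id, agent_id, facts):
    """Substitute the variables; raise KeyError for a fact identifier without a value.
    Substituted values are XML-escaped so a fact containing & or < cannot break the plist."""
    def substitute(match):
        kind, fact_id = match.group(1), match.group(2)
        if kind == "OrgID":
            return escape(org_id)
        if kind == "AgentID":
            return escape(agent_id)
        if fact_id not in facts:
            raise KeyError(f"no value for fact identifier {fact_id!r}")
        return escape(str(facts[fact_id]))
    return VARIABLE_RE.sub(substitute, template)


def check_rendered_profile(rendered):
    """Return a list of problems; an empty list means the profile passed every check."""
    problems = []
    if "\u201c" in rendered or "\u201d" in rendered:
        problems.append('curly quotes found; write {{.Fact "id"}} with straight quotes')
    problems += [f"unresolved variable {v}" for v in UNRESOLVED_RE.findall(rendered)]
    problems += [f"placeholder {p!r} still present" for p in PLACEHOLDERS if p in rendered]
    try:
        profile = plistlib.loads(rendered.encode("utf-8"))
    except Exception as exc:  # InvalidFileException or an expat parse error
        problems.append(f"not a valid plist: {exc}")
        return problems
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.security.scep":
            content = payload.get("PayloadContent", {})
            problems += [f"SCEP payload missing {k}" for k in ("Challenge", "Keysize", "Subject", "URL")
                         if k not in content]
    return problems


if __name__ == "__main__":
    rendered = render_profile(SAMPLE_TEMPLATE, "org-0001", "agent-0001", SAMPLE_FACTS)
    problems = check_rendered_profile(rendered)
    for problem in problems:
        print("PROBLEM:", problem)
    print("profile ok" if not problems else f"{len(problems)} problem(s) found")
```

To check a real file, read it into a string, render it with your organization's values and a dictionary of the facts it references, and review whatever check_rendered_profile returns before creating the Custom Profile in your Catalog.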
Available MDM Device Facts for Variables
- active_managed_users
- agentid
- authenticated_root_volume_enabled
- awaiting_configuration
- battery_percentage
- bluetooth_mac
- bootstrap_token_allowed_for_authentication
- bootstrap_token_required_for_kernel_extension_approval
- bootstrap_token_required_for_software_update
- build_version
- carrier_settings_version
- cellular_technology
- current_carrier_network
- current_mcc
- current_mnc
- data_roaming_enabled
- days_since_last_cloud_backup
- device_model_name
- device_name
- eas_device_identifier
- ethernet_ma_cs
- filevault_key_escrowed
- free_disk_percentage
- free_disk_space_gb
- hardware_encryption_caps
- hardware_model
- has_mdm
- has_wireless
- iccid
- imei
- is_activation_lock_enabled
- is_cloud_backup_enabled
- is_device_locator_service_enabled
- is_do_not_disturb_in_effect
- is_mdm_lost_mode_enabled
- is_roaming
- is_supervised
- is_user_enrollment
- languages
- last_cloud_backup_date
- last_online
- locales
- localhost_name
- mac_uuid
- manufactured_date
- maximum_resident_users
- meid
- modem_firmware_version
- online
- os_version
- passcode_compliant
- passcode_compliant_with_profiles
- passcode_lock_grace_period
- passcode_lock_grace_period_enforced
- passcode_present
- personal_hotspot_enabled
- phone_number
- policy_id
- policy_ids
- product_name
- registration_date
- serial_number
- sim_carrier_network
- subscriber_carrier_network
- subscriber_mcc
- subscriber_mnc
- system_integrity_protection_enabled
- system_version
- total_disk_space_gb
- udid
- voice_roaming_enabled
- wifi_mac_address
Additional Notes:
GUI based functionality to manage this feature will be added to your Addigy environment when IP-615 gets released.
For additional information on how to improve your network security, refer to the article "How to Deploy SCEP Certificates Using Addigy and SecureW2".