Some MDM payloads must be specific to an individual device because they carry something only that device should present, such as the enrollment values in a SCEP payload. Others need information tied to the device's user, such as the email address in a Mail payload. Addigy handles both cases by letting a custom MDM configuration reference device facts as variables that are filled in when the profile is deployed.


Prerequisites

  1. A device that has the Device Fact or the Custom Fact needed for the Payload

The identifier of a Device Fact can be found on any Addigy-managed device in the folder /Library/Addigy/auditor-facts/facts. Use the identifier exactly as it is listed in that folder when you reference the fact in your MDM payload.


For example, if you need the Admin Users fact in an MDM payload, look in that folder on the device and copy the identifier for that fact; in this case the identifier is "admin_users".



There are two simple ways to find the identifier of a Custom Fact. The first is to search in Dashboard > Events with the filter Field = Any, Is = "=", Value = [Fact Name]. The identifier of the Custom Fact is shown under Receiver > Identifier.


The other way is to go to Policies > [Select the Policy you deployed the Custom Fact to] > View details > Custom Fact and click Success. You will see a result list similar to the screenshot below; click View under Output, and the identifier is shown there.


If neither method gives you the Custom Fact identifier, you can fall back to the method used for Device Facts (browsing /Library/Addigy/auditor-facts/facts on a device), but Custom Facts are harder to pick out of that folder than built-in facts.


Setting up an MDM Payload with Device Facts


Currently, our Custom MDM Configurations support the following variables:


  • {{.OrgID}}
  • {{.AgentID}}
  • {{.Fact "fact_identifier_goes_here"}}

Put the fact identifier in straight ASCII double quotes, exactly as shown above and in the examples below. Word processors and some editors silently replace them with curly quotes, and a variable written with curly quotes will not be recognized and will be left in the profile as literal text.


Some examples of how you could integrate these variables into your payload are:


Organization ID:

<key>OrganizationID</key>
<string>{{.OrgID}}</string>


Agent ID:

<key>AgentID</key>
<string>{{.AgentID}}</string>


A Device Fact (this identifier corresponds to the fact Local IP):

<key>DeviceFact</key>
<string>{{.Fact "local_ip"}}</string>


A Custom Fact (this identifier corresponds to a Custom Fact called Policy Name):

<key>CustomFact</key>
<string>{{.Fact "3786ea94-a5fc-4404-b486-5d4e240df23a"}}</string>


If you use an app like Profile Creator or iMazing to build your MDM payloads, enter {{.Fact "fact_identifier_goes_here"}} (with straight double quotes) in the field where the fact value is needed.


The screenshot below is an example of what this would look like in Profile Creator.




Note: These variables will get applied upon profile deployment from Addigy. 


Setting up a SCEP Payload using Device Facts


This example uses three variables. The Organization ID ({{.OrgID}}), which is unique to each Addigy environment, is on line 23 of the plist provided below. The Wi-Fi MAC address ({{.Fact "wifi_mac_address"}}), which is unique to each device, is on line 36, and the device name ({{.Fact "device_name"}}) is on line 38. The example places the MAC address in the ntPrincipalName subject alternative name and the device name in rfc822Name; rfc822Name is defined as an email address, so confirm that your CA accepts a device name in that field, or put the device name in whichever SAN type your CA expects.


Another way to create a SCEP Payload is to use software such as iMazing or Profile Creator. However, if you are not familiar with this software you can just proceed to modify the plist/mobileconfig file provided below. 


These screenshots below are from Profile Creator. They can be used as a reference for the creation of this Payload. 



To adapt this plist/mobileconfig to your organization, replace the values on the following lines:


Line 11 <string>challengegoeshere</string>        This is the Challenge (pre-shared secret). Anyone who can read the profile can read this value, so handle the .mobileconfig as a secret, and prefer a challenge your SCEP server issues per enrollment if it supports that.

Line 15 <integer>2048</integer>                            This is the Key Size in bits. Change it only if your CA requires a different size; do not go below 2048.

Line 17 <string>Example CA</string>                    This is the Name. It can be used to differentiate between multiple CA certificates.

Line 29 <string>Example SCEP Profile</string>   This is the Common Name (CN). Avoid leading or trailing spaces, since they become part of the certificate subject.

Line 41 <string>scep.server.goes.here</string>   This is your SCEP server's URL. Use the full URL, including the https:// scheme and the path your SCEP server expects.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>Challenge</key>
        <string>challengegoeshere</string>
        <key>Key Type</key>
        <string>RSA</string>
        <key>Keysize</key>
        <integer>2048</integer>
        <key>Name</key>
        <string>Example CA</string>
        <key>Subject</key>
        <array>
          <array>
            <array>
              <string>O</string>
              <string>{{.OrgID}}</string>
            </array>
          </array>
          <array>
            <array>
              <string>CN</string>
              <string>Example SCEP Profile</string>
            </array>
          </array>
        </array>
        <key>SubjectAltName</key>
        <dict>
          <key>ntPrincipalName</key>
          <string>{{.Fact "wifi_mac_address"}}</string>
          <key>rfc822Name</key>
          <string>{{.Fact "device_name"}}</string>
        </dict>
        <key>URL</key>
        <string>scep.server.goes.here</string>
      </dict>
      <key>PayloadDisplayName</key>
      <string>SCEP</string>
      <key>PayloadIdentifier</key>
      <string>com.github.erikberglund.ProfileCreator.E4F4124F-20F8-48AF-92A6-340680F3799C.com.apple.security.scep.531A991D-2C92-456B-971E-D9D1A6818A46</string>
      <key>PayloadOrganization</key>
      <string></string>
      <key>PayloadType</key>
      <string>com.apple.security.scep</string>
      <key>PayloadUUID</key>
      <string>531A991D-2C92-456B-971E-D9D1A6818A46</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>SCEP Payload</string>
  <key>PayloadIdentifier</key>
  <string>com.github.erikberglund.ProfileCreator.E4F4124F-20F8-48AF-92A6-340680F3799C</string>
  <key>PayloadOrganization</key>
  <string>ProfileCreator</string>
  <key>PayloadScope</key>
  <string>User</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>E4F4124F-20F8-48AF-92A6-340680F3799C</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

Once you have made the necessary modifications to the plist/mobileconfig file you can proceed to save it. Make sure to use the .mobileconfig extension when saving your file. 
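Before uploading the file, it helps to render the variables locally and check the result, since a mistyped fact identifier, a curly quote, or a placeholder left over from the template only shows up after the profile has already been deployed. The script below is an added example, not Addigy's own code: Addigy performs the real substitution of {{.OrgID}}, {{.AgentID}} and {{.Fact "..."}} at deployment time, and this script only imitates that substitution with values you supply so that the variable syntax from the "Setting up an MDM Payload with Device Facts" section and the edit checklist for the SCEP profile above can be checked offline. The fact values, organization and agent IDs, and the shortened copy of the SCEP profile embedded in it are constructed for the example.

```python
"""Pre-deployment check for a custom MDM configuration that uses Addigy's
{{.OrgID}}, {{.AgentID}} and {{.Fact "identifier"}} variables.

Added example, not Addigy's code. The substitution below imitates what
Addigy does at deployment so that template mistakes and weak SCEP settings
are caught before the .mobileconfig is uploaded. All values are constructed.
"""
import plistlib
import re
from urllib.parse import urlparse

# The three supported variable forms; only straight ASCII quotes are accepted.
VAR_RE = re.compile(r'\{\{\s*\.(OrgID|AgentID|Fact\s+"([^"]*)")\s*\}\}')
# A {{ }} block containing curly quotes, a common copy/paste error.
CURLY_RE = re.compile(r"\{\{[^}]*[\u201c\u201d][^}]*\}\}")
# Placeholder values from the sample profile that must never ship.
PLACEHOLDERS = ("challengegoeshere", "scep.server.goes.here")

# Constructed fact values; on a real device Addigy supplies these from the
# facts listed under /Library/Addigy/auditor-facts/facts.
FACTS = {"wifi_mac_address": "a4:83:e7:12:34:56", "device_name": "mac-0042"}

# Condensed copy of the SCEP profile on this page, placeholders intact.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
<key>PayloadContent</key><dict>
<key>Challenge</key><string>challengegoeshere</string>
<key>Key Type</key><string>RSA</string>
<key>Keysize</key><integer>2048</integer>
<key>Name</key><string>Example CA</string>
<key>Subject</key><array>
<array><array><string>O</string><string>{{.OrgID}}</string></array></array>
<array><array><string>CN</string><string>Example SCEP Profile </string></array></array>
</array>
<key>SubjectAltName</key><dict>
<key>ntPrincipalName</key><string>{{.Fact "wifi_mac_address"}}</string>
<key>rfc822Name</key><string>{{.Fact "device_name"}}</string>
</dict>
<key>URL</key><string>scep.server.goes.here</string>
</dict>
<key>PayloadType</key><string>com.apple.security.scep</string>
<key>PayloadUUID</key><string>531A991D-2C92-456B-971E-D9D1A6818A46</string>
<key>PayloadVersion</key><integer>1</integer>
</dict></array>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadUUID</key><string>E4F4124F-20F8-48AF-92A6-340680F3799C</string>
<key>PayloadVersion</key><integer>1</integer>
</dict></plist>
"""

# The same profile after the edit checklist has been applied (made-up values).
FIXED_TEMPLATE = (TEMPLATE
    .replace("challengegoeshere", "7c1f0a4e-per-enrollment-challenge")
    .replace("scep.server.goes.here", "https://scep.example.com/cgi-bin/pkiclient.exe")
    .replace("Example SCEP Profile ", "Example SCEP Profile"))


def render(template, org_id, agent_id, facts):
    """Fill in the variables; an unknown fact identifier raises KeyError."""
    def sub(m):
        if m.group(1) == "OrgID":
            return org_id
        if m.group(1) == "AgentID":
            return agent_id
        return facts[m.group(2)]  # KeyError surfaces a mistyped identifier
    return VAR_RE.sub(sub, template)


def lint_scep(rendered):
    """Return the list of problems found in a rendered SCEP profile."""
    problems = []
    if CURLY_RE.search(rendered):
        problems.append("curly quotes inside a {{ }} variable")
    if "{{" in rendered:
        problems.append("unrendered variable left in profile")
    problems += [f"placeholder '{p}' not replaced" for p in PLACEHOLDERS if p in rendered]
    root = plistlib.loads(rendered.encode("utf-8"))
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue
        scep = payload["PayloadContent"]
        if urlparse(scep.get("URL", "")).scheme != "https":
            problems.append("SCEP URL is not https://")
        if scep.get("Keysize", 0) < 2048:
            problems.append("RSA key shorter than 2048 bits")
        if not scep.get("Challenge"):
            problems.append("empty Challenge")
        for rdn in scep.get("Subject", []):  # [[["O", value]], [["CN", value]]]
            for attr, value in rdn:
                if value != value.strip():
                    problems.append(f"{attr} has leading or trailing whitespace")
    return problems


def check(template, org_id="org-1234", agent_id="agent-5678", facts=FACTS):
    """Render with the constructed values and lint the result."""
    return lint_scep(render(template, org_id, agent_id, facts))


if __name__ == "__main__":
    for name, tpl in (("as published", TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name + ":", check(tpl) or "OK")
```

Run against the profile as published, the check reports the two placeholders, the missing https:// scheme and the trailing space in the CN; against the edited copy it reports nothing. The same `check` call on your own .mobileconfig (read the file into a string and pass it as `template`) is a cheap gate before step 3 of the upload procedure below.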


Once you have a .mobileconfig file ready to deploy, go to your Addigy instance and follow the steps below.

  1. Go to Policies > MDM Configurations > Add Configuration +.

  2. Click on macOS, then Custom configuration

  3. Proceed to click Select .mobileconfig file, you will be prompted to select the file from your device.

  4. Click Create Configuration.

  5. Finally, add and deploy this MDM Configuration to the policies you would like to receive this Payload. 

You have now created and deployed an MDM Payload using variables. If you have any questions please contact support@addigy.com for assistance. 


Additional Notes:

GUI based functionality to manage this feature will be added to your Addigy environment when IP-615 gets released. 

For additional information on how to improve your network security, you can refer to this article How to Deploy SCEP Certificates Using Addigy and SecureW2

If you have an Addigy account and have additional questions, you can create a ticket by emailing support@addigy.com.

Alternatively, you can submit a support request within Addigy.