Viewing the encrypted Apple profiles in Workspace ONE UEM console

Apple has an option to encrypt the MDM profile payloads (both iOS and macOS). But then when you try to view the profile XML in the console (ex. migrating payloads between UAT and Production environments, working with custom profiles) – they are encrypted! Turns out, there is a way to view the XML w/o having to decrypt everything globally, which is actually documented, but easy to overlook! Very niche thing, but may be helpful to someone.

What is profile encryption?

Apple MDM framework allows for encrypting profile payloads. This is actually configurable via Settings -> Devices -> Apple -> Profiles -> Encrypt Profiles and is turned on by default.

Profile encryption is useful and is turned on by default.

When you have it on, your profile contents look like this:

Encrypted Apple profile XML view

Note that when you access the profile via standard GUI or via API (/mdm/profiles/{id}) – it is not encrypted.

Viewing encrypted profiles w/o decrypting everything

Last week a customer asked me, how they can see the contents of their encrypted profiles, w/o globally decrypting everything and without using API. I took the first available iOS profile in my sandbox, viewed XML, and it wasn’t encrypted at all, despite having Encrypt Profiles set! After checking with colleagues and carefully reading the docs, turned out that profiles are only encrypted when assigned to the devices! Indeed, the profile in my sandbox was not assigned to any devices. I have selected another one (which was assigned), and it was properly encrypted.

So, the actual workaround is very simple – just create a copy of profile and do NOT assign it to any devices!

Copy the profile in question…
…do not assign to any devices…
…now in plain text!

Summary

  • Profile encryption is useful
    • Can be disabled globally
    • Can be disabled locally if the profile is not assigned to any devices – just create a copy and do not input any smart groups
  • Small bit that can be useful when you deal with profile XML in the console
    • Or just use the API
  • A very niche finding, but may be useful to someone

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: