Apple has an option to encrypt the MDM profile payloads (both iOS and macOS). But then when you try to view the profile XML in the console (ex. migrating payloads between UAT and Production environments, working with custom profiles) – they are encrypted! Turns out, there is a way to view the XML w/o having to decrypt everything globally, which is actually documented, but easy to overlook! Very niche thing, but may be helpful to someone.
What is profile encryption?
Apple MDM framework allows for encrypting profile payloads. This is actually configurable via Settings -> Devices -> Apple -> Profiles -> Encrypt Profiles and is turned on by default.
When you have it on, your profile contents look like this:
Note that when you access the profile via standard GUI or via API (/mdm/profiles/{id}) – it is not encrypted.
Viewing encrypted profiles w/o decrypting everything
Last week a customer asked me, how they can see the contents of their encrypted profiles, w/o globally decrypting everything and without using API. I took the first available iOS profile in my sandbox, viewed XML, and it wasn’t encrypted at all, despite having Encrypt Profiles set! After checking with colleagues and carefully reading the docs, turned out that profiles are only encrypted when assigned to the devices! Indeed, the profile in my sandbox was not assigned to any devices. I have selected another one (which was assigned), and it was properly encrypted.
So, the actual workaround is very simple – just create a copy of profile and do NOT assign it to any devices!
Summary
- Profile encryption is useful
- Can be disabled globally
- Can be disabled locally if the profile is not assigned to any devices – just create a copy and do not input any smart groups
- Small bit that can be useful when you deal with profile XML in the console
- Or just use the API
- A very niche finding, but may be useful to someone
Arsen Bandurian: Technical Blog 
Leave a comment