How to sign a configuration profile

Hi All. This blog has resulted from recent questions in the Mac Admin Slack group and internally on how to sign a configuration profile.
I’ll start off with the why, then jump into the how!

Why would I need to sign a configuration profile?

As I’m sure you are aware, you can deploy unsigned configuration profiles without many issues. But there are two key reasons where you might want to sign a configuration profile; to protect its contents from tampering, or to stop an MDM solution from modifying them.

Tamper protection?

That’s right, much like signing an Installer or an Application, a signed profile will show warnings to the user / management system should the profile contents be tampered with after you’ve signed it. This can add a layer of trust for your end users and deployment solutions, in much the same way TLS certificates can do for secure websites.
The Jamf Pro MDM solution will always sign all profiles it deploys out via the MDM framework.
Please Note: Tamper-protection doesn’t mean that the contents (such as a Wifi password) are hidden and doesn’t mean that they can’t be extracted. It also doesn’t mean that a profile can’t be ‘de-signed’, modified and sent onto the client device, however this will also show a warning to the end user.

MDM modification protection?

In some situations, you may build your own profile, and upload it to an MDM solution for deployment, only to find that additional keys and items have been added, or, worst case, the settings you attempt to manage have been reversed! By signing your profile before uploading it to the management solution, you can protect the contents from modification and deploy exactly what you meant to, as intended.
An example may make this one easier to understand. I had a requirement to enable FileVault 2 on a number of devices via MDM, but without locking out the remainder of the “Security & Privacy” System Preference Pane. Using Apple’s Profile Manager, or the Jamf Pro solution I would need to use a “Security & Privacy” profile payload, which includes a number of other settings that also must be set. This is not what I wanted. After some work, I figured out a minimum payload profile that would enable FileVault 2 only, and leave the other settings at default (or user set). This profile tested fine when deployed locally, but failed when deployed via Jamf Pro. I found out that as this setting is normally only applied through the full payload, the server was combining them. In order to prevent this, I had to sign the profile, before uploading it to the Jamf Pro Server. I also then had to not click the padlock icon in the upper right of the window to continue to leave the profile read-only. The Jamf Pro server would still deploy this fine.
How to sign a configuration profile –picture 001

Time for the How

So, you have a need to sign a profile or two? Great, let’s get you started:

/usr/bin/security cms -S -N "[Signing Certificate]" -i "[input]" -o "[output]"

The “[Signing Certificate]” is the name of a signing certificate you have stored in your keychain (more on this later).
The “[input]” is the full path to the profile you want to sign.
The “[output]” is the full path to the finished profile (I’d suggest using the same as the input path, but adding ‘-signed’ to the end).
That’s it!

How do I find a signing certificate?

The best one to use is your Apple Developer account to create a signing certificate. It’ll be the price of a Developer account (USD $99 per person, or USD $299 per organisation) and will provide you with a certificate that’ll be trusted by all Apple devices (as long as you don’t do anything to get your certificate revoked)!
Alternatively, if you are running a macOS Server instance on your Mac, the setup should have created a certificate for you (or definitely if you’ve configured Profile Manager to sign certificates too). Simply:

      1. Launch Keychain Assistant from your Utilities folder
      2. Select “System” from your keychains (upper left section)
      3. Select “My Certificates” from the category (lower left section)
      4. Look at the main window for a certificate with a name matching your server name (in the picture below, mine is called ‘Amsys---Darren’ from my Machine name “Amsys – Darren”)

How to sign a configuration profile –picture 002

      1. Use the certificate name (under the “Name” column) as the “[Signing Certificate]” in the code snippet above (e.g. Amsys—Darren)

Obtaining a developer certificate / creating my own (self-signed) signing certificate

I’m afraid these are out of scope for this blog, but I’ll do my best to get together another instinctual blog to walk you through it soon.


As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.
The usual Disclaimer:
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.