user1388794

Reputation: 1

MDM OTA: Last profile in iDevice enrollment

I ran into a problem when installing the last profile on the device. The console complains: Underlying error: MDM com.company.com.mdm5: The MDM payload com.company.com.mdm5 contains an invalid topic.

I think maybe I entered the wrong topic value. I tried the following values, but all failed:

1. The UID of the Developer cert's Subject.
2. The "application-identifier" value in my .mobileprovision file.

Any suggestions? Thanks in advance.

The SCEP cert was successfully issued from the device, and my profile is generated by iPCU. Below is part of my target profile:

            <dict>
                    <key>AccessRights</key>
                    <integer>8191</integer>
                    <key>CheckInURL</key>
                    <string>https://192.168.0.105/cgi-bin/checkin.py</string>
                    <key>CheckOutWhenRemoved</key>
                    <true/>
                    <key>IdentityCertificateUUID</key>
                    <string>000000-0000-0000-0000-0000</string>
                    <key>PayloadDescription</key>
                    <string>Configures MobileDeviceManagement.</string>
                    <key>PayloadIdentifier</key>
                    <string>com.company.com.mdm5</string>
                    <key>PayloadOrganization</key>
                    <string>Company</string>
                    <key>PayloadType</key>
                    <string>com.apple.mdm</string>
                    <key>PayloadUUID</key>
                    <string>7AF006C2-E2BC-4606-8C3B-29A9C421F62D</string>
                    <key>PayloadVersion</key>
                    <integer>1</integer>
                    <key>ServerURL</key>
                    <string>https://192.168.0.105/cgi-bin/server.py</string>
                    <key>SignMessage</key>
                    <false/>
                    <key>Topic</key>
                    <string>com.apple.pineapple</string>
                    <key>UseDevelopmentAPNS</key>
                    <true/>
            </dict>

Upvotes: 0

Views: 3332

Answers (4)

Fazi

Reputation: 3989

First, you must generate a certificate request with the correct data and format. Then, you would log in to your identity.apple.com account and upload this certificate request, after which Apple sends you back (by browser download) a signed push certificate. This contains a valid topic as described by rlandster. This is the topic which you must generate/write into your enrollment profile. When you send a command to a device, the previous push certificate's topic and the topic in the enrollment profile must match, otherwise the device will not listen to your commands!

Upvotes: 0

rlandster

Reputation: 7825

The topic should look something like this:

com.apple.mgmt.External.b503419d-1e2a-a60f-7451-5b8832b5a9cb

You can find it by looking at the subject of the APNS certificate that Apple provisioned for your MDM service (use openssl to display the details of the certificate).

The profile used to enroll a device in an MDM system contains a "topic" string identifier. The device will not respond to an MDM push-notification unless the certificate's subject used to send the notification matches the enrollment topic.

Upvotes: 4
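
The check described in this answer, as an added example that is not part of the original post: it compares the UID attribute from the output of `openssl x509 -noout -subject` with the Topic of the com.apple.mdm payload in an enrollment profile. The function names, the sample subject line and the reduced profile are constructed for illustration, and it assumes an unsigned XML profile whose push topic is carried in the subject's UID attribute.

```python
import plistlib
import re

# Constructed sample of an `openssl x509 -in push.pem -noout -subject` line.
SAMPLE_SUBJECT = ("subject=UID = com.apple.mgmt.External."
                  "b503419d-1e2a-a60f-7451-5b8832b5a9cb, CN = Example MDM Push, C = US")

# Constructed sample profile, reduced to the keys this check reads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>Topic</key><string>com.apple.pineapple</string>
  </dict></array>
</dict></plist>"""

def topic_from_subject(subject_line):
    """Return the UID attribute from an openssl subject line, or None."""
    # Accepts both the "UID = x, CN = y" and the older "/UID=x/CN=y" layouts.
    m = re.search(r"(?:^|[/,=\s])UID\s*=\s*([^,/\s]+)", subject_line)
    return m.group(1) if m else None

def mdm_topics(profile_bytes):
    """Return the Topic of every com.apple.mdm payload in the profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    return [p.get("Topic") for p in payloads
            if isinstance(p, dict) and p.get("PayloadType") == "com.apple.mdm"]

def check_topic(subject_line, profile_bytes):
    """Return a list of problems; an empty list means the topics agree."""
    cert_topic = topic_from_subject(subject_line)
    if cert_topic is None:
        return ["no UID attribute in certificate subject"]
    problems = []
    if not cert_topic.startswith("com.apple.mgmt."):
        problems.append(f"certificate UID {cert_topic!r} is not an MDM push topic")
    topics = mdm_topics(profile_bytes)
    if not topics:
        problems.append("profile has no com.apple.mdm payload")
    for topic in topics:
        if topic != cert_topic:
            problems.append(f"profile Topic {topic!r} != certificate topic {cert_topic!r}")
    return problems

if __name__ == "__main__":
    for line in check_topic(SAMPLE_SUBJECT, SAMPLE_PROFILE) or ["topics match"]:
        print(line)
```

Run against the sample, it reports the `com.apple.pineapple` topic from the question as a mismatch; running it before a profile is distributed catches the error before a device rejects the payload.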

User97693321

Reputation: 3346

If there are multiple users of your Enterprise developer accounts, then prefer to use the Agent account to create the APNS certificate, and verify that the APNS certificate subject contains com.apple.mgmt.External.b503419d-1e2a-a60f-7451-5b8832b5a9cb as rlandster mentioned.

Upvotes: 0

Abstractec

Reputation: 656

All topics must begin with com.apple.mgmt.; however, they must match the value of your MDM push certificate ID.

Upvotes: 0
