Exporting S/MIME Certificate Identities For iOS Use

Cryptographically signed email is a complicated subject. There are keys and certificates, there are signing authorities, and there is all of the wonderful PKI structure that lets us communicate securely. A signed message is an easy way to show other parties that you are taking some precautions with your email: it authenticates the sender end to end, regardless of which servers the message passed through. A typical free commercial certificate, say from Comodo, affirms only that whoever requested the certificate could receive email at the given address. Signing an outgoing message with it attaches a signature, computed with your private key, that recipients can verify against the certificate; that confirms the message came from the holder of that key and was not altered in transit. Signing alone does not hide the contents; that takes encryption to the recipient's certificate, which is a separate step.

Generally, these certificates are commissioned on a desktop computer such as a Mac. You end up with an identity (the certificate plus its private key) stored in your login keychain, which Mail.app or Outlook use to sign your outgoing messages and to decrypt messages that others have encrypted to your public certificate. If you open Keychain Access, select the login keychain and filter by Certificates, you will see your email certificate.

If you want to sign email with your iPhone or iPad (and you do), you’ll need to move this certificate to your device in a way that your device will be able to work with it.

keychain-access-cert

Normally, you might just drag a certificate out to the Desktop and embed it in an MDM profile, or something similar. That won't work here: dragging exports only the public certificate (.cer), and the part you need on the device is the private key, which stays behind in the keychain. What you need is the whole identity, certificate and private key together, exported in .p12 format (also known as PKCS #12). To do this, right-click the certificate and select Export.

keychain-access-export

Pick a location for the file. I recommend the Desktop, since we’re going to be emailing this file.

pick-a-location

You’ll be prompted to pick a password for this .p12 file. You’ll need it again when the certificate reaches the iOS device. This password is the only thing protecting the private key while the certificate and key travel together in one package.

enter-a-password

Pick a password that you’ll remember and that isn’t just password. If your email is compromised, an attacker who takes this .p12 has unlimited offline tries at that password, with no lockout and no rate limit; a weak one falls to an ordinary wordlist, and with it they can sign email (and read encrypted email) as you until you revoke the certificate at the Certificate Authority. A good password makes that guessing impractical. Note the password down carefully, you’ll need it in a moment.

pick-a-good-password

You may be asked by the system to allow access to the private key; you’ll need to allow it in order to export. I think this step might be unnecessary in most cases, so if it doesn’t appear, don’t worry about it.

allow-access-to-key
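The export above, and the offline guessing attack the container password has to withstand, reproduced with openssl as an added example (this is not code from the original post). It assumes openssl 1.1.1 or newer is on the PATH; the identity is a constructed self-signed test certificate rather than a CA-issued S/MIME certificate, the `security export` command in the comment is macOS's own CLI equivalent of the Keychain Access menu item, and the wordlist is a made-up stand-in for a real one.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: openssl 1.1.1+
# on PATH; constructed self-signed identity; made-up wordlist.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/smime.key"
CERT="$WORK/smime.crt"
P12="$WORK/smime.p12"

# Stand-in for the identity sitting in the login keychain: an RSA key and a
# self-signed certificate whose subject carries the mailbox address.
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Alice Example/emailAddress=alice@example.com" \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Keychain Access > Export as .p12, done on the command line. On macOS the
# native equivalent is:
#   security export -k ~/Library/Keychains/login.keychain-db -t identities \
#     -f pkcs12 -P "$pw" -o smime.p12
export_p12() {                       # $1 = container password
  openssl pkcs12 -export -inkey "$KEY" -in "$CERT" \
    -name "Alice S/MIME" -out "$P12" -passout "pass:$1"
}

# Does this password open the container? Exit status 0 means yes.
p12_opens_with() {                   # $1 = password to try
  openssl pkcs12 -in "$P12" -noout -passin "pass:$1" >/dev/null 2>&1
}

# Which mailbox address is the certificate bound to? iOS Mail only offers an
# identity for signing when this matches the account's address.
p12_email() {                        # $1 = container password
  openssl pkcs12 -in "$P12" -nokeys -clcerts -passin "pass:$1" 2>/dev/null \
    | openssl x509 -noout -email
}

# What someone holding the attachment does: guess offline, with no lockout
# and no rate limit. Prints the password on success, fails otherwise.
crack_p12() {
  for guess in password 123456 letmein hunter2 Passw0rd; do
    if p12_opens_with "$guess"; then
      printf '%s\n' "$guess"
      return 0
    fi
  done
  return 1
}

main() {
  make_test_identity
  export_p12 hunter2                 # the kind of password the post warns about
  echo "certificate e-mail: $(p12_email hunter2)"
  echo "recovered container password: $(crack_p12 || echo none)"
}

main
```

Every guess costs the attacker one PBKDF run, nothing more, so the strength of the password is the whole defence once the file has left your machine; a passphrase that is not in any wordlist turns `crack_p12` into a no-op.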

Now, attach the .p12 file to an email that your device can receive. Once the identity is installed, delete that message (and the copy on your Desktop) so the container isn’t left sitting in two mailboxes. What follows are instructions for the built-in Mail app on the iPhone. There may be ways to work with S/MIME in other mail clients, but this post will not cover them.

attached-email

Once you have the .p12 in Mail on your iOS device, tap on the attachment to open it. The Settings app on your iOS device will now open and you’ll go through the standard profile installation process. If you have an iOS Device that is paired with an Apple Watch, you will get prompted to pick whether you want to install the certificate on your Watch or your iPhone. You want it on your iPhone.

location-picker

Keep in mind that the warning you’ll see is about the wrapper, not the certificate: a bare .p12 is treated as an unsigned profile, while the certificate inside it still chains up to its issuing CA like any other signed identity.

confirm-cert-details

install-warning

Accept these dialogs by tapping Install, and continue. You will now have to enter the password for the .p12 container that you wrapped around your certificate and private key. Enter it and tap Next when you’re ready.

certificate-password

Lastly, you’ll need to finalize the profile and confirm the install.

confirm-install

Your certificate is now resident on the iOS device, and it’s time to turn on S/MIME for your Mail account. Go to Settings, then Mail, select your account, and head to its Advanced settings. Turn on S/MIME, then turn on signing.

smime-account-settings

You can confirm that your identity is selected, or select which identity your device is using to sign messages, by tapping on Sign.

signing-settings

You can tap the i at the end of the line to review the signing identities configured for the account. If you start using S/MIME, be ready to keep old, expired identities around if you are not just signing messages but receiving encrypted ones. A message someone encrypted to one of your older public certificates can only be decrypted with the private key that belongs to that certificate; renewing the certificate does not help, and if that key is gone, so is the message. Expiry is not what decides this, possession of the matching key is.

If you want to review your S/MIME certificates, you can do so in the Profiles section of Settings. Tap on Settings, then General, then Profiles.

profiles-list

You can drill into an individual certificate to see more detail about it, including its expiration date, which should be on your calendar.

cert-identity

Sierra Features & Recommendations

Today, Apple releases the 13th major revision of what began life as Mac OS X, turned into OS X, and is now macOS. Sierra, macOS 10.12, will appear in the App Store this morning for free. The tentpole features this time out are subdued, and Sierra represents a refinement of the changes that began in OS X Yosemite in 2014, and continued in OS X El Capitan last year.

Our advice, as in previous years, is that discretion is the better part of valor. Wait until you’ve determined that your working set of applications functions in Sierra and you have a convenient time to be without your computer for an hour or so. This basically means we don’t recommend updating today unless you enjoy pushing the boundaries of the future. We will, of course, support you as best we are able, but our general advice is:

  1. Don’t update without a backup. If you’re not sure if you have a backup, you need to be 100% sure before proceeding.
  2. Don’t update without checking the compatibility of your applications with the new OS. Our management and monitoring systems are compatible at this time, and our tools will work with Sierra. If you’re not sure your tools are compatible, please check. We’re happy to help.
  3. Don’t update without being aware of the new iCloud features listed below, and understanding that the consequences of turning them on could include data loss, or being without your data when offline.

As always, we take the advice of Sallah from Raiders of the Lost Ark.


Please note that we don’t mean you should go first, but rather other intrepid OS explorers, who have the correct safety apparatus and a willingness to explore knowing that loss is possible.

While Sierra is a refinement release, there are a couple of interesting tentpole features for Apple to hang its hat on. The first is the arrival of Siri on the Mac platform. Long a mainstay of iOS, Siri now has access to many pieces of your Mac’s environment, including your files, your calendar and your personal information. If you have internet access, Siri can perform tasks related to your operating system, such as “Create an appointment tomorrow at 9am to call Tom”, “Find all my emails from Tom Bridge” or “Show me all the pictures of Charlie”. Siri can also move files, send messages, and perform other activities.

I find Siri’s inclusion to be a novelty, and a bit of a disappointment, if only because I can’t imagine myself ever speaking to my computer in an open-plan office, or in a coffee shop, or even at home if others were around. I find the idea of a talking interface to your computer to be a bit bizarre, but I recognize I may be an outlier. I don’t talk to machines in public; I save my talking for people. Is that weird? Maybe. Is it straight-up humanist discrimination? Well, yes, it is. This is where the computers come for me, isn’t it?

The second tentpole of Sierra is one that I find both intriguing and horrifying all at once. Apple wants you to trust your Documents folder and Desktop to iCloud, and let your local operating system decide what needs to be stored locally and what can live in the cloud instead. They’ve prepared us for this reality, of course: this is just iCloud Photo Library applied to your Desktop and Documents folders. It’s a great concept, designed to save space on SSD-based Macs that are very definitely space constrained, but there are pitfalls. I am glad that Rich Trouton has made available his configuration profile that blocks this setting, for organizations to use on their computers. I’m not interested in turning this feature on any time soon.

There is one convenience feature that I am enjoying so far, and that is unlocking the Mac with my Apple Watch. This feature relies on Apple’s Wi-Fi proximity check, as well as on your iCloud account, which must be set to use the new Apple two-factor authentication. That means you’ll have trusted devices that can provide a 6-digit one-time code when granting access to your Apple ID. If your Watch and Mac are set to use the same (2FA-enabled) Apple ID, the presence of the Watch (unlocked and on your wrist) will unlock your Mac.

If you want to learn more about the security of macOS and iOS, I strongly recommend watching Ivan Krstić’s Black Hat talk, which goes into depth about the security behind this unlock procedure (starting about 24 minutes in). The amount of thought that has gone into this process is staggering, but I would absolutely watch the heist flick, or Mr. Robot season, that takes on trying to break it (and failing).

There are some additional features in Sierra that are of interest, but you’re likely already exposed to their arrival, as they’re in iOS 10. Photos’ Memories feature and new search capabilities are on your Mac, the Apple Music experience is now available in iTunes with enhanced capabilities, and the new iMessage types, responses and animations are available in Messages.

There are some additional under-the-hood changes in Sierra that are interesting, including changes to the directories protected by SIP, locking down further portions of the OS-facing file system, and the inclusion of APFS as a disk format the OS can understand, but neither of these concerns users at large, for whom this guidance is written.

As always, we are happy to answer your questions.

iOS 10 Features & Recommendations

Later today, Apple will release the first fully public distribution of the next version of their mobile operating system, iOS 10. We’ve been using iOS 10 since the early part of the beta period, and it’s been on my “daily driver” phone for a little more than a month at this point. Apple has made a lot of behavioral refinements in this release, but they’ve also made some wholesale changes to the way your iPhone operates.

Our advice: Wait a few days for all your apps to become compatible, but then upgrade if you have an iPhone 5S or later. Maybe Friday?


Something Siri Should Know: Baseball Magic Numbers

I’ve been trying to use Siri more for tasks in the Sierra Beta, and I finally had an obvious one to go looking for tonight. I asked her what the Nationals Magic Number is. This was her response:

Screen Shot 2016-08-29 at 7.15.57 PM

Well, that’s not ideal. Why doesn’t Siri know how to make this calculation? The magic number to win the division in baseball is a known formula:

163 - (leading team's wins + second place team's losses)

The 163 is one more than the 162-game season: once the leader’s wins plus the runner-up’s losses reach it, the runner-up can no longer catch up. As I type this, the Nationals have 75 wins, and the 2nd place Mets have 64 losses. This makes the Nationals’ magic number 24 (163 – (75+64)). This number should be easily calculable for Siri.

Alternatively, for teams in the Wild Card race, there is a variant: remove the division leaders from the standings, combine the remaining teams into a single table, and subtract from 163 the wins of the team in question and the losses of the third-place team in that table (the first team that would miss the two Wild Card spots).

Why isn’t this the sort of thing Siri knows about? Given MLBAM’s tight relationship with Apple (and MLBAM’s use of their data throughout various keynotes over the years!), why isn’t this something Siri knows how to do?

Think of the opportunities for fun things to say. You could ask Siri what the Yankees magic number is, and instead of this, you might get something funny like “Well, I’m sorry to tell you John, they’re not getting their 28th this year.”

Screen Shot 2016-08-29 at 7.24.54 PM

I mean, how great would it be if Siri was an inveterate Red Sox fan and just spent the whole time needling Yankees fans?

Anyway, I’ve filed a bug, and if you’d like to dupe it, it’s number 28066166, and it follows here:

Summary:
Currently, if you ask Siri what the Nationals’ magic number is, she isn’t sure. The magic number to win the division in baseball is a known formula. That formula is 163 – (leading team’s wins + second place team’s losses).

As I type this, the Nationals have 75 wins, and the 2nd place Mets have 64 losses. This makes the Nationals’ magic number 24 (163 – (75+64)). This number should be easily calculable for Siri.

Alternatively, for teams in the Wild Card race, there is an alternate formula, that involves removing the division leaders from the standings tree, and combining the rest of the teams into a single table, and subtracting the wins of the leading team and the losses of the third place team to get the result.

Steps to Reproduce:
1. Ask Siri for the Nationals magic number
2. Be denied.

Expected Results:
1. Ask Siri for the Nationals magic number
2. Be displayed the division standings (good!) and get the correct answer for their magic number for the playoffs.

Actual Results:
1. Ask Siri for the Nationals magic number
2. Be displayed the division standings (good!) and get a noncommittal answer (bad.)

Version:
10.12 Beta (16A313a)

Notes:
Major League Baseball should also be able to furnish this data directly.

Techno Bits vol. 77: Summer Engineering Project

This week’s Techno Bits focuses on my Summer Engineering Project: using Raspberry Pis for fun and profit! It was a lot of fun to do some hardware stuff for once, and I’ve ordered some extra kit goodies to try and do some other fun stuff with the Raspberry Pi with cameras and sensors and stuff. I also explain how to build a RetroPie machine for retro gaming.

Testing iOS 10 & Sierra in Your Environment

Testing Sierra & iOS 10 Slide

Last night, I presented at MacDMV on the importance of testing iOS 10 and Sierra in your environment. The slides and presenter notes are available as a PDF download. You can also watch the presentation below via Facebook video. The presentation begins about 3:30 in.

Testing Sierra and iOS 10 is incredibly important, because you need to be ready on Day 1 in case your users update ahead of your wishes. You need to know whether you can make your existing systems work, or if you’re going to have to expend the political capital to roll them back. Do you have a testing setup? Do you have a testing plan? Do you know how to submit good feedback to Apple? This presentation will help.

I’ve also built a Sample Testing Checklist for your environment, available as a PDF below, and also as an editable OmniOutliner file so you can make your own editable list.

Helpful Links:

Maslow’s Wi-Fi
Mike Boylan’s 2014 Presentation: Getting Your Issue on Apple’s Radar
Sample Testing Checklist PDF
Testing Checklist OO3 File

Techno Bits vol. 74: Technical Debt

This Week’s Newsletter has a doozy:

Conferences also show you exactly how much work you have left to do. And that’s okay, work isn’t a bad thing. It just sometimes puts that workload in stark relief and that can feel a little bad sometimes. Technical Debt is difficult to overcome because it requires a change in understanding – and often times training – but it serves to make your organization stronger.

Read on, or better yet, subscribe!

MacDevOps YVR 2016: Securing Munki

Securing Munki

Below are the slides for my 2016 Talk at MacDevOps on Securing Munki. The talk was a good way to revisit what I’ve done with Munki in a Box and discuss some of the maybe not-so-great choices that were made along the way to get to where we are now with the security branch.

The talk focuses on the nature of the munki transaction, and where your deployment system can be vulnerable to attacks from casual interference, dedicated individuals with a grudge or a motive, or larger actors. There is also some advice about how to mitigate the problems that are presented by the architecture.

I’m not a full-time security anything, but I’ve learned a lot in the last year by doing things that maybe aren’t advisable any longer. So, to anyone who used MIAB before 1.5.0 beta 2, there’s some work you should do to secure your repository if you meet certain use cases, and I strongly recommend that you adopt SSL/TLS encapsulation of the munki transaction, and the use of HTTP Basic Auth, over that TLS connection, to secure your repository against prying eyes.

I’ll be making some changes to MIAB over the summer to automate the creation of a CA and the enrollment of device certificates using the micromdm scep library and a web server that isn’t part of Server.app (likely the Go-based Caddy server, as described by Viktor in a great blog post).

Download my slides & notes!

MacAdmins Podcast Episode 6: Dreyer, Rhymes with Slayer

We got the chance recently to sit down with Arek Dreyer, author of so, so many books, in time for the release of his new 3rd Edition of Managing Apple Devices. We talked about WWDC, writing books like Managing Apple Devices, as well as nearly getting arrested in a Chicago Server Room, and the first apps we bought. Co-hosts Charles Edge and Emily Kausalik were awesome, as was our mixing engineer Aaron Lippincott, who made us sound amazing.