Making Downloaded JSS Configuration Profiles Readable



If you manually download a Configuration Profile from the JSS, you’ll see that the profile largely reads as gobbledegook.

Luckily a couple of bash commands later & you’ll have a readable profile.


Screenshot 2015-11-10 21.47.24

The above is a profile downloaded via the JSS & opened in TextWrangler, as said gobbledegook.

Line 3 is the profiles payload, & lines 5, 7, 16 & 18 should that the profile has been signed by the JSS’s Signing Certificate & Certificate Authority.

Stripping The Signing

With the profile downloaded the signing can be stripped via the below (obviously replace /path/to/downloaded.mobileconfig & /path/to/de-signed.mobileconfig as needed):

openssl smime -inform DER -verify -in /path/to/downloaded.mobileconfig -noverify -out /path/to/de-signed.mobileconfig

The above should return:

Verification successful

Opening up the profile we exported at the path: “/path/to/de-signed.mobileconfig” should show something like the below:

Screenshot 2015-11-10 23.09.55

Which is nice & all, but still not as readable as we’d like.

Formatting The Plist

To format the plist, run:

plutil -convert xml1 /path/to/de-signed.mobileconfig

Opening the profile again, or returning to your text editor, & it should look like the below:

Screenshot 2015-11-10 23.23.52

Now we have a configuration profile downloaded from the JSS & easily readable.

Automator Action

The good folks over at Moof-IT have an automator service, which can perform the above with a click.

7 thoughts on “Making Downloaded JSS Configuration Profiles Readable

  1. Another way to strip the signature using Apple-provided tools instead of openssl:

    `/usr/bin/security cmd -D -i signed_profile_path -o unsigned_profile_path`

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.