If you manually download a Configuration Profile from the JSS, you’ll see that the profile largely reads as gobbledegook.

Luckily a couple of bash commands later & you’ll have a readable profile.

Gobbledegook

The above is a profile downloaded via the JSS & opened in TextWrangler, as said gobbledegook.

Line 3 is the profiles payload, & lines 5, 7, 16 & 18 should that the profile has been signed by the JSS’s Signing Certificate & Certificate Authority.

Stripping The Signing

With the profile downloaded the signing can be stripped via the below (obviously replace /path/to/downloaded.mobileconfig & /path/to/de-signed.mobileconfig as needed):

openssl smime -inform DER -verify -in /path/to/downloaded.mobileconfig -noverify -out /path/to/de-signed.mobileconfig

The above should return:

Verification successful

Opening up the profile we exported at the path: “/path/to/de-signed.mobileconfig” should show something like the below:

Which is nice & all, but still not as readable as we’d like.

Formatting The Plist

To format the plist, run:

plutil -convert xml1 /path/to/de-signed.mobileconfig

Opening the profile again, or returning to your text editor, & it should look like the below:

Now we have a configuration profile downloaded from the JSS & easily readable.

Automator Action

The good folks over at Moof-IT have an automator service, which can perform the above with a click.