If you manually download a Configuration Profile from the JSS, you’ll see that the profile largely reads as gobbledegook.
Luckily a couple of bash commands later & you’ll have a readable profile.
The above is a profile downloaded via the JSS & opened in TextWrangler, as said gobbledegook.
Line 3 is the profiles payload, & lines 5, 7, 16 & 18 should that the profile has been signed by the JSS’s Signing Certificate & Certificate Authority.
Stripping The Signing
With the profile downloaded the signing can be stripped via the below (obviously replace /path/to/downloaded.mobileconfig & /path/to/de-signed.mobileconfig as needed):
openssl smime -inform DER -verify -in /path/to/downloaded.mobileconfig -noverify -out /path/to/de-signed.mobileconfig
The above should return:
Opening up the profile we exported at the path: “/path/to/de-signed.mobileconfig” should show something like the below:
Which is nice & all, but still not as readable as we’d like.
Formatting The Plist
To format the plist, run:
plutil -convert xml1 /path/to/de-signed.mobileconfig
Opening the profile again, or returning to your text editor, & it should look like the below:
Now we have a configuration profile downloaded from the JSS & easily readable.
The good folks over at Moof-IT have an automator service, which can perform the above with a click.
7 thoughts on “Making Downloaded JSS Configuration Profiles Readable”
Another way to strip the signature using Apple-provided tools instead of openssl:
`/usr/bin/security cmd -D -i signed_profile_path -o unsigned_profile_path`
/usr/bin/security cms -D -i signed_profile_path -o unsigned_profile_path
Using cms get error:
security: failed to add data to decoder: UNKNOWN (-8183(d)
security: problem decoding
FYI, should be `cmd` NOT `cms` in command.
`openssl smime -inform DER -verify -in signed_profile_path -noverify | plutil -convert xml1 -o unsigned_profile_path — -`
The linting for the comments converted two minus signs to an em-dash lol. The end should be ‘minus minus space minus’