Allow tolerance for pkcs7 signing time during device enrolment #73
Comments
|
It's funny you bring this up. This was a topic in the #micromdm channel with @korylprince a few days back and resulted in micromdm/micromdm#871. Part of the discussion was that the code has been like this for however many years the MicroMDM project has been a thing and we hadn't heard of it (though, admittedly, because the errors were effectively hidden it's hard to rule out that people just weren't seeing the error). Anyway a couple notes/questions:
Can you give a basis for your recommendation of 2-5 seconds here? Kory suggested five minutes (in the issue). I'm curious why you couldn't just wait for NTP to sync and re-attempting enrollment? Secondly since this is NanoMDM and because of our previous Slack conversations I'd highly suggest taking a look at using mTLS (instead of relying on the |
|
See relevant discussion in smallstep/pkcs7#21. |
An iPad failed to enrol due to a clock issue, most likely due to the iPad's clock not having properly synced yet (server clock confirmed correct and NTP synchronised).
level=info handler=cert-extract trace_id=7dc2a24bd394756e msg=verifying Mdm-Signature header err=pkcs7: signing time "2023-04-07T00:16:58Z" is outside of certificate validity "2023-04-07T00:16:59Z" to "2033-04-04T00:16:59Z" caller=mdm_cert.go: 92As the iPad was enrolled in DEP and management was mandatory, this left the following consequences:
While chances of this happening are small, it can leave users in a tricky situation with regards to recovering the device.
A tolerance on the signing time when checking against NotBefore of around 2-5 seconds is proposed to mitigate this event.
The text was updated successfully, but these errors were encountered: