.mobileconfig generator

[ammnt]

Hello,

as you know, new versions of iOS and macOS support DNS encryption by native. But to do this, we need to generate a configuration file in a special format (.mobileconfig). Here is an example of such a file:
https://www.reddit.com/r/MacOSBeta/comments/i21e59/how_to_set_up_cloudflare_dns_over_tls_secure_dns/

Is it possible to add the function of its generation and download in the section with settings? What do you think about this feature?

Thank you.
Cheers!🤘

[ameshkov]

What we should do:

1. Add a mobile profile generator URLs:
   • https://aghome/apple/dot.mobileconfig
   • https://aghome/apple/doh.mobileconfig
2. These URLs should be available to authorized users only
3. These links are only available if encryption is configured
4. We should add these links to the Setup guide.

Here's how mobileconfig looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
        <dict>
            <key>Name</key>
            <string>AdGuard DNS over HTTPS</string>
            <key>PayloadDescription</key>
            <string>Configures device to use AdGuard DNS</string>
            <key>PayloadDisplayName</key>
            <string>AdGuard DNS</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.767A11FC-31D2-4950-815E-B37B15448CA2</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>767A11FC-31D2-4950-815E-B37B15448CA2</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>HTTPS</string>
                <key>ServerURL</key>
                <string>https://dns.adguard.com/dns-query</string>
            </dict>
        </dict>
    </array>
	<key>PayloadDescription</key>
	<string>Adds AdGuard DNS toBig Sur and iOS 14 or newer systems</string>
	<key>PayloadDisplayName</key>
	<string>AdGuard DNS</string>
	<key>PayloadIdentifier</key>
    <string>E3E3CB8B-C59E-486B-A713-D765328DB2A2</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>F2609BEA-93D6-4966-8487-33713DBCB644</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

For DOT it looks like this:

                <key>DNSProtocol</key>
                <string>TLS</string>
                <key> ServerName</key>
                <string>dns.adguard.com</string>

[ammnt]

@ameshkov, thanks for the answer! For DoT it has to be <key>ServerName</key> string, not <key>ServerURL</key>, i suppose. NextDNS have already implemented something like this and you can see how it works with them.

And we will need to consider one more thing for the future - these are clients identifiers and their indication in .mobileconfig. It must be dynamic variables <key>ServerURL</key> and <key>ServerName</key>, i think? NextDNS don't have this yet🙃

[ammnt]

@ameshkov, please also pay attention that this will allow us to identify the device model too (iphone, macbook, ipad etc.). Can't this profile be signed by your developer certificate?

[ameshkov]

please also pay attention that this will allow us to identify the device model too (iphone, macbook, ipad etc.).

Only in conjunction with #1383

Can't this profile be signed by your developer certificate?

We can't use our cert to sign third-parties' profiles.