diff --git a/SignalMessaging/profiles/ProfileFetcherJob.swift b/SignalMessaging/profiles/ProfileFetcherJob.swift
index 333687e66..c63d9a445 100644
--- a/SignalMessaging/profiles/ProfileFetcherJob.swift
+++ b/SignalMessaging/profiles/ProfileFetcherJob.swift
@@ -134,13 +134,14 @@ public class ProfileFetcherJob: NSObject {
 
         Logger.error("getProfile: \(recipientId)")
 
-        // TODO: Use UD socket for some profile gets.
-        if socketManager.canMakeRequests(of: .default) {
-            let request = OWSRequestFactory.getProfileRequest(recipientId: recipientId, unidentifiedAccess: nil)
+        let unidentifiedAccess: SSKUnidentifiedAccess? = self.getUnidentifiedAccess(forRecipientId: recipientId)
+        let socketType: OWSWebSocketType = unidentifiedAccess == nil ? .default : .UD
+        if socketManager.canMakeRequests(of: socketType) {
+            let request = OWSRequestFactory.getProfileRequest(recipientId: recipientId, unidentifiedAccess: unidentifiedAccess)
             let (promise, fulfill, reject) = Promise<SignalServiceProfile>.pending()
 
             self.socketManager.make(request,
-                                    webSocketType: .default,
+                                    webSocketType: socketType,
                 success: { (responseObject: Any?) -> Void in
                     do {
                         let profile = try SignalServiceProfile(recipientId: recipientId, responseObject: responseObject)
@@ -154,8 +155,7 @@ public class ProfileFetcherJob: NSObject {
             })
             return promise
         } else {
-            // TODO unidentified AUTH
-            return self.signalServiceClient.retrieveProfile(recipientId: recipientId, unidentifiedAccess: nil)
+            return self.signalServiceClient.retrieveProfile(recipientId: recipientId, unidentifiedAccess: unidentifiedAccess)
         }
     }
 
@@ -207,4 +207,8 @@ public class ProfileFetcherJob: NSObject {
             }
         }
     }
+
+    private func getUnidentifiedAccess(forRecipientId recipientId: RecipientIdentifier) -> SSKUnidentifiedAccess? {
+        return self.udManager.getAccess(forRecipientId: recipientId)?.targetUnidentifiedAccess
+    }
 }
diff --git a/SignalServiceKit/src/Messages/OWSMessageSend.swift b/SignalServiceKit/src/Messages/OWSMessageSend.swift
index 6245b9d8e..45a95e6fd 100644
--- a/SignalServiceKit/src/Messages/OWSMessageSend.swift
+++ b/SignalServiceKit/src/Messages/OWSMessageSend.swift
@@ -62,35 +62,17 @@ public class OWSMessageSend: NSObject {
         self.message = message
         self.thread = thread
         self.recipient = recipient
+        self.localNumber = localNumber
 
-        let senderCertificate = senderCertificate
-
-        let udAccessKey: SMKUDAccessKey?
-        var isLocalNumber: Bool
         if let recipientId = recipient.uniqueId {
-            switch udManager.unidentifiedAccessMode(recipientId: recipientId) {
-            case .enabled:
-                udAccessKey = udManager.udAccessKeyForRecipient(recipientId)
-            case .unrestricted:
-                udAccessKey = udManager.generateAccessKeyForUnrestrictedRecipient()
-            case .disabled, .unknown:
-                udAccessKey = nil
-            }
-            isLocalNumber = localNumber == recipientId
+            self.unidentifiedAccess = udManager.getAccess(forRecipientId: recipientId)?.targetUnidentifiedAccess
+            self.isLocalNumber = localNumber == recipientId
         } else {
-            isLocalNumber = false
-            udAccessKey = nil
             owsFailDebug("SignalRecipient missing recipientId")
-        }
-        if let udAccessKey = udAccessKey, let senderCertificate = senderCertificate {
-            self.unidentifiedAccess = SSKUnidentifiedAccess(accessKey: udAccessKey, senderCertificate: senderCertificate)
-        } else {
+            self.isLocalNumber = false
             self.unidentifiedAccess = nil
         }
 
-        self.localNumber = localNumber
-        self.isLocalNumber = isLocalNumber
-
         self.success = success
         self.failure = failure
     }
diff --git a/SignalServiceKit/src/Messages/UD/OWSUDManager.swift b/SignalServiceKit/src/Messages/UD/OWSUDManager.swift
index ee5758e3c..68a701175 100644
--- a/SignalServiceKit/src/Messages/UD/OWSUDManager.swift
+++ b/SignalServiceKit/src/Messages/UD/OWSUDManager.swift
@@ -29,17 +29,15 @@ public enum UnidentifiedAccessMode: Int {
     // MARK: - Recipient State
 
     @objc
-    func unidentifiedAccessMode(recipientId: String) -> UnidentifiedAccessMode
+    func setUnidentifiedAccessMode(_ mode: UnidentifiedAccessMode, recipientId: String)
 
     @objc
-    func setUnidentifiedAccessMode(_ mode: UnidentifiedAccessMode, recipientId: String)
+    func getAccess(forRecipientId recipientId: RecipientIdentifier) -> SSKUnidentifiedAccessPair?
 
     // Returns the UD access key for a given recipient if they are
     // a UD recipient and we have a valid profile key for them.
-    @objc func udAccessKeyForRecipient(_ recipientId: String) -> SMKUDAccessKey?
+    @objc func udAccessKeyForRecipient(_ recipientId: RecipientIdentifier) -> SMKUDAccessKey?
 
-    @objc
-    func generateAccessKeyForUnrestrictedRecipient() -> SMKUDAccessKey
     // MARK: - Local State
 
     // MARK: Sender Certificate
@@ -112,7 +110,38 @@ public class OWSUDManagerImpl: NSObject, OWSUDManager {
     // MARK: - Recipient state
 
     @objc
-    public func unidentifiedAccessMode(recipientId: String) -> UnidentifiedAccessMode {
+    public func getAccess(forRecipientId recipientId: RecipientIdentifier) -> SSKUnidentifiedAccessPair? {
+        guard let theirAccessKey = self.udAccessKeyForRecipient(recipientId) else {
+            return nil
+        }
+
+        guard let ourSenderCertificate = self.senderCertificate() else {
+            return nil
+        }
+
+        guard let ourAccessKey: SMKUDAccessKey = {
+            if self.shouldAllowUnrestrictedAccessLocal() {
+                return SMKUDAccessKey(randomKeyData: ())
+            } else {
+                guard let localNumber = self.tsAccountManager.localNumber() else {
+                    owsFailDebug("localNumber was unexpectedly nil")
+                    return nil
+                }
+
+                return self.udAccessKeyForRecipient(localNumber)
+            }
+        }() else {
+            return nil
+        }
+
+        let targetUnidentifiedAccess = SSKUnidentifiedAccess(accessKey: theirAccessKey, senderCertificate: ourSenderCertificate)
+        let selfUnidentifiedAccess = SSKUnidentifiedAccess(accessKey: ourAccessKey, senderCertificate: ourSenderCertificate)
+        return SSKUnidentifiedAccessPair(targetUnidentifiedAccess: targetUnidentifiedAccess,
+                                         selfUnidentifiedAccess: selfUnidentifiedAccess)
+    }
+
+    @objc
+    private func unidentifiedAccessMode(recipientId: RecipientIdentifier) -> UnidentifiedAccessMode {
         if tsAccountManager.localNumber() == recipientId {
             if shouldAllowUnrestrictedAccessLocal() {
                 return .unrestricted
@@ -135,7 +164,7 @@ public class OWSUDManagerImpl: NSObject, OWSUDManager {
     // Returns the UD access key for a given recipient
     // if we have a valid profile key for them.
     @objc
-    public func udAccessKeyForRecipient(_ recipientId: String) -> SMKUDAccessKey? {
+    public func udAccessKeyForRecipient(_ recipientId: RecipientIdentifier) -> SMKUDAccessKey? {
         guard let profileKey = profileManager.profileKeyData(forRecipientId: recipientId) else {
             // Mark as "not a UD recipient".
             return nil
@@ -149,11 +178,6 @@ public class OWSUDManagerImpl: NSObject, OWSUDManager {
         }
     }
 
-    @objc
-    public func generateAccessKeyForUnrestrictedRecipient() -> SMKUDAccessKey {
-        return SMKUDAccessKey(randomKeyData: ())
-    }
-
     // MARK: - Sender Certificate
 
     #if DEBUG
diff --git a/SignalServiceKit/src/Network/SignalServiceClient.swift b/SignalServiceKit/src/Network/SignalServiceClient.swift
index e35507481..ecfc9c20b 100644
--- a/SignalServiceKit/src/Network/SignalServiceClient.swift
+++ b/SignalServiceKit/src/Network/SignalServiceClient.swift
@@ -8,20 +8,6 @@ import SignalMetadataKit
 
 public typealias RecipientIdentifier = String
 
-@objc
-public class SSKUnidentifiedAccess: NSObject {
-    @objc
-    let accessKey: SMKUDAccessKey
-
-    @objc
-    let senderCertificate: SMKSenderCertificate
-
-    init(accessKey: SMKUDAccessKey, senderCertificate: SMKSenderCertificate) {
-        self.accessKey = accessKey
-        self.senderCertificate = senderCertificate
-    }
-}
-
 public protocol SignalServiceClient {
     func getAvailablePreKeys() -> Promise<Int>
     func registerPreKeys(identityKey: IdentityKey, signedPreKeyRecord: SignedPreKeyRecord, preKeyRecords: [PreKeyRecord]) -> Promise<Void>
diff --git a/SignalServiceKit/src/Network/UnidentifiedAccess.swift b/SignalServiceKit/src/Network/UnidentifiedAccess.swift
new file mode 100644
index 000000000..e4ae99fc8
--- /dev/null
+++ b/SignalServiceKit/src/Network/UnidentifiedAccess.swift
@@ -0,0 +1,31 @@
+//
+//  Copyright (c) 2018 Open Whisper Systems. All rights reserved.
+//
+
+import Foundation
+import SignalMetadataKit
+
+@objc
+public class SSKUnidentifiedAccessPair: NSObject {
+    public let targetUnidentifiedAccess: SSKUnidentifiedAccess
+    public let selfUnidentifiedAccess: SSKUnidentifiedAccess
+
+    init(targetUnidentifiedAccess: SSKUnidentifiedAccess, selfUnidentifiedAccess: SSKUnidentifiedAccess) {
+        self.targetUnidentifiedAccess = targetUnidentifiedAccess
+        self.selfUnidentifiedAccess = selfUnidentifiedAccess
+    }
+}
+
+@objc
+public class SSKUnidentifiedAccess: NSObject {
+    @objc
+    let accessKey: SMKUDAccessKey
+
+    @objc
+    let senderCertificate: SMKSenderCertificate
+
+    init(accessKey: SMKUDAccessKey, senderCertificate: SMKSenderCertificate) {
+        self.accessKey = accessKey
+        self.senderCertificate = senderCertificate
+    }
+}