sjlacroix OP
Created Jun ’15 Replies 4 Boosts 0 Views 4.8k Participants 4
We have MDM installed on hundreds of devices. The signing cert and MDM push cert expire Friday; they have been renewed, but reading the MDM docs (extract below), it states that we need to replace the MDM profile. Well, since it's over the air, does that mean the users will need to go through the enrolment process AGAIN?
SSL Certificate Trust
MDM only connects to servers that have valid SSL certificates. If your server's SSL certificate is rooted in your organization's root certificate, the device must trust the root certificate before MDM will connect to your server.
You may include the root certificate and any intermediate certificates in the same profile that contains the MDM payload. Certificate payloads are installed before the MDM payload.
Your MDM server should replace the profile that contains the MDM payload well before any of the certificates in that profile expire. Remember: if any certificate in the SSL trust chain expires, the device cannot connect to the server to receive its commands. When this occurs, you lose the ability to manage the device.
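The Apple passage quoted above says the server should replace the profile before any certificate in it expires. As an added example (not from this thread or from Apple), here is a Python check that walks a decoded, unsigned .mobileconfig plist and reports certificate payloads within a warning window of expiry. The payload type names are Apple's; the sample profile and its skeleton "certificate" (only a validity period, no real signature) are constructed, and a real profile is usually CMS-signed and must be unwrapped before it is fed to this check.

```python
import plistlib
from datetime import datetime, timezone
# Payload types whose PayloadContent is a bare DER certificate (PKCS#12 payloads are encrypted; skipped)
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def cert_not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime (structure walk only, no signature check)."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]                # Certificate -> tbsCertificate contents
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                  # skip optional [0] EXPLICIT version
    for _ in range(3):                               # skip serialNumber, signature, issuer
        pos = _tlv(tbs, pos)[2]
    validity = _tlv(tbs, pos)[1]
    tag, value, _ = _tlv(validity, _tlv(validity, 0)[2])  # second Validity element is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiring_cert_payloads(profile_bytes, now=None, warn_days=30):
    """(PayloadIdentifier, notAfter, days_left) for each cert payload within warn_days of expiry."""
    now, findings = now or datetime.now(timezone.utc), []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") in CERT_PAYLOAD_TYPES:
            not_after = cert_not_after(bytes(payload["PayloadContent"]))
            days_left = (not_after - now).days
            if days_left <= warn_days:
                findings.append((payload.get("PayloadIdentifier"), not_after, days_left))
    return findings

def _der(tag, body):  # short-form DER encoder, sufficient for the constructed sample below
    return bytes([tag, len(body)]) + body

def sample_profile(not_after=b"170601000000Z"):
    """Constructed .mobileconfig: a root-cert payload (TBSCertificate skeleton with only a validity period) plus an MDM payload."""
    validity = _der(0x30, _der(0x17, b"150601000000Z") + _der(0x17, not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadIdentifier": "example.profile",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadIdentifier": "example.root-ca",
             "PayloadContent": cert},
            {"PayloadType": "com.apple.mdm", "PayloadIdentifier": "example.mdm", "ServerURL": "https://mdm.example.com/"}]})
```

Run `expiring_cert_payloads(open("profile.mobileconfig", "rb").read())` against the profile your server actually pushes; anything it lists is a device that will stop checking in on that date unless a replacement profile reaches it first.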
muenzpraeger OP
Jun ’15
That article/statement is about replacing SSL certs which may be contained in your MDM profile.
If your MDM server's SSL host certificate is signed by an official SSL Certification Authority (e.g. Verisign, Thawte, etc.) you don't have to do anything.
djcreedy OP
Jun ’15
As another said, the link you reference is about the website SSL cert. If you use a trusted CA you don't need to worry about this.
wrp OP
Apr ’16
Getting back to the original question: the signing certificate can be renewed and kept current on the MDM server, but the signing certificate included with the initial MDM profile will still be the old one, which will expire.
Does it only matter that it's valid when the profile is installed, and doesn't matter when it expires down the road? Or, are administrators required to re-enroll every device when the certificate inevitably expires?
Dec ’16
Today I was wondering why my devices wouldn't enroll. Turns out it was Active Directory having gone down. In the process of poking around I accidentally (as in stupidly) renewed a certificate. Then the server would not be trusted by the iPads. I had to add a new exception to Safari to access the device manager. Of course the backup to Time Machine didn't work and I was not aware of that. No way back. How deep am I screwed?