4

We have a working MDM solution, where enrolling devices and installing profiles works. However, since iOS 5, customers have reported that the self-signed certificate we use is reported as Not Trusted on the devices. Users that had the certificate and profiles installed on iOS 4 report that it looks correct when they upgrade to iOS 5, as long as they don't re-enroll.

I have been able to reproduce this and taken the following screen dumps.

First I install the needed MDM root certificate. After installing it, the root certificate appears to be trusted, and looking at the details everything looks correct.

[Screenshots: Install profile; Profile installed; iPhoneCA; iPhoneCA details 1; iPhoneCA details 1]

The next thing I do is install a profile. At first the profile appears verified and I continue installing it. When the install finishes, the profile is no longer verified and instead it is reported to be unsigned.

[Screenshots: Generating key; Profile installed]

Then I go back to the root certificate and now the certificate is no longer trusted. If I click to see the details all information about the certificate is gone.

[Screenshots: Not trusted; Empty iPhoneCA]

When the enrollment has finished we are able to install and delete profiles on the device; however, we see these warnings about the certificate not being trusted and the profile being unsigned.

[Screenshot: Unsigned profile]

If I choose to reinstall the root certificate I can do that and I get the details back, a certificate that is reported trusted and a profile that is verified.

I have looked into our SCEP implementation trying to find the problem, but with no luck. Whenever I make changes to what is returned to the device, the device reports to me that what it receives is not valid. This makes me think that what we are sending is actually correct, since the device reports when there is a problem.

Has anyone seen problems like this, or do you have a possible explanation?

Edit

Maybe somebody has an idea about what type the self-signed certificate should be? The one used in the screenshots below is x500 v1. If I create an X509 v3 (with extensions or not), the iOS device does not trust it no matter what.

homaxto
  • What does the iPhone console log (viewable from the iPhone Config Utility) report while you are enrolling? – Abstractec May 01 '12 at 09:54
  • Users have reported that this works as expected on iOS4, and I have tried it myself. If I repeat the exact same procedure using a device running iOS4, everything works perfectly. The iPhoneCA certificate remains trusted and the profile is verified. Also, if I reinstall the iPhoneCA certificate, it all looks correct. – homaxto May 22 '12 at 08:13

4 Answers

0

The server URL you have given in the profile is not a valid SSL connection; that seems to be the problem. You need to make the server URL a valid, trusted SSL URL. When you install the profile, it triggers your server and hence gets an invalid/untrusted server URL.

Varun
  • I believe the server URL is valid. It has a certificate signed by RapidSSL, and both Chrome and Safari like it. Also, as you can see from my second and 6th iPhone screenshots, both the certificate and the profile are trusted and verified. Reinstalling the root certificate brings everything into a "green state", marking the profile Verified. – homaxto May 16 '12 at 06:37
  • I generated a push certificate for MDM. It's got a valid subject/topic. When viewed in the keychain store it says "This certificate was signed by an unknown authority". There's also no private key associated with it. Any idea what's wrong? – Sahil Khanna Sep 05 '12 at 09:15
  • It seems that the SSL certificate at the server has either expired or is signed by a local authority, not by a valid vendor like GoDaddy etc. – Varun Sep 13 '12 at 10:34
0

I found the problem to be with our self-signed certificate, though I had to take a detour down the path of using a certificate signed by another authority. This raised some questions, since I was able to make the exact same code work just by changing the certificate.

The result described with all the screenshots was actually just confusing, since the certificate appeared to be valid in the beginning.

Finally I realized that the way the self-signed certificate was signed was the problem. It turned out that it was not actually signed with itself; it was only created and then used.

homaxto
-1

The MDM server has to be on https with a valid SSL certificate. This is the simple problem of having a self-signed SSL certificate. Please use a valid certificate.

Varun
  • Varun, thanks for your reply. I am using a certificate from a known CA on my https connection. The certificate used in SCEP is self-signed. Why would this be a problem? As you can see, I start out trusting this self-signed certificate. – homaxto Apr 30 '12 at 07:04
  • The APNS server does not trust the self-signed certificate, but as your connection is on a valid certificate, it looks fine to me. But this problem arises because of the self-signed certificate. Please recheck. – Varun May 05 '12 at 07:29
-1

If you are still facing the issue, please check that the identity.p12 you are using is the correct one. The server which you are using should exist. Please refer to the MDM_Protocol PDF document, this_page and this very carefully.

User97693321
  • Everything is working perfectly for us, except this issue, which is only a "cosmetic" (security) issue - but the enrollment process and the daily communication with the enrolled devices are working perfectly. – homaxto May 22 '12 at 05:26