MDM Signing Certificate - Renewed

Developer Tools & Services General
sjlacroix OP
Created Jun ’15
Replies 4
Boosts 0
Views 5.2k
Participants 4

We have MDM installed on hundreds of devices, the signing cert and MDM push cert expires Friday, they have been renewed but reading the MDM Docs, extract below, It states that we need to replace the MDM profile. Well since it's over the air, does that mean the users will need to go throught the enrolment process AGAIN?





SSL Certificate Trust

MDM only connects to servers that have valid SSL certificates. If your server's SSL certificate is rooted in your organization's root certificate, the device must trust the root certificate before MDM will connect to your server.


You may include the root certificate and any intermediate certificates in the same profile that contains the MDM payload. Certificate payloads are installed before the MDM payload.


Your MDM server should replace the profile that contains the MDM payload well before any of the certificates in that profile expire. Remember: if any certificate in the SSL trust chain expires, the device cannot connect to the server to receive its commands. When this occurs, you lose the ability to manage the device.


Replies  4
Boosts  0
Views  5.2k
Participants  4
muenzpraeger OP
Jun ’15

That article/statement is about replacing SSL certs which may be contained in your MDM profile.


If your MDM servers' SSL host certificate is signed by on an official SSL Certification Authority (i. e. Verisign, Thawte etc.) you don't have to do anything.

0
djcreedy OP
Jun ’15

As another said. The link you reference is about the website SSL cert. If you use a trusted CA you don't need to worry about this.

0
wrp OP
Apr ’16

Getting back to the original question: The signing certificate can be renewed and kept current on the MDM server but the signing certificate included with the initial mdm profile will still be the old one, which will expire.


Does it only matter that it's valid when the profile is installed, and doesn't matter when it expires down the road? Or, are administrators required to re-enroll every device when the certificate inevitably expires?

0
marc-etiennefromlyon OP
Dec ’16

Today I was wondering why my devices wouldn't enroll. Turns out it was active directory having gone down. In the process of poking around I accidentally (as in stupidly) renewed a certificate. Then the server would not be trusted by the iPads. I had to add a new exception to safari to access the device manager. Of course the backup to time machine didn't work and I was not aware of that. No way back. How deep am I screwed ?

0
MDM Signing Certificate - Renewed
First post date Last post date
 
 
Q