
Changes in User-Initiated Enrollment with Untrusted Certificate Authority (CA) Signed SSL Certificates in iOS 10.3 and Later


Apple has enabled an important security enhancement beginning with iOS 10.3. This security enhancement requires untrusted root certificates installed manually on unsupervised iOS devices to be manually trusted in Certificate Trust Settings during user-initiated enrollment, or installation of the MDM profile will fail. Other forms of enrollment, such as DEP, are unaffected.

This change affects on-premise and customized Jamf Cloud environments that use a web server certificate which is not publicly trusted: one issued by the JSS built-in CA, by an internal CA, or by any other issuer iOS does not trust natively. The Jamf Cloud standard service and other environments using a natively trusted web server certificate are not affected.

Versions Affected

iOS 10.3 and later


Option A (Preferred)

It is recommended that you obtain a publicly-trusted web server certificate. This removes the manual trust step from enrollment entirely, and with it the risk of an end user trusting the wrong certificate.

For information on enabling SSL on Tomcat with a public certificate, see the following Knowledge Base article:

For a list of root certificates that are trusted by default for iOS devices, see the following Apple Knowledge Base article:

Option B (Not Recommended)

If you are unable or unwilling to obtain a publicly-trusted certificate, your devices may be at risk during the enrollment process. User-initiated enrollment with an untrusted certificate will require your end users to manually trust the untrusted Tomcat SSL certificate.
Warning: Manually trusting the incorrect certificate can cause significant security vulnerabilities.

After installing the CA certificate during user-initiated enrollment, but before installing the MDM profile, your end users must manually trust your server's SSL certificate by doing the following:

  1. On the device, go to Settings > General > About > Certificate Trust Settings.
  2. Verify the certificate listed is the correct certificate for your Jamf Pro server. Warning: Enabling full trust for the incorrect certificate will put your devices at risk.
  3. Enable full trust for your server's untrusted SSL certificate.
  4. Click Continue on the Root Certificate pop-up.

The CA certificate is now trusted. Return to the enrollment page in your web browser, and proceed with the installation of the MDM profile.
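As an added example (not part of this Jamf article), a small Python check an administrator can run before choosing between Option A and Option B: it reports whether the server's certificate chain validates against the local trust store, and prints SHA-256 fingerprints of the certificate the server actually serves and of the CA certificate you distribute, so you can publish a value through a trusted channel for end users to compare in step 2. The host name, the default port 8443 and the CA file path are assumptions, not values from this article.

```python
"""Check whether a Jamf Pro server's TLS certificate is natively trusted and
print fingerprints an admin can publish for the manual-trust step."""
import base64
import hashlib
import socket
import ssl
from typing import Tuple


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the format certificate viewers show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor of a single certificate (e.g. an exported CA cert) and decode it."""
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def is_natively_trusted(host: str, port: int) -> Tuple[bool, str]:
    """Validate the server's chain against THIS machine's trust store.
    Caveat: that store is not Apple's iOS root list, so an internal CA already
    pushed to this Mac passes here yet is still untrusted on an unenrolled iPhone."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "chain validates against the local trust store"
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message or str(exc)


def fetch_leaf_der(host: str, port: int) -> bytes:
    """Retrieve the served leaf certificate without validating it; we only want to identify it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                                       # your Jamf Pro host name (assumed)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443   # assumed: Jamf Pro's usual HTTPS port
    trusted, reason = is_natively_trusted(host, port)
    print(f"natively trusted on this machine: {trusted} ({reason})")
    print("served leaf cert SHA-256:", sha256_fingerprint(fetch_leaf_der(host, port)))
    if len(sys.argv) > 3:                                    # optional: path to the CA cert you distribute
        with open(sys.argv[3]) as f:
            print("CA cert SHA-256:", sha256_fingerprint(pem_to_der(f.read())))
```

A `False` result with a "self-signed certificate" or "unable to get local issuer certificate" reason is the situation this article describes; a `True` result on a Mac that already trusts your internal CA does not mean iOS will agree.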

Posted by CasperOSD

Thank you for this Knowledge Base post - it saved significant time and frustration and we were able to move past the MDM profile error to resolution quickly. Much appreciated!

Posted by krispayne

Option B is not currently working for iOS 11.1 and JSS 9.97

Posted by MandyDroid

For Option B - how can I push my internal root CA cert instead of the JSS Built In Cert?
