
Changes in User-Initiated Enrollment with Untrusted Certificate Authority (CA) Signed SSL Certificates in iOS 10.3 and Later

Overview

Apple has enabled an important security enhancement beginning with iOS 10.3. This security enhancement requires untrusted root certificates installed manually on unsupervised iOS devices to be manually trusted in Certificate Trust Settings during user-initiated enrollment, or installation of the MDM profile will fail. Other forms of enrollment, such as DEP, are unaffected.

This change affects on-premise and customized Jamf Cloud environments whose web server certificate is not publicly trusted: one issued by the JSS built-in CA, an internal CA, or any other issuer that is not in the iOS built-in trust store (see https://support.apple.com/kb/HT207177). Jamf Cloud standard service and other environments using a natively-trusted web server certificate are not affected.

Versions Affected

iOS 10.3 and later

Process

Option A (Preferred)

It is recommended that you obtain a publicly-trusted web server certificate to avoid security vulnerabilities.

For information on enabling SSL on Tomcat with a public certificate, see the following Knowledge Base article: https://www.jamf.com/jamf-nation/articles/115/enabling-ssl-on-tomcat-with-a-public-certificate

For a list of root certificates that are trusted by default for iOS devices, see the following Apple Knowledge Base article: https://support.apple.com/kb/HT207177

Option B (Not Recommended)

If you are unable or unwilling to obtain a publicly-trusted certificate, your devices may be at risk during the enrollment process. User-initiated enrollment with an untrusted certificate will require your end users to manually trust the untrusted Tomcat SSL certificate.
Warning: Manually trusting the incorrect certificate can cause significant security vulnerabilities.

After installing the CA certificate during user-initiated enrollment, but before installing the MDM profile, your end users must manually trust your server's SSL certificate by doing the following:

  1. On the device, go to Settings > General > About > Certificate Trust Settings.
  2. Verify the certificate listed is the correct certificate for your Jamf Pro server. Warning: Enabling full trust for the incorrect certificate will put your devices at risk.
  3. Enable full trust for your server's untrusted SSL certificate.
  4. Tap Continue on the Root Certificate pop-up.

The CA certificate is now trusted. Return to the enrollment page in your web browser, and proceed with the installation of the MDM profile.
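To see why the enrollment fails, the following added script (not part of this article, and not Jamf tooling) builds a throwaway private CA standing in for the JSS built-in CA, issues a server certificate with it, and shows that the certificate fails verification against the default trust store until the private root is supplied explicitly, which is what enabling full trust on the device does. The names Example Private CA and jss.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added demonstration of the trust problem described above, using a
# throwaway private CA. All names here are constructed placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private root CA, standing in for the JSS built-in CA or an internal CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Private CA" 2>/dev/null

# 2. A web server certificate for the Jamf Pro host, issued by that private CA.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
  -subj "/CN=jss.example.com" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/srv.pem" 2>/dev/null

# Print the issuer of a certificate; for an affected server this names the
# private CA rather than a publicly trusted one.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Return 0 if the certificate chains to a root already in the local default
# trust store (the "natively trusted" case the article says is unaffected).
verifies_with_default_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# Return 0 if the certificate chains to the root in the given CA file, which
# models the device after the CA certificate has been installed and fully trusted.
verifies_with_extra_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

cert_issuer "$WORK/srv.pem"
if verifies_with_default_store "$WORK/srv.pem"; then
  echo "server certificate is natively trusted: enrollment unaffected"
else
  echo "server certificate is NOT natively trusted: users must enable full trust"
fi
if verifies_with_extra_root "$WORK/srv.pem" "$WORK/ca.pem"; then
  echo "with the private root trusted explicitly, the chain verifies"
fi
```

Run the same `openssl verify` against your own Jamf Pro server certificate to confirm which case applies before directing users through Option B.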

SOLVED Posted: 8/24/17 at 6:04 PM by CasperOSD

Thank you for this Knowledge Base post - it saved significant time and frustration and we were able to move past the MDM profile error to resolution quickly. Much appreciated!
