Apple has enabled an important security enhancement beginning with iOS 10.3. This security enhancement requires untrusted root certificates installed manually on unsupervised iOS devices to be manually trusted in Certificate Trust Settings during user-initiated enrollment, or installation of the MDM profile will fail. Other forms of enrollment, such as DEP, are unaffected.
This change affects on-premise and customized Jamf Cloud environments that use a web server certificate not publicly trusted by iOS, such as one issued by the JSS built-in CA, an internal CA, or any other issuer not on Apple's list of natively trusted roots: https://support.apple.com/kb/HT207177. The Jamf Cloud standard service and other environments that use a natively trusted web server certificate are not affected.
iOS 10.3 and later
It is recommended that you obtain a publicly-trusted web server certificate so that enrollment does not depend on end users manually trusting an untrusted root certificate.
For information on enabling SSL on Tomcat with a public certificate, see the following Knowledge Base article: https://www.jamf.com/jamf-nation/articles/115/enabling-ssl-on-tomcat-with-a-public-certificate
For a list of root certificates that are trusted by default for iOS devices, see the following Apple Knowledge Base article: https://support.apple.com/kb/HT207177
If you are unable or unwilling to obtain a publicly-trusted certificate, your devices may be at risk during the enrollment process. User-initiated enrollment with an untrusted certificate requires your end users to manually trust the root CA of the Tomcat SSL certificate in Certificate Trust Settings before the MDM profile can be installed.
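The following script is an added example, not Jamf's or Apple's own tooling: it fetches the certificate chain your JSS (Tomcat) presents and checks whether it verifies against a public root store, which is a reasonable proxy for whether iOS will trust it natively or instead require the manual trust step described on this page. It assumes `openssl` is installed and that `CA_BUNDLE` points at a public root bundle (the default path is a typical Linux location; the hostname and port are placeholders).

```shell
#!/bin/sh
# Added example: check whether a JSS/Tomcat web server certificate chains to a
# publicly trusted root (assumes openssl; CA_BUNDLE path is an assumption).
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# fetch_chain HOST PORT OUTFILE
# Save the PEM certificates the server presents (leaf first, then intermediates).
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# chain_is_publicly_trusted PEMFILE [BUNDLE]
# Returns 0 when the first (leaf) certificate in PEMFILE verifies against BUNDLE,
# using the rest of PEMFILE as untrusted intermediates; 1 otherwise (self-signed
# leaf, JSS built-in CA, internal CA, or a chain missing its intermediates).
chain_is_publicly_trusted() {
    bundle="${2:-$CA_BUNDLE}"
    openssl verify -CAfile "$bundle" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Usage: sh check_jss_cert.sh jss.example.com 8443   (placeholder host/port)
if [ "$#" -eq 2 ]; then
    chain=$(mktemp)
    fetch_chain "$1" "$2" "$chain"
    if chain_is_publicly_trusted "$chain"; then
        echo "$1: chain verifies against $CA_BUNDLE; iOS should trust it natively"
    else
        echo "$1: chain does NOT verify; expect the manual trust step on iOS 10.3+"
    fi
    rm -f "$chain"
fi
```

A chain that verifies here but still prompts on the device usually means the root is in the Linux bundle but not on Apple's list, so cross-check the issuing root against HT207177.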
After installing the CA certificate during user-initiated enrollment, but before installing the MDM profile, your end users must manually trust your server's SSL certificate by doing the following:
The CA certificate is now trusted. Return to the enrollment page in your web browser, and proceed with the installation of the MDM profile.