groovee_
Level 1 (0 points)

Q: Profile Manager - MDM identity certificate

Hello,

 

I would like to know what exactly is "MDM identity certificate"? I can find it in my managed devices (SETTINGS -> General -> Management -> Remote Management -> Details -> (device identity certificates)). It is issued by MACOSX OpenDirectory Intermediate CA.

 

I do not use code signed profiles (I read it is necessary to re-enroll device after cert expiration).

 

I use current Apple configurator to connect to Profile Manager. Above certificate is valid for a year from enrollment date.

 

I would like to know it is possible to create longer than a year certificate instead, and what I should do before that certificate expire to be able to update all my devices from profile manager without taking devices in my hand?

 

I have about 50 iphones (unsupervised) connected to my Profile Manager. Now I would like to connect another 50 iPads, this time as supervised devices.

But I afraid what happen when that certificate expire, would like to avoid that or at least to know what (and when) I should do to avoid loosing contact with my Profile manager.

 

Regards,

Kacper

Posted on Jan 28, 2016 1:18 AM

by John Lockwood,Solvedanswer
John Lockwood John Lockwood
Level 6 (9,349 points)
Servers Enterprise
A:

As long as the APNS certificate is renewed before it expires you do not have to do anything to the client devices.

 

The MDM Identity certificate it generated when a client device 'enrols' in to Profile Manager, it is generated by the SCEP server built-in to Profile Manager. Profile Manager does allow you to push a profile to a client device with settings to access and use a SCEP server but sadly the SCEP server built-in to Apple's Profile Manager cannot be used for this purpose. Typical example uses of a SCEP server after one has enrolled in to an MDM would be to generate a certificate to access an 802.1x protected WiFi network or to access a VPN server using certificate based authentication.

 

The settings Profile Manager uses for enrolling client devices and then generating an MDM Identity Certificate for them are hardcoded and hidden in Profile Manager so I see no way to change their lifespan.

 

Again they should renew automatically as long as your APNS is renewed before it expires and any other certificates your Profile Manager server uses are also renewed before they expire.

 

If you forget to renew them in time then you have to enrol all the devices again.

Posted on Jan 29, 2016 6:22 AM

Close
groovee_

Q: Profile Manager - MDM identity certificate

  • All replies
  • Helpful answers

  • by John Lockwood,Helpful

    John Lockwood John Lockwood Jan 29, 2016 4:44 AM in response to groovee_
    Level 6 (9,349 points)
    Servers Enterprise
    Jan 29, 2016 4:44 AM in response to groovee_

    While it is possible to create your own longer lasting computer server certificate, and your own longer lasting code-signing certificate it is not possible to change the length of time for the Apple generated Push Notifications certificate that is also required for an MDM solution.

     

    So you are regardless going to be stuck with at least one certificate that has to be renewed annually and as you have to do it before it runs out this actually means more like every 11 months.

  • by groovee_,

    groovee_ groovee_ Jan 29, 2016 5:55 AM in response to John Lockwood
    Level 1 (0 points)
    Jan 29, 2016 5:55 AM in response to John Lockwood

    Thank you John for reply.

     

    As I understand, APN certificate is being renewed in Server App. Do I have to (manually) distribute that certificate to my devices, or just renew before it expire?

    What you called "computer server certificate" is located in Certificates tab of Server app, right?

     

    Certificate I'm asking about is located in device being managed by MDM, named "MDM Identity Certificate: [NUMBERS]". It seems every device has its own certificate (different serials). It is valid from date of enrollment for a year.

    I would like to know how should I renew that certificate and should it be sent do device via Profile Manager?

     

    I've found something like this here:

    https://discussions.apple.com/message/21618607#21618607

     

    But I wonder is SCEP the same certificate I'm talking about?

     

    Regards,

  • by John Lockwood,Solvedanswer

    John Lockwood John Lockwood Jan 29, 2016 6:22 AM in response to groovee_
    Level 6 (9,349 points)
    Servers Enterprise
    Jan 29, 2016 6:22 AM in response to groovee_

    As long as the APNS certificate is renewed before it expires you do not have to do anything to the client devices.

     

    The MDM Identity certificate it generated when a client device 'enrols' in to Profile Manager, it is generated by the SCEP server built-in to Profile Manager. Profile Manager does allow you to push a profile to a client device with settings to access and use a SCEP server but sadly the SCEP server built-in to Apple's Profile Manager cannot be used for this purpose. Typical example uses of a SCEP server after one has enrolled in to an MDM would be to generate a certificate to access an 802.1x protected WiFi network or to access a VPN server using certificate based authentication.

     

    The settings Profile Manager uses for enrolling client devices and then generating an MDM Identity Certificate for them are hardcoded and hidden in Profile Manager so I see no way to change their lifespan.

     

    Again they should renew automatically as long as your APNS is renewed before it expires and any other certificates your Profile Manager server uses are also renewed before they expire.

     

    If you forget to renew them in time then you have to enrol all the devices again.

  • by groovee_,

    groovee_ groovee_ Feb 1, 2016 9:17 AM in response to John Lockwood
    Level 1 (0 points)
    Feb 1, 2016 9:17 AM in response to John Lockwood

    Thank you for help!

  • by alessio_ic,

    alessio_ic alessio_ic Mar 1, 2016 2:59 PM in response to groovee_
    Level 1 (0 points)
    Mar 1, 2016 2:59 PM in response to groovee_

    HI,

     

    I posed the same question some months ago. In my experience, even if you renew the ssl certificate of the server and the push server certificate no update is ever made to client devices certificates. To cut a long story short we have to re-enroll manually the devices after one year, but if I'm making some mistake or there is something I have not understood I will be more than glad to hear how this can happen automatically.

     

    Best regards,

     

    alessiof