NOTIFICATIONS for "Cannot Verify Server Identity" on iPadOS

The trusted profile likely suppresses the warnings arising here, but almost certainly not the interception.

Newer secure connections and websites and services using a technique known as “pinning” will make this traffic interception more difficult to perform silently, too. The profile used here will increasingly be detected and connections blocked by the remote servers involved, as network connection security is upgraded.

There’s no device masking involved, you’re all getting routed through the same network path, and a path which almost certainly contains a box providing traffic interception, decryption, and monitoring.

It’s this traffic interception that being detected and reported.

Use the guest network, use cellular (of available) or a MiFi-like device, or use the profile, or don’t use this network for private activities.

I’d tend to keep private devices off the organizational network, absent specific approvals.

I don’t want to be the path used my miscreants or malware to gain access onto an organizational network.

If you’d like Apple to make ignoring these warnings easier, log some feedback: Product Feedback - Apple

The connection certificate and the DNS likely don’t match.

One potential cause of these is connection interception and monitoring.

Another is that the iPad trusted certificate chain doesn’t include the CA being used by Microsoft.

I’d suggest chatting directly with your IT security organization, as this is a security-relevant error.

Let IT sort this.

Either it gets fixed by IT, or IT wants you to not use Hotmail.

Has your employer explicitly stated that you can't use their network for personal things? I get this pop-up occasionally from random networks that I connect do, but just accept it and move on. Does your hospital have a guest WiFi that you could connect to? Or are you also using the device for work and thus need to connect to the hospital's protected private WiFi? Another option would be to turn off WiFi and use cellular (if you have cellular on your iPad) or use your phone as a hotspot when doing personal stuff.

I’ll attempt to keep this explanation relatively simple - avoiding the deep intricacies of Certificate Authorities (CA) and details of how the Chain of Trust Operates…

Your issue stems from the way that SSL/TLS Security Certificates work in securing the encrypted communication between your iPad and the servers to which it is attempting to connect.

In essence, your iPad is attempting to verify that end-to-end encryption between your iPad and servers is secure - however, your network appears to be attempting to intercept and “inspect” your encrypted network traffic. This interception breaks the SSL/TLS certificate chain of trust - as your network traffic is decrypted, inspected and re-encrypted using the encryption key of a different Certificate. This tampering is detected - and you see the error. For corporate networks, this behaviour is not unusual.

By installing the management profile, additional certificates are loaded into your iPad Certificate Store - and your iPad is reconfigured to “trust” this new certificate.

In many cases, you might attempt to “tunnel” your traffic past this intrusive inspection, through using a VPN. However, NHS networks block VPN connections - forcing inspection of network traffic.

Fundamentally, you have a choice. You can accept and install the profile - and accept that your traffic is being intercepted and inspected by your employer - or you can live with your iPad disallowing [what it believes to be] a security-compromised connection.

I wouldn't consider using the guest WiFi to be circumventing policy if just doing personal email and such just like visitors and patients do, but clearly won't work for you when doing the sidecar display. Good luck. Hope you can (with IT help?) find a workable solution.

sonofzell wrote:

Based on the information provided by @mrhoffman, it seems that the device will recognize the connection to hotmail servers as suspicious and potentially harmful and continue to warn me as long as the iPad is trying to talk to them.

The network connections are NOT reaching the Hotmail servers.

That’s the fundamental issue here.

The connections are reaching some intermediate server configured to intercept and decrypt and (presumably) scan and/or log network connections and data. That server then passes those connections along to (the real) Hotmail.

Here, your iPad is reporting that your connections intended for Hotmail are reaching some server pretending (badly) to be Hotmail.

Less scrupulous interception services would do other things, possibly vacuuming up your data, or would pretend fully to be the server that you had thought and intended to connect to, or more subtly modifying parts of the actual data retrieved from or sent to the intended destination server.

What to do? Disconnect from the secure network, connect to cellular or MiFi or guest Wi-Fi, then access your private email. You probably don’t want all of your private mail captured and/or scanned and/or logged, which is what is (and will) happen with the connection interception configured here, anyway.

And you really don’t want to be the origin of malware on the restricted network, or associated with any leaks of confidential or protected data, all of which is what that connection-intercepting server is trying to detect, log, and preferably prevent.

Talk to your manager and to IT? If you need something akin to Side Car, that would best be acquired from the organization’s budget. Not yours. Various organizations can have “spare” monitors around, for instance.