
NOTIFICATIONS for "Cannot Verify Server Identity" on iPadOS

Hello,


This pop-up notification error ("Cannot Verify Server Identity", "The identity of 'm.hotmail.com' cannot be verified") is well-documented on this site; however, my question is specific to the notification/pop-up exclusively.


To clarify: This message only appears when using my iPad at my work. I am on a very restrictive hospital network, which I am 99.9% certain is responsible for the authentication error. My iPhone has a security profile installed (from the hospital), so I am able to use it on the network without issue. My iPad does NOT have this profile, nor do I wish to install it.


When offline, or on ANY other wireless network, the iPad does not produce the error and I am able to access my hotmail account without issue.


I accept that my employer does not allow the use of personal email accounts on devices that are not secured with their profile. I accept that using the iPad to access personal email is something I simply cannot / will not do while on the hospital network. I accept that the issue is almost certainly due to my employer's policy and not Apple or Microsoft's.


I am, however, having a hard time accepting that I am unable to use the iPad for any other purpose while at work. I am looking for a method to acknowledge the authentication error and continue using the device for purposes other than email. I am not currently able to do this, as the error pop-up re-appears instantly after dismissal and continues to pop-up infinitely as long as the iPad wifi is enabled. I have disabled background refresh for the Mail and Outlook apps, which are the only ones I can think of that would be attempting to authenticate my hotmail account.


Short of removing the mail account from the device, is there ANY way I can simply prevent the appearance of this error message, or at the very least reduce its frequency so the iPad can be used "between errors"?

iPad

Posted on Sep 1, 2021 10:53 AM

Question marked as Top-ranking reply

Posted on Sep 1, 2021 11:41 AM

The trusted profile likely suppresses the warnings arising here, but almost certainly not the interception.


Newer secure connections and websites and services using a technique known as “pinning” will make this traffic interception more difficult to perform silently, too. The profile used here will increasingly be detected and connections blocked by the remote servers involved, as network connection security is upgraded.


There’s no device masking involved, you’re all getting routed through the same network path, and a path which almost certainly contains a box providing traffic interception, decryption, and monitoring.


It’s this traffic interception that’s being detected and reported.


Use the guest network, use cellular (if available) or a MiFi-like device, or use the profile, or don’t use this network for private activities.


I’d tend to keep private devices off the organizational network, absent specific approvals.


I don’t want to be the path used by miscreants or malware to gain access onto an organizational network.


If you’d like Apple to make ignoring these warnings easier, log some feedback: Product Feedback - Apple


Sep 3, 2021 7:18 AM in response to sallenmd

Thank you all for your responses!


I have been dealing with storm damage here in the Northeast, so apologies I've not been able to reply sooner.


Based on the information provided by @mrhoffman, it seems that the device will recognize the connection to hotmail servers as suspicious and potentially harmful and continue to warn me as long as the iPad is trying to talk to them.


As mentioned, I don't (nor do I intend to) attempt to use my personal email on the hospital network, but I do like having the ability to do so when I'm not at work. I was hoping that I could configure the iPad to allow me to just accept the authentication error once and not in an incessant pop-up loop, but that doesn't seem possible. 😒


I will suggest adding the ability to suppress the notifications as suggested, but for now it seems my options are limited to:

  1. Use the guest network (and sacrifice sidecar capabilities) or
  2. Remove my personal MS account from the iPad (and sacrifice its ability to access personal email outside of work)


Neither is the answer I was looking for, but it's an answer nonetheless. Thanks again for everyone's help!

Sep 1, 2021 11:24 AM in response to MrHoffman

Thank you for the reply!


Yes, the health system I work for uses a secure firewall and has crowdstrike policies enforced. I admit network security is outside my area of expertise, but there is obviously some type of "masking" implemented, as every one of the 200,000+ devices in our system will appear to have an identical public IP address.


They do offer a solution for accessing personal email on personal devices; it's a MaaS360 / MS InTune package that installs a security profile on the device itself. This profile is installed on my iPhone, allowing the network to recognize it as a "trusted device". Unfortunately, it also enforces a number of restrictions, including (but not limited to) password complexity/expiration requirements, limited app installations, location/usage monitoring, and remote lock/wipe capabilities. That being said, I can access my hotmail account on my phone and it does not produce the authentication error noted above.


My intended use for my iPad while at work is limited to sidecar and note-taking. I could install the same profile that is on my phone, but that would eliminate my ability to install or use certain apps that I use on the iPad frequently (when NOT at work) - namely photo editors and video streaming apps.


The "Fix" that I am seeking is not to eliminate the authentication error itself, but rather to prevent it from presenting a persistent pop-up notification that prevents me from using the device in any other way while on the hospital network.



Sep 1, 2021 11:03 AM in response to sonofzell

The connection certificate and the DNS likely don’t match.


One potential cause of these is connection interception and monitoring.


Another is that the iPad trusted certificate chain doesn’t include the CA being used by Microsoft.


I’d suggest chatting directly with your IT security organization, as this is a security-relevant error.


Let IT sort this.


Either it gets fixed by IT, or IT wants you to not use Hotmail.

Sep 1, 2021 11:08 AM in response to sonofzell

Has your employer explicitly stated that you can't use their network for personal things? I get this pop-up occasionally from random networks that I connect to, but just accept it and move on. Does your hospital have a guest WiFi that you could connect to? Or are you also using the device for work and thus need to connect to the hospital's protected private WiFi? Another option would be to turn off WiFi and use cellular (if you have cellular on your iPad) or use your phone as a hotspot when doing personal stuff.

Sep 1, 2021 11:13 AM in response to sonofzell

I’ll attempt to keep this explanation relatively simple - avoiding the deep intricacies of Certificate Authorities (CA) and details of how the Chain of Trust Operates…


Your issue stems from the way that SSL/TLS Security Certificates work in securing the encrypted communication between your iPad and the servers to which it is attempting to connect.


In essence, your iPad is attempting to verify that end-to-end encryption between your iPad and servers is secure - however, your network appears to be attempting to intercept and “inspect” your encrypted network traffic. This interception breaks the SSL/TLS certificate chain of trust - as your network traffic is decrypted, inspected and re-encrypted using the encryption key of a different Certificate. This tampering is detected - and you see the error. For corporate networks, this behaviour is not unusual.


By installing the management profile, additional certificates are loaded into your iPad Certificate Store - and your iPad is reconfigured to “trust” this new certificate.


In many cases, you might attempt to “tunnel” your traffic past this intrusive inspection, through using a VPN. However, NHS networks block VPN connections - forcing inspection of network traffic.


Fundamentally, you have a choice. You can accept and install the profile - and accept that your traffic is being intercepted and inspected by your employer - or you can live with your iPad disallowing [what it believes to be] a security-compromised connection.
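
The chain-of-trust behaviour described in the reply above, reproduced offline as an added example (not part of the original thread): a certificate issued by an inspection CA is rejected by a stock trust store and accepted once that CA is added, which is what the management profile does. The CA names are constructed stand-ins, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: all CA names, keys and certificates are constructed locally.

# new_ca DIR NAME CN: self-signed CA, standing in for a root in a trust store.
new_ca() {
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA NAME HOST: certificate for HOST signed by the named CA.
issue_leaf() {
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# verdict BUNDLE CERT: "trusted" if CERT chains to a CA in BUNDLE, else "rejected".
verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

demo() {
  local d; d=$(mktemp -d) || return 1
  # Minimal request config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/req.cnf"
  new_ca "$d" public  "Constructed Public CA"       # issuer of the real server cert
  new_ca "$d" inspect "Constructed Inspection CA"   # issuer used by the proxy
  issue_leaf "$d" public  genuine m.hotmail.com     # what the real server presents
  issue_leaf "$d" inspect proxied m.hotmail.com     # what the proxy presents
  cp "$d/public.pem" "$d/stock.pem"                        # device without profile
  cat "$d/public.pem" "$d/inspect.pem" > "$d/managed.pem"  # device with profile
  echo "direct=$(verdict "$d/stock.pem" "$d/genuine.pem")" \
       "intercepted=$(verdict "$d/stock.pem" "$d/proxied.pem")" \
       "intercepted+profile=$(verdict "$d/managed.pem" "$d/proxied.pem")"
  rm -rf "$d"
}

demo
```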

Sep 1, 2021 11:39 AM in response to sallenmd

Thanks for the reply!


My employer's stance (which I understand and respect) is that "personal" usage on its network can only be done using approved devices. This includes hospital-provided desktops/notebooks that have been imaged with a restricted OS (primarily Windows10 loaded with GPO restrictions), as well as personal devices that have been secured with the profile.


Semantically, I am using the device for work "purposes", but realistically, no - I have no access to my hospital Office 365 account or any other health system applications from the iPad. I simply wish to use it for note-taking and the occasional sidecar display (the latter is the reason I connect to the primary wlan instead of our guest network).


I have no intention of abusing or circumventing my employer's policies, and I'm starting to conclude that my only option will be to remove my personal MS credentials from the iPad altogether in order to use it within the hospital. What I was hoping for was to have the ability to simply acknowledge the authentication error when waking the device without having it perpetually reappear immediately after I respond with "cancel". Even if it appeared every 5-10 minutes, I could probably make it work. As it behaves currently, I don't even have time to launch an app between pop-ups.

Sep 3, 2021 8:23 AM in response to sonofzell

sonofzell wrote:

Based on the information provided by @mrhoffman, it seems that the device will recognize the connection to hotmail servers as suspicious and potentially harmful and continue to warn me as long as the iPad is trying to talk to them.


The network connections are NOT reaching the Hotmail servers.


That’s the fundamental issue here.


The connections are reaching some intermediate server configured to intercept and decrypt and (presumably) scan and/or log network connections and data. That server then passes those connections along to (the real) Hotmail.


Here, your iPad is reporting that your connections intended for Hotmail are reaching some server pretending (badly) to be Hotmail.


Less scrupulous interception services would do other things, possibly vacuuming up your data, or would pretend fully to be the server that you had thought and intended to connect to, or more subtly modifying parts of the actual data retrieved from or sent to the intended destination server.


What to do? Disconnect from the secure network, connect to cellular or MiFi or guest Wi-Fi, then access your private email. You probably don’t want all of your private mail captured and/or scanned and/or logged, which is what is (and will) happen with the connection interception configured here, anyway.


And you really don’t want to be the origin of malware on the restricted network, or associated with any leaks of confidential or protected data, all of which is what that connection-intercepting server is trying to detect, log, and preferably prevent.

Sep 3, 2021 9:01 AM in response to MrHoffman

I do understand - apologies for the misrepresentation.


I do just want to reiterate... accessing my hotmail from the hospital network is NOT my intention or goal. I know that the iPad will not reach the MS servers without the profile installed.


What I want is the ability to take notes and/or use sidecar at work. When on my hospital network, I do not open or attempt to use Mail, Outlook, or any other app that I can imagine would be trying to talk to m.hotmail.com. Despite that fact, the iPad obviously is trying to communicate with that server constantly. I've disabled background app refresh for both but that has not done the trick.


I haven't tested, but I presume removing my MS account from the device entirely would likely stop the pop-ups, but as stated above I'd prefer to have the ability to use email on this device from other locations. It seems I will need to choose which sacrifice I want to make... either no MS account on the device or no sidecar (ie: using the guest wlan).
