How to enroll an iOS device to a Mobile Management Server when the SSL Certificate is not from a trusted root certificate authority

Article: HOWTO64245  |  Created: 2011-12-23  |  Updated: 2014-04-02
Article Type: How To

Different types of certificates can be used to secure IIS. Web browsers let you temporarily accept an untrusted certificate, but the MDM profile will not install if the certificate was issued by an authority the device does not trust. A typical example is an internal CA within an enterprise domain.

It is possible to push the root certificate out to the mobile device. When the device enrolls and installs the MDM profile, the root certificate is installed first, so the other certificates issued under that root can then be trusted. To retrieve the root certificate from the server hosting IIS:

  1. Open up the MMC > Certificates snap-in for the Local Computer and navigate to the Personal certificates, to find the certificate IIS is using.
  2. Go to the Certificate Path tab, and view the parent (root) certificate it was created with.
  3. Go to the Details tab, and choose Copy to File...
  4. Export the certificate with the default settings (e.g. DER encoded binary X.509 .CER file) and save it.
  5. Go into the Management Platform Console to Home > Mobile Management > Settings > iOS Enrollment > Additional Configurations.
  6. Select an existing Credentials payload from the list, or click Create to configure a new Credentials payload.
  7. If you create a new Credentials payload, use the steps below to import your Root CA into the payload.
    A. Select iOS Configuration > Credentials > Starburst (Yellow Icon to the right of iOS Configuration label)
    B. Click on Select cert file ...
    C. Browse to the location of your exported certificate from step 4 above.
    D. Select Open
    E. Update the Credential Name and Description, if desired, then click Save Changes.
  8. Select OK.
  9. Back on the Additional Configurations page, select Save changes to update your iOS MDM Enrollment configuration.
  10. Restart the MDM server or restart the Altiris Services.
  11. The next time a device tries to enroll and install a profile, the Root Certificate will show up as part of the profile.
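Steps 1 to 4 can also be scripted on the IIS host. The following PowerShell is an added example and is not part of the Symantec article: the thumbprint and output path are placeholders, it walks the same chain the Certification Path tab shows, refuses to continue if the top of the chain is not actually self-signed (the root is missing from the host's stores), and writes the root in the same DER-encoded binary X.509 .CER format the export wizard produces by default.

```powershell
# Added example (not from the Symantec article). Run on the IIS host in an elevated session.
# $Thumbprint is the thumbprint of the certificate bound in IIS (LocalMachine\Personal store).
function Export-IisRootCa {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,          # placeholder: thumbprint of the IIS server cert
        [string]$OutFile = "$env:TEMP\RootCA.cer"            # placeholder: where the DER .CER is written
    )
    $serverCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.Replace(' ', '').ToUpper() }
    if (-not $serverCert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # Build the chain the same way the MMC 'Certification Path' tab does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Still assemble the elements even when this host itself does not trust the root.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.Build($serverCert)

    # The last element is the top of the chain; a true root CA certificate is self-signed.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -ne $root.Issuer) {
        throw "Chain top '$($root.Subject)' is not self-signed; the root CA certificate is not present on this host"
    }
    if ($root.Thumbprint -eq $serverCert.Thumbprint) {
        Write-Warning "The IIS certificate is itself self-signed; the device will have to trust it directly."
    }

    # X509ContentType::Cert = DER-encoded binary X.509, the export wizard default from step 4.
    $der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($OutFile, $der)
    Write-Output "Root CA '$($root.Subject)' (thumbprint $($root.Thumbprint)) written to $OutFile"
}

# Example usage with a placeholder thumbprint:
# Export-IisRootCa -Thumbprint 'THUMBPRINT_OF_IIS_CERT' -OutFile 'C:\Temp\RootCA.cer'
```

The resulting .CER file is what you browse to in step 7C when building the Credentials payload.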

UPDATE for iOS 7.1

With Apple's new requirement in iOS 7.1, any in-house app, including the SMM agent, must be downloaded over HTTPS, so a new device can no longer reach the download link for the SSL certificate before the connection is trusted. The best way to enroll iOS 7.1 and later devices is to use an SSL certificate issued by a root authority Apple already trusts.

Apple publishes the list of root certificates trusted by iOS on its site.
