On attempting to enrol iOS 12 devices, we have seen some instances of the profile installation failing. In these cases it has been related to the server certificate.
As of iOS 11 and macOS High Sierra, Apple introduced stricter rules regarding MDM server to device communication:
However, it appears that these have not been fully implemented, until iOS 12, with respect to certificates. Certificates of RSA key sizes below 2048 have still managed to work on iOS 11. iOS 12 no longer allow this.
As 3rd party suppliers have been supplying appropriate keys now for some time, this is likely to impact Self-Signed Certificates only.
The following command may be used to check the certificate RSA key size.
openssl x509 -in /usr/local/filewave/certs/server.crt -text -noout | grep Public-Key
C:\OpenSSL-Win64\bin\openssl.exe x509 -in C:\ProgramData\FileWave\FWServer\certs\server.crt -text -noout | FINDSTR Public-Key
N.B. Windows does not have openssl installed as standard. Please see the below Root Trusted Certificate KB for further details.
If the output is anything less than 2048, then the server certificate will need to be updated.
If you are using a Self-Signed Cert, you will need to either:
- Re-use your process for generating the certificate to update to ensure it has a RSA key size of 2048 or larger
- Consider moving to an official 3rd party certificate
Please take into consideration the following KB when moving to a new certificate:
Root Trusted SSL Certificate (Using and Renewing)