Apple ADE - MDM Certificate vs. MDM Trust Chain
What
For ADE/DEP enrollments there are certificates that go in the enrollment profile. In FileWave 16.2.0 we have made a change to what is included in that profile by default.
When/Why
We've had support cases where customers saw duplicated ADE/DEP profiles. Investigation found that, because of the way we included certificates in the profile, we sometimes had to update the profiles when events such as renewing your SSL certificate occurred. After reviewing this with Apple, we found that our method was very secure but created complexity that could be avoided. The root cause of the DEP profile duplication is that we add the MDM server certificate itself to the ADE profile. This is the most secure option (the device checks that the MDM server presents the same certificate as the one in the ADE profile), but it requires us to recreate the profiles whenever that certificate is renewed.
How
In FileWave 16.2 we are changing what we include in ADE/DEP enrollment profiles by default. There is a new setting to add only the trust chain (the parent certificates). Enrollment still works, but the device will not verify that the server presents the exact certificate from the profile: the certificate must still be valid, but the device will not check that it is the same certificate. This is slightly less secure, but still secure (unless someone is able to obtain their own certificate for your FQDN). The benefit is that we no longer need to recreate ADE profiles every time a certificate is renewed, because that is no longer required.
You'll find the setting in Central's Preferences, in the VPP & ADE tab, as shown in the image below. We recommend leaving it set to MDM Trust Chain to avoid duplication of ADE/DEP enrollment profiles. We have left the MDM Certificate option available for customers who have a security requirement for it, but be aware that if you switch to MDM Certificate, profiles can be duplicated whenever you update your SSL certificate.
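To make the difference between the two settings concrete, the following is an added example (not FileWave's or Apple's code) that models the check a device performs in each mode. Certificates are represented by a small stand-in class rather than real X.509 objects, and the FQDN, CA names and serial numbers are constructed values. The function `profile_needs_regeneration` captures the operational point of this article: in MDM Certificate mode a renewed server certificate has a new fingerprint, so the pinned profile no longer matches and must be recreated; in MDM Trust Chain mode the parent certificates in the profile are unchanged, so the renewed certificate verifies without touching the profile.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    subject: str      # CN, e.g. the MDM server FQDN
    issuer: str       # CN of the certificate that signed this one
    serial: int
    not_after: datetime
    is_ca: bool = False

    def fingerprint(self) -> str:
        # Hash of the identifying fields; stands in for the SHA-256 of the DER encoding.
        data = f"{self.subject}|{self.issuer}|{self.serial}|{self.not_after.isoformat()}"
        return hashlib.sha256(data.encode()).hexdigest()


def chain_is_valid(leaf, intermediates, anchors, fqdn, now):
    """MDM Trust Chain mode: the enrollment profile carries only the parent
    certificates (anchors). Any unexpired server certificate for the FQDN
    that chains up to one of those anchors is accepted."""
    if leaf.subject != fqdn or now > leaf.not_after:
        return False
    anchor_fps = {a.fingerprint() for a in anchors}
    by_subject = {c.subject: c for c in list(intermediates) + list(anchors)}
    current = leaf
    for _ in range(8):  # bound the walk so a malformed chain cannot loop forever
        if current.fingerprint() in anchor_fps:
            return True
        parent = by_subject.get(current.issuer)
        if parent is None or not parent.is_ca or now > parent.not_after:
            return False
        current = parent
    return False


def pinned_is_valid(leaf, intermediates, anchors, pinned_fp, fqdn, now):
    """MDM Certificate mode: the profile carries the server certificate itself,
    so the device additionally requires that exact certificate."""
    return leaf.fingerprint() == pinned_fp and chain_is_valid(
        leaf, intermediates, anchors, fqdn, now
    )


def profile_needs_regeneration(mode, pinned_fp, new_leaf):
    """After an SSL renewal, does the ADE profile have to be recreated?"""
    if mode == "MDM Certificate":
        return new_leaf.fingerprint() != pinned_fp
    if mode == "MDM Trust Chain":
        return False  # anchors are unchanged; the renewed leaf is verified via the chain
    raise ValueError(f"unknown mode: {mode}")


def demo():
    """Walk through an original cert, a renewed cert and one from an untrusted issuer."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    year = timedelta(days=365)
    fqdn = "mdm.example.com"  # constructed
    root = Cert("Example Root CA", "Example Root CA", 1, now + 10 * year, is_ca=True)
    inter = Cert("Example Issuing CA", "Example Root CA", 2, now + 5 * year, is_ca=True)
    leaf_v1 = Cert(fqdn, "Example Issuing CA", 1001, now + year)
    leaf_v2 = Cert(fqdn, "Example Issuing CA", 1002, now + 2 * year)  # renewed server cert
    untrusted = Cert(fqdn, "Unknown CA", 7, now + year)                # does not chain to an anchor
    pin = leaf_v1.fingerprint()  # what an MDM Certificate profile would carry
    anchors = [root]             # what an MDM Trust Chain profile would carry
    chain = [inter]
    return {
        "v1_chain": chain_is_valid(leaf_v1, chain, anchors, fqdn, now),
        "v1_pin": pinned_is_valid(leaf_v1, chain, anchors, pin, fqdn, now),
        "v2_chain": chain_is_valid(leaf_v2, chain, anchors, fqdn, now),
        "v2_pin": pinned_is_valid(leaf_v2, chain, anchors, pin, fqdn, now),
        "untrusted_chain": chain_is_valid(untrusted, chain, anchors, fqdn, now),
        "regen_pin": profile_needs_regeneration("MDM Certificate", pin, leaf_v2),
        "regen_chain": profile_needs_regeneration("MDM Trust Chain", pin, leaf_v2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the renewed certificate passing the chain check but failing the pin check, which is exactly why profiles had to be recreated (and ended up duplicated) in MDM Certificate mode; a certificate that does not chain to the included parents is rejected in both modes.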