
Apple ADE - MDM Certificate vs. MDM Trust Chain

What

For ADE/DEP enrollments there are certificates that go in the enrollment profile. In FileWave 16.2.0 we have made a change to what is included in that profile by default.

When/Why

We've had some support issues where customers would see ADE/DEP profiles duplicate. Investigation found that, because of the way we included the certificates, we would sometimes have to update the profiles when certain things happened, such as renewing your SSL certificate. After investigating with Apple, we found that our method was very secure but created complexity that could be avoided. The root cause of DEP profile duplication is that we add the MDM server certificate to the ADE profile. This is the most secure option (the device checks that the MDM server has the same certificate as the one in the ADE profile), but it requires us to recreate profiles when the certificate is renewed.

How

In FileWave 16.2 we are changing what we include in the ADE/DEP enrollment profiles by default. We have a new setting to only add the trust chain (parent certificates), so enrollment will work, but the device will not verify the cert (the cert must still be valid, but the device won't verify it's the same cert). It's a bit less secure, but still secure (unless someone has a way to create their own cert with your FQDN). This allows us to not recreate ADE profiles each time we renew certificates, because it's no longer required.

You'll find the setting in Central's Preferences, on the VPP & ADE tab, as shown in the image below. We recommend leaving it on MDM Trust Chain to avoid duplication of ADE/DEP enrollment profiles. We have left the option to pick MDM Certificate in case a customer has a security requirement to do that, but know that changing it to MDM Certificate can result in profiles being duplicated when you update your SSL certificates.

FileWave Admin 2025-09-23 10.26.44.png
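
The trade-off between the two settings can be reproduced with throwaway certificates. This is an added example, not FileWave code: it models the two device-side checks as described above, and the demo CA, the FQDN `mdm.example.test` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and server certs, nothing from a real MDM server.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN="mdm.example.test"   # placeholder FQDN (assumption)

# Throwaway root CA standing in for the "trust chain" parent certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a server certificate for $FQDN signed by the demo CA; $1 is the output name.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.pem" 2>/dev/null
}

fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# "MDM Certificate" mode: the served cert must be the exact cert stored in the profile.
pin_check() {    # $1 = cert stored in profile, $2 = cert the server presents
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ] && echo match || echo mismatch
}

# "MDM Trust Chain" mode: the served cert only has to chain to the stored parent.
# (Hostname matching is not modelled here.)
chain_check() {  # $1 = cert the server presents
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 \
    && echo valid || echo invalid
}

make_ca
issue_leaf original   # cert in place when the ADE profile was created
issue_leaf renewed    # cert after renewal: new key, same FQDN, same CA

echo "MDM Certificate, original served: $(pin_check original original)"
echo "MDM Certificate, renewed served:  $(pin_check original renewed)"
echo "MDM Trust Chain, original served: $(chain_check original)"
echo "MDM Trust Chain, renewed served:  $(chain_check renewed)"
```

The renewed certificate fails the pin comparison, which is why the profile had to be recreated, while it still passes the chain check. The same result shows the cost: in trust chain mode any valid certificate issued under that parent is accepted, not only the one you deployed.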