Overview
Apple MDM Systems use SSL Certificates to sign MDM Profiles for installation. Signing provides enhanced security and trust during the installation process. Typically, SSL certificates are valid for one to five years. More recently, Apple, Google, and several others have pushed to support only one-year SSL Certificates.
When a valid SSL certificate is used to sign profiles, macOS and iOS device users will see that the Addigy MDM profile has been Verified by a trusted source, as shown in the image below. If an expired or otherwise invalid SSL certificate is used, the profile will show as Unverified instead. In this case, the client cannot be sure that the profile was sent by the server directly. If no certificate is used at all, the profile will simply show as Unsigned.
Verified
MDM SSL Signing Profile Expiration
All profiles show as Verified during installation, and all profiles that are currently installed show as Verified on the device. Addigy’s SSL Certificate, which is issued by SSL.com DV CA and has signed all Addigy MDM profiles, expires every year. When the certificate expires, profiles that are currently installed on devices will show as Unverified (see image above). Addigy renews the certificate every year.
Expiration Impact
Expiration has no functional impact on the behavior of installed profiles. Profiles originally signed with a now expired certificate will continue to function as they always have.
On devices, the installed profile is tied to the signing certificate that was originally installed on the device. Profiles currently installed on the device will show as Unverified if viewed from the device settings. Even so, once the profile is installed on the device, it no longer plays a part in any network transactions unless the profile itself is updated and published to the device.
Even when the new SSL signing certificate is applied, profiles currently on enrolled devices will always display the certificate used when the profile was first installed. Existing profiles will show as Unverified even after a certificate is renewed/applied.
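To see how close a profile's signing certificate is to expiry, the shell functions below inspect a profile file saved to disk and report whether it is signed and when its signer certificate expires. This is an added example, not Addigy tooling: it assumes the `openssl` CLI, the state names and the `mdm.example.test` certificate are constructed for illustration, and it does not evaluate chain trust, which the device also requires before showing Verified.

```shell
#!/bin/sh
# Added example (not Addigy code). State names are illustrative, not Apple's UI strings.
# Usage: profile_signing_state FILE [WARN_DAYS]
profile_signing_state() {
    profile=$1
    warn_days=${2:-30}
    signer=$(mktemp) || return 2
    # A signed profile is a DER-encoded PKCS#7/CMS SignedData blob wrapping the plist.
    # -noverify skips chain and validity checks so an expired signer can still be
    # extracted; only the signature over the content is checked here.
    if ! openssl smime -verify -noverify -inform DER -in "$profile" \
            -signer "$signer" -out /dev/null 2>/dev/null; then
        rm -f "$signer"
        echo "unsigned-or-invalid"   # plain XML plist, or signature does not verify
        return 0
    fi
    not_after=$(openssl x509 -in "$signer" -noout -enddate | cut -d= -f2)
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$signer" -noout -checkend 0 >/dev/null; then
        state="signer-expired"
    elif ! openssl x509 -in "$signer" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        state="signer-expiring"
    else
        state="signer-valid"
    fi
    rm -f "$signer"
    echo "$state notAfter=$not_after"
}

# Constructed sample input: a throwaway self-signed certificate (hypothetical CN)
# signs a minimal plist, packaged the way a signed profile is.
# Usage: make_sample_profile DIR DAYS_VALID
make_sample_profile() {
    dir=$1; days=$2
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0"><dict><key>PayloadType</key><string>Configuration</string></dict></plist>' \
        > "$dir/unsigned.mobileconfig"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=mdm.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl smime -sign -nodetach -outform DER \
        -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -in "$dir/unsigned.mobileconfig" -out "$dir/signed.mobileconfig" 2>/dev/null
}
```

A `signer-expired` result on a saved profile corresponds to the condition described above, where the profile keeps working but is no longer backed by a currently valid signing certificate.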
Resolution
Reinstalling the Addigy MDM Profile will replace the existing MDM Profile signed by the previous SSL Certificate. Currently, this can be performed by pressing the +MDM button on the Devices page grid.
Once updated, the MDM Enrollment Profile and MDM Configurations should show they are signed by mdm.addigy.com and are valid until the next expiration date.
If you would like to rectify this on a group of devices without using +MDM, a heavier-handed mechanism can be leveraged, but it may have an additional impact on the devices, such as redeploying all MDM Configurations. Please create a support ticket for more information on this mechanism.