Overview


Apple MDM systems use SSL certificates to sign MDM profiles for installation. Signing gives the installation process enhanced security and trust. Typically, SSL certificates are valid for one to five years. More recently, Apple, Google, and several others have pushed to support only 1-year SSL certificates.


When a valid SSL certificate is used to sign profiles, macOS and iOS device users will see that the Addigy MDM profile has been Verified by a trusted source, as shown in the image below. If an expired or otherwise invalid SSL certificate is used, the profile will show as Unverified instead. In this case, the client cannot be sure that the profile was sent by the server directly. If no certificate is used at all, the profile will simply show as Unsigned.



[Image: Verified]


[Image: Unverified]


MDM SSL Signing Profile Expiration


All profiles show as Verified during installation, and all profiles that are currently installed show as Verified on the device. Addigy's SSL certificate, issued by SSL.com DV CA, has signed all Addigy MDM profiles and expires July 19 2020. When the certificate expires, profiles that are currently installed on devices will show as Unverified (see image above). Addigy is in the process of replacing the expiring SSL certificate with a new SSL certificate (mdm.addigy.com), which will expire June 14 2021.
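The check below is an added example, not Addigy's tooling: it uses openssl to read the signer certificate embedded in a .mobileconfig file and reports whether the profile is unsigned, or whether that certificate is expired or close to expiry. The function names, the 30-day default window, and the sample profile signed by a throwaway mdm.example.test certificate are assumptions made for illustration.

```sh
#!/bin/sh
# Classify a .mobileconfig by its signer certificate:
#   unsigned | bad-signature | expired | expiring | valid
# $1 = profile path, $2 = warning window in days (default 30)
profile_signer_status() {
    profile=$1; warn_secs=$(( ${2:-30} * 86400 ))
    signer=$(mktemp)
    # A signed profile is a DER-encoded PKCS#7/CMS SignedData wrapper around
    # the plist; a bare plist fails to parse as PKCS#7.
    if ! openssl pkcs7 -inform DER -in "$profile" -noout 2>/dev/null; then
        status=unsigned
    # -noverify skips chain and expiry checks, so the signer certificate is
    # written out even when it has already expired.
    elif ! openssl smime -verify -inform DER -in "$profile" -noverify \
            -signer "$signer" -out /dev/null 2>/dev/null; then
        status=bad-signature
    elif ! openssl x509 -in "$signer" -noout -checkend 0 >/dev/null; then
        status=expired
    elif ! openssl x509 -in "$signer" -noout -checkend "$warn_secs" >/dev/null; then
        status=expiring
    else
        status=valid
    fi
    rm -f "$signer"
    echo "$status"
}

# Constructed sample: a throwaway self-signed key signs a minimal plist.
# mdm.example.test and the 10-day lifetime are made-up test values.
make_sample_profiles() {
    dir=$1
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0"><dict><key>PayloadType</key>' \
        '<string>Configuration</string></dict></plist>' > "$dir/unsigned.mobileconfig"
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=mdm.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl smime -sign -binary -nodetach -outform DER -signer "$dir/cert.pem" \
        -inkey "$dir/key.pem" -in "$dir/unsigned.mobileconfig" \
        -out "$dir/signed.mobileconfig" 2>/dev/null
}
```

The result reflects only the dates on the embedded signer certificate; it does not reproduce the trust evaluation a device performs when it labels a profile Verified or Unverified.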



Expiration Impact

Expiration has no functional impact on the behavior of installed profiles. Profiles originally signed with a now-expired certificate will continue to function as they always have.


On devices, the installed profile is tied to the signing certificate that was originally installed on the device. Profiles currently installed on the device will show as Unverified if viewed from the device settings. Even so, once the profile is installed on the device, it no longer plays a part in any network transactions unless the profile itself is updated and published to the device.


Even when the new SSL signing certificate is applied, profiles currently on enrolled devices will always display the certificate used when the profile was first installed. Existing profiles will show as Unverified even after a certificate is renewed/applied.


Resolution


Reinstalling the Addigy MDM Profile will replace the existing MDM Profile signed by the previous SSL Certificate. Currently, this can be performed by pressing the +MDM button on the Devices page grid.


An automatic mechanism for updating the MDM Profiles will be deployed on July 6 2020 to update all existing MDM Profiles on devices.


This mechanism will automatically update the installed MDM Enrollment Profile and MDM Configurations assigned to devices via Policies.


Once updated, the MDM Enrollment Profile and MDM Configurations should show they are signed by mdm.addigy.com and are valid until June 14 2021.