
ESET MDM and iOS 12


maiki

  • ESET Staff

Hello,

We use iOS built-in MDM which is backward compatible. So it should.

However, I don't recall we had tested this (as it was released recently), so to ensure please raise a support ticket, so our QA engineers can check.

We'll be releasing configuration updates later if there are any notable changes, these will be delivered to existing installations via module updates.


Hello forum,

ESET MDM is not compatible with iOS 12. If I try to install the profile, the iPad says "Profilinstallation ist fehlgeschlagen Profil konnte nicht installiert werden."

Could someone else please test iOS 12?

Thanks

Maik


Me too! Just went to enroll an iOS 12 iPhone and get "Profile failed to install" on the phone. So my big fear is, am I about to lose ALL my iPhones in the MDM, as users upgrade to 12? ESET please reply!!!

Edited by noorigin

  • ESET Staff

@maiki & @noorigin Can you please report a specific version of Mobile Device Connector that you are using and also the version of ERA?

We have verified it internally, that it's possible both to enroll / manage mobile phone via ERA 6.5 & ESMC V7.0, so it might be a different problem.

Also, if possible, please provide logs from the mobile device connector, from the time you were attempting to enroll the device.

I have an iPhone that was managed (connected to my MDM) with iOS 11 & it survived the upgrade to iOS 12 without any issue.


  • ESET Staff

Please create support tickets as these issues usually require more information.

I'll note we will need log collector logs as we need to check certificate assigned to MDM HTTPS interface.

It's also possible we will need Wireshark logs, as devices may simply refuse communication due to TLS stack and on v6.5 we used Windows implementation (switched to OpenSSL on v7). We already encountered some issues with Windows TLS, namely security patches (or users) disabling some cipher suites or hash algorithms required for Apple devices (and services) to work correctly.


 

@MichaelJ Where do I find the MDC version?  ERA is v6.5.522.0

2018-09-25 19:47:00 E [8044] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Handshake failed to complete) for peer [::ffff:172.58.168.233]:28351, local [::ffff:10.10.10.20]:9981
2018-09-25 19:48:54 E [8756] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Handshake failed to complete) for peer [::ffff:172.58.168.233]:58175, local [::ffff:10.10.10.20]:9981
 

That is a log entry from trace.log of what I assume is the error considering the timestamp (I tried again today)

 

@LegacyConnectorSupport Ticket was created. How do I "log collector logs"?

 

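Added example, not part of the original thread and not ESET code: a small triage script for the trace.log format quoted in the post above. It groups failed TLS handshakes by peer address and local port, so repeated failures from the same device stand out. The sample lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the trace.log format quoted in the post above;
# peer addresses are documentation ranges, not real devices.
SAMPLE_LOG = """\
2018-09-25 19:47:00 E [8044] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Handshake failed to complete) for peer [::ffff:198.51.100.7]:28351, local [::ffff:10.10.10.20]:9981
2018-09-25 19:47:02 I [8044] Some unrelated informational line
2018-09-25 19:48:54 E [8756] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Handshake failed to complete) for peer [::ffff:198.51.100.7]:58175, local [::ffff:10.10.10.20]:9981
2018-09-25 19:50:10 E [8756] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Handshake failed to complete) for peer [2001:db8::5]:40112, local [::ffff:10.10.10.20]:9980
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w) \[(?P<tid>\d+)\] "
    r".*?NodSslException, NodSsl function (?P<func>\S+) returned an error "
    r"\((?P<reason>[^)]*)\) for peer \[(?P<peer>[^\]]+)\]:(?P<pport>\d+), "
    r"local \[(?P<local>[^\]]+)\]:(?P<lport>\d+)$"
)


def normalize(addr):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 text."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped or ip)


def handshake_failures(log_text):
    """Return {(peer_ip, local_port): [timestamps]} for failed TLS handshakes."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not NodSslException errors are skipped
            key = (normalize(m["peer"]), int(m["lport"]))
            failures[key].append(m["ts"])
    return dict(failures)


def repeated_failures(log_text, threshold=2):
    """Peers that failed the handshake at least `threshold` times on one port."""
    return {k: v for k, v in handshake_failures(log_text).items() if len(v) >= threshold}


if __name__ == "__main__":
    for (peer, port), stamps in repeated_failures(SAMPLE_LOG).items():
        print(f"{peer} -> local port {port}: {len(stamps)} failed handshakes {stamps}")
```

A peer that fails every handshake points at the server's TLS parameters (certificate or cipher suites) rather than a transient network fault, which is why the staff replies ask for the certificate and a packet capture.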

 

On 9/25/2018 at 10:22 AM, MichalJ said:

@maiki & @noorigin Can you please report a specific version of Mobile Device Connector that you are using and also the version of ERA?

We have verified it internally, that it's possible both to enroll / manage mobile phone via ERA 6.5 & ESMC V7.0, so it might be a different problem.

Also, if possible, please provide logs from the mobile device connector, from the time you were attempting to enroll the device.

I have an iPhone that was managed (connected to my MDM) with iOS 11 & it survived the upgrade to iOS 12 without any issue.

Hello MichalJ

We have Server 7.0.451.0 and MDC 7.0.413.0.

How can I see the log files from the MDC Appliance?

Thanks Maik


  • 2 weeks later...
  • ESET Staff

Hello,

Apple changed security requirements for iOS 12.

However, what most customers would be affected by is the certificate signature algorithm requirements (server certificates with SHA1 signature are no longer accepted).

With ESMC (when advanced security is turned on) You can create such a certificate and then run a certificate change process on MDC.

HTH.

Edited by LegacyConnectorSupport

  • ESET Staff

No, it's just one of the ways how to generate a valid certificate which will be trusted by iOS 12. (and based on your logs you meet other preconditions)

Your other options are

* create certificate manually (however it must be either self-signed or signed by ERA CA in MDC versions prior to 7)

* purchase a certificate from an official authority which is trusted by iOS implicitly. 1)

Please also ensure that when You are about to set this certificate to MDC it contains root CA. In version 7 we require this as we no longer use system dependent TLS layer (so You save yourself some work when upgrading)

1) https://support.apple.com/en-us/HT204132


 

On 10/5/2018 at 10:12 AM, LegacyConnectorSupport said:

* create certificate manually (however it must be either self-signed or signed by ERA CA in MDC versions prior to 7)

The current certificate was created in ERA and ERA CA is the issuer. Would just recreating it work?

Edited by noorigin

  • ESET Staff

ERA 6.5 AFAIK has the ability to create sha256 signed certificates. (but You will need to enable advanced security)

In the end, the safest bet when it comes to iOS devices is purchasing a trusted issuer certificate as trust is pre-installed on the device. 99% of iOS enrollment issues are due to not established trust between MDM and device, then it's just about finding out which criterion was not met.

We'll be putting up KB with pre-requisites as there are more of them, I will post a link here when it's complete.

Edited by LegacyConnectorSupport
Invalid information.

On 10/5/2018 at 2:54 PM, LegacyConnectorSupport said:

Hello,

Apple changed security requirements for iOS 12.

However, what most customers would be affected by is the certificate signature algorithm requirements (server certificates with SHA1 signature are no longer accepted).

With ESMC (when advanced security is turned on) You can create such a certificate and then run a certificate change process on MDC.

HTH.

Hello Forum,

 

I have created a new certificate with advanced security turned on, but on iOS 12 it is not working anymore. What could we do...

 

Thanks Maik


  • ESET Staff

Can You PM me your MDM site if it's visible to the world? There are other pre-requisites (PFS cipher suites in 6.X this depends on OS/openssl version, etc...)


On 10/10/2018 at 4:19 AM, Mirek S. said:

We'll be putting up KB with pre-requisites as there are more of them, I will post a link here when it's complete.

Is there an ETA on when the KB will be released? Our issue is still not resolved.


This topic is now closed to further replies.