FrankM, posted November 30, 2021

Hello,

I've updated our company wildcard certificate "*.company" within the MDC policy, because the old one will be invalid next week. (See attachment)

The MDM shows two alerts:

Quote: HTTPS certificate change still in progress. The old certificate is still being used The "Force certificate change on" has not yet been reached

I checked two iPhones with this alert:

Quote: Device hasn't updated its HTTPS certificate yet.

But if I check the profile on the phone, I can see both "*.company" certificates, the new one and the old one. So to me it looks like the certificate is updated. (Android phones also show the warning, but I didn't check the phones.)

So I'm really confused! What's going wrong here?

Thanks
Frank

Mirek S. (ESET Staff), posted December 22, 2021 (edited)

Hello,

MDM certificate change is a somewhat complicated process due to support for self-signed certificates.

MDM first installs a dual-trust profile (the device will trust both the old and the new certificate), then replaces the enrollment profile with trust to the new certificate. At this moment both certificates are still trusted. When all devices arrive in the previous state (or a timeout happens), MDM exchanges its outside HTTPS certificate with the new one. Then the process of uninstalling the dual-trust profile (installed as the first step) is run. Until all this is complete there is some protection state on devices / MDM.

As a side note, for newer EESA versions EESA (like iOS) also trusts 3rd-party root CAs preinstalled in the device certificate store. Currently the certificate change process isn't adapted to this; however, even if some protection state persists, the entire process is safer with such certificates, as devices which fail to exchange trust will still continue to connect.

If some protection state persists after the MDM certificate is exchanged, please contact support, as it (as always) could be an issue on our side.

HTH,
M.

Edited December 22, 2021 by Mirek S.
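
The ordering described in the post above can be walked through as a small model, which shows why a phone that already holds both certificates is still flagged while the server waits for the remaining devices. This is an added example, not part of the thread and not ESET's code; the class, function and field names, the `old-cert`/`new-cert` labels, the alert condition, and treating the timeout as the "Force certificate change on" date are assumptions made for illustration.

```python
from dataclasses import dataclass, field

OLD, NEW = "old-cert", "new-cert"  # constructed labels, not real certificates

@dataclass
class Device:  # hypothetical model of one enrolled device
    name: str
    online: bool = True               # does it check in during the change window?
    trusts_public_cas: bool = False   # newer EESA / iOS behaviour, per the post
    trusted: set = field(default_factory=lambda: {OLD})
    dual_trust_installed: bool = False

def can_connect(dev, served, served_is_public):
    """A device reaches the MDM if it trusts the served certificate or its public CA."""
    return served in dev.trusted or (served_is_public and dev.trusts_public_cas)

def run_change(devices, force_date_reached, new_is_public=False):
    """Walk the steps from the post; return (served cert, flagged devices, cut-off devices)."""
    served = OLD
    # Steps 1 and 2: dual-trust profile, then enrollment profile re-issued for NEW.
    for d in devices:
        if d.online:
            d.trusted |= {NEW}
            d.dual_trust_installed = True
    # Step 3: the server swaps its HTTPS certificate only once every device is
    # ready, or the timeout (assumed: "Force certificate change on") is reached.
    if all(NEW in d.trusted for d in devices) or force_date_reached:
        served = NEW
        # Step 4: remove the dual-trust profile from devices that still connect.
        for d in devices:
            if d.online and can_connect(d, served, new_is_public):
                d.trusted.discard(OLD)
                d.dual_trust_installed = False
    # Assumed alert rule: a device stays flagged until the sequence finished for it.
    alerts = sorted(d.name for d in devices
                    if served == OLD or d.dual_trust_installed or NEW not in d.trusted)
    cut_off = sorted(d.name for d in devices
                     if not can_connect(d, served, new_is_public))
    return served, alerts, cut_off
```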

FrankM (Author), posted December 23, 2021

Hello,

thanks for the detailed explanation of the process. After the old certificate had expired, everything was as expected again. The indication is just confusing.

Frank