Unless I've missed an available setting somewhere, it does not appear possible to make a private key non-exportable if the certificate containing it was installed from a mobileconfig profile.
This is a big problem for me- it means I can either keep the network up when users aren't logged in, or I can comply with my security requirements, but not both.
Anyone found a way to make a private key non-exportable when installed from a mobileconfig?
