Hi all,

Some of our users figured out they can disable the MDM root certificate which seems to stop the iPad from checking in, receiving commands, and they can't be focused into one app. Does anybody know a solution to this?

Thanks,
Jared

In your pre-stage enrollment do you have the "Make MDM Profile Mandatory" box checked?


Yes we do @etbragg. Allowing the users to disable the certificate defeats the purpose of making the MDM profile mandatory.


How do they disable the cert? I'll try to reproduce it and see if I can figure anything out. It makes me worry about my own devices.


On the iPad, go to Settings > General > About > Certificate Trust Settings, which shows the JSS signing certificate.


Sorry, I was in a meeting earlier and misspoke. I meant to ask if "Disallow MDM Profile Removal" was checked. With my test device, I'm unable to remove any certificates. I'll take that option away, wipe, and see if that changes anything.


/deleted


I think you found a real problem here. I've put every restriction available on my test device and the option is still there. I'll be interested to see if anyone else chimes in.


@etbragg Once you disable it, does it stop communicating with the JSS?


If you're using DEP and the devices are supervised I don't think you should be able to remove the root certificate. Are your devices in DEP and did you enroll them with a Prestage Enrollment with the Devices Supervised and Make MDM Profile mandatory options checked? Maybe it's a bug in iOS 10.0.2 that you have installed on your device. I'm not seeing that on 9.3.5 or 10.1.


@mpermann It isn't removing the root certificate, but it is disabling it.


Sorry, I typed the wrong word. I can't disable it on either my iPhone 5s running 10.1 or on my iPad mini running 9.3.5. My iPhone 5s isn't even DEP enabled but it will not let me slide the slider over to disable it. On the iPad mini with iOS 9.3.5 I don't have Certificate Trust Settings as an option to tap on, just Trust Store. But it can't be tapped on. I don't have a DEP enabled iPad with 10.1 to look at to see if it's different.


I see this too, but for some reason, after comparing two devices, on one I can slide both my RADIUS cert and the JSS cert off. The other one says: "Some certificate settings are enforced by 'MDM Profile'." It displayed this before a configuration profile was scoped to it, so it can't be a restriction.


It must be a bug in iOS 10. Apple needs to fix this because once users figure out that it disables Casper we are going to run into issues.


This might be an issue with iOS 10.0.0.2 specifically. The one I mentioned earlier that had the ability to turn off the certs was running 10.0.0.2 and had an earlier, different trust store version number. The one that had the buttons greyed out was running 10.1 and had a newer trust store version number. I just replicated that by updating the other one to 10.1, and the ability to turn them off was disabled.


I too have an iPad that is running 10.1 and the option to turn off trusting the certificate is greyed out. Maybe 10.1 fixed that problem.