iOS 10.3 MDM Profile Installation Failed

hottingert
New Contributor III

My MDM Profile fails when I try to install it on an iPad Air with iOS 10.3. When I install it on a non iOS 10.3, it works. Any suggestions?

33dd7af0d570426f82fcdc5e3d54e4e6

5 REPLIES 5

antzinoz
New Contributor II

You could be running into this issue if you're running 9.98:

http://docs.jamf.com/9.98/casper-suite/release-notes/Known_Issues.html

Beginning with iOS 10.3, during user-initiated enrollment of a device, the MDM profile is unable to be installed if the device does not trust the JSS built-in certificate authority (CA) signed Tomcat SSL certificate. This is also true of any Tomcat SSL certificates that are self-signed or issued from a CA that the device does not trust by default. In previous versions of iOS, installing the CA certificate during enrollment caused the device to trust the CA but this is no longer the case. This is the result of intended behavior and will not be resolved.
To manually trust the CA certificate installed during enrollment on the iOS device, go to Settings > About > Certificate Trust Settings.
For a list of trusted certificates for iOS devices, see the following Apple Knowledge Base article: https://support.apple.com/en-us/HT204132

msmith80
New Contributor III

I had a very similar issue if not the same. I had to delete the Safari cache and always allow cookies to get the MDM to install. The above steps from JAMF didn't work for me.

Aaron
Contributor II

I came across this today - I'm assuming that this feature will make its way into macOS eventually?

So the ultimate fix would be to stop using self signed certificates altogether?

jaymckay
New Contributor II

Antzinoz's steps worked for me. I think the trick is before you go to install the MDM profile (right after you install the certificate) hop over to settings, toggle the switch in that About-Trust Certificates area, then hop back to safari and finish the MDM installation. This worked perfectly for me...

jgalligan
New Contributor

Antzinoz's steps also worked for me. Thanks!