What happens when the Apple Configurator Certs Expire?

jsmillie
New Contributor III

So I was looking at some iPads I deployed some time ago using Apple Configurator. Last summer I brought them all in (about 220 units), wiped them, used Configurator to install iOS 5.1, all supervised, and named according to the Teacher they were given out to and enrolled into the JSS with an enrollment profile. Haven't seen the iPads since. Last few weeks I've had a few come back with misc problems and I noticed within the Supervision Profile the "Signing Certificate" and "Certificate" for Apple Configurator both expire on August 13, 2013. Anyone know what will happen on/after August 13, 2013 with these units?


AndyBeaver
Contributor II

I am very interested in this as well. I emailed my Apple SE and will let you know what he says.

AndyBeaver
Contributor II

I spoke to my Apple SE and he advised me that the cert expiration will NOT cause an iOS device to lose the relationship with a Configurator instance. If I have it correctly, a supervised device has the normal paired relationship writing to /var/root/Library/Lockdown/pair_records, and the Configurator instance gets the iOS escrow key as usual. Which makes me want to ask if the only difference between an expired AC cert and a current one, being the verification of the supervision profile? Long story short, Apple says it's not a deal breaker.

jsmillie
New Contributor III

Thank you so much for writing this info back. I was really worried not necessarily that I couldn't do my normal procedures this summer as they will probably all be looked at again before the expiration date, but during the coming school year could have been a nightmare.

AndyBeaver
Contributor II

I'll also add that if you go into Keychain and manually edit the cert, changing to "Always Trust", it will again show your supervision profile as verified. Seems to prevent some weird behaviors during refreshes. For what it's worth...

pmullen
New Contributor

Thanks for this info.
So how does one "renew" it even if it isn't a "deal breaker"?

Thanks!

sboutot
New Contributor II

You can renew this by going into Keychain Access on the computer with Apple Configurator on it. Within Keychain, select login under Keychains, and select My Certificates under Categories. Then delete the Apple Configurator certificate. When you reopen Apple Configurator, this will generate a new certificate for your use. Recommend testing on a device after you renew if possible, since you may notice a slowness when unsupervising a device after renewing the certificate.

pmullen
New Contributor

Susan, thank you.

sram
New Contributor II

If you delete the cert from Keychain Access and let AC create a new one on launch, your iOS devices will be wiped and re-supervised the next time you refresh. One thing I think is new with iOS 8 is that the expired supervision cert title displays in red, which draws attention to an expired cert more than it did in < 8.
As for how to *update* the cert rather than replace, I'm still looking into it. As an earlier post indicates, however, it doesn't actually seem to be necessary. I've not noticed any ill effects of an expired cert.

Sandy
Valued Contributor II

hi,
this seems to be a bigger issue now, whether due to Apple Configurator 1.7.1 or something else.
When I sync with Configurator, my AC certificate is now expired.
If I REPLACE the certificate using Keychain Access per above, the device is wiped, all apps removed, student work deleted, and then it re-adds everything with new certificate. Not the best solution for mid-year.
If I leave the expired cert in place and sync to add and update apps, then the Apple Configurator profiles all have giant red delete profile buttons. Since we use the AC profiles to restrict the App Store and prevent App Deletion, this is pretty big hole... We did this as AC Profiles can be locked onto the device. Kids had learned pretty fast to un-enroll the device from MDM to get to the App Store.
Still not seeing any info on RENEWING the AC cert, so probably will be calling Apple when I get back to my office.
Sandy

asmith1991
New Contributor

Sandy - did you get a response from Apple? I too have the same issue with multiple hundred devices.

RobertHammen
Valued Contributor II

Have a client with the same issue... @Sandy, would appreciate hearing anything from Apple that you can share publicly...

Sandy
Valued Contributor II

Hi,

I never got any response from my email to Apple, and then kind of just forgot about it :(

Since we were not in a position to wipe our devices, we just resynced with the expired cert. The syncing was successful, the devices stayed supervised.
On a few after syncing we were able to then remove the Apple Configurator installed profiles. This did not hold true across all of them however (of course, because this is Apple Configurator!)
Since we are working on gr 3-4 iPads we decided to live with it...
Sorry I don't have anything more useful!
S

RobertHammen
Valued Contributor II

I didn't get a chance to test this today. Wondering what happens with the old volume license app codes assigned by Configurator, when you replace the expired cert, and then wipe/resync the devices, if the codes are reclaimed or marked as used.

+1 for #becauseConfigurator...

RobertHammen
Valued Contributor II

Alright, had the opportunity to try this on an iPad that could be wiped.

Quit Configurator, archived and deleted the expired Configurator certificate. Re-opened Configurator, and sure enough, a new one was created, with an expiration in a year.

Unsupervised the test iPad, then let it Prepare and re-supervise it. Enrolled my iOS device into the JSS using an enrollment profile, and everything worked...

EXCEPT

my MDM Profile and my Apple Configurator profile are removable. Uh, if Configurator is handling the installation, these should NOT be removable!

(there were some other issues/devices were all enrolled in DEP and assigned to the server, removed them/removed the DEP server from Casper before this test as I did not want this to potentially conflict with Configurator).

Anyone ever have this experience? Not necessarily a Casper issue...

Sandy
Valued Contributor II

Hi Robert!
Actually, the only way to prevent the MDM profile from being deleted is enrollment via DEP. Apple Configurator does not allow us to prevent the removal of the MDM.

Upon further testing of the expired certificate, we found that the Apple Configurator profile was removable but I was not able to find any negative impact from this.
I had previously reported that the expired AC cert allowed my App Store restrictions (created in AC) to be deleted, but this was actually the setting in the profile that had been changed to Allow Removal: Always.
So for us, we went forward with the expired certificate rather than having to un-supervise re-supervise in order to acquire a new certificate.
The thing about Apple Configurator... despite what seems like exactly the same treatment from cart to cart often gives different results, for no reason that we can verify....
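
The post above traces the removable restrictions to the profile's own Allow Removal setting rather than to the expired certificate. The following is an added example, not code from this thread or from Apple or Jamf: it reads an exported configuration profile and reports whether its App Store and app-deletion restrictions can be dropped simply by deleting the profile. It assumes the profile is an unsigned XML plist; the sample profile and the function name `audit_profile` are constructed for illustration.

```python
import plistlib

# Constructed sample: an unsigned restrictions profile (not taken from the thread).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Cart Restrictions (constructed)</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowAppInstallation</key><false/>
    <key>allowAppRemoval</key><false/>
  </dict></array>
</dict></plist>"""

# Restrictions payload keys for the App Store and app deletion.
WATCHED_KEYS = ("allowAppInstallation", "allowAppRemoval")


def audit_profile(data: bytes) -> dict:
    """Report removal settings and watched restrictions for one unsigned profile."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    locked = bool(profile.get("PayloadRemovalDisallowed", False))
    has_password = any(
        p.get("PayloadType") == "com.apple.profileRemovalPassword" for p in payloads
    )
    enforced = sorted(
        key
        for p in payloads
        if p.get("PayloadType") == "com.apple.applicationaccess"
        for key in WATCHED_KEYS
        if p.get(key) is False
    )
    return {
        "name": profile.get("PayloadDisplayName", "(unnamed)"),
        "removal_disallowed": locked,
        "has_removal_password": has_password,
        "enforced": enforced,
        # Restrictions that a user can drop by deleting the profile.
        "restrictions_removable": bool(enforced) and not locked and not has_password,
    }


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

Running this over each profile before a sync shows which ones would be removable regardless of the certificate's state.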

Mar
New Contributor

Hi Sandy!

I'm very worried about that situation too. I'm in contact with Air-Watch but they told me not to worry about that.
Their words were:

"The Configurator Certificate is ONLY used to authenticate the devices to the configurator Mac machine.
This certificate expiry will not affect Air-Watch. You do not need to renew this certificate."

Anyway, I'm worried because we have all the devices distributed around Europe and if we have to re-enroll all the devices with renewed AC certificate....we would have a big problem.

Regards
Paco

St0rMl0rD
Contributor III

We have been having the same issue with Configurator for a while for our 600+ iPads. But now, it is giving us issues with re-activating the devices after they've been unsupervised. Basically, it wants to have the Apple ID and password of the user that last used the device with iCloud and Find my iPad. For most devices, we have the Activation Lock Bypass Code, but for two (at the moment), we do not. Since the users have left our company, we cannot get the Apple ID information from them, so we will have to contact Apple and ask them to activate the device with proof of purchase.

I have also contacted our Apple Senior Systems Administrator and he also said he doesn't know how to solve that, so...

If anyone has any new information on how to solve the expired Apple Configurator certificate, please post it.

St0rMl0rD
Contributor III

OK, we submitted a bug via bugreporter, and we got this response from Apple:
------------------------------------------------------------------------
Engineering has determined that your bug report is a duplicate of another issue and will be closed.

The open or closed status of the original bug report your issue was duplicated to appears in the yellow "Duplicate of XXXXXXXX" section of the bug reporter user interface. This section appears near the top of the right column's bug detail view just under the bug number, title, state, product and rank.

An example of the duplicate section from the bug reporter user interface with your bug and the duplicate bug info is included below:

(bug number here) Apple Configurator certificate on the iOS device shows as expired, resulting in unexpected behavior
------------------------------------------------------------------------

So it's an Apple Configurator bug, looks like we just have to wait for the engineering team to fix it.