As most of you know, iOS 13 has been released. While testing the beta version of iOS 13, we saw a change in behavior that I want to share with you.
In iOS 13, Apple has placed additional restrictions on the certificates used to establish secure communication. These restrictions are documented here -
Impact on managing iOS devices with ZENworks
For ZENworks, this change means that if the server certificate of the MDM server does not meet these criteria, communication between the server and iOS devices breaks, with the following results:
Already enrolled devices - As and when iOS devices upgrade to iOS 13, they would stop trusting the server and thus stop communicating with it. The policies and applications would still be on the device, but it would no longer be possible to manage or communicate with the device.
New device enrollments - Any iOS device running iOS 13 would fail to enroll.
How to find out if you are impacted -
Navigate to the ZCC of the MDM server and retrieve the certificate it presents (from the browser navigation bar). Inspect the certificate details and make sure they meet the criteria.
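One way to automate the inspection described above, as an added example that is not ZENworks or Apple code: the Go function below checks a parsed certificate against the requirements Apple published for TLS server certificates in iOS 13, which this page links to but does not list. The `sampleCert` helper and the certificates it builds are constructed for the demonstration.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// iOS13Problems lists the iOS 13 TLS server certificate rules that cert breaks.
func iOS13Problems(cert *x509.Certificate) (p []string) {
	if k, ok := cert.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		p = append(p, "RSA key smaller than 2048 bits")
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		p = append(p, "signature hash is not from the SHA-2 family")
	}
	if len(cert.DNSNames) == 0 { // a name carried only in the CommonName is not trusted
		p = append(p, "no DNS name in subjectAltName")
	}
	if cert.NotBefore.After(time.Date(2019, 7, 1, 0, 0, 0, 0, time.UTC)) { // newer certificates only
		serverAuth := false
		for _, u := range cert.ExtKeyUsage {
			serverAuth = serverAuth || u == x509.ExtKeyUsageServerAuth
		}
		if !serverAuth {
			p = append(p, "ExtendedKeyUsage lacks id-kp-serverAuth")
		}
		if cert.NotAfter.Sub(cert.NotBefore) > 825*24*time.Hour {
			p = append(p, "validity period longer than 825 days")
		}
	}
	return p
}

// sampleCert builds a constructed self-signed certificate; errors are ignored for brevity.
func sampleCert(bits, days int, sans []string, eku []x509.ExtKeyUsage) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	now := time.Now().UTC()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(0, 0, days), DNSNames: sans, ExtKeyUsage: eku}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Println(iOS13Problems(sampleCert(1024, 3650, nil, nil)))
}
```

To check a real server, export its certificate from the browser as PEM and parse it with `encoding/pem` and `x509.ParseCertificate` before calling `iOS13Problems`.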
What to do if you are impacted -
If you are impacted, the only way to fix the issue is to re-mint the certificate of the MDM server.
If you are using an externally issued certificate (not one issued by the inbuilt ZENworks CA), you would need to get a new certificate issued that meets the guidelines and deploy it.
However, if you are using the internal ZENworks certificate for the MDM server, the current re-minting workflow in ZENworks 2017.x won't generate a certificate that meets the required criteria. To fix the re-minting workflow on ZENworks 17.4.x, refer to the following:
Please note that ZENworks 2020 already has the updated certificate re-mint workflow, which can generate a certificate that meets the Apple criteria.
If you are running an older version, are impacted and are unable to move to 17.4, please send an email to firstname.lastname@example.org .
In the meantime, if you are impacted, you can take some steps to lessen the impact. A setting called 'OS Update' is available for iOS in the Mobile Device Control Policy. Using this setting, it is possible to delay the visibility of the OS update on devices by up to 90 days. However, this setting applies only to Supervised devices.