Important information about ZENworks & iOS 13
As most of you know, iOS 13 is about to be released. During our testing of the beta version of iOS 13, we saw a change in behavior that I want to share with you.
In iOS 13 Apple has placed some additional restrictions on certificates which are used for establishing secure communication. These restrictions are documented here -
Impact on managing iOS devices with ZENworks
For ZENworks, this change means that if the server certificate of the MDM server doesn't meet these criteria, communication between the server and iOS devices will break, with the following results:
- Already enrolled devices - As and when iOS devices upgrade to iOS 13, they would stop trusting the server and thus would stop communicating with it. The policies and applications would still be on the device, but it won't be possible to manage or communicate with the device.
- New device enrollments - Any iOS device running iOS 13 would fail to enroll.
How to find out if you are impacted -
Navigate to the ZCC of the MDM server and retrieve the certificate it presents (from the browser navigation bar). You can then inspect the certificate details and make sure they meet the criteria.
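The same inspection can be scripted with OpenSSL. This is an added example, not ZENworks or Micro Focus code; the checks follow Apple's published iOS 13 requirements for TLS server certificates (which this post links to but does not list), and the function names `check_ios13_cert` and `make_sample_certs` are illustrative. It assumes OpenSSL 1.1.1 or later and GNU `date`.

```shell
# check_ios13_cert FILE: exit status 0 if the PEM certificate passes, 1 if not.
# Added example; function names are illustrative, not part of ZENworks.
check_ios13_cert() (
  pem=$1; fails=0
  text=$(openssl x509 -in "$pem" -noout -text) || exit 2
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  has() { printf '%s\n' "$text" | grep -Eq "$1"; }

  # RSA keys must be at least 2048 bits.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if has 'Public Key Algorithm: rsaEncryption' && [ "$bits" -lt 2048 ]; then
    fail "RSA key is $bits bits (need >= 2048)"
  fi
  # The certificate signature must use a SHA-2 family hash.
  has 'Signature Algorithm: .*(sha|SHA)(224|256|384|512)' || fail "signature hash is not SHA-2"
  # The server's DNS name must be in subjectAltName; the CN alone is not trusted.
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' \
    || fail "no DNS name in subjectAltName"

  # Certificates issued after 1 July 2019 must also carry the serverAuth
  # extended key usage and be valid for 825 days or fewer.
  start=$(date -u -d "$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)" +%s)
  end=$(date -u -d "$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)" +%s)
  if [ "$start" -gt "$(date -u -d 2019-07-01 +%s)" ]; then
    has 'TLS Web Server Authentication' || fail "extendedKeyUsage lacks serverAuth"
    days=$(( (end - start) / 86400 ))
    [ "$days" -le 825 ] || fail "validity is $days days (need <= 825)"
  fi
  [ "$fails" -eq 0 ] && echo "PASS: $pem"
  [ "$fails" -eq 0 ]
)

# Constructed sample input: two throwaway self-signed certificates written to DIR.
# good.pem meets every rule; bad.pem has no SAN, no serverAuth EKU, 10-year validity.
make_sample_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=mdm.example.test" -addext "subjectAltName=DNS:mdm.example.test" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$1/good.key" -out "$1/good.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=mdm.example.test" -keyout "$1/bad.key" -out "$1/bad.pem" 2>/dev/null
}
```

To check the live server, first save the certificate it presents as a PEM file (for example by exporting it from the browser, as described above) and pass that file to `check_ios13_cert`.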
What to do if you are impacted -
If you are impacted, the only way to fix the issue is to re-mint the certificate of the MDM server.
If you are using an externally issued certificate (not issued by the inbuilt ZENworks CA), you would need to get a new certificate issued that meets the guidelines and deploy it.
However, if you are using the internal ZENworks certificate for the MDM server, our current re-minting workflow won't generate a certificate that meets the required criteria. We are currently working on a fix for the re-minting workflow. We expect this fix to be available soon (before the release of iOS 13). We are planning to make this fix available as an FTF for the latest version of ZENworks - ZENworks 17.4.
If you are running an older version, are impacted and are unable to move to 17.4, please send an email to email@example.com.
In the meantime, if you are impacted, you can take some steps to lessen the impact. A setting called 'OS Update' is available for iOS in the Mobile Device Control Policy. Using this setting, it is possible to delay the visibility of an OS update on devices by up to 90 days. However, this setting is only applicable to Supervised devices.
Once we have the fix ready, I'll update this post with relevant details.