Martin Fired Up

iOS12 MDM - Not Supported - Certificate Issues


We have some iOS devices with iOS 12 and they don't work with the Kaspersky MDM (KES). When trying to induct a new device, the profile fails to install, and after debugging with Xcode it would appear it's related to certificates (intermediates); iOS devices on 11.4 and below work fine. Also, existing devices upgraded to iOS 12 have the profile installed but fail to respond to commands. We're up to date, running the latest versions of all the KES, MDM Server, etc.

I've emailed support but they didn't seem to know if iOS 12 will be supported by MDM in KES, or if it's being worked on.

Oddly, the documents below make some hints of iOS 12 for some components, just not specifically MDM. Given the beta for iOS 12 has been out since June, I'm surprised it's not supported.

Anyone else experiencing the same issues or know if this is going to get fixed?

We have a high number of iOS devices and given that the iOS software model forces you to upgrade as security vulnerabilities are only fixed in the latest version this seems like a bit of a problem.

 

https://products.s.kaspersky-labs.com/endpoints/ksmobile10/10.8.0.43/multilanguage-20180906_073651/english-20180906_073651/4a7dc6c6/release_notes_sp4_en.txt

https://products.s.kaspersky-labs.com/endpoints/ksmobile10/10.8.0.43/multilanguage-20180906_073651/english-20180906_073651/4a7dc6c6/SP4_KSM_Impl_Guide_EN.pdf

 

 


Yes, those settings are all correct. It gets all the way to the install stage in iOS, and it's after you press trust that you get the failed to install message.

To me it seems like something's changed in iOS 12 relating to certificate trust; possibly even the certificate key length that Kaspersky generates being only 1024 bits might be an issue. But that's just a guess.

Thanks

Martin.

 


Thanks for helping on this one. Yes, I've tried that one also; there is nothing displayed in that section on the phone as it doesn't get to install the certificate.

 

Thanks 

Martin.


We are facing the same issue. iOS devices updated to iOS 12 do not respond to commands.


Dear Martin,

We use Apple Configurator and I can provide a log (part of a log) which is maybe useful for you. Currently no Xcode installed....

Do you have any news with iOS 12?

logfile.txt


No news. I keep checking here https://www.kaspersky.co.uk/small-to-medium-business-security/downloads/mobile for a new release and any details, but nothing yet.

What's concerning me is that I couldn't get an answer from support on whether it was being worked on by Kaspersky, so I'm faced with: do I wait and see if they release a fix / update, or do I go elsewhere?

From your log I do think it's the same error we are seeing; however, we don't use Apple Configurator, we just email the link to the profile and install over the air.

 

If you hear anything let me know and I'll do the same.

Thanks

Martin.

 


Hello. Today I faced the same issue. A user updated an iPhone to the latest iOS 12, and installation of the MDM profile fails. Double-checked: MDM profile installation on older iOS versions works just fine.


Any reason why you cannot "roll back" to the previous version that worked, until the issues with "iOS devices with iOS 12" in the latest version are fixed?

 


For us, reverting back to a previous iOS version is problematic as a lot of these devices are personal devices. Also, I know the signing window is still open at the moment, but obviously that will close soon.

Thanks

Martin.


We got this from Kaspersky Support, but I have not had time to check it ...

"

The issue is most likely caused by iOS 12, which is not compatible with our current MDM server. In terms of Kaspersky MDM solution, the most important change in iOS 12 is that devices will no longer trust iOS MDM servers with 1024-bit server certificates and will require ECDHE ciphers as a must. It means that devices with iOS 12 installed will stop communicating with current iOS MDM server installations and will no longer be able to receive policies and commands from iOS MDM server. For new installations, you will not be able to install profile to iOS 12 devices.

Here are the solutions for two cases, but please note that KSC and MDM server must be first upgraded to latest version 10.5.1781.0. After that you can follow these steps:

I. For customers, who already have iOS MDM implemented:

1) Install PF5 SP3 on iOS MDM Server (attached)
2) We highly recommend purchasing 2048-bit key from trusted third-party CA like Thawte or DigiCert.
3) Full certificate chain should be installed for iOS MDM server (see attached screenshot)

*Customers who do not want to purchase certificates from public authorities may follow the instructions from part II. and re-deploy profiles to managed devices.

II. For customers, who only plan to implement iOS MDM:

1) Install iOS MDM Server and apply PF5 SP3
2) Remove %ProgramData%\KasperskyLab\IOSMDM\kliosmdmserver_cert.pem
3) Restart iOS MDM Server and Network Agent services
4) Enroll profiles to the devices.

Thanks for understanding.

 

"
 

Plus information:

I asked support about the consequence of deleting "kliosmdmserver_cert.pem". The answer was the following:

"yes, in this scenario the profiles must be re-deployed. It doesn't mean that the drivers need to come back to company with the phones, but the profile can be sent via email or installed via self-service portal."


I really don't like the disclaimer of the PF5 SP3 fix.

Was anyone successful with iOS 12 and MDM?

Did I understand correctly - we don't need to uninstall the MDM service. We have to apply PF5 SP3 and remove kliosmdmserver_cert.pem on the existing/current MDM installation?

 

On 10/11/2018 at 11:04 PM, kpcz said:

I really don't like the disclaimer of the PF5 SP3 fix.

Was anyone successful with iOS 12 and MDM?

Did I understand correctly - we don't need to uninstall the MDM service. We have to apply PF5 SP3 and remove kliosmdmserver_cert.pem on the existing/current MDM installation?

 

Hi, yes that is correct.


I tried it; it doesn't work. The problem is the "Client root certificate" is still using 1024 bit, even after applying FP5 SP3.

I checked that the Apple push cert is 2048 bit, and I also changed the iOS MDM server certificate to a self-signed 2048-bit cert, but I can't change the "Client root certificate".

I think the key point is to change this cert. I even deleted this cert, but it still generates a 1024-bit one. Any method?

Edited by edpckfc


edpckfc, I presume this is on new devices on iOS 12 being inducted?

Have you had any success with existing devices inducted before upgrading to iOS 12?

I just checked and our client root cert is 1024 bits also.

 

Thanks

Martin.


Before iOS 12, sure, no problem; after upgrading a device to 12, it does not work.

I think Kaspersky should repackage the MDM server to support iOS 12 and make it work before letting users download it.

 


I found out the problem is that iOS 12 doesn't trust the cert generated by the Kaspersky iOS MDM. I must install a cert with a 2048-bit key purchased from a trusted third party to make it work.

Even a new install of the Kaspersky MDM server with PF5 SP3 applied is no use.


Yes, it works: change to a third-party cert. Now I use a Comodo certificate for the Kaspersky iOS MDM cert (don't use the Kaspersky one), and deploying iOS 12 devices is working. But all existing iOS devices will lose connection when you change to the new cert, so I recommend you install a new Kaspersky MDM server and redeploy all device profiles again.

Edited by edpckfc

36 minutes ago, edpckfc said:

Yes, it works: change to a third-party cert. Now I use a Comodo certificate for the Kaspersky iOS MDM cert (don't use the Kaspersky one), and deploying iOS 12 devices is working. But all existing iOS devices will lose connection when you change to the new cert, so I recommend you install a new Kaspersky MDM server and redeploy all device profiles again.

Hi, great technical information that you actually performed and tested to get Kaspersky MDM and iOS 12 devices working.

Also, thank you for taking the time to let other Kaspersky subscribers know how to configure this "certificate" issue with iOS 12.

Thanks 

 

This topic is now closed to further replies.
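
The support reply and the follow-up posts in this thread both turn on certificates that carry 1024-bit keys. As an added example (not part of the thread and not a Kaspersky tool), the script below reports the key size of every certificate in a PEM bundle and flags RSA keys below 2048 bits. It assumes the `openssl` CLI is installed; the function names are hypothetical and the sample certificates are constructed on the fly.

```bash
#!/bin/sh
# Added example: report the public-key size of every certificate in a PEM
# bundle and flag RSA keys below 2048 bits. Requires the openssl CLI.
MIN_RSA_BITS=2048

# audit_pem FILE: prints "<bits> <OK|WEAK|SKIP> <subject>" per certificate;
# exit status 1 if any RSA key is below MIN_RSA_BITS.
audit_pem() (
    tmp=$(mktemp -d) || exit 2
    rc=0
    # Split the bundle into one file per CERTIFICATE block.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; on=1}
        on {print > (d "/cert" n ".pem")}
        /-----END CERTIFICATE-----/ {on=0}' "$1"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        text=$(openssl x509 -in "$f" -noout -text)
        subject=$(openssl x509 -in "$f" -noout -subject)
        bits=$(printf '%s\n' "$text" |
            sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        case $text in
            *"Public Key Algorithm: rsaEncryption"*)
                if [ "$bits" -lt "$MIN_RSA_BITS" ]; then verdict=WEAK; rc=1
                else verdict=OK; fi ;;
            *) verdict=SKIP ;;  # non-RSA key: the RSA threshold does not apply
        esac
        echo "$bits $verdict $subject"
    done
    rm -rf "$tmp"
    exit "$rc"
)

# make_constructed_cert BITS OUTFILE: throwaway self-signed certificate,
# constructed here purely as sample input.
make_constructed_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=constructed-$1-bit" -keyout /dev/null -out "$2" 2>/dev/null
}

# Demo: a bundle holding one 1024-bit and one 2048-bit constructed certificate.
demo_dir=$(mktemp -d)
make_constructed_cert 1024 "$demo_dir/weak.pem"
make_constructed_cert 2048 "$demo_dir/ok.pem"
cat "$demo_dir/weak.pem" "$demo_dir/ok.pem" > "$demo_dir/bundle.pem"
audit_pem "$demo_dir/bundle.pem" || echo "bundle has an RSA key below $MIN_RSA_BITS bits"
rm -rf "$demo_dir"
```

Run `audit_pem` against an exported copy of the server certificate and its chain; any line marked WEAK is a certificate of the kind the support reply says iOS 12 no longer trusts.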
