iOS and Root/Intermediate Certficates + iCloud

SeanP1971's picture
Your rating: None (1 vote)

I was wondering if anybody has any information around how certificates are handled in iOS and what iCloud retains?

In our environment we have an MDM solution which deploys certificate based ActiveSync and VPN profiles as well as other policies. We also have to manually install our internal root/intermediate certificates on the device which are required for the in-house iOS web apps and the Active Directory chain of trust over the MDM automated VPN.

Two things -

1) We discovered that in some cases one or two of the profiles would fail to install and after much troubleshooting it appeared to be solved by doing the following workaround steps -
Installing the manual certificates, re-booting the device, removing them cleanly, rebooting again and re-enroll the device to successfully bring down the profiles.
It also seems to suggest that the iCloud backup retains remnants of the certificates even when they are not present which comes down to the device or a new device but not sure how? e.g. If it's a fresh new device it was always work 100%.

2) Are you aware of what tools can be used to deploy these certificates over the air automatically?

Any advice greatly appreciated.

Configurator 1.4.3 is out; improves VPP code redemption (updated with release notes)

Your rating: None (6 votes)

Apple today release Configurator 1.4.3, which "improves redemption of VPP codes when installing App Store apps.

Configuration is a very handy tool for setting up and deploying multiple iOS devices. It is free and available on the Mac App Store.

Update: Apple has released release notes:


Apple Configurator 1.4.3 is a recommended update for all Apple Configurator users. This update is available from the Updates tab of the Mac App Store. It requires OS X Mountain Lion or later, and iTunes 11.1 or later.

What's new in Apple Configurator 1.4.3?

  • Improves redemption of VPP codes when installing App Store apps by fixing an issue in which valid codes were incorrectly reported as "already redeemed".
  • Fixes an issue with skipping Setup Assistant steps while preparing an unsupervised device.
  • Resolves an issue that could prevent quitting the Apple Configurator app.

Want to get together at NRF 2014? Let me know...

Your rating: None (3 votes)

The National Retail Federation "Big Show" is January 12-15 in my hometown, New York City. We have the opportunity to get together for an Enterprise iOS networking event. Sound interesting? Please drop me a line that you are interested.

strange error during mail synch - when a certificate is used to authenticate, sometimes certificate cannot be validate

bongio's picture
No votes yet

We have the following situation:
- native ios email client
- certificate for user authentication.
- ios 7.04 (this happen even with 6.x.x)

Usually it works fine, but sometimes for some users we have a strange behaviour:
- the error is "..certificate cannot authenticate.." or mail client requests a user password
- after a lot of log checking, it appears the device does not arrive to external firewall, then the exchange too

We checked the error is showed immidiatly and it appears the device does not try to connect to the external url

Debugging the ipad we see this type of error:
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|Failed to get version string
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|error syncing folder: Error Domain=MFMessageErrorDomain Code=1054 "The operation couldn’t be completed. (MFMessageErrorDomain error 1054.)"
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|ASGetOptionsTask failed: Error Domain=DAErrorDomain Code=63 "The operation couldn’t be completed. (DAErrorDomain error 63.)"
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|Failed to get version string
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|error syncing folder: Error Domain=MFMessageErrorDomain Code=1054 "The operation couldn’t be completed. (MFMessageErrorDomain error 1054.)"
Nov 28 15:42:18 s-iPad MobileMail[174] : ERROR: MFMessageErrorDomain/Missing Password - No password provided for “Exchange ActiveSync”

If I enter in settings\mail,contact,calendar\email_configured and I turn off and turn on the "Mail", the mail client starts again to work. After some hours, it stop again...
It appears a device problem, but now we have 400 devices, the end use cannot access the email configuration and this error is becoming a big issue.

Thank you for your help

How iOS decides which wireless network to auto-join

Your rating: None (1 vote)


iOS follows these guidelines when deciding which wireless network to auto-join.

iOS defines two categories of networks: hotspot and private.

  • A hotspot network can be an HS2.0/Passpoint (802.11u) network, a "captive" network, or an EAP-SIM network. iOS distinguishes between captive / EAP-SIM and HS2.0/Passpoint hotspots.
  • A private network is any network that is not a hotspot.

When iOS evaluates SSIDs to auto-join, it prefers known networks, higher levels of security, and stronger relative signal strength (RSSI).

iOS will try to connect to networks in this order:

  1. The private network it has most recently previously joined
  2. Connect to a private network
  3. Connect to a hotspot network

If iOS finds more than one network, it will evaluate SSIDs by security level and choose one based on the following order:

  1. Private network: EAP
  2. Private network: WPA
  3. Private network: WEP
  4. Private network: Unsecure/open
  5. Hotspot network: HS2.0/Passpoint
  6. Hotspot network: EAP
  7. Hotspot network: WPA
  8. Hotspot network: WEP
  9. Hotspot network: Unsecure/open

If iOS finds multiple networks of identical type and security level, it will choose the SSID with the stronger RSSI.

Auto-joining after a restart

After a restart, iOS Wi-Fi credentials are available only after a device is unlocked.

If an iOS 6 device is restarted near both open and secure networks, the device will auto-join the open network because the secure network credentials are not available until the device is unlocked.

After restarting, iOS 7 will not auto-join an open network first because it waits until after the device is unlocked.

Last Modified: Nov 20, 2013

EDA Surveys Enterprise IT Admins about Managing Mobile Devices

Your rating: None (2 votes)

Hello MacEnterprise Community,

The Enterprise Device Alliance is conducting its 3rd annual survey of IT professionals at

In our pursuit to develop the best solutions for your IT management challenges, we ask for your feedback on the use of mobile devices and non-Windows systems integration in large organizations. As the pervasiveness of these devices grows, your experiences and opinions, collected in these survey results every year, help us to better serve your needs.

To thank you for your contribution we will raffle one $50 gift certificate from Amazon for every 100 respondents. We will, of course, provide every participant with a copy of the results. Please make a difference and give us your thoughts.

Take the Survey here:

On December 12 at 2 pm ET/11 am PT. Ryan Faas, noted IT journalist, will discuss the survey results with me, T. Reid Lewis, president of the Enterprise Device Alliance. This webcast will explore the results in detail, offering examples of how other companies are tackling the challenges presented by mobile device management.

Sign up for the Webcast here:

Questions? Write to us at For more information and past survey results, visit

Thank you on behalf of everyone who will benefit from the survey results.

- Reid

T. Reid Lewis
Enterprise Device Alliance

Apple Configurator 1.4.2 and Apple TV 6.0.1.

estrois's picture
No votes yet

Hello eveyone,

For my first post here, I find myself pretty much at the cutting edge of all recently updated Apple Stuff.

Apple Configurator 1.4.2
Apple TV 6.0.1
OS X 10.8 Server and Clients.
Profile Manager.
iOS 7.0.4

Although I've learned computers since DOS and System 6, I'm sitting in front of Apple Configurator and Apple TV and can't quite guess how all these payload that are useful to iOS iPads can be useful to Apple TVs which are new stuff to me.

I googled a lot, asked in discussion dot apple dot com, tried Youtube, Yahoo and even BIng...

How can all these payloads that are useful to iOS iPads can be useful to Apple TVs?

Is there a good walkthrough for Apple Configurator 1.4.2 and Apple TV 6.0.x?


Remote Reboot of OS or APPs?

Joshua Elvey's picture
Your rating: None (2 votes)


I'm wondering if anyone has come across a solution to our problem in any of the MDM software out there. We need to remotely reboot our iPads (NOT wipe). Basically, after a few days of our app running non stop on the devices, they need a refresh. If a remote reboot isn't possible, is it possible to close out the app and the relaunch it remotely? Currently, we're using Airwatch and there seems to be no function similar to this. If you have a solution, know a different provider with this function, or are looking for the same solution, please share.

Apple TV 6.0.2 update "Includes general performance and stability improvements."

Your rating: None (2 votes)

And that's all she wrote.

iOS 7.0.4 fixes FaceTime, enforces App Store authorization

Your rating: None (2 votes)

Apple recently released iOS 7.0.4, which provides:

  • Bug fixes and improvements, including a fix for an issue that causes FaceTime calls to fail for some users.

There's also a security fix, which is:

Impact: App and In-App purchases may be completed with insufficient authorization

Description: A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization.

Automatic Updates for VPP apps

timlings's picture
Your rating: None (4 votes)

I was wondering if anyone had found a solution to this...

We've got some iPad minis which we're supervising with Apple Configurator and then installing VPP apps with. However, on the iPads themselves, under 'iTunes and App Store' in Settings, there is a very tantalising switch for 'Updates' under 'Automatic Downloads', even when you are not signed into the App Store. Has anyone managed to get this to work? Or do you have to be signed in with an AppleID? And would it be craziness to sign in with the iTunes account used to authorise the apps on Apple Configurator?



AirWatch and managed deployment? Anyone?

Aaron Freimark's picture
Your rating: None (1 vote)

Hopefully in the next day or two I'll be able to post a walkthrough of how VPP managed distribution works. But at this moment I'm stuck. On my AirWatch instance, everything works until the last step: I can get AirWatch to push the app to my iTunes purchase history. I've opened a ticket but no luck yet.

It is probably something peculiar about my configuration, but I figure I'd poll the group. Have any early adopters successfully used AirWatch & the new VPP?

Apple Launches "Managed Distribution" for App Store Volume Purchase Program (VPP) for Business and Education

Your rating: None (13 votes)

Apple tonight updated its app Volume Purchase Program with several long-anticipated and important additions. The updates introduce a new "managed distribution" of apps to iOS 7 devices, allowing assignment and revocation' through Mobile Device Management. Here are the highlights:

  • Works with most apps available in the public app store (both paid and free), custom B2B apps created for your organization by 3rd parties, and books from the iBooks store
  • Either download the legacy redeemable codes, or use managed distribution to link your MDM server to have reassignable apps
  • Managed distribution allows your institution to maintain ownership of the apps. Revoke apps from users when no longer needed, and reassign the licenses to different users.
  • Managed distribution requires iOS 7 and a suitable MDM.
  • MDM providers must be updated to work with the new system. Expect announcements over the next days and weeks.
  • App assignment does not reveal the individual's Apple ID to the institution.
  • Assigned apps are installed automatically on supervised devices. Unsupervised devices show a prompt to install.
  • Education customers will be able to purchase by Purchase Order "coming later this fall". The rest of us need a credit card.
  • Education customers are able to set up multiple administrators. The rest of us use a single login.
  • Available in Australia, Canada, France, Germany, Italy, Japan, New Zealand, Spain, United Kingdom, and United States.
  • Unused codes and codes redeemed by Apple Configurator may be migrated to managed distribution.

There are new web pages on VPP for both business and education. There is also a VPP Guide for Business and VPP Guide for Education.

We'll have more information coming soon.

Single-User/Multi-User iPads: Are we doing it right?

jlscott's picture
Your rating: None (2 votes)

There’s quite a lot of information around but no definitive setup and scenario guides, so I thought I’d run this past the community for your thoughts and tips.

We support an Acute hospital who’s thirst for iPads seems unending! To help us manage them we’ve bought Airwatch, in conjunction with using Apple Configurator. There are essentially two scenarios we’re challenged with: a dedicated user / individual and a team or shared device situation.

The dedicated user or individual is easy enough – we get them setup with an Apple ID using their work email (to keep it separate from any home accounts) and enrol them into Airwatch without touching Apple Configurator. Users buy their own apps, although we’re hoping through the enhanced VPP to be able to offer this centrally. We are starting to remove the App Store though, and only provide a route to purchasing and installing apps via the internal Airwatch App Catalog, allowing us to risk assess apps prior to making them available. With our current setup, we’re losing out on some of the management functionality available with supervision, so we’re considering putting that step into the process first – supervise the device then enrol as normal. We don’t install apps with Configurator because we want to avoid the situation where users cannot update an app because it’s tied to our Apple ID.

The second scenario is one or more iPads shared and used by a group of staff (team based). We believe these should be locked down more tightly than for dedicated users. Quite often there is a need for some additional apps to be installed, so we were considering loading this via Configurator at the time of deployment. But this means any updates or new apps require the device be returned to IT for a refresh. So we’re considering setting up a team / generic Apple ID, which the target group of users own and maintain, but which allows them to receive apps and updates over-the-air. This would give them freedom to configure their own payment method, or allow us to assign apps purchased through VPP. I guess the only problem we’d encounter is hitting the limit (10?) on the number of devices an Apple ID can be associated with.
So, that’s where we are currently.

Any thoughts, suggestions and comments would be greatly appreciated!

How IT can cope with Activation Lock: a step-by-step guide

Your rating: None (5 votes)

User clifhirtle has contributed an awesome post on how to deal with Activate Lock.

As far as I know this is not advertised anywhere but confirmed directly with Apple last week that if you have a corporate-owned device and no access to the iCloud account a past employee used, you can also call AppleCare enterprise support and prove ownership to have the device unlocked on Apple's side directly. Here's a standard Activation Lock process I put together for our IT support team...

Resolving iOS Activation Locks

Apple offers a FAQ for Activation Lock at the following page:
iCloud: Find My iPhone Activation Lock in iOS7 (

It is critical to understand that as of 10/13 there are only 3 means of preventing a NON-supervised iOS 7 device with Find My Phone enabled from locking activation:

1) Deactivate Find My Phone on device before erasing data (requiring access to device).
2) Remove device from the iCloud account has been activated with (requiring Apple ID credentials).
3) Remove Lock through Apple Enterprise Support (requiring proof of ownership).

To prevent activation lock out on company-owned devices that are returned/retired follow these steps:

Scenario 1: Device is Returned by Not Yet Wiped
Users/IT deactivates Find My Phone from Settings > iCloud > Find My Phone before erasing/wiping the device.

Scenario 2: Device is Returned by Already Wiped
User must follow Apple's deactivation directions, log into their iCloud account, and remove the device from their list of iCloud devices.

Scenario 3: Device is Returned, Already Wiped, Previous User Unknown/Unreachable
IT / Enterprise Mobile must call Apple Enterprise Support and put in a request to for activation lock reset (2-3 day expected turnaround)
Contact: 866-752-7753. Provide purchase date of device, invoice number of purchase, business name + postal address, and both IMEI and serial number of device (obtainable by tapping the "i" icon lower-right corner of initial iOS setup screen).

Please continue the discussion in our forum.

Recent Activity