Android 10 SHA-1 Deprecation


As of Android 10, certificates signed using the SHA-1 hash algorithm are no longer trusted in TLS connections. As a result, customers that use a SHA-1 certificate to secure communication between Android devices and a SOTI MobiControl Deployment Server need to update their Deployment Server certificate to use the SHA-2 hashing algorithm before upgrading their devices to Android 10. Failure to do so will result in Android 10 devices not being able to connect to the SOTI MobiControl Deployment Server.

 

Who is impacted?

  • Customers with Cloud and On-Premise environments that were upgraded from SOTI MobiControl v13 to newer versions are AFFECTED.
    • Upgrades do NOT renew root certificates, so upgraded instances will continue to use the SHA-1 certificate.
    • SOTI MobiControl v13 and prior: Fresh installations, in Cloud or On-Premise environments, have a SHA-1 root certificate by default.
    • SOTI MobiControl v13 and prior: Instances upgraded to the latest SOTI MobiControl v13 build, in Cloud or On-Premise environments, have a SHA-1 root certificate by default.
    • SOTI MobiControl v14.0.0 and above: Instances upgraded from SOTI MobiControl v13, in Cloud or On-Premise environments, have a SHA-1 root certificate by default.
  • Customers with a fresh installation of v14 and above will support SHA-2 root certificates by default and are NOT AFFECTED.
    • SOTI MobiControl v14.0.0 and above: Fresh installations, in Cloud or On-Premise environments, have a SHA-2 root certificate by default.
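
To confirm directly which hash a Deployment Server certificate is signed with, rather than inferring it from upgrade history, the signature algorithm can be read from the exported certificate. The following is an added example, not SOTI code: the function names are hypothetical and the sample certificates are constructed skeletons with dummy contents.

```python
import base64
import re

# DER-encoded signature-algorithm OIDs -> hash family used for the signature.
SIG_OIDS = {
    "2a864886f70d010105": "SHA-1",  # sha1WithRSAEncryption
    "2a864886f70d01010b": "SHA-2",  # sha256WithRSAEncryption
    "2a864886f70d01010c": "SHA-2",  # sha384WithRSAEncryption
    "2a864886f70d01010d": "SHA-2",  # sha512WithRSAEncryption
    "2a8648ce3d0401": "SHA-1",      # ecdsa-with-SHA1
    "2a8648ce3d040302": "SHA-2",    # ecdsa-with-SHA256
    "2a8648ce3d040303": "SHA-2",    # ecdsa-with-SHA384
    "2a8648ce3d040304": "SHA-2",    # ecdsa-with-SHA512
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_hash(cert):
    """Classify a certificate (PEM or DER bytes) as SHA-1, SHA-2 or unknown."""
    m = PEM_RE.search(cert)
    der = base64.b64decode(m.group(1)) if m else cert
    tag, body, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)        # signatureAlgorithm SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)         # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm OID not found")
    return SIG_OIDS.get(oid.hex(), "unknown")

def tlv(tag, value):  # DER-encode one element; only used to build the samples
    nb = (len(value).bit_length() + 7) // 8
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | nb]) + len(value).to_bytes(nb, "big")
    return bytes([tag]) + head + value

def constructed_cert(oid_hex):  # constructed skeleton with dummy body and signature, not a real cert
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, tlv(0x04, b"\x00" * 200)) + alg + tlv(0x03, b"\x00" * 17))
```

Pass `signature_hash()` the bytes of the exported certificate file; a result of `SHA-1` means the certificate must be replaced before devices move to Android 10.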

 

What is the corrective action?

To ensure that management of Android 10 devices continues, the SHA-1 certificate needs to be replaced or regenerated with a SHA-2 certificate. This can be done by replacing the existing SHA-1 Deployment Server certificate with a SHA-2 certificate, or by upgrading to a supported SOTI MobiControl version and regenerating the certificate.

Before updating the SOTI MobiControl Root certificate, note that some legacy Windows CE/Mobile devices do not support SHA-2 certificates. In that case, you may need a multiple Deployment Server (DS) model in which you have both SHA-1 and SHA-2 certificates.

Please Note: Incorrect configuration of the certificates can cause connection failure between devices and the server. In this instance, the only option would be to re-enroll your devices.

Given the complex nature of this task, we strongly recommend SOTI MobiControl On-Premise customers contact SOTI Support for assistance. SOTI MobiControl Cloud customers should contact SOTI Support to identify if they are affected, and schedule an update of their Deployment Server certificates to SHA-2.
