iOS 12 / macOS 10.14 Devices Fail to Enroll with error "An SSL error has occurred and a secure connection to the server cannot be made."
The following error is presented to the user when the user attempts to enroll an iOS 12 / macOS 10.14 device into MobiControl:
“An SSL error has occurred and a secure connection to the server cannot be made”.
- iOS 12+ / macOS 10.14+
- Customers that bind SOTI MobiControl’s “Deployment Server Extensions & Web Console” to the default self-signed SSL server certificate generated by a SOTI MobiControl version older than v14.1.8
iOS 12 / macOS 10.14 introduce a change in security requirements that affects the ability of iOS 12+ / macOS 10.14+ devices to communicate with a default installation of SOTI MobiControl older than v14.1.8. Specifically, iOS 12+ / macOS 10.14+ enforce App Transport Security (ATS) for communication between the device and an MDM server such as SOTI MobiControl. ATS is a security standard defined by Apple that enforces best practices for client-server communication by imposing the following requirements:
The connection must use TLS 1.2 or greater.
TLS 1.2 has been a requirement since iOS 11 / macOS 10.13, so MobiControl customers that can enroll iOS 11 / macOS 10.13 devices are not affected by this requirement. For more information on the requirements to enroll iOS 11 devices, please see this Knowledge Base article.
The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:
The cipher suites required by iOS 12+ / macOS 10.14+ are standard cipher suites that have been available since Microsoft Windows Server 2008 R2.
The SSL server certificate must meet the following requirements:
- Be signed with one of the following types of keys:
- RSA key with a length of at least 2048 bits
- ECC key with a size of at least 256 bits
- The certificate’s signature hash must be a SHA-2 algorithm with a digest length of at least 256 bits (that is, SHA-256 or stronger)
Although SOTI MobiControl older than v14.1.8 signs the self-signed SSL server certificate it generates with SHA-256, the key pair behind that certificate is RSA with a 1024-bit modulus, which fails the 2048-bit minimum above.
Therefore, customers whose SOTI MobiControl “Deployment Server Extensions & Web Console” is bound to the default SSL server certificate generated by SOTI MobiControl older than v14.1.8 will be unable to enroll or manage iOS 12+ / macOS 10.14+ devices. Customers that have changed this binding to use a commercial SSL server certificate that meets the requirements set out above are not affected.
For customers that are affected, the recommended course of action is as follows:
- Purchase a commercial SSL server certificate that meets the requirements set out above and bind it to SOTI MobiControl’s “Deployment Server Extensions & Web Console”. This is considered a best practice and therefore it is the recommended option. With this option, an upgrade of the MobiControl server is not required, provided the customer is already managing iOS 11 / macOS 10.13 devices. For information on the versions of MobiControl that support iOS 11 / macOS 10.13, please refer to this article.
- Customers running MobiControl v14.x with a MobiControl Root certificate that uses SHA-256 as its hashing algorithm can upgrade to MobiControl v14.1.8 or higher and regenerate the SSL server certificate that is bound to SOTI MobiControl’s “Deployment Server Extensions & Web Console”. However, the use of commercial SSL server certificates is considered a best practice, so the customer should only proceed with this option if the recommended option is not viable.
Apple provides a tool, nscurl, built into macOS 10.11 and later that allows customers to check whether their SOTI MobiControl server is ATS-compliant and can therefore enroll and manage iOS 12 / macOS 10.14 devices. It is strongly recommended that affected customers run this tool both before and after performing the recommended course of action.
The tool must be executed from Terminal:
nscurl --ats-diagnostics https://<DMA>/mc/mdm/checkin
where <DMA> is the Device Management Address as shown in the “Deployment Server” section of the MobiControl Administration Utility. TLS v1.3 is not required for iOS 12 / macOS 10.14, so any errors the tool reports when testing TLS v1.3 compatibility can be safely ignored.
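nscurl only exists on macOS. As an added example (not a SOTI or Apple tool, and not part of the original article), the following Python script encodes the ATS requirements listed above (TLS 1.2 or later, an ECDHE cipher suite using AES-128 or AES-256, an RSA key of at least 2048 bits or an EC key of at least 256 bits, and a SHA-256 or stronger signature) and checks them against a server's negotiated session and leaf certificate using only the standard library, so it can be run from a Windows or Linux host as well. The `check_endpoint` helper, the host name you pass to it, and the constructed `fake_cert` used for the offline comparison are assumptions introduced here; the certificate it builds is only certificate-shaped, with a fabricated modulus and no real signature, and exists to show the difference between the pre-14.1.8 1024-bit RSA default and a compliant 2048-bit key.

```python
import re
import socket
import ssl

# Signature-algorithm OID -> hash length in bits (1 marks SHA-1, which fails the SHA-256 rule)
SIG_OIDS = {"1.2.840.113549.1.1.5": 1, "1.2.840.113549.1.1.11": 256, "1.2.840.113549.1.1.12": 384,
            "1.2.840.113549.1.1.13": 512, "1.2.840.10045.4.1": 1, "1.2.840.10045.4.3.2": 256,
            "1.2.840.10045.4.3.3": 384, "1.2.840.10045.4.3.4": 512}
RSA_OID, EC_OID = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"
CURVE_BITS = {"1.2.840.10045.3.1.7": 256, "1.3.132.0.34": 384, "1.3.132.0.35": 521}  # P-256/384/521

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed value's content into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def cert_facts(der_cert):
    """Extract (key_type, key_bits, sig_hash_bits) from a DER-encoded X.509 certificate."""
    tbs, sig_alg, _ = children(read_tlv(der_cert)[1])
    sig_bits = SIG_OIDS.get(decode_oid(children(sig_alg[1])[0][1]), 0)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                        # explicit [0] version is optional: skip it
        fields = fields[1:]
    alg, pubkey = children(fields[5][1])            # serial, sigAlg, issuer, validity, subject, SPKI
    alg_parts = children(alg[1])
    key_oid = decode_oid(alg_parts[0][1])
    if key_oid == RSA_OID:                          # BIT STRING: drop unused-bits byte, then RSAPublicKey SEQUENCE
        modulus = children(children(pubkey[1][1:])[0][1])[0][1]
        return "RSA", int.from_bytes(modulus, "big").bit_length(), sig_bits
    if key_oid == EC_OID:                           # namedCurve OID sits in the algorithm parameters
        return "EC", CURVE_BITS.get(decode_oid(alg_parts[1][1]), 0), sig_bits
    return "other", 0, sig_bits

def evaluate_ats(tls_version, cipher_suite, key_type, key_bits, sig_hash_bits):
    """Return the ATS requirements from the article that the session violates (empty = compliant)."""
    violations = []
    m = re.search(r"1\.(\d)", tls_version)          # "TLSv1.2", "TLS 1.3"; SSLv3 and TLSv1 do not match
    minor = int(m.group(1)) if m else 0
    if minor < 2:
        violations.append(f"protocol {tls_version} is older than TLS 1.2")
    suite = cipher_suite.upper().replace("-", "_")  # accept IANA or OpenSSL spelling
    if minor < 3 and "ECDHE" not in suite:          # TLS 1.3 suites omit the exchange; it is always ephemeral
        violations.append(f"{cipher_suite} has no ECDHE key exchange (no forward secrecy)")
    if not re.search(r"AES_?(128|256)", suite):
        violations.append(f"{cipher_suite} does not use AES-128 or AES-256")
    if key_bits < {"RSA": 2048, "EC": 256}.get(key_type, 1 << 32):   # unknown key types always fail
        violations.append(f"{key_type} key of {key_bits} bits is below the ATS minimum")
    if sig_hash_bits < 256:
        violations.append(f"certificate signature hash ({sig_hash_bits}-bit) is weaker than SHA-256")
    return violations

def check_endpoint(host, port=443):
    """Live check, e.g. check_endpoint("<DMA>"). Chain trust is deliberately not evaluated here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # we inspect the leaf ourselves
    with socket.create_connection((host, port), timeout=10) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        return evaluate_ats(tls.version(), tls.cipher()[0], *cert_facts(tls.getpeercert(True)))

# Constructed offline demo: a 1024-bit RSA leaf (the pre-14.1.8 default) next to a 2048-bit one.
def der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, most significant group first
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def fake_cert(rsa_bits, sig_oid="1.2.840.113549.1.1.11"):
    """Certificate-shaped DER with a fabricated modulus: unsigned, only to exercise cert_facts()."""
    integer = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    rsa_key = der(0x30, integer((1 << (rsa_bits - 1)) | 1) + integer(65537))
    spki = der(0x30, der(0x30, der_oid(RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    alg, empty = der(0x30, der_oid(sig_oid) + der(0x05, b"")), der(0x30, b"")
    tbs = der(0x30, der(0xA0, integer(2)) + integer(1) + alg + empty + empty + empty + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def demo():
    suite = "ECDHE-RSA-AES256-GCM-SHA384"           # a suite both Server 2008 R2+ and ATS accept
    return (evaluate_ats("TLSv1.2", suite, *cert_facts(fake_cert(1024))),
            evaluate_ats("TLSv1.2", suite, *cert_facts(fake_cert(2048))))
```

`demo()` returns one violation for the 1024-bit certificate (the key size) and none for the 2048-bit one, which matches the article's diagnosis: the SHA-256 signature is fine, the key is not. Running `check_endpoint("<DMA>")` against the real server reports the same kind of list for the negotiated session; an empty list before upgrading or rebinding the certificate means the failure lies elsewhere (for example, an untrusted chain, which this script intentionally does not judge). TLS 1.3 sessions are treated as having forward secrecy without an ECDHE name in the suite, since TLS 1.3 no longer encodes the key exchange in the suite name.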