Windows Mobile/CE Devices Don’t Connect to MobiControl Environments Leveraging SHA2 Certificates and/or TLS 1.2

Windows Mobile/CE Devices Don’t Connect to MobiControl Environments Leveraging SHA2 Certificates and/or TLS 1.2

Issue

MobiControl device agents on some Windows Mobile/CE devices will fail to connect to MobiControl environments where TLS 1.2 is used exclusively (TLS 1.0/1.1 is disabled), and/or where SHA2 certificates are leveraged for the “Deployment Server” certificate as configured in the MobiControl Administration Utility.

When this occurs, the device will repeatedly attempt connections to the MobiControl server but will fail to establish a connection.

Affects

  • SOTI MobiControl where TLS 1.2 is used exclusively and/or where SHA2 certificates are used.
  • SOTI MobiControl v14 Cloud Environments that weren’t upgraded from earlier versions

Cause

MobiControl v14.0.0 introduces support for the exclusive use of TLS 1.2 and SHA2 certificates as the standard configuration for SOTI hosted MobiControl Cloud environments. SOTI has consciously chosen to provide the most secure hosting environments by default, even though this may cause an inconvenience for customers seeking management of legacy devices.

MobiControl on-premises deployments will leverage SHA2 certificates by default, but TLS settings will remain as configured on the Windows host upon which MobiControl is installed. Typically, this means TLS 1.0/1.1/1.2 are all enabled.

Windows Mobile/CE devices do not support TLS 1.2 and only some support SHA2 certificates.

Resolution

Re-enable TLS 1.0/1.1:

  • MobiControl Cloud customers should contact SOTI Support to request TLS 1.0, TLS 1.1 be re-enabled on their environment.
  • MobiControl On-premises customers should re-enable TLS 1.0/1.1 if disabled.

Contact your Windows Mobile/CE device manufacturer to verify whether there is an update for your devices that support SHA2 certificates. If not, you should contact SOTI Support for assistance in downgrading and migrating to SHA1 certificates. NOTE: Incorrect changes to MobiControl certificates, especially the MobiControl Root can lead to devices loosing trust with the MobiControl server and require manual re-enrollment.

  • 2096 Views
  • 2 Favourites

Give us your feedback
Give us your feedback
Feedback