Can enrolled devices upgraded to the forthcoming iOS 12 stay under full control in an old (v10-v13) implementation using a 1024-bit MobiControl Root Certificate?

The forthcoming iOS 12 requires all MDM/EMM solutions to use an SSL certificate with a minimum key length of 2048 bits and at least SHA2 hashing. Are there similar new requirements for the root certificate in the MDM server?

In particular, can all iOS 10/11 enrolled devices stay under full control by a v10-13 MobiControl server using a 1024-bit self-signed root certificate when such devices are upgraded to iOS 12?

5 Answers

Adil Katchi | posted this 20 August 2018

Please see my KB article that explains how to ensure that your devices will continue to be managed by MobiControl after upgrading to iOS 12.

Raymond, Chan | posted this 20 August 2018

Hi Adil,

I did read your article on the SSL certificate for iOS 12 before I posted my question. However, I'm more concerned about the MobiControl root certificate, not the SSL certificate.

Adil Katchi | posted this 20 August 2018

Only the SSL certificate needs to conform to ATS. The key length of the MobiControl Root certificate can continue to be 1024 bits.

Raymond, Chan | posted this 20 August 2018

Then, the follow-up question is this:

Many of my corporate and governmental customers have an internal security policy to phase out 1024-bit certificates in the IT infrastructure. Many asked about migration of their existing v11/v12/v13 1024-bit MobiControl root certificate to 2048-bit. As they have hundreds or thousands of devices enrolled, they cannot tolerate device recall and re-enrollment.

Someone from the SOTI support team informed me about the procedure to use MCadmin to install, bind and push the new 2048-bit root certificate to all enrolled devices. However, he hadn't confirmed with me whether or not the old 1024-bit root certificate can eventually be removed from all the migrated devices and from the v11/v12/v13 MobiControl server. Do you have any idea?

If not, the security policy requirement to phase out all 1024-bit certificates is still not met.

Adil Katchi | posted this 20 August 2018

As this is unrelated to the original question, please start a conversation with Support or Professional Services for assistance with this matter.
