"Invalid certificate" notification on device agent

Hello,
we have set up SOTI MobiControl (14.2) on-premise, for internal (LAN) use only.
When accessing the webconsole, we got a 'https unsafe' indication in the browser,
indicating the website could not be trusted due to its certificates.
With some help from SOTI support, we were able to import/install our own generated certificate in the MC Admin utility,
and this issue is now gone.

However, we still get a similar notification on the mobile devices in the device agent.
Our devices are enrolled as 'work managed device' into SOTI MobiControl, using the afw#mobicontrol 'google account'.
The notification appears when performing the enrollment, immediately after entering the enrollment URL in the MC app.
How can we get rid of this?

br, Steven

4 Answers

Raymond Chan | posted this 02 March 2019

What exactly did you do with your self-signed certificate using MCadmin to make the warning on the web-console session from the browser go away? In general, the warning will go only if your SSL certificate is a strong enough certificate bought from a reputable CA. What did you set for the common name of your self-signed certificate and the device-management address with your MCadmin.exe utility?

Irrespective of the notification shown on the devices, did your work-managed devices get successfully enrolled?

Steven | posted this 04 March 2019

Hi Raymond, thanks for the quick reply.

We imported our root certificate in MCAdmin, and then imported the certificate containing the computer name of the server in "Deployment Server Extensions & Web Console" (see screenshot below).

As for enrolling new devices: this still seems to work, but at a given point, I get the 'invalid certificate' warning on the device, which I would really like to get rid of...

[Screenshot: Certificates]

[Screenshot: InvalidWarning]

Raymond Chan | posted this 04 March 2019

As you are using your private "computer name" rather than a public FQDN in your self-signed certificate, there is no way to validate that your server is actually the authentic server the agent is supposed to be communicating with. Hence, the warning you are concerned about is inevitable.

If your devices are for the iOS and Windows 10 platforms, they can't even be enrolled or controlled any more, as Apple and Microsoft have respectively tightened the certificate requirements for any enterprise-grade EMM. I believe Google will eventually follow suit and won't allow any Android Enterprise devices to be enrolled to an MDM/EMM server without a strong third-party certificate from a reputable CA.

Steven | posted this 04 March 2019

Update:

By installing the root certificate on the mobile device manually, the issue is gone.
But this involves some manual steps (navigating to a URL containing the .cer file, installing it, & setting a device pincode/password, which seems to be required to download & install certificates)...

If there is no further downside to the warning dialog in the device agent, I think we can live with this minor annoyance...

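The trust check discussed in this thread, as an added example that is not part of any post and not SOTI tooling: a generic X.509 verification with the `openssl` CLI, showing that a privately issued server certificate verifies only when its root is in the client's trust store and the name used to reach the server matches the certificate. The host names `mc-server01` and `mdm.example.com`, the CA names and all certificates are constructed placeholders, and it is an assumption that the device agent applies the same two checks.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name here is generated locally.
MC_HOST=mc-server01   # assumed internal computer name used in the enrollment URL

# new_csr NAME CN: write NAME.key and NAME.csr in the current directory
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

# build_pki DIR: private root CA, a server cert it issues, and an unrelated CA
build_pki() {
    ( cd "$1" || exit 1
      printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > ext.cnf
      printf '[v3_leaf]\nsubjectAltName=DNS:%s\n' "$MC_HOST" >> ext.cnf
      for ca in root other; do
          new_csr "$ca" "Constructed $ca CA" &&
          openssl x509 -req -in "$ca.csr" -signkey "$ca.key" -days 30 \
              -extfile ext.cnf -extensions v3_ca -out "$ca.pem" 2>/dev/null || exit 1
      done
      new_csr server "$MC_HOST" &&
      openssl x509 -req -in server.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -days 30 -extfile ext.cnf -extensions v3_leaf \
          -out server.pem 2>/dev/null )
}

# trusted DIR STORE NAME: succeeds only if server.pem chains to STORE.pem
# and its subjectAltName matches NAME
trusted() {
    openssl verify -CAfile "$1/$2.pem" -verify_hostname "$3" "$1/server.pem" \
        2>/dev/null | grep -q ': OK'
}

# report DIR STORE NAME: print the outcome a client with that store would reach
report() {
    if trusted "$@"; then r="trusted"; else r="invalid certificate"; fi
    echo "store=$2 name=$3 -> $r"
}

demo_dir=$(mktemp -d) && build_pki "$demo_dir" && {
    report "$demo_dir" other "$MC_HOST"        # root not installed on the device
    report "$demo_dir" root  "$MC_HOST"        # root installed, name matches
    report "$demo_dir" root  mdm.example.com   # root installed, different name
}
rm -rf "$demo_dir"
```

Only the second case verifies, which is the state reached after the root certificate is installed on the device and the enrollment address equals the name in the certificate.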
