Need advise add certificate on device

Need advise add certificate on device

Hell all,


we have mobicontrol in version

We have a lot of device in zebra TC75X with android 6 and 7.

the client mobicontrol is on version 13.3.2 build 1014


actually, we migrate all url we call in http to https.

i can install the certificate on the device without problem all works fine.


I would like to know if some people has experience with certificate.

Is it better to add the certificate in a separate profile or it's better to add the certificate in the main profile (where authentifcation kiosk is added) ?


Actually, for testing i have created a separate profile who contains just the certificate

I have a main profile where i have (bookmark, kiosk, …) and so on.


I can install all, remove all, all seems to work but i would like to have some advice or suggestion.


thanks for sharing your knowledge

3 Answers

Order By:   Standard | Newest | Votes
Matt Dermody | posted this 18 September 2019

Certificate profiles require there to be an Authentication profile in place in order for the keystore to be initialized for storing certificates on the device. Kiosk/Lockdown profiles also require Authentication so its common to find the Authentication configuration within the same profile as the Kiosk/Lockdown. I personally pull Authentication out and have it in its own profile that is applied at the highest level in the hierarchy so that it is not inadvertently removed by Kiosk Profile application changes in the future. The Android keystore can be finicky and seemingly once its initialized it can be corrupted or become unusable if you unapply and reapply Authentication. That has been my experience at least. 


In addition to these points, these are Zebra devices which means they also have StageNow and the MX layer available for configuration. If StageNow was used during enrollment and certificates were involved (eg. certificate based WiFi) then it is possible that the keystore has already been initialized, but by the MX layer and not by SOTI. In those cases I have found that you may have to continue to use MX to apply certificates to the devices in profiles distributed from SOTI rather than using the Certificate profile option. 

  • 1
  • 0
Raymond Chan | posted this 18 September 2019

In general, most profile payloads can be independently deployed or revoked in any order without causing any side-effect or malfunctioning.    However, if if it is found that a payload that needs to be deployed only after another payload,  then the two payloads should put into two separate profiles.   The main reason is that for a profile with multiple payloads, the exact order how the payloads are actually deployed is not 100% controllable.  The order can only be precisely controlled at the profile level.


How payloads are grouped into profile sensibly is actually dependent on many factors, such as how the device group tree are defined, how the profiles can be targeted to multiple device groups and shared by multiple administrators to maximize reuse, etc.  In the above case when deployment order is crucial,  the dependent one should definitely be separated to allow more precise control over deployment order. 

  • 1
  • 0
christopheBERNARD | posted this 19 September 2019

Hello matt and raymond,


thanks a lot for your remak and shared your knowledge.


Sorry also it's not possible to validate (is solution) the two post :)


I will add the certificate inside the profile




  • 0
  • 0

Give us your feedback
Give us your feedback