Need advice: add certificate on device
- 18 September 2019
- SOTI MobiControl - Android
3 Answers
Certificate profiles require there to be an Authentication profile in place in order for the keystore to be initialized for storing certificates on the device. Kiosk/Lockdown profiles also require Authentication, so it's common to find the Authentication configuration within the same profile as the Kiosk/Lockdown. I personally pull Authentication out and have it in its own profile that is applied at the highest level in the hierarchy so that it is not inadvertently removed by Kiosk Profile application changes in the future. The Android keystore can be finicky, and seemingly once it's initialized it can be corrupted or become unusable if you unapply and reapply Authentication. That has been my experience at least.
In addition to these points, these are Zebra devices, which means they also have StageNow and the MX layer available for configuration. If StageNow was used during enrollment and certificates were involved (e.g. certificate-based WiFi), then it is possible that the keystore has already been initialized, but by the MX layer and not by SOTI. In those cases I have found that you may have to continue to use MX to apply certificates to the devices in profiles distributed from SOTI rather than using the Certificate profile option.
In general, most profile payloads can be independently deployed or revoked in any order without causing any side effect or malfunction. However, if it is found that a payload needs to be deployed only after another payload, then the two payloads should be put into two separate profiles. The main reason is that for a profile with multiple payloads, the exact order in which the payloads are actually deployed is not 100% controllable. The order can only be precisely controlled at the profile level.
How payloads are grouped into profiles sensibly is actually dependent on many factors, such as how the device group tree is defined, how the profiles can be targeted to multiple device groups and shared by multiple administrators to maximize reuse, etc. In the above case, when deployment order is crucial, the dependent one should definitely be separated to allow more precise control over deployment order.
Hello matt and raymond,
Thanks a lot for your remarks and for sharing your knowledge.
Sorry also, it's not possible to validate (is solution) the two posts :)
I will add the certificate inside the profile.
Thanks