KB-3007: Certificates are not updated or revoked automatically for iOS devices

Centrify Identity Service, App Edition

12 April,16 at 11:44 AM

Applies to: Centrify for Mobile

 

Problem:

 

After an enrolled iOS device receives a mobile profile for Wi-Fi and/or Exchange ActiveSync that contains a certificate, the certificate is not updated or revoked automatically.

 

Cause:

 

The Centrify Cloud proxy server does not currently check or revoke expired certificates. 

 

The certificate that is delivered to the device from the Certificate Authority (CA) at the time of enrollment is cached in AD within the mobile device computer object and is used regardless of age.

 

Workaround:

 

There are two possible workarounds to update certificates for iOS devices.

 

1. Un-enroll and re-enroll the device after the certificate is updated on the Certificate Authority (CA). This is the most direct method to update certificates for iOS devices, because the legacy certificates are removed with all mobile profiles when the device is un-enrolled. When the device is enrolled again, it will receive the updated certificate with all mobile profiles.

 

2. Remove the cached certificate information from the mobile device computer object using ADSIEdit after the certificate is updated on the Certificate Authority (CA). Centrify for Mobile stores all certificate information within the altSecurityIdentities attribute of the mobile device computer object.

 

To manually remove the cached certificate information from the mobile device computer object using ADSIEdit, follow these steps:

  1. Launch the ADSIEdit application
  2. Navigate to the container that contains the mobile device computer object
  3. Right-click the mobile device computer object and select Properties
  4. Select the Attribute Editor tab and edit the altSecurityIdentities attribute
  5. Delete the centrify.mobile.email.cert and/or centrify.mobile.wifi.cert values
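
The same cleanup can be scripted for many devices. The following is an added example, not Centrify's own tooling: it uses the standard ActiveDirectory PowerShell module to list, and optionally remove, the cached values. It assumes the cached entries contain the strings centrify.mobile.email.cert or centrify.mobile.wifi.cert; the function names and the search base are hypothetical.

```powershell
# Added example (not from the original article). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: each cached value contains one of these marker strings named in the article.
$Markers = 'centrify.mobile.email.cert', 'centrify.mobile.wifi.cert'

# List every cached certificate value on computer objects under $SearchBase.
function Get-CachedCentrifyCert {
    param([Parameter(Mandatory)] [string] $SearchBase)

    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties altSecurityIdentities |
        ForEach-Object {
            $computer = $_
            foreach ($value in $computer.altSecurityIdentities) {
                foreach ($marker in $Markers) {
                    if ($value -like "*$marker*") {
                        [pscustomobject]@{
                            DistinguishedName = $computer.DistinguishedName
                            Marker            = $marker
                            Value             = $value
                        }
                    }
                }
            }
        }
}

# Remove one listed value; other altSecurityIdentities entries are left untouched.
function Remove-CachedCentrifyCert {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)

    process {
        $target = $Entry.DistinguishedName
        if ($PSCmdlet.ShouldProcess($target, "Remove cached $($Entry.Marker) value")) {
            Set-ADComputer -Identity $target -Remove @{ altSecurityIdentities = $Entry.Value }
        }
    }
}

# Review first, then remove (placeholder OU, replace with the container holding the device objects):
# Get-CachedCentrifyCert -SearchBase 'OU=MobileDevices,DC=example,DC=com' | Format-Table -AutoSize
# Get-CachedCentrifyCert -SearchBase 'OU=MobileDevices,DC=example,DC=com' | Remove-CachedCentrifyCert -WhatIf
```

Run the listing on its own and keep its output as a record of what was cached before removing anything; drop `-WhatIf` only once the listed values are the ones expected.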

 

To update the iOS device with the new certificates, follow these steps:

  1. Open Active Directory Users and Computers (ADUC) or log in to the Centrify Cloud Manager administrators portal (https://cloud.centrify.com/manage)
  2. Navigate to the mobile device computer object
  3. Right-click the object and select Reapply Policies from the All Tasks menu. You can also highlight the mobile device computer object and select Reapply Policies from the Actions menu
  4. The device will receive the updated certificates

 

Note: 

 

If the iOS device receives an updated Exchange ActiveSync profile, it will prompt the user to enter their Exchange password. 

 

This is required by Apple for iOS devices and cannot be disabled.

 

Solution:

 

This will be addressed in a future release of Centrify for Mobile.
