Note: This applies only to devices registered before June of 2013
Kaseya leverages the Apple Provisioning server in order to manage iOS (iPad, iPhone) devices through the Mobile Device Management (MDM) function. In order to authenticate the communication between Kaseya and the device, Apple uses a certificate that is installed on the mobile device when the Kaseya agent is installed. This certificate can be found under Settings > General > Profiles.
We have recently updated our Apple iOS certificate as part of regular maintenance. This process replaced a certificate which is set to expire on or before August 16th, 2012. We have identified an issue which may require manual intervention on MDM endpoints to accept and install the new certificate. If the certificate is not updated, the device will stop communicating all MDM functions that pass through the Apple Provisioning server.
Impacted functions include (these leverage the Apple Provisioning server):
- Mobile device audit
- Deployment of security profiles
- Deployment of WiFi profiles
- Remote wiping of a device (factory reset)
- PIN code reset
Functions not impacted include (these do not leverage the Apple Provisioning server):
- Device Settings
SYMPTOMS - IMPORTANT INFORMATION
All communication handled by the Apple provisioning server (listed above) will cease once the certificate expires. Device users will not receive any indication that the certificate has expired. VSA admins will not receive notification within the VSA that the certificate has expired. Admins may want to verify communication by attempting to deploy a security profile, WiFi profile, or conducting a mobile device audit. If these commands do not complete, the certificate on the device may be out of date. Device users should be encouraged to check the expiration date of the existing certificate and update, if necessary. Instructions for checking the expiration date are available in the "Verifying the Certificate" section at the end of this article.
The existing certificate must be removed (Step 1) and a new certificate installed (Step 2). End users will need to be instructed to take the appropriate action.
STEP 1: To remove the certificate, instruct the user to navigate to Settings > General > Profile, select the "Kaseya MDM" profile, then click the "Remove" button:
STEP 2: Choose from the options below to instruct the user to install the new certificate
OPTION 1: Phone-enabled devices with SMS service:
- Within the VSA, navigate to Mobile > Device Status and select the appropriate iOS device(s).
- Verify the iOS device has a valid phone number showing in the "Phone Number" field. If necessary, double click on the filed to update the phone number associated with the device.
- Select the Resend Invitation button from the command bar.
- In the Invitation text, replace the existing text with a customized customized message that includes the URL https://mobile.kaseya.com/vsaws/v1/mdm.ashx?g=1 or use our example message below. Be aware that the message must be 132 characters or less (to allow for the message header). Note: It is the URL that is critical and must be included in the message. When the user presses on the URL they will be redirected via Safari to the MDM provisioning portal which contains the new certificate and profile.
- After pressing the link, the user must select "Install Profile" or "Install" to allow the certificate to install. The user should follow the on-screen instructions to allow the installation to complete. Once the installation completes, All MDM commands should fully function.
OPTION 2: iPads or iPhones without SMS service (these steps are completed on the iOS device):
- Provide the user with the VSA’s Mobile Server ID found on the VSA’s Mobile tab under the System Settings function (this will be required in a later step)
- Open the Kaseya app on the device
- Click the “Login” button in the upper right corner of the app
- Enter the VSA’s ServerID (found on the VSA under Mobile > Server Settings)
- Click “login”
- Click “Complete Login"
The user will be prompted to install a new certificate. The user must follow the on-screen prompts to continue with the installation. This may include notification about pairing with a VSA, a prompt to Install the new certificate, prompts for the user to provide the device PIN to allow the installation, and clicking “Done” once the new certificate is installed. Once the installation completes, All MDM commands should fully function.
OPTION 3: Send an email with the necessary URL and instructions
If the above options are not feasible, you can elect to send an email (outside of Kaseya) to the device user. The user should open the email from the mobile device and select the link. This should prompt Safari to download and install the updated certificate. The user will be prompted to allow the installation, may be required to enter their PIN, etc. The user should follow the on-screen instructions to ensure the certificate gets installed. In your email, instruct the user to visit https://mobile.kaseya.com/vsaws/v1/mdm.ashx?g=1 and complete the certificate installation (link must be launched on the mobile device or pasted into the mobile device's browser). Once the installation completes, All MDM commands should fully function.
VERIFYING THE CERTIFICATE
If you would like to verify the new certificate, on the iOS device, navigate to Settings > General > Profile, select the "Kaseya MDM" profile, press "More Details" and note the expiration date of the new certificate. This date should be in August of 2013.
Kaseya recognizes the difficulties this certificate expiration will cause for iOS customers and we are working to address how this will be handled in the future. We are working to develop an in-house process in lieu of an OEM-provided tool to allow future certificates to update behind the scenes. We are confident that this issue will not be repeated at the next expiration.