Apple profile signing certificates

Configure > MDM Configurations > Apple > Profile Signing

When software or settings are pushed to devices through the Apple Push Notification Service (APNS), the device downloads them in a profile. The operating system then performs a security check to see if the profile has been signed using a certificate and if the device trusts the certificate. When the profile is installed, the device user is informed whether the profile is from a trusted source or not.

You have the option to leave the profile unsigned, sign it with the core certificate, or sign it with a certificate that has been signed by a certificate authority.

IMPORTANT: If you change this option after devices have enrolled, all Apple devices are required to re-enroll.

Core certificate. This uses the existing core certificate to sign the profile. When users attempt to install the profile, they are told who signed it but are warned that it is not trusted. The name displayed to the user is the common name associated with the core certificate.

Third-party certificate. When you sign the profile with a certificate from a certificate authority, users are notified that the profile is signed and trusted. The name displayed to the user is the common name associated with the certificate. The certificate must be in PKCS#12 format (.pfx or .p12). It can be a wildcard certificate, and it can be a certificate that is used elsewhere in your environment.

WARNING: You should always replace the signing certificate with a certificate that has the same private key BEFORE it expires. If the certificate expires without a replacement, or if the private key changes, you may be required to re-enroll iOS devices.
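One way to check the two conditions in the warning above before uploading a replacement file, as an added example that is not part of the product documentation: it uses the OpenSSL command line to test whether the current certificate is close to expiry and whether the replacement .p12 carries the same key pair. The function names, file names, environment variable names and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for a replacement profile-signing .p12.
# Passwords are read from environment variables (openssl "env:" source) so
# they do not appear in the process list. All names here are placeholders.
# OpenSSL 3.x may need -legacy added to the pkcs12 calls for files that were
# exported with older ciphers.

# Print a SHA-256 digest of the PEM public key of the certificate in a .p12.
# Args: <p12 file> <name of env var holding its password>
p12_pubkey_fpr() (
    cert=$(openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null) || exit 1
    pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$pub" ] || exit 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
)

# Exit 0 if both files hold the same public key (so the same private key),
# 1 if the keys differ, 2 if either file cannot be read.
# Args: <current p12> <env var> <replacement p12> <env var>
p12_same_key() (
    a=$(p12_pubkey_fpr "$1" "$2") || exit 2
    b=$(p12_pubkey_fpr "$3" "$4") || exit 2
    [ "$a" = "$b" ]
)

# Exit 0 only if the certificate will still be valid N days from now.
# An unreadable file or wrong password also returns non-zero (fails closed).
# Args: <p12 file> <env var> <days>
p12_valid_in_days() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null \
      | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# Usage (constructed file names):
#   export CUR_PW=... NEW_PW=...
#   p12_valid_in_days current.p12 CUR_PW 30 || echo "renew now"
#   p12_same_key current.p12 CUR_PW renewed.p12 NEW_PW \
#     || echo "key differs or file unreadable: devices may need to re-enroll"
```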

To set up Apple profile signing

1. From the Endpoint Manager console, click Tools > Modern Device Management > MDM Configurations > Apple > Profile Signing.

2. Select a signing preference.

3. In the Certificate Settings section, click Browse and select the certificate file.

4. Provide the password to the certificate in the Certificate Password text box.

5. Click OK.

For information about obtaining an APNS certificate, see Apple notification services.