Configuring a reserve iOS MDM Server certificate

The iOS MDM Server functionality lets you issue a reserve certificate. This certificate is intended for use in device management profiles to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires.

If your iOS MDM Server uses a default certificate issued by Kaspersky, you can issue a reserve certificate (or specify your own custom certificate as a reserve one) before the iOS MDM Server certificate expires. By default, the reserve certificate is automatically issued 60 days before the iOS MDM Server certificate expires. The reserve iOS MDM Server certificate becomes the main certificate immediately after the iOS MDM Server certificate expires. The public key is distributed to all managed devices through configuration profiles, so you do not have to transmit it manually.

Please note that the reserve iOS MDM Server certificate is not issued automatically if you use an iOS MDM Server custom certificate. If you use a custom certificate, we recommend that you specify a reserve certificate when installing iOS MDM Server or no later than 30 days before the expiration of the existing iOS MDM Server certificate.

If the certificate expires and no reserve has been specified, the connection between iOS MDM Server and iOS MDM devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall device management profiles on each of the managed devices.

To issue a reserve iOS MDM Server certificate or specify a custom reserve certificate:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → iOS MDM Servers. In the list of iOS MDM Servers that opens, click the iOS MDM Server whose settings you want to configure.
  2. In the iOS MDM Server settings window, select Application settings.
  3. Select the Certificates tab.
  4. In the iOS MDM Server reserve certificate block of settings, do one of the following:
    • If you plan to continue using a self-signed certificate (the one issued by Kaspersky):
      1. Click Issue.

        If you have a custom iOS MDM Server certificate specified, the Issue button for the iOS MDM Server reserve certificate will be unavailable. You need to specify the reserve certificate manually by clicking Install.

      2. In the Apply iOS MDM Server reserve certificate window that opens, select one of the two options for the date when the reserve certificate should be applied:
        • If you want to apply the reserve certificate when the current certificate expires, select the After the current certificate expires option.
        • If you want to apply the reserve certificate before the current certificate expires, select the After specified period (days) option. In the entry field next to this option, specify the duration of the period after which the reserve certificate must replace the current certificate.

        The validity period of the reserve certificate that you specify cannot exceed the validity period of the current iOS MDM Server certificate.

      3. Click OK.

      The self-signed reserve iOS MDM Server certificate is issued and specified as the reserve iOS MDM Server certificate.

      Please note that when you specify the date when the reserve certificate should be applied, the certificate will be issued before you save the changes in the Certificates section. If you want to issue a new reserve certificate, open the iOS MDM Server settings again, remove the previously issued reserve certificate by clicking Delete, and issue a new reserve certificate by following the instructions above.

    • If you plan to use a custom certificate issued by your certification authority:
      1. Click Install.
      2. In the File Explorer window that opens, specify a certificate file in PEM, PFX, or P12 format, and then click Open.

        Make sure the certificate you install complies with the following security requirements:

        • a correct Subject Alternative Name (SAN) of DNS is specified and matches the iOS MDM Server connection address;
        • a correct certificate publisher is specified;
        • a correct certificate expiration date is specified;
        • the certificate chain is complete;
        • Extended Key Usage (EKU) is XKU_SSL_SERVER (1.3.6.1.5.5.7.3.1 serverAuth);
        • the root certificate is the same as the root certificate of the current certificate;
        • the RSA key size in the certificate chain is at least 2048 bits;
        • the RSA key size of the root certificate is at least 4096 bits;
        • the hash algorithm in the certificate chain is from the SHA-2 family.
      3. In the Installing certificate window that opens, enter the certificate password, and then click Install.
      4. Click Save.

      Your custom certificate is specified as the reserve iOS MDM Server certificate.

      Please note that when you specify the date when the reserve certificate should be applied, the certificate will be issued before you save the changes in the Certificates section. If you want to issue a new reserve certificate, open the iOS MDM Server settings again, remove the previously issued reserve certificate by clicking Delete, and issue a new reserve certificate by following the instructions above.

The reserve iOS MDM Server certificate is now specified. The reserve certificate details are displayed in the iOS MDM Server reserve certificate block of settings.
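
Before installing a custom reserve certificate, the leaf-level requirements listed above (DNS SAN, serverAuth EKU, RSA key size, SHA-2 signature, expiration date) and, optionally, chain verification can be checked from the command line. The script below is an added example, not part of the Kaspersky documentation; it assumes the OpenSSL 1.1.1+ command-line tool and a certificate in PEM format, and the names `check_reserve_cert`, `make_sample_cert` and `mdm.example.test` are hypothetical.

```shell
#!/bin/sh
# Constructed test input: a throwaway self-signed certificate (not a real MDM one).
make_sample_cert() {  # <out.pem> <dns-name> <eku>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout /dev/null -out "$1" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -addext "extendedKeyUsage=$3" 2>/dev/null
}

# Usage: check_reserve_cert <cert.pem> <mdm-address> [min-days-left] [ca-bundle.pem]
# Returns 0 if every check passes, 1 if any fails, 2 if the file cannot be parsed.
check_reserve_cert() {
    cert=$1; host=$2; days=${3:-30}; ca=${4:-}; rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "FAIL: cannot parse $cert"; return 2; }

    # SAN must hold a DNS entry equal to the iOS MDM Server connection address.
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -qixF "DNS:$host" ||
        { echo "FAIL: no DNS SAN equal to $host"; rc=1; }

    # EKU must include serverAuth (1.3.6.1.5.5.7.3.1), printed by OpenSSL as below.
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' |
        grep -q 'TLS Web Server Authentication' ||
        { echo "FAIL: EKU lacks serverAuth"; rc=1; }

    # RSA key of at least 2048 bits (the page states sizes for RSA keys only).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
        [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: RSA key of at least 2048 bits not found"; rc=1; }

    # Signature hash must be from the SHA-2 family.
    printf '%s\n' "$text" | grep -E 'Signature Algorithm|Hash Algorithm' |
        grep -qiE 'sha(224|256|384|512)' ||
        { echo "FAIL: signature hash is not SHA-2"; rc=1; }

    # Certificate must remain valid for at least $days more days.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "FAIL: expires within $days days"; rc=1; }

    # Optional: the chain must build to a root in the supplied CA bundle.
    if [ -n "$ca" ]; then
        openssl verify -purpose sslserver -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
            { echo "FAIL: chain does not verify against $ca"; rc=1; }
    fi
    return $rc
}
```

A PFX or P12 file has to be converted to PEM first; pass the root and intermediate certificates as the fourth argument to include the chain check.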
