So I set up the SCEP server to generate an iOS identity certificate which is only valid for a short time. When it expires the profile says "This profile has expired. Update this profile for a newer version", and presents an "Update Profile" button.
However clicking this button simply tells me "Profile could not be updated. Please contact your networks Administrator". No attempt is made to contact either the MDM service or the SCEP service, and no indication of any MDM activity or errors appear in the log.
Enrolling the device again works fine, so I don't suspect calling a network administrator is actually a solution. So how do you update an expired MDM profile?
I worked with MDM more than a year ago. So, I could be wrong with some details.
Here is what I remember:
a) Device does two SCEP calls for OTA MDM.
Look at this diagram
First SCEP call is done as part of OTA Certificate Enrollment (phase 2 on the diagram)
And second SCEP call is done when OTA delivers profile with MDM and SCEP payload (as phase 3 on the diagram).
One thing which isn't not obvious from your question which of iOS identify certificate is short living.
b) If your MDM identity has expired, you will stop receiving all MDM commands.
c) If you OTA identity has expired, you can't upgrade any of configurations wich your delivered over the air (as example MDM).
If you have access to Apple Enterprise Developer Program, you can find MDM document in there. It will say that if you did OTA MDM, you need to Update it when it's about to expire.
And as I remember, if your OTA + MDM has expired then you are screwed (you don't have any other option than reenrollment).
BTW. I believe it's common practice to make these identities quite long living (exactly because of these problems).
If you are worried that you can't prevent somebody from receiving updates, you can always:
- Send wipe command
- Remove all managed configuration profiles
- Revoke identity certificates
I have problems with profile update close to certificate expiration on iOS 6.1.3, but on iOS 7 everything works fine. After certificarte expiration date come under 14 days, profile update button appears on the MDM profile. The status of the profile is always "Profile is expired", so Apple documentation is not correct, status is never "about to expire". On iOS 7 I can update the profile, it actually does the new enrollment automatically. On iOS 6.1.3, there is always error "Profile could not be updated. Please contact your networks Administrator", and there is no trace of any network activity from the device.
Any idea?
Thanks,
Ratko
来源:https://stackoverflow.com/questions/14355726/update-an-expired-ios-mdm-profile