So I set up the SCEP server to generate an iOS identity certificate which is only valid for a short time. When it expires the profile says "This profile has expired. Update this profile for a newer version", and presents an "Update Profile" button.
However clicking this button simply tells me "Profile could not be updated. Please contact your networks Administrator". No attempt is made to contact either the MDM service or the SCEP service, and no indication of any MDM activity or errors appear in the log.
Enrolling the device again works fine, so I don't suspect calling a network administrator is actually a solution. So how do you update an expired MDM profile?
解决方案
I worked with MDM more than a year ago. So, I could be wrong with some details.
Here is what I remember:
a) Device does two SCEP calls for OTA MDM.
Look at this diagram
First SCEP call is done as part of OTA Certificate Enrollment (phase 2 on the diagram)
And second SCEP call is done when OTA delivers profile with MDM and SCEP payload (as phase 3 on the diagram).
One thing which isn't not obvious from your question which of iOS identify certificate is short living.
b) If your MDM identity has expired, you will stop receiving all MDM commands.
c) If you OTA identity has expired, you can't upgrade any of configurations wich your delivered over the air (as example MDM).
If you have access to Apple Enterprise Developer Program, you can find MDM document in there. It will say that if you did OTA MDM, you need to Update it when it's about to expire.
And as I remember, if your OTA + MDM has expired then you are screwed (you don't have any other option than reenrollment).
BTW. I believe it's common practice to make these identities quite long living (exactly because of these problems).
If you are worried that you can't prevent somebody from receiving updates, you can always:
Send wipe command
Remove all managed configuration profiles
Revoke identity certificates
277
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
