Due to the new security requirements announced by Apple, Trend Micro Mobile Security (TMMS) users utilizing a Local Communication Server (LCS) and a self-signed certificate must apply this patch and perform certificate deployment as instructed in this article before upgrading the mobile device to iOS 13. If a mobile device is already upgraded to iOS 13 before applying the patch and performing the instructed certificate deployment, the user will need to re-deploy the TMMS iOS App again.
Without a complying certificate, iOS 13 mobile devices will not be able to access the Transport Layer Security (TLS) server, install apps, or access websites in their Safari web browser. For more details, refer to this Apple article: Requirements for trusted certificates in iOS 13 and macOS 10.15.
These security requirements will affect the customer who are:
- using TMMS full version deployment mode
- using a Local Communication Server (LCS) and a self-signed certificate
- enrolled iOS 12 or earlier devices
Below are the possible impact of the updated security requirements:
- All currently enrolled iOS 13 mobile devices that were upgraded from iOS 12 or a lower version will not be able to access the LCS anymore. Such mobile devices need to be re-enrolled after implementing the new security requirements.
- New iOS 13 mobile devices will not be able to enroll to LCS.
To resolve the issue:
- Install TMMS 9.8 SP2 Patch 1.
- Create a new directory named "NewCA" in the LCS.
- On the Communication Server root directory, copy the following files to the NewCA directory:
- On the NewCA directory, double-click CertConfigTool.exe to run the tool.
- Select Create a new self-signed certificate and then click Next.
- Input the Common Name and Password, and click Next. The Common Name should be the same as the Local Communication Server setting, while the password has no requirement. Once completed, the new CA is generated.
- Copy tmmsmdm-ca.pem and rename it to tmmsmdm-ca.crt.
- Log into the TMMS web console and go to Administration > Certificate Management.
- Click Add and browse for tmmsmdm-ca.crt file, then click OK. No need to enter a password.
- Under Certificate Policy of Policy For Group, tick the Enable certificate deployment option.
- Import TMMSMDM-CA, which is recently added in Step 9.
- Save the policy. The policy will then be deployed to all iOS devices.
- Make sure the certificate policy is deployed successfully.
- Go to Settings > General.
- Select Device Management.
- Click MDM Enrollment Profile and click More Details.
- Verify that the iOS device shows two (2) entries of "TMMSMDM-CA" certificates. One is for 1024-bit and another is for 2048-bit.
- Before the new CA is deployed to all enrolled iOS 12 devices, do NOT upgrade to iOS 13 and do NOT proceed to Step 15 yet. If you proceed to Step 15, all enrolled iOS 12 and below devices without successfully deploying the new CA will not be able to communicate with TMMS server, and they need to re-enroll again.
- When the upgrade is complete, back up the following files located in the Communication Server root directory:
- ca directory
- Copy the following files from the NewCA directory and paste them to the Communication Server root directory, to replace the old ones:
- ca directory
- Restart the Mobile Security Communication Server service first, and then restart the Mobile Security Management Module Service after.
- All the enrolled iOS 13 devices don't deploy the new CA yet. Please re-enroll the devices again.
The iOS 13 devices can now successfully communicate with LCS.