This article is recommended for the following users:
- Using Local Communication Server (LCS) and self-signed certificate
- Enrolled iOS 12 and below devices
Below are the possible impact of the issue:
- All enrolled iOS 12 and below devices which are upgraded to iOS 13 will have commnunication issue with LCS server.
- Upgraded iOS devices need to re-enroll to TMMS server.
- All iOS 13 devices cannot enroll successfully to LCS server.
This happens due to the new security requirements of iOS 13 for TLS server certificates. The procedure below is best to be implemented before iOS 13 release.
To resolve the issue:
- Deploy TMMS 9.8 SP2 Patch 1.
- Create a new directory named "NewCA" in the LCS.
- On the Communication Server root directory, copy the following files to the NewCA directory:
- On the NewCA directory, double-click CertConfigTool.exe to run the tool.
- Select Create a new self-signed certificate and then click Next.
- Input the Common Name and Password, which should be the same as the old credentials, and click Next. Once completed, the new CA is generated.
- Copy tmmsmdm-ca.pem and rename it to tmmsmdm-ca.crt.
- Log into the TMMS web console and go to Administration > Certificate Management.
- Click Add and browse for tmmsmdm-ca.crt file, then click OK. No need to enter a password.
- Under Certificate Policy of Policy For Group, tick the Enable certificate deployment option.
- Import TMMSMDM-CA, which is recently added in Step 9.
- Save the policy. The policy will then be deployed to all iOS devices.
- Make sure the certificate policy is deployed successfully.
- Go to Settings > General.
- Select Device Management.
- Click MDM Enrollment Profile and click More Details.
- Verify that the iOS device shows two (2) entries of "TMMSMDM-CA" certificates. One is for 1024-bit and another is for 2048-bit.
- Before the new CA is deployed to all enrolled iOS 12 devices, do NOT upgrade to iOS 13 and do NOT proceed to Step 15 yet. If you proceed to Step 15, all enrolled iOS 12 and below devices without successfully deploying the new CA will not be able to communicate with TMMS server, and they need to re-enroll again.
- When the upgrade is complete, back up the following files located in the Communication Server root directory:
- ca directory
- Copy the following files from the NewCA directory and paste them to the Communication Server root directory, to replace the old ones:
- ca directory
- Restart the Mobile Security Communication Server service first, and then restart the Mobile Security Management Module Service after.
- All the enrolled iOS 13 devices don't deploy the new CA yet. Please re-enroll the devices again.
The iOS 13 devices can now successfully communicate with LCS.