iOS 12.x devices fail to sync or enroll if ZENworks MDM Server has SHA-1 certificates

  • 7023475
  • 25-Oct-2018
  • 18-Mar-2019

Environment

ZENworks Configuration Management 2017
ZENworks Configuration Management 2017 Update 1
ZENworks Configuration Management 2017 Update 2

Situation

iOS 12 has deprecated support for SHA-1, which prevents iOS 12 devices from communicating over SSL with servers that use SHA-1 certificates.
 
Internal ZCM Certificate Authorities created prior to ZCM 11.4.0 would have been created using SHA-1 certificates.
Any internal ZCM Certificate Authority created or reminted using ZCM 11.4.0 or later would have been created using SHA-256, which is supported by iOS 12.
 
 

Resolution

ZENworks Configuration Management 2017 Update 2 or later is recommended to ensure all steps below can be completed successfully.
 
1. Verify that your Internal Certificate Authority is configured using SHA-256 instead of SHA-1. (Any Internal CA minted with ZCM 11.4.0 or later should already be SHA-256.)
If you suspect your CA is SHA-1, it is recommended to contact Micro Focus Technical Support to confirm this and to review the process.
Reminting the Certificate Authority incorrectly can break communication between all ZCM managed devices and the zone.
2. Once the Internal CA is confirmed to be SHA-256 and the ZCM Primaries are running at least ZENworks 17.2...
All new iOS 12 devices should register correctly.
Previously registered iOS devices that cease communicating after upgrading to iOS 12 may require the following steps to update their existing certificate if the device was issued a SHA-1 certificate.
  • Un-enroll the existing iOS devices with the Delete option in ZCC.
  • Enroll the existing or new iOS 12.x devices again after the CA is successfully reminted and activated on all the Primary Servers.

Reminder - An iOS profile bundle can be used to postpone the iOS update on existing devices by some days or weeks, preventing iOS 11 devices from upgrading to iOS 12 while any required updates are performed on your ZCM setup.

Additional Information

You can contact Micro Focus support if you are unable to determine whether the certificate hashing algorithm for the zone's internal self-signed CA is SHA-1.