Replace / Update Apple signing certificate to resolve profile service “Not Verified” when enrolling an iOS device on Blackberry UEM

If you enroll your very first iOS device on Blackberry UEM after it is implemented (you can check out my series on implementation by clicking here), you may notice that the device profile is Not Verified.

appleprofile1.jpg

Per Blackberry KB, this is the expected behavior as out of the box Apple profile signing certificate is self-signed. This is somewhat similar to another use case I shared via this blog post except this is not ideal since it has user-facing component.

Blackberry offers two solutions:

  1. The user must browse to https://.bbsecure.com:443//ca to download the CA certificate with both country code and SRP Identifier and save it to the iOS device (i.e. https://us.bbsecure.com/your_SRP_ID/ca)
  2. You can create your own self-sign certificate and then get it signed by an Apple (iOS) trusted root certificate, or you can buy your own certificate. Please check the following link for further information https://support.apple.com/en-ca/HT204132

Solution 1 will only result in many unhappy users due to the steps involved no matter how small they may seem. Since I have a wildcard certificate from a 3rd party Certificate Authority, I resolved the issue with solution 2.

*Please note: If you deploy Blackberry UEM in the cloud instead of on-premise, solution 2 will not be available at all.

In summary, the steps required for solution 2 are:

  • Take a snapshot of the UEM virtual machine (or export existing cert on the server)
  • Log onto UEM web console
  • Go to Settings -> Infrastructure -> Server certificates
  • Browse to Apple profile signing certificate
  • Click View Details and Replace certificate
  • Upload certificate
  • Restart Blackberry UEM Core service

Let’s get started!

Go to Settings -> Infrastructure -> Server certificatesThen, browse to Apple profile signing certificate. Click View Details.

appleprofile2.jpg

Under Apple profile signing certificate, click Replace certificate.

appleprofile3.jpg

appleprofile4.jpgappleprofile10.jpgappleprofile6.jpgappleprofile7.jpg

If the incorrect password is entered when replacing the certificate, you will get the error below.

appleprofile8.jpg

Going forward, you should see Verified when enrolling the iOS device with Blackberry UEM.

appleprofile9.jpg

As always, stay mobile!

3 comments

  1. So I need to worry about the deactivating devices? The “Warning” about users may need to reactivate? That’s a little concerning since I have users already on.

    Thanks

    Like

    • You don’t need to re-activate any device prior to and after making this change as users hardly notice this setting anyway. However, I recommend making this change for best pratice.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.