
Certificates MDM payload settings for Apple devices
You can configure Certificates settings on iPhone, iPad, Mac and Apple TV devices enrolled in a mobile device management (MDM) solution. Use the Certificates payload to add certificates and an identity to the device.
OS and channel | Supported enrolment types | Interaction | Duplicates |
---|---|---|---|
iOS, iPadOS, tvOS, macOS device, macOS user | User, Device, Automated Device | Combined | Multiple |
Setting | Description | Required |
---|---|---|
Certificate name | The display name for the certificate. | Yes |
Certificate or identity data | iPhone, iPad, Mac and Apple TV devices can use X.509 certificates with RSA keys. The formats and recognised file extensions are:
PKCS12 files also include the private key and contain exactly one identity. To ensure the protection of the private key, PKCS12 files are encrypted with a passphrase. | Yes |
Passphrase | A passphrase that is used to secure the credentials. | No |
When adding a certificate or identity
When you install a root certificate, you may also need to install the intermediate certificates that complete the chain from the leaf certificate to a root already trusted on the device; without them, validation fails even though the root is present. This matters for technologies such as 802.1X. To view a list of pre-installed roots for Apple devices, see the Apple Support articles:
If the certificate or identity you want to install is in your keychain, use Keychain Access to export it in .p12 format. Keychain Access is located in /Applications/Utilities/. See the Keychain Access User Guide.
To add an identity for use with Microsoft Exchange or Exchange ActiveSync, single sign-on, VPN, or a network or Wi-Fi connection, use that service's own payload rather than the Certificates payload.
When deploying a PKCS12 file, if you omit the identity’s passphrase, users are asked to enter it when the profile is installed. If you include the passphrase, it is stored in the profile as a plain value: the payload content is obfuscated, but not encrypted, so anyone who can read the profile can recover the passphrase and, with it, the private key inside the PKCS12 file. If you include the passphrase, make sure the profile is available only to authorised users.
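The following is an added example, not code from Apple's documentation, showing what a Certificates payload looks like inside a configuration profile and how easily an embedded PKCS12 passphrase can be read back out of an unsigned, unencrypted profile. It uses only the Python standard library; the certificate and PKCS12 blobs are constructed placeholder bytes, not real DER or PKCS#12 data, and `com.example` is an assumed organisation identifier.

```python
"""Build and audit an Apple configuration profile carrying Certificates payloads.

Added example (not Apple's code). Standard library only. The byte strings
below are constructed placeholders standing in for real .cer and .p12 files.
"""
import plistlib
import uuid

# Constructed placeholders: NOT real DER / PKCS#12 content.
FAKE_ROOT_DER = b"\x30\x82\x01\x00constructed-root-ca-der-placeholder"
FAKE_IDENTITY_P12 = b"\x30\x82\x01\x00constructed-identity-p12-placeholder"

# Apple Certificates payload types (PayloadType values).
ROOT = "com.apple.security.root"      # DER-encoded CA certificate
PKCS12 = "com.apple.security.pkcs12"  # identity: certificate plus private key


def certificate_payload(payload_type, display_name, file_name, data,
                        org="com.example", passphrase=None):
    """Return one Certificates payload dictionary.

    'Password' is only meaningful for PKCS12 payloads. When it is omitted the
    device prompts the user for the passphrase at profile installation.
    """
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.cert.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": file_name,
        "PayloadContent": data,  # serialised as <data> (base64) in the plist
    }
    if passphrase is not None:
        payload["Password"] = passphrase
    return payload


def build_profile(payloads, org="com.example", name="Certificates"):
    """Wrap payloads in a top-level profile and serialise it as an XML plist,
    i.e. the bytes of an unsigned .mobileconfig file."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.certificates",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": org,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Report every PKCS12 payload in a .mobileconfig and whether its passphrase
    travels inside the profile. The base64 <data> is only an encoding, and the
    'Password' key is a plain <string>, so whoever can read the profile can
    unlock the bundled private key."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PKCS12:
            continue
        finding = {
            "payload": payload.get("PayloadDisplayName", "<unnamed>"),
            "file": payload.get("PayloadCertificateFileName"),
            "p12_bytes": len(payload.get("PayloadContent", b"")),
        }
        if "Password" in payload:
            finding["status"] = "passphrase embedded in profile"
            finding["passphrase"] = payload["Password"]
        else:
            finding["status"] = "user prompted for passphrase at install"
        findings.append(finding)
    return findings


def demo():
    """Build a two-payload profile (root CA plus identity with an embedded
    passphrase) and audit it."""
    profile = build_profile([
        certificate_payload(ROOT, "Corp Root CA", "corp-root.cer", FAKE_ROOT_DER),
        certificate_payload(PKCS12, "Wi-Fi identity", "wifi.p12",
                            FAKE_IDENTITY_P12, passphrase="hunter2"),
    ])
    return profile, audit_profile(profile)


if __name__ == "__main__":
    profile, findings = demo()
    print(profile.decode())
    for f in findings:
        print(f)
```

Run the audit over any profile your MDM exports before distributing it; a finding of "passphrase embedded in profile" means the profile must be treated as a secret and delivered only through the MDM channel to the intended device.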
Instead of installing certificates using a configuration profile, you can let users use Safari to download the certificates to their device from a web page using that certificate (you shouldn’t host the certificate). Or you can send certificates to users in a mail message. You can also use the Simple Certificate Enrolment Protocol (SCEP) MDM payload settings to specify how the device obtains certificates when the profile is installed.
Certificate trust
A certificate has automatic full trust if it is:
Installed by an Apple Configurator 2 instance that has the same supervision identity as the device.
Automatically installed from Profile Manager or another supported MDM solution.
Manually installed by a payload attached to an enrolment profile from Profile Manager or another supported MDM solution.
As a best practice, avoid having users manually install certificates. A root certificate that a user installs by hand on iPhone or iPad is not trusted for SSL until the user also enables it under Certificate Trust Settings, and users routinely miss that step. Put the Certificates payload in the MDM enrolment profile instead, so the certificate is trusted automatically and no manual trust step is required.