Certificates MDM payload settings for Apple devices
You can configure Certificates settings on iPhone, iPad, Mac, and Apple TV devices enrolled in a mobile device management (MDM) solution. Use the Certificates payloads to add certificates and an identity to the device.
The Certificates payloads support the following. For more information, see Payload information.
Supported payload identifiers: com.apple.security.pem, com.apple.security.pem1, com.apple.security.pem12, com.apple.security.root
Supported operating systems and channels: iOS, iPadOS, Shared iPad device, macOS device, macOS user, tvOS, watchOS.
Supported enrollment types: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—more than one Certificates payload can be delivered to a user or device.
You can use the settings in the table below with the Certificates payloads.
The display name for the certificate.
Certificate or identity data
iPhone, iPad, Mac, and Apple TV devices can use X.509 certificates with RSA keys. The formats and recognized file extensions are:
PKCS #12 files also include the private key and contain exactly one identity. To ensure the protection of the private key, PKCS #12 files are encrypted with a passphrase.
A passphrase that is used to secure the credentials.
Note: Each MDM vendor implements these settings differently. To learn how various Certificate settings are applied to your devices and users, consult your MDM vendor’s documentation.
When adding a certificate or identity
When you install a root certificate, you may also install the intermediate certificates to establish a chain to a trusted certificate that’s on the device. This can be important for technologies such as 802.1X. To view a list of preinstalled roots for Apple devices, For more information, see the Apple Support article List of available trusted root certificates in iOS 16, iPadOS 16, macOS 13, tvOS 16, and watchOS 9.
If the certificate or identity that you want to install is in your keychain, use Keychain Access to export it in PKCS #12 (.p12) format. Keychain Access is located in /Applications/Utilities/. For more information, see the Keychain Access User Guide.
To add an identity for use with Microsoft Exchange or Exchange ActiveSync, single sign-on, VPN, and network or Wi-Fi, use that specific payload.
When deploying a PKCS #12 (.p12 or .pfx) file, if you omit the certificate identity’s passphrase, users are asked to enter it when the profile is installed. The payload content is obfuscated but not encrypted. If you include the passphrase, be sure the profile is available only to authorized users.
Instead of installing certificates using a configuration profile, you can let users use Safari to download the certificates to their device from a webpage using that certificate (you shouldn’t host the certificate). Or you can send certificates to users in a mail message. You can also use Simple Certificate Enrollment Protocol SCEP MDM payload settings to specify how the device obtains certificates when the profile is installed.
A certificate has automatic full trust if it is:
Installed by an Apple Configurator instance that has the same supervision identity as the device
Automatically installed from a supported MDM solution
Manually installed by a payload attached to an enrollment profile from a supported MDM solution
As a best practice, avoid having users manually install certificates. Instead, make sure the Certificates payload is in the MDM enrollment profile in order to remove the step of manually trusting the certificate.