Sign configuration profiles in Profile Manager
Profile Manager can sign profiles using a self-signed certificate generated by you, or one with an established chain of trust. This prevents the possible tampering of profiles before they’re installed on the device.
Note: After a device is associated with Profile Manager, the device trusts any profiles downloaded from Profile Manager. It’s necessary to sign only configuration profiles that will be manually downloaded and installed.
Open the Server app, click Profile Manager, then select Sign Configuration Profiles.
A dialog appears, asking you to select your certificate or import one. If you’ve already enabled device management, select your certificate in the list.
Optionally, import a certificate.
If you choose import, you’re asked for three things: your private key, public certificate, and any nonidentity certificates. The nonidentity certificates are optional.