Certificates MDM payload settings for Apple devices
You can configure Certificates settings on iPhone, iPad, Mac, and Apple TV devices enrolled in a mobile device management (MDM) solution. Use the Certificates payload to add certificates and an identity to the device.
OS and channel
Supported enrollment types
The display name for the certificate.
Certificate or identity data
iPhone, iPad, Mac, and Apple TV devices can use X.509 certificates with RSA keys. The formats and recognized file extensions are:
PKCS12 files also include the private key and contain exactly one identity. To ensure the protection of the private key, PKCS12 files are encrypted with a passphrase.
A passphrase that is used to secure the credentials.
When adding a certificate or identity
When you install a root certificate, you may also install the intermediate certificates to establish a chain to a trusted certificate that’s on the device. This can be important for technologies such as 802.1X. To view a list of preinstalled roots for Apple devices, see the Apple Support articles:
If the certificate or identity that you want to install is in your keychain, use Keychain Access to export it in .p12 format. Keychain Access is located in /Applications/Utilities/. See the Keychain Access User Guide.
To add an identity for use with Microsoft Exchange or Exchange ActiveSync, single sign-on, VPN, and network or Wi-Fi, use that specific payload.
When deploying a PKCS12 file, if you omit the certificate identity’s passphrase, users are asked to enter it when the profile is installed. The payload content is obfuscated, but not encrypted. If you include the passphrase, be sure the profile is available only to authorized users.
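An added example (not from Apple's documentation): a Python check that parses an unsigned configuration profile and reports which PKCS12 identity payloads carry an embedded passphrase and which will prompt the user at install time. The sample profile, its display names and the placeholder certificate bytes are constructed; the payload type strings and the `Password` key are Apple's Certificates payload keys, which this page does not list, and a signed profile would need its signature wrapper removed first.

```python
import plistlib

# Payload types used by the Certificates payload (Apple device management keys).
CERT_TYPES = {
    "com.apple.security.root": "root certificate",
    "com.apple.security.pkcs1": "PKCS1 certificate",
    "com.apple.security.pem": "PEM certificate",
    "com.apple.security.pkcs12": "PKCS12 identity",
}

def audit_profile(profile_bytes):
    """Return one finding per certificate payload in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in CERT_TYPES:
            continue
        is_identity = ptype == "com.apple.security.pkcs12"
        # The passphrase, if present, is an ordinary readable string in the plist.
        has_pw = is_identity and bool(payload.get("Password"))
        findings.append({
            "name": payload.get("PayloadDisplayName", "(unnamed)"),
            "kind": CERT_TYPES[ptype],
            "embedded_passphrase": has_pw,
            # Without a Password key the user is asked for it at install time.
            "prompts_user": is_identity and not has_pw,
        })
    return findings

def build_sample_profile():
    """Constructed sample: one root and two identities with placeholder bytes."""
    def cert(ptype, name, **extra):
        return {"PayloadType": ptype, "PayloadDisplayName": name,
                "PayloadContent": b"\x30\x82placeholder", **extra}
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Constructed example profile",
        "PayloadContent": [
            cert("com.apple.security.root", "Example Root CA"),
            cert("com.apple.security.pkcs12", "Wi-Fi identity",
                 Password="constructed-passphrase"),
            cert("com.apple.security.pkcs12", "VPN identity"),
        ],
    })

if __name__ == "__main__":
    for f in audit_profile(build_sample_profile()):
        flag = "REVIEW: passphrase in profile" if f["embedded_passphrase"] else "ok"
        print(f'{f["name"]:<18} {f["kind"]:<18} {flag}')
```

Any profile flagged this way should be distributed only through channels restricted to authorized users, since the passphrase and the identity travel in the same file.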
Instead of installing certificates using a configuration profile, you can let users use Safari to download the certificates to their device from a webpage using that certificate (you shouldn’t host the certificate). Or you can send certificates to users in a mail message. You can also use the Simple Certificate Enrollment Protocol (SCEP) MDM payload settings to specify how the device obtains certificates when the profile is installed.
A certificate has automatic full trust if it is:
Installed by an Apple Configurator 2 instance that has the same supervision identity as the device.
Automatically installed from Profile Manager or another supported MDM solution.
Manually installed by a payload attached to an enrollment profile from Profile Manager or another supported MDM solution.
As a best practice, avoid having users manually install certificates. Put the Certificates payload in the MDM enrollment profile to remove the step of manually trusting the certificate.