Arne Bier
VIP Advisor

BYOD not working on Apple iOS 10.3.x - CSCvd38467

Hi

If this appeared since iOS 10.3.x, why is it a Cisco bug? Can someone please provide a clear explanation of what this means to ISE 2.2 users and what has changed in iOS 10.3.x?

The 'Conditions' in the Bug ID seem to indicate that the PSNs need to install a publicly signed certificate for the purpose of BYOD onboarding.

Thanks in advance

Accepted Solutions
Jason Kunst
Cisco Employee

The bug is for documentation purposes, stating the new flow for systems without certificates signed by a well-known root.

There is nothing for us to change in the product.


3 REPLIES 3
Also, this has nothing to do with the ISE release; it's specifically an iOS 10.3 change in how Apple handles untrusted certificates.

Since Apple iOS 10.x, if you manually install a connection profile (as in BYOD) the root cert is not automatically trusted; instead you have to manually select "Enable full trust for root certificates" in Settings > General > About > Certificate Trust Settings. Then BYOD should work at the second attempt.

Apple recommend using Apple Configurator or Mobile Device Management (MDM) to install certs because root certs installed this way are automatically trusted.

There's an Apple doc (dated 2nd January 2018) explaining this - https://support.apple.com/en-us/HT204477.

So any BYOD process using a self-signed or internal root cert will run into this problem. This is why Cisco recommend using BYOD with a public cert from those already trusted by iOS - see https://support.apple.com/en-gb/HT20812 for iOS 11 or https://support.apple.com/en-gb/HT207177 for iOS 10.

So Cisco can't fix this; it's due to a change in Apple iOS.
