Updated on-premise and dedicated SaaS AirWatch server security requirements for iOS 9 with AirWatch Agent 5.2
With iOS 9, Apple introduced App Transport Security (ATS), which raises the baseline TLS requirements for any app that uses the system networking libraries. To meet those requirements, AirWatch Agent 5.2 for iOS needs an updated TLS configuration on your AirWatch servers; without it the Agent cannot communicate with iOS 9 devices. This applies specifically to enrollment and communication through the AirWatch Agent. Other AirWatch iOS apps will adopt the same requirements in the future, so bring your configuration in line with the requirements below if you use any AirWatch productivity apps.
If you currently have an on-premise AirWatch deployment or a dedicated SaaS environment, make sure your servers meet the following requirements:
- The server must support TLS version 1.2 (earlier protocol versions are rejected by the Agent on iOS 9).
- Certificates must be signed with SHA-256 or a stronger algorithm. This applies to every certificate in the chain the server sends (leaf and intermediates), not only the leaf; a SHA-1 signature anywhere in that chain causes the connection to fail. ATS additionally requires an RSA key of at least 2048 bits or an EC key of at least 256 bits.
- The server must negotiate a cipher suite that uses elliptic curve Diffie-Hellman ephemeral (ECDHE) key exchange, which provides forward secrecy. The suite actually negotiated is what matters, so check the server's cipher preference order, not just whether ECDHE suites are present in its list.
Dedicated SaaS (using custom URL for enrollment or environment access):
- Ensure the SSL certificate for your custom URL is signed with SHA-256 or a stronger algorithm.
- When you are ready to update your SSL certificate, call your local AirWatch support line or submit a Support Request via myAirWatch.
In particular, the following cipher suites are supported for iOS 9 devices using AirWatch Agent 5.2:
Information on verifying your server configuration is available in our Troubleshooting: SSL Protocols and Cipher Suites article. See in particular the sections titled Identifying the Available Cipher Suites for a Server and Updating Available Protocols and Cipher Suites. If you use the Qualys SSL Labs server test, check the Handshake Simulation results and make sure the line titled iOS 9 shows a successful handshake (TLS 1.2 with an ECDHE cipher suite) rather than a protocol or cipher mismatch.
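The following script is an added example, not part of this article or of AirWatch's own tooling. It connects to a server the way an ATS client on iOS 9 would (TLS 1.2 pinned, default trust store) and reports which of the three requirements above fail: protocol version, forward-secret cipher suite, and certificate signature algorithm (read straight from the certificate's DER, so no third-party library is needed). The host name `ds.example.com` and the minimal DER skeletons used for the offline self-check are constructed placeholders, not real certificates or AirWatch endpoints.

```python
"""Check a server against the iOS 9 ATS requirements that AirWatch Agent 5.2
depends on: TLS 1.2, an ECDHE (forward-secret) cipher suite, and a SHA-256 or
better certificate signature.  Added example, not AirWatch code."""
import socket
import ssl
import sys

# Signature-algorithm OIDs that satisfy "SHA-256 or better".
OK_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# Legacy OIDs, named so the report can say what was actually found.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

# Constructed minimal DER skeletons (NOT real certificates): empty tbsCertificate,
# a signatureAlgorithm SEQUENCE, and an empty BIT STRING.  Used for offline checks.
SAMPLE_DER_SHA256 = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010b0500" "030100")
SAMPLE_DER_SHA1 = bytes.fromhex("3014" "3000" "300d06092a864886f70d0101050500" "030100")


def _der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID contents (base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def cert_signature_oid(der):
    """OID of the outer signatureAlgorithm of a DER X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, start, _ = _der_tlv(der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = _der_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = _der_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _der_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID inside signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])


def evaluate(version, cipher_name, sig_oid):
    """Apply the three ATS requirements; return a list of failures (empty = pass)."""
    failures = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        failures.append(f"negotiated {version}; TLS 1.2 is required")
    # TLS 1.3 suites are always ephemeral; for TLS 1.2 the OpenSSL name must show ECDHE.
    if version != "TLSv1.3" and not cipher_name.startswith("ECDHE-"):
        failures.append(f"negotiated {cipher_name}, not an ECDHE suite (no forward secrecy)")
    if sig_oid not in OK_SIG_OIDS:
        found = WEAK_SIG_OIDS.get(sig_oid, sig_oid)
        failures.append(f"certificate signed with {found}; SHA-256 or better is required")
    return failures


def probe(host, port=443, timeout=10):
    """Handshake like an ATS client (TLS 1.2 only, chain validated against the
    system trust store) and return (version, cipher_name, leaf_signature_oid)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version, cipher_name = tls.version(), tls.cipher()[0]
            der = tls.getpeercert(binary_form=True)
    return version, cipher_name, cert_signature_oid(der)


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no host given: offline self-check on the constructed skeletons
        print("sha256 skeleton:", evaluate("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256",
                                           cert_signature_oid(SAMPLE_DER_SHA256)))
        print("sha1 skeleton:  ", evaluate("TLSv1.0", "AES128-SHA",
                                           cert_signature_oid(SAMPLE_DER_SHA1)))
        sys.exit(0)
    host = sys.argv[1]  # e.g. ds.example.com (assumed placeholder, use your Device Services host)
    try:
        problems = evaluate(*probe(host))
    except ssl.SSLError as exc:  # no TLS 1.2, no acceptable cipher, or untrusted chain
        print(f"{host}: handshake failed ({exc}); the Agent would report an SSL error")
        sys.exit(1)
    print(f"{host}: " + ("meets the iOS 9 requirements" if not problems else "; ".join(problems)))
    sys.exit(1 if problems else 0)
```

Run it with the host name the Agent actually connects to (typically your Device Services URL). Two caveats: the script reads the signature algorithm of the leaf certificate only, so inspect the intermediates your server sends as well, since a SHA-1 intermediate also fails ATS; and a handshake that fails before `evaluate` runs is exactly the condition under which the Agent shows the SSL error described below, so treat that outcome as a failed check rather than a script error.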
If the AirWatch Agent cannot establish a connection that meets these requirements, the device shows the error message "An SSL error has occurred and a secure connection to the server cannot be made." This is the generic iOS ATS failure, so verify the server configuration using the steps above before troubleshooting the device.
In cases where a device is already enrolled and the Agent is then pushed in a managed state, you may instead see the error message "After a delete and re-install, you must have an active internet connection to your device management server before we can continue." The underlying cause is the same failed connection.