Certificate Transparency Policy for TLS certificates in iOS 12.1.1 and macOS 10.14.2

As of WWDC 2018 in June of this year, Apple confirmed that publicly trusted Transport Layer Security (TLS) server authentication certificates issued after October 15, 2018 must meet its Certificate Transparency (CT) policy to be evaluated as trusted on Apple platforms.

Certificates that do not comply with this policy will cause the TLS connection to fail, which can break an app's connection to Internet services or Safari's ability to connect seamlessly. This can affect your MDM server connection for on-premises servers, as well as Exchange or Tunnel servers that use TLS server certificates.

Apple has further confirmed that this change is enforced starting with its next round of beta OS releases, iOS 12.1.1. As a reminder, please ensure that your organization's TLS certificates and certificate authorities adhere to the policy outlined above.

If you are unsure whether your TLS certificates meet these criteria, or are unable to confirm it, Apple's published Certificate Transparency policy is the place to start.

iOS 12.1.1 allows MDM to install a Certificate Transparency payload that disables this requirement for specific hosts or certificates. The Custom XML is provided below; a full component for this payload is scheduled for a future Workspace ONE release. Please review Apple's Configuration Profile Reference for details on generating the required SHA hashes to include.


<?xml version="1.0" encoding="UTF-8"?>
<array>
   <dict>
      <key>DisabledForCerts</key>
      <array>
         <dict>
            <key>Algorithm</key>
            <string>sha256</string>
            <key>Hash</key>
            <data>DFTubUV7QQwESTG6kzI2g7qQSWnhuO0/Yj8EVIiKCEk=</data>
         </dict>
      </array>
      <key>DisabledForDomains</key>
      <array>
         <string>example.com</string>
         <string>.example.net</string>
      </array>
      <key>PayloadDescription</key>
      <string>Contains Certificate Transparency exceptions for domains or certs that do not use CT</string>
      <key>PayloadDisplayName</key>
      <string>Certificate Transparency</string>
      <key>PayloadIdentifier</key>
      <string>com.example.ctexceptions.A764D729-D96C-4881-80BA-3B22D08CC9E3</string>
      <key>PayloadOrganization</key>
      <string>Example Inc.</string>
      <key>PayloadType</key>
      <string>com.apple.security.certificatetransparency</string>
      <key>PayloadUUID</key>
      <string>A764D729-D96C-4881-80BA-3B22D08CXXXX</string> <!--Edit the four trailing XXXXs to a random four characters-->
      <key>PayloadVersion</key>
      <integer>1</integer>
   </dict>
</array>
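The Hash value in a DisabledForCerts entry is not a hash of the whole certificate: Apple's Configuration Profile Reference specifies the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, base64-encoded. It is the same value the OpenSSL pipeline `openssl x509 -pubkey -noout -in cert.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` produces. The script below is an added example from this editor, not Workspace ONE or Apple code; it walks the DER structure with only the Python standard library, extracts that field from a PEM or DER certificate, and prints the value to paste into the `<data>` element. Because the version field is optional in the TBSCertificate, the parser handles both v1 and v3 certificates. The certificate, key material and names it builds for self-testing are constructed placeholders, not a real key.

```python
"""Compute the base64(SHA-256(SubjectPublicKeyInfo)) value for a DisabledForCerts entry."""
import base64
import hashlib
import sys


def _read_tlv(buf, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end). Handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _elements(buf, start, end):
    """Yield (tag, element_start, element_end) for each element packed in buf[start:end]."""
    pos = start
    while pos < end:
        tag, _, value_end = _read_tlv(buf, pos)
        yield tag, pos, value_end
        pos = value_end


def load_certificate(data):
    """Accept a certificate as DER bytes or PEM (str or bytes); return its DER bytes."""
    if isinstance(data, str):
        data = data.encode("ascii")
    if b"-----BEGIN" in data:
        body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def spki_from_der_certificate(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo, SEQUENCE header included."""
    tag, tbs_pos, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, tbs_end = _read_tlv(cert_der, tbs_pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_elements(cert_der, tbs_start, tbs_end))
    # TBSCertificate: [0] version (optional, absent in v1), serialNumber, signature,
    # issuer, validity, subject, subjectPublicKeyInfo, ...
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    _, spki_start, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def sha256_b64(data):
    """Base64 of SHA-256(data): the encoding the payload's <data> element carries."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def apple_ct_hash(cert_der):
    """Hash value for a DisabledForCerts entry whose Algorithm is sha256."""
    return sha256_b64(spki_from_der_certificate(cert_der))


# --- constructed sample data for self-testing; not a real certificate or key ------------
def _der(tag, content):
    """Minimal DER encoder used only to build the sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


_RSA_OID = bytes.fromhex("06092a864886f70d010101")          # OID rsaEncryption
_SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # OID sha256WithRSAEncryption
_NULL = _der(0x05, b"")


def _sample_spki():
    modulus = b"\x00\xc3" + bytes(range(254))   # placeholder 256-byte "modulus", not a real key
    rsa_public_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    return _der(0x30, _der(0x30, _RSA_OID + _NULL) + _der(0x03, b"\x00" + rsa_public_key))


def _sample_certificate(spki, v3=True):
    name = _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"ct-example"))))
    validity = _der(0x30, _der(0x17, b"181015000000Z") + _der(0x17, b"191015000000Z"))
    tbs = _der(0x02, b"\x01") + _der(0x30, _SHA256_RSA_OID + _NULL) + name + validity + name + spki
    if v3:
        tbs = _der(0xA0, _der(0x02, b"\x02")) + tbs   # explicit version field, only present in v3
    signature = _der(0x03, b"\x00" + bytes(256))        # placeholder signature bits
    return _der(0x30, _der(0x30, tbs) + _der(0x30, _SHA256_RSA_OID + _NULL) + signature)


SAMPLE_SPKI = _sample_spki()
SAMPLE_CERT_V3 = _sample_certificate(SAMPLE_SPKI, v3=True)
SAMPLE_CERT_V1 = _sample_certificate(SAMPLE_SPKI, v3=False)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_V3)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python ct_hash.py server.pem [more certificates...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, apple_ct_hash(load_certificate(f.read())))
```

Run it against each server certificate that needs an exception and paste the printed value into its own DisabledForCerts `<dict>`. Because the hash covers only the public key, the exception survives a re-issue of the certificate with the same key pair but stops matching when the key is rotated. For DisabledForDomains, an entry with a leading period (such as `.example.net` above) also covers every subdomain, so keep such entries limited to the hosts that actually need the exception.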


Support Contact Information

To receive support, either submit a ticket via the My Workspace ONE portal or call your local support line.


Best Regards,

The VMware Workspace ONE Team
