Solved

Cannot remove SSL certificate on iPhone 6 - iOS10.2

Posted on 2016-10-19
12
286 Views
Last Modified: 2016-10-31
Only one iPhone is having this issue.
We manage access to our email and internal site via SSL certificates.
These are installed through Airwatch MDM profiles.

Usually, if I remove an iPhone from Airwatch, it will delete all certificates and profiles on that device.
However, for this phone, it appears that all certificates are removed (Settings -> General -> Profiles does not exist) but the phone can still access the internal site.

If I clear out Safari's history and website data and I then try to access the site, it will prompt for the certificate by name (user@domain.com) and selecting it opens the site.

List of what I've tried to remove this certificate:
Go to Settings -> General -> Profiles (this option does not exist)
Clear out History and Website Data for Safari
Reset Network Settings
Reset All Settings

An annoyance caused by this is that when I install the Email profile which contains the certificate from Airwatch, the device now has two of the same certificate. So whenever the user attempts to access the site, he is prompted to select which of the two he wants.
This prompt also appears if the site has been unused for about 5 - 10 minutes.

Any ideas on how I could either:
1. Remove the duplicate certificate stored on the device or
2. Force Safari to use one of the certificates without prompting the user
0
Question by:SeeDk
12 Comments
 
LVL 3

Expert Comment

by:Steven Wallace
ID: 41851357
What iOS version is the iPhone?
0
 

Author Comment

by:SeeDk
ID: 41851901
It is version 10.0.2
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 41859640
I would guess that the phone has had the certificate deployed by some other means.

I would probably wipe the phone and re-provision from scratch, not restoring a backup; this would, however, dump text messages etc., which may not be desired.
0
 
LVL 62

Expert Comment

by:btan
ID: 41859889
The certificate should be gone if the profile it goes with is removed. I suspect the SSL certificate is tied to no profile, hence removal of the profile will not work in such cases. So I am thinking the manual removal is as follows:

-Delete the SSL certificate by going to Settings → General → Reset → Network Settings.

But for profile-based removal, the manual means is below, on top of the MDM command.

-On your iPhone, click on the "Settings" icon in the main menu screen. Select "General" from the list of options that appear in the drop-down menu.

-Select "Profiles" from the list of options that appear and a list of all the certificates on your iPhone will appear on screen.

-Scroll through the list of certificates until you come to the one you would like to remove from your iPhone and click the "Remove" button on the screen. The certificate will then be removed. Repeat the process for any other certificates you would like to remove.

Another check is maybe to try SSL Detective to see all the certificates and confirm whether there are indeed duplicates:

https://twocanoes.com/products/ios/ssl-detective
0
 

Author Comment

by:SeeDk
ID: 41860201
@ArneLovius
Not sure what other means it could be unless someone tampered with his phone. Yeah, I considered deleting everything as a last resort. This is very undesirable though, since even restoring from a backup can't be done.

@btan
It is definitely tied to a profile. I can see the profile and attached certificate in the Airwatch admin console.
I also see it in Settings -> General -> Profiles when the profile is installed on the phone.
However, when the profile is removed, Settings -> General -> Profiles does not exist anymore.
It was also not showing in SSL detective when the profile is removed. The device can still access the internal site though.
On a different iPhone with the same iOS, when I remove the profile, the internal site is no longer accessible because the certificate is completely removed as expected.
0
 
LVL 62

Expert Comment

by:btan
ID: 41860264
It looks like the device has some caching at the network level. I suggested this in my last post, see below. But note that this also resets the rest of your network settings. Maybe it is better to move forward with this, and if it still recurs, then take the last resort of resetting the device.

Delete the SSL certificate by going to Settings → General → Reset → Network Settings.
0
 

Author Comment

by:SeeDk
ID: 41860295
I already tried both
Reset Network Settings
Reset All Settings

and the certificate still remains... somewhere.
0
 
LVL 62

Expert Comment

by:btan
ID: 41860524
Suggest revoking the existing certificate and pushing down another new certificate instead. If the login is still possible (given some time for the revoked cert to be published), then attempting to delete will not make any difference.
0
 

Author Comment

by:SeeDk
ID: 41860832
When I revoke the certificate, it only breaks access to the email (since the email profile uses the same certificate as the site).
But the cached certificate still exists, since the phone can still access the site.

It seems I've completely lost access to the cached certificate from Airwatch.
0
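The exchange above turns on a detail worth checking on the server side: if a client certificate has been revoked at the CA but the site still accepts it, the site is not enforcing revocation, and no amount of deleting on the device changes that. The following script is an added example (not from this thread, AirWatch, or Apple) that builds a throwaway demo PKI with the openssl CLI, issues a client certificate for user@domain.com, revokes it, publishes a CRL, and then shows the difference between a verifier that ignores revocation and one that checks the CRL. All paths, names and key sizes are constructed for the demo; it assumes only that the `openssl` command is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: demo CA + revoked client cert + CRL,
# then verify the cert with and without revocation checking.
# Everything here (directory, CN, key sizes, validity) is constructed for the demo.
set -e

# Build the demo PKI in $1 (recreated from scratch on every call):
#   ca.pem/ca.key      self-signed "Demo MDM CA"
#   client.pem         client cert issued to user@domain.com, then revoked
#   crl.pem            CRL published by the CA after the revocation
make_demo_pki() {
    DIR=$1
    rm -rf "$DIR" && mkdir -p "$DIR"

    # Minimal 'openssl ca' configuration: an index database plus the CA key/cert.
    cat > "$DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $DIR/index.txt
certificate      = $DIR/ca.pem
private_key      = $DIR/ca.key
default_md       = sha256
default_crl_days = 30
EOF
    : > "$DIR/index.txt"

    # Self-signed demo CA and a client certificate for the user.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo MDM CA" -keyout "$DIR/ca.key" -out "$DIR/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=user@domain.com" -keyout "$DIR/client.key" -out "$DIR/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$DIR/client.csr" -CA "$DIR/ca.pem" \
        -CAkey "$DIR/ca.key" -CAcreateserial -out "$DIR/client.pem" 2>/dev/null

    # Revoke the client cert (as the CA/MDM operator would) and publish the CRL.
    openssl ca -config "$DIR/ca.cnf" -revoke "$DIR/client.pem" 2>/dev/null
    openssl ca -config "$DIR/ca.cnf" -gencrl -out "$DIR/crl.pem" 2>/dev/null
}

# A verifier that trusts the CA but never looks at revocation: succeeds (status 0)
# for the revoked cert, which is the behaviour the asker observed on the site.
#   $1 = client cert, $2 = CA cert
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# The same verifier with CRL checking enabled: the CA cert and CRL are loaded
# together as the trust file, and the revoked cert now fails (status 1).
#   $1 = client cert, $2 = CA cert, $3 = CRL
cert_accepted_with_crl_check() {
    cat "$2" "$3" > "$2.with-crl"
    openssl verify -crl_check -CAfile "$2.with-crl" "$1" 2>&1 | grep -q ': OK$'
}

WORK=$(mktemp -d)
make_demo_pki "$WORK"
if cert_chains_to_ca "$WORK/client.pem" "$WORK/ca.pem"; then
    echo "no revocation checking: revoked cert for user@domain.com is still accepted"
fi
if ! cert_accepted_with_crl_check "$WORK/client.pem" "$WORK/ca.pem" "$WORK/crl.pem"; then
    echo "with CRL checking: revoked cert is rejected"
fi
```

The second result is what a revocation should look like from the server's point of view: once the web server (or the reverse proxy terminating TLS) is configured to load the CA's current CRL, or to query OCSP, a revoked client certificate stops working regardless of which copies of it remain cached on a device.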
 
LVL 62

Expert Comment

by:btan
ID: 41861437
If another new profile (for another user) is created for this device, the email connection is re-established and the profile is then removed, will the connection be disallowed as desired? If it is the same, I do suggest rebuilding this device instead, since even AirWatch unenrolling the device did not remove the certificate as expected.
0
 

Author Comment

by:SeeDk
ID: 41866965
It is the same. Fortunately, the user will be getting a new phone soon so we will just wipe the device after that if no other solution is found.
0
 
LVL 62

Accepted Solution

by:btan (earned 500 total points)
ID: 41867053
Thanks for sharing; it seems the time to find the root cause is not worthwhile, and a rebuild may still be the way eventually if the device is going to be reused.
0
