Solved

Can not remove SSL certificate on iPhone 6 - iOS10.2

Posted on 2016-10-19
Last Modified: 2016-10-31
Only one iPhone is having this issue.
We manage access to our email and internal site via SSL certificates.
These are installed through Airwatch MDM profiles.

Usually, if I remove an iPhone from Airwatch, it will delete all certificates and profiles on that device.
However, for this phone, it appears that all certificates are removed (Settings -> General -> Profiles does not exist) but the phone can still access the internal site.

If I clear out Safari's history and website data and I then try to access the site, it will prompt for the certificate by name (user@domain.com) and selecting it opens the site.

List of what I've tried to remove this certificate:
- Go to Settings -> General -> Profiles (this option does not exist)
- Clear out History and Website Data for Safari
- Reset Network Settings
- Reset All Settings

An annoyance caused by this is that when I install the Email profile which contains the certificate from Airwatch, the device now has two of the same certificate. So whenever the user attempts accessing the site, he is prompted to select which of the two he wants.
This prompt also appears if the site has been unused for about 5 - 10 minutes.

Any ideas on how I could either:
1. Remove the duplicate certificate stored on the device or
2. Force Safari to use one of the certificates without prompting the user
Question by:SeeDk
12 Comments
 

Expert Comment

by:Steven Wallace
What iOS version is the iPhone?

Author Comment

by:SeeDk
It is version 10.0.2

Expert Comment

by:ArneLovius
I would guess that the phone has had the certificate deployed by some other means.

I would probably wipe the phone and re-provision from scratch, not restoring a backup. This would, however, dump text messages etc., which may not be desired.

Expert Comment

by:btan
The certificate should be gone if the profile it goes with is removed. I suspect the SSL certificate is tied to no profile, hence removal of the profile will not work in such cases. So I am thinking the manual removal is as follows:

-Delete the SSL certificate by going to Settings → General → Reset → Network Settings.

But for profile-based removal, the manual means is below, on top of the MDM command.

-On your iPhone, click on the "Settings" icon in the main menu screen. Select "General" from the list of options that appear in the drop-down menu.

-Select "Profiles" from the list of options that appear and a list of all the certificates on your iPhone will appear on screen.

-Scroll through the list of certificates until you come to the one you would like to remove from your iPhone and click the "Remove" button on the screen. The certificate will then be removed. Repeat the process for any other certificates you would like to remove.

Another check is maybe to try SSL Detective to see all the certificates and confirm if there are indeed duplicates:

https://twocanoes.com/products/ios/ssl-detective

Author Comment

by:SeeDk
@ArneLovius
Not sure what other means it could be unless someone tampered with his phone. Yeah, I considered deleting everything as a last resort. This is very undesirable though, since even restoring from a backup can't be done.

@btan
It is definitely tied to a profile. I can see the profile and attached certificate in the Airwatch admin console.
I also see it in Settings -> General -> Profiles when the profile is installed on the phone.
However, when the profile is removed, Settings -> General -> Profiles does not exist anymore.
It was also not showing in SSL detective when the profile is removed. The device can still access the internal site though.
On a different iPhone with the same iOS, when I remove the profile, the internal site is no longer accessible because the certificate is completely removed as expected.

Expert Comment

by:btan
It looks like the device has some caching at the network. I suggested the below in my last post. But note that this also resets the rest of your network settings. Maybe better to move forward with this, and if it still recurs then better to take the last resort of resetting the device.

Delete the SSL certificate by going to Settings → General → Reset → Network Settings.

Author Comment

by:SeeDk
I already tried both
Reset Network Settings
Reset All Settings

and the certificate still remains...somewhere.

Expert Comment

by:btan
Suggest revoking the existing certificate and pushing down another new certificate instead. If the login is still possible (given some time for the revoked cert to be published) then attempting to delete will not make any difference.

Author Comment

by:SeeDk
When I revoke the certificate, it only breaks access to the email (since the email profile uses the same certificate as the site).
But the cached certificate still exists, since the phone can still access the site.

It seems I've completely lost access to the cached certificate from Airwatch.

Expert Comment

by:btan
If another new profile (for another user) is created for this device, the email connection is re-established and the profile is then removed, will the connection be disallowed as desired? If it is the same, I do suggest rebuilding this device instead, since even the AirWatch unenroll of the device did not remove the certificate as expected.

Author Comment

by:SeeDk
It is the same. Fortunately, the user will be getting a new phone soon so we will just wipe the device after that if no other solution is found.

Accepted Solution

by:btan (earned 500 total points)
Thanks for sharing. It seems the time to find the root cause is not worthwhile, and a rebuild may still be the way eventually if the device is going to be reused.