SeeDk

Can not remove SSL certificate on iPhone 6 - iOS10.2

Only one iPhone is having this issue.
We manage access to our email and internal site via SSL certificates.
These are installed through Airwatch MDM profiles.

Usually, if I remove an iPhone from Airwatch, it will delete all certificates and profiles on that device.
However, for this phone, it appears that all certificates are removed (Settings -> General -> Profiles does not exist) but the phone can still access the internal site.

If I clear out Safari's history and website data and I then try to access the site, it will prompt for the certificate by name (user@domain.com) and selecting it opens the site.

List of what I've tried to remove this certificate:
- Go to Settings -> General -> Profiles (this option does not exist)
- Clear out History and Website Data for Safari
- Reset Network Settings
- Reset All Settings

An annoyance caused by this is that when I install the Email profile which contains the certificate from Airwatch, the device now has two of the same certificate. So whenever the user attempts accessing the site, he is prompted to select which of the two he wants.
This prompt also appears if the site has been unused for about 5 - 10 minutes.

Any ideas on how I could either:
1. Remove the duplicate certificate stored on the device or
2. Force Safari to use one of the certificates without prompting the user

Steven Wallace

What iOS version is the iPhone?
SeeDk

ASKER

It is version 10.0.2

ArneLovius
I would guess that the phone has had the certificate deployed by some other means.

I would probably wipe the phone and reprovision from scratch, not restoring a backup; this would, however, dump text messages etc., which may not be desired.

The certificate should be gone if the profile that goes with it is removed. I suspect the SSL certificate is tied to no profile, hence removal of the profile will not work in such cases. So I am thinking the manual removal is as follows:

- Delete the SSL certificate by going to Settings → General → Reset → Network Settings.

But for profile-based removal, the manual means is below, on top of the MDM command.

- On your iPhone, click on the "Settings" icon in the main menu screen. Select "General" from the list of options that appear in the drop-down menu.

- Select "Profiles" from the list of options that appear and a list of all the certificates on your iPhone will appear on screen.

- Scroll through the list of certificates until you come to the one you would like to remove from your iPhone and click the "Remove" button on the screen. The certificate will then be removed. Repeat the process for any other certificates you would like to remove.

Another check is to maybe try SSL Detective to see all the certificates and confirm whether there are indeed duplicates:

https://twocanoes.com/products/ios/ssl-detective

SeeDk

ASKER

@ArneLovius
Not sure what other means it could be unless someone tampered with his phone. Yeah, I considered deleting everything as a last resort. This is very undesirable though, since even restoring from a backup can't be done.

@btan
It is definitely tied to a profile. I can see the profile and attached certificate in the Airwatch admin console.
I also see it in Settings -> General -> Profiles when the profile is installed on the phone.
However, when the profile is removed, Settings -> General -> Profiles does not exist anymore.
It was also not showing in SSL detective when the profile is removed. The device can still access the internal site though.
On a different iPhone with the same iOS, when I remove the profile, the internal site is no longer accessible because the certificate is completely removed as expected.

It looks like the device has some caching at the network. I suggested the below in my last post. But note that this also resets the rest of your network settings. Maybe it is better to move forward with this, and if it still recurs, then take the last resort and reset the device.

Delete the SSL certificate by going to Settings → General → Reset → Network Settings.

SeeDk

ASKER

I already tried both
Reset Network Settings
Reset All Settings

and the certificate still remains...somewhere.

I suggest revoking the existing certificate and pushing down a new certificate instead. If login is still possible (given some time for the revoked certificate to be published), then attempting to delete it will not make any difference.

SeeDk

ASKER

When I revoke the certificate, it only breaks access to the email (since the email profile uses the same certificate as the site).
But the cached certificate still exists, since the phone can still access the site.

It seems I've completely lost access to the cached certificate from Airwatch.

If a new profile (for another user) is created for this device, the email connection is re-established, and the profile is then removed, will the connection be disallowed as desired? If it is the same, I suggest rebuilding this device instead, since even the AirWatch unenroll of the device did not remove the certificate as expected.

SeeDk

ASKER

It is the same. Fortunately, the user will be getting a new phone soon so we will just wipe the device after that if no other solution is found.
ASKER CERTIFIED SOLUTION
btan
