Take advantage of new Certificate Trust Settings in iOS 10.3 #294

Closed
dguido opened this issue Mar 28, 2017 · 4 comments

@dguido
Member

dguido commented Mar 28, 2017

https://twitter.com/noir/status/846773500127850496

iOS 10.3 introduced new Certificate Trust Settings that allow you to turn on and off "full trust for root certificates." Algo root certificates show up in this list and turning them off has no impact on VPN functionality. Turning them off might prevent a scenario where websites are signed with a stolen Algo root CA.

We should look into whether this setting can be made via the Profiles we build and, if not, include directions in the documentation to disable "full trust."

Note: At first glance, it does not appear that the Profile configuration reference docs were updated with instructions for configuring this setting: https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/RevHist_Index/RevisionHistory.html#//apple_ref/doc/uid/TP40010206-CH99-SW1

@jackivanov
Collaborator

The installed certificate is untrusted by default on 10.3.1

@dguido
Member Author

dguido commented Apr 6, 2017

Confirmed! It is. I didn't even notice. That's great news. I guess we can close this then? Are there any new settings in the Profile that we can use to lock this setting down?

@jackivanov
Collaborator

jackivanov commented Apr 6, 2017

> Are there any new settings in the Profile that we can use to lock this setting down?

Looks like no. I couldn't find any new options.

@amativos

Personally, when installing the generated mobileconfig on iOS, I was confused when it said something like "full trust for websites won't be enabled until turned on in the settings", because I wasn't sure what that meant. I thought I had to go and enable it, although I did check that it works regardless. I think it would be helpful to add a note in the docs that this setting should not be enabled.
