Distribute certificates to Apple devices
You can manually distribute certificates to iPhone, iPad and Apple Vision Pro devices. When users receive a certificate, they tap to review the contents, then tap to add the certificate to the device. When an identity certificate is installed, users are asked for the password that protects it. If a certificate’s authenticity can’t be verified, it’s shown as untrusted, and the user can decide whether to add it to the device.
You can manually distribute certificates to Mac computers. When users receive a certificate, they double-click it to open Keychain Access and review the contents. If the certificate matches expectations, users select the desired keychain and click the Add button. Most user certificates need to be installed in the login keychain. When an identity certificate is installed, users are asked for the password that protects it. If a certificate’s authenticity can’t be verified, it’s shown as untrusted, and the user can decide whether to add it to the Mac.
Some certificate identities can be automatically renewed on Mac computers.
Certificate deployment methods using MDM payloads
The following table shows the different payloads for deploying certificates using configuration profiles. These include the Active Directory Certificate payload, the Certificate payload (for a PKCS #12 identity certificate), the Automated Certificate Management Environment (ACME) payload and the Simple Certificate Enrolment Protocol (SCEP) payload.
Payload | Supported operating systems and channels | Description | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Active Directory Certificate payload | macOS device macOS user | By configuring the Active Directory Certificate payload, macOS places a certificate signing request directly with an Active Directory Certificate Services server issuing CA using a remote procedure call. You can enrol machine identities using the credentials of the Mac computer’s object in Active Directory. Users can supply their credentials as part of the enrolment process to provision individual identities. Using this payload, administrators have additional control of private key usage and the certificate template for enrolment. As with SCEP, the private key remains on device. | |||||||||
ACME payload | iOS iPadOS Shared iPad device macOS device macOS user tvOS watchOS 10 visionOS 1.1 | The device obtains certificates from a CA for Apple devices enrolled in an MDM solution. With this technique, the private key remains only on the device and can optionally be hardware bound to the device. | |||||||||
Certificates payload (for PKCS #12 identity certificate) | iOS iPadOS Shared iPad device macOS device macOS user tvOS watchOS 10 visionOS 1.1 | If the identity is being provisioned off the device on behalf of the user or device, it can be packed into a PKCS #12 file (.p12 or .pfx) and protected with a password. If the payload contains the password, the identity can be installed without prompting the user for it. | |||||||||
SCEP payload | iOS iPadOS Shared iPad device macOS device macOS user tvOS watchOS 10 visionOS 1.1 | The device places the certificate signing request directly to an enrolment server. With this technique, the private key remains only on the device. | |||||||||
To associate services with a particular identity, configure an ACME, SCEP or certificate payload, then configure the desired service in the same configuration profile. For example, an SCEP payload can be configured to provision an identity for the device, and in the same configuration profile, a Wi-Fi payload can be configured for WPA2 Enterprise/EAP-TLS using the device certificate resulting from the SCEP enrolment for authentication.
To associate services with a particular identity in macOS, configure an Active Directory Certificate, ACME, SCEP or certificate payload, then configure the desired service in the same configuration profile. For example, you can configure an Active Directory Certificate payload to provision an identity for the device, and in the same configuration profile, a Wi-Fi payload can be configured for WPA2 Enterprise EAP-TLS using the device certificate that results from the Active Directory Certificate enrolment for authentication.
Renew certificates installed by configuration profiles
To ensure ongoing service access, certificates deployed using an MDM solution should be renewed before they expire. To do so, MDM solutions can query the installed certificates, inspect the expiration date, and issue a new profile or configuration ahead of time.
For Active Directory certificates, when the certificate identities are deployed as part of a device profile, the default behaviour is automatic renewal in macOS 13 or later. Administrators can set a system preference to modify this behaviour. For more information see the Apple Support article Automatically renew certificates delivered via a configuration profile.
Install certificates using Mail or Safari
You can send a certificate as an attachment to a mail message or host a certificate on a secure website where users download the certificate on their Apple devices.
Remove and revoke certificates
An MDM solution can view all certificates on a device and remove any certificates it has installed.
Additionally, the Online Certificate Status Protocol (OCSP) is supported to check the status of certificates. When an OCSP-enabled certificate is used, iOS, iPadOS, macOS and visionOS periodically validate it to make sure it hasn’t been revoked.
To revoke certificates using a configuration profile, see Certificate Revocation MDM payload settings.
To manually remove an installed certificate in iOS, iPadOS and visionOS 1.1 or later, go to Settings > General > Device Management, select a profile, tap More Details, then tap the certificate to remove it. If you remove a certificate that’s required for accessing an account or network, the iPhone, iPad or Apple Vision Pro can no longer connect to those services.
To manually remove an installed certificate in macOS, launch the Keychain Access app, then search for the certificate. Select it, then delete it from the keychain. If you remove a certificate that’s required for accessing an account or network, the Mac can no longer connect to those services.