Enhancements to the Certificate pinning feature

Created by Rehmanshareef Shaik on Wed, 06/16/2021 - 08:04
Published URL:
https://www.ibm.com/support/pages/node/6464299

Release Notes


Abstract

Certificate pinning is a security technique that protects the communications between a client app and its server against man-in-the-middle (MITM) attacks. Embedding a copy of the server's certificate (or its public key) in the client app is called pinning. After pinning, the client app checks during the TLS (SSL) handshake whether the certificate presented by the server matches the pinned one: the secure connection is established only if the public key of the presented certificate matches the public key of the certificate stored in the app. Any connection attempt in which the server presents an untrusted certificate is terminated.

Content

What is new in cert pinning 2.1?

In the third phase of a series of enhancements, MaaS360 adds the following enhancements to the Certificate pinning feature:

  • The SSL Certificate Pinning feature is now enabled by default for all customers. Administrators can turn it on or off through Setup > Settings > Device Enrollment Settings > Advanced > SSL Certificate Pinning.
  • Administrators have the following Certificate Pinning configuration options:
    • Turned off - Certificate pinning is not applied to MaaS360 cloud services.
    • All devices - Certificate pinning is applied to MaaS360 cloud services on all devices, without requiring administrators to configure the SSL Certificate Pinning settings through persona policies.
    • Specific user or device groups only - Certificate pinning is applied only on devices that received persona policies with the Validate Server Certificate policy setting enabled.

Note:

  • When certificate pinning is enforced on a device, MaaS360 secures the communications between the MaaS360 app and MaaS360 SDK apps and the MaaS360 cloud servers.
  • When certificate pinning is enabled for specific groups and devices only, the server's certificate is pinned in the MaaS360 apps only after the persona policies reach the device.
  • Administrators can use the Persona policy > WorkPlace > Security > Use SSL Inspection in Corporate Network policy setting to configure the certificate of a corporate SSL inspection proxy. This option is now decoupled from the Validate Server Certificate policy setting.
  • Administrators can configure certificate pinning for Email, Gateway, and workplace apps through persona policies regardless of whether the global setting is turned off, enabled for all devices, or enabled for specific users and groups only.

Older enhancements

  • If the SDK apps detect an untrusted connection, they switch to the MaaS360 app to fetch the latest certificates.
  • The MaaS360 app validates the server certificate as part of every communication with MaaS360 servers, including enrollment. If an insecure network connection or proxy is detected, MaaS360 displays the Untrusted connection error message and terminates the enrollment process. In previous releases, an untrusted network connection was detected only after enrollment had completed.
    Note: Effective MaaS360 for iOS app 4.30, enrollment/activation is terminated when an untrusted connection or proxy is detected on the device, even if certificate pinning is turned off.
    (Screenshots: Untrusted connection error on iOS and on Android)

macOS

Effective 10.83, MaaS360 extends certificate pinning support to macOS devices.

MaaS360 macOS app requirements:

  • MaaS360 agent app version - 2.43.100
  • MaaS360 App Catalog version - 1.54.000
  • MaaS360 App packager version - 1.44.000

When an untrusted connection or an untrusted proxy is detected on the device, MaaS360 displays an error message and stops the application from functioning. For example, the App Catalog does not load, or users cannot install the apps shown in the Catalog.

Note:

  • If administrators configured a proxy in the Mac's Network settings and explicitly trusted the proxy certificate at the root level, MaaS360 respects the proxy settings and allows uninterrupted access to the MaaS360 agent app, MaaS360 App Catalog, and MaaS360 Packager.
    • The proxy certificate can be trusted by pushing it through a macOS MDM policy, by importing it manually into the keychain, or by using the security command-line tool in Terminal.
  • Certificate pinning in Persona Policy (for proxy support) will be added in the 2021 Q4 release.
When an untrusted connection is detected, the following error messages are displayed:

  • MaaS360 agent: (screenshot of the macOS agent error)
  • MaaS360 App Catalog: (screenshot of the App Catalog error)
  • MaaS360 Packager: (screenshot of the Packager error)
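The pinning check described in the abstract, together with the explicitly trusted proxy case from the macOS note above, as an added illustration written for this page (it is not MaaS360 code, and the exact matching rules inside the MaaS360 apps are not described here). It pins the SHA-256 hash of the server certificate's SubjectPublicKeyInfo, so a certificate renewed with the same key still passes, rejects any chain in which no certificate carries a pinned key, and accepts an SSL-inspection proxy only when the administrator has added that proxy's own key to the pin set. The certificates, key bytes, host name and the small DER encoder that builds them are constructed placeholders with the X.509 field layout, not real certificates.

```python
import base64
import hashlib

# --- minimal DER encoder: builds the constructed sample certificates only ---

def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items):
    return der(0x30, b"".join(items))

RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")         # rsaEncryption
SHA256_RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption

def spki_for(key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }.
    key_bytes is placeholder key material, not a real RSA key."""
    return seq(seq(RSA_OID, der(0x05, b"")), der(0x03, b"\x00" + key_bytes))

def fake_certificate(subject, key_bytes, serial):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    with simplified Name fields and a placeholder signature (constructed sample)."""
    sig_alg = seq(SHA256_RSA_OID, der(0x05, b""))
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                 # [0] EXPLICIT version v3
        der(0x02, bytes([serial])),                    # serialNumber
        sig_alg,                                       # signature
        seq(der(0x13, b"Example CA")),                 # issuer
        seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")),  # validity
        seq(der(0x13, subject)),                       # subject
        spki_for(key_bytes),                           # subjectPublicKeyInfo
    )
    return seq(tbs, sig_alg, der(0x03, b"\x00" + b"\xff" * 8))

# --- minimal DER reader: what the pin check itself needs ---

def read_tlv(buf, pos):
    """Parse one TLV at pos; return (tag, raw_tlv, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], buf[pos + hdr:end], end

def children(content):
    """All TLVs directly inside a constructed value, as (tag, raw, content)."""
    items, pos = [], 0
    while pos < len(content):
        tag, raw, body, pos = read_tlv(content, pos)
        items.append((tag, raw, body))
    return items

def extract_spki(cert_der):
    """Raw DER SubjectPublicKeyInfo: 7th TBSCertificate field (6th when version is absent)."""
    tag, _, cert_body, _ = read_tlv(cert_der, 0)
    tbs_tag, _, tbs_body = children(cert_body)[0]
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate")
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:           # optional [0] version
        fields = fields[1:]
    spki_tag, spki_raw, _ = fields[5]  # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("unexpected SubjectPublicKeyInfo")
    return spki_raw

def spki_pin(cert_der):
    """Pin value: base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP / OkHttp convention."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pins(chain, pinned):
    """Pinning decision: accept only if some certificate in the presented chain carries
    a pinned key. This runs after, not instead of, normal chain validation."""
    return any(spki_pin(cert) in pinned for cert in chain)

# --- constructed sample: genuine server, renewal, attacker, corporate inspection proxy ---
HOST = b"services.example.test"                          # placeholder host name
server_cert = fake_certificate(HOST, b"\x01" * 32, 1)
renewed_cert = fake_certificate(HOST, b"\x01" * 32, 2)   # same key, new certificate
mitm_cert = fake_certificate(HOST, b"\x03" * 32, 3)      # attacker's own key
proxy_ca = fake_certificate(b"Corporate TLS Inspection", b"\x02" * 32, 4)
proxy_leaf = fake_certificate(HOST, b"\x04" * 32, 5)     # issued by the proxy for HOST

PINS = {spki_pin(server_cert)}                  # what the app ships with
PINS_WITH_PROXY = PINS | {spki_pin(proxy_ca)}   # admin explicitly trusted the proxy

def demo():
    return {
        "genuine": check_pins([server_cert], PINS),
        "renewed_same_key": check_pins([renewed_cert], PINS),
        "mitm": check_pins([mitm_cert], PINS),
        "inspected_proxy_not_pinned": check_pins([proxy_leaf, proxy_ca], PINS),
        "inspected_proxy_pinned": check_pins([proxy_leaf, proxy_ca], PINS_WITH_PROXY),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} {'connect' if ok else 'Untrusted connection'}")
```

Pinning the SPKI hash rather than the whole certificate is what lets the page say the connection is established when the public key matches: routine renewal with the same key does not break the app, while a proxy or attacker presenting its own key fails the check unless that key was deliberately added to the pin set. A production client takes the DER chain from its TLS library after ordinary chain validation instead of parsing it by hand as done here.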


Document Information

Modified date:
08 December 2021

UID

ibm16464299