KB43813 - Certificate authentication fails with error "Missing or Invalid Certificate" or other applications that rely on certificate authentication may fail after upgrading to the Pulse Mobile 7.0.0 for iOS

This article describes an issue where after upgrading to Pulse Mobile 7.0.0 for iOS, end users may experience one of the following symptoms:

1. Certificate authentication failures with the Pulse Mobile app
2. Authentication related issues with other applications that rely on certificate authentication. This scenario only applies where the same client certificate was configured for both the Pulse Secure app and the other applications (for example e-mail that uses the same client certificate for signing and/or encryption).

Which use-cases are impacted?

This issue is isolated to Pulse Mobile for iOS client and only impacts deployments that leverage client certificate-based authentication with Pulse Mobile for iOS. The solution section of this article has a table covering various deployment scenarios, the impact, workarounds and other related details.


What errors or issues will end users experience?

There are two types of issues end-users may experience:

1. End-user Issue #1: Certificate authentication errors when users try to use Pulse Mobile client 7.0.0 with the following error message

Missing or Invalid Certificate

2. End-user Issue #2: Other applications, such as email, that use the same client certificate as the one used by Pulse Mobile client will not have access to the client certificate after upgrading the Pulse Mobile 7.0.0. The result will be  applications may fail and report errors.  Additionally, certificate references in the MDM profile will state:

Issued by: Certificate details are password protected until installed.

End-user issue #1 (cert auth failures within Pulse Mobile 7.0.0) occurs in deployments where there is no MDM/EMM profile on the iOS device (unmanaged end-user devices).  

The root cause for this issue is that Pulse Mobile for iOS 7.0.0 leverages a new framework (Network Extension framework) and there were no options within iOS that Pulse Secure could leverage to migrate the certificate to the new location as required by the new framework. This issue is not specific to Pulse Secure and impacts any vendor that migrates to the new framework, which is a requirement for iOS 12.  More details on this topic are available at KB43801 - FAQ on NetworkExtension API Framework being used in Pulse iOS Client 7.0.0

 

End-User Issue #2 (i.e. Failures in other applications after upgrading to Pulse Secure Mobile client 7.0.0) occurs in deployments where the iOS device is managed using a MDM/EMM type product such as Mobile Iron, AirWatch, Pulse workspace, etc.

The root cause for this issue is that when Pulse Mobile for iOS 7.0.0 is installed, the underlying iOS components performs migration of certificates to the new locations. However, Pulse Secure have found that after Apple iOS performs this migration the client certificates are available for the Pulse Secure app to use, but they are no longer available to other applications that were previously using the certificate along with the Pulse Secure Mobile VPN app. This issue has been reported to Apple and Pulse Secure is working with Apple to find a resolution for this issue that manifests after upgrading the Pulse Secure App.

The impact of the issue, workaround and solutions are highly dependent on the deployment. Please review the table below and select the row that is closest to your deployment 
 

Deployment Scenario   (Pulse Mobile iOS app version 7.0.0 used along with client certificate authentication method )	Impact to Pulse Secure VPN App after upgrading to version 7.0.0	Impact to other apps that share the same client certificate as Pulse Secure VPN app after upgrading to version 7.0.0	Workaround	Current Status	Permanent Solution
No MDM/EMM profile installed (Unmanaged device)	Yes, impacted. Certificate authentication errors as described in ‘End-user issue #1’ in the problem section of the article	No impact to any other app	Not Applicable	As the issue is due to migration to the new framework and the lack of any OS level options to migrate the client  certificate, impacted users have to follow the solution tabled in the Permanent solution column	Manually re-import the client certificate into the Pulse Secure Application. For detailed step by step instructions, please refer KB43862.
MDM/EMM pushed a VPN profile AND the client certificate defined in the VPN profile is shared by other apps	No impact. Cert auth and VPN functionality within Pulse Secure App will continue to function.	Yes, Impacted. Apps that share the client certificate may fail as they don’t have access to the client certificate after upgrading to Pulse Secure app 7.0.0	1. For devices that have already upgraded to 7.0.0 re-push all profiles for all apps that are not longer working. KB43871  2. For devices running on 6.8.0 and not yet impacted, please refer to KB43870  (implementing a workaround by pushing 2 VPN profiles).	Pulse Secure has reported this issue and working with Apple to understand why iOS is not migrating the client certificates in a way that all application have access to the client certificates.	Pulse Secure working with Apple for find a permanent solution.
MDM/EMM pushed a VPN profile AND the client certificate defined in the VPN profile is not shared/used by any other app	No impact immediately, however when users upgrade iOS version VPN will be impacted. Cert auth and VPN functionality within Pulse Secure App will continue to function. However if the end-users upgrades their iOS (example upgrade to iOS 12) software version that the VPN will stop working	No impact to other apps as the client certificate is not shared	1. For devices that have already upgraded to 7.0.0 re-push all profiles for all apps that are not longer working. KB43871  2. For devices running on 6.8.0 and not yet impacted, please refer to KB43870  (implementing a workaround by pushing 2 VPN profiles) This will help avoid the issue when users upgrade to Pulse v 7.0.0 and/or upgrade to iOS 12	Pulse Secure has reported this issue to Apple and is working with Apple	Pulse Secure working with Apple for find a permanent solution.