KB43871 - How to repush iOS profiles using MobileIron where iOS apps that authenticate with certificates stop working after upgrading to Pulse mobile for iOS 7.0

This article provides steps to re-push VPN profiles using MobileIron to iOS devices that were upgraded to Pulse mobile for iOS 7.0 and affected by the issue detailed in KB43813.

After upgrading to Pulse Mobile for iOS 7.0, native iOS applications that used the same certificate as the certificate used for Pulse client authentication, stop working due to missing or invalid certificate error.

Example of Web based connection to PCS device using Safari where cert auth fails due to missing or invalid certificate:




When viewing the configuration profile from iOS, the affected certificates are greyed out and show the following message:
 

Issued by: Certificate details are password protected until installed.  No Expiration Date Provided.

(Screenshot of affected certificates from iOS configuration profile.)

This issue is detailed in KB43813 - Certificate authentication fails with error "Missing or Invalid Certificate" or other applications that rely on certificate authentication may fail after upgrading to the Pulse Mobile 7.0.0 for iOS.

This issue is caused by the migration of Pulse client certificates by the Apple iOS that occurs when upgrading to Pulse mobile for iOS 7.0 that causes certificates used by the Pulse client and shared by other iOS applications, to be moved to the Pulse shared keychain instead of being copied to the Pulse shared keychain.  

Pulse Secure has reported this issue to Apple as a bug and it is currently under investigation by Apple. 

 

Workaround:

Follow the steps below to re-push profiles to iOS devices so that the shared certificate moved to the Pulse shared keychain get reinstalled to the system keychain for use by native iOS applications:

1. Login to MobileIron console.
2. Go to Policies and Configs.
3. Select the existing profile with the certificate used for Pulse VPN authentication.
4. Confirm that the identity certificate assigned to the profile is the one that needs to be fixed.

5. Edit the profile by changing the name of the profile.  For example, if the profile name is VOD, rename it to VOD1.

6. Click Save.
7. Click Yes when prompted to repush the profile.

8. To immediately push the profile to the device(s), go to Devices and Users and select the profile with the new name and click Push Profile.

9. From the iOS device, confirm that the profile is updated with the new name and there are no greyed out certificates.