
User installed certificates mysteriously missing from devices

I've got a head scratcher for you all to noodle on and hopefully provide some ideas.

I've got an environment with handsets running Lollipop 5.1.1 software where we've installed a self-signed server certificate onto the devices to facilitate secure communication with a configuration management system on the network. This certificate is loaded onto the phones at the time of initial setup and is confirmed to be present and working before a handset is deployed.

What we're encountering is that after some unknown period, the certificate disappears from the device which breaks the communication path with the configuration management system. The devices are locked down to prevent users from accessing the security pages to remove certificates. We've seen this happen with a device that has been in the field for weeks and some that were programmed, put in a box and later powered up for deployment and missing the certificate. In every case, the phone has been in communication with the network prior to the certificate disappearing.

Some key details about the network:

  1. It's a Cisco environment running Cisco infrastructure routers and switches with Cisco WLAN and Cisco ISE.
  2. Site uses AirWatch - I'll note here that we've seen the certificate disappear on phones that were never associated to AirWatch.
  3. Network environment is complex, with the SSID that devices connect to not having internet access.
  4. Complex here means highly secure. There are MAC based ACLs installed throughout the network along with firewalls and routing partitions to segment traffic deemed insecure.

I've done copious amounts of investigation online to no avail, which is why I'm opening this thread. I'm at a loss to explain how this certificate could suddenly disappear from the device. I'm suspicious that there may be something in the network causing this, but in all my years I've never encountered a network resource capable of removing a certificate from a device without having some type of direct interaction, like Group Policy in AD. Our best guess is that this is AirWatch still, but the fact that we've seen phones lose the certificate outside of AirWatch installation makes that hard to swallow.
 
I've actually done that with little success. I set up four phones in different configurations to try and reproduce the loss while capturing logcat at the same time. So far none of the phones have lost their certificates. To me, this means that there is something else happening when the users have the phones. The users have very little access into the devices, as all the device configuration settings are behind an admin password. That's the main reason I suspect something external to the phone, but I can't think of anything that could do something like that without having a resident agent on the phone ahead of time.
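One way to narrow down the "unknown period" from the post is to poll the test handsets over adb and record the exact moment a user-installed certificate vanishes, together with the logcat buffer from that instant, so the event can be correlated with Wi-Fi joins, ISE or AirWatch traffic. The script below is an added example, not code from the thread or from Google, AirWatch or Cisco. It assumes the test phones are debuggable/rooted so `adb shell ls` can read the user CA store, and that on Android 5.x that store is `/data/misc/user/0/cacerts-added/` with one file per certificate named `<subject-hash>.0`; both the path and the device serial `emulator-5554` are assumptions to adjust for your build.

```python
"""Poll a test handset over adb and record when a user-installed CA
certificate disappears, saving recent logcat output at that moment.

Assumptions (not from the forum thread): adb can read the user CA store
(debuggable or rooted build), and on Android 5.x that store is
/data/misc/user/0/cacerts-added/ with one file per certificate."""
import subprocess
import time
from datetime import datetime, timezone

USER_CA_DIR = "/data/misc/user/0/cacerts-added"  # assumed location, user 0, Android 5.x
LOGCAT_TAIL_LINES = 500                          # log context to keep when a cert is lost


def parse_listing(listing_text: str) -> set:
    """Turn raw `ls` output into the set of certificate file names.
    Blank lines and `ls` error text (missing directory) are ignored."""
    names = set()
    for line in listing_text.splitlines():
        line = line.strip()
        if line and not line.startswith("ls:") and "No such file" not in line:
            names.add(line)
    return names


def missing_certs(baseline: set, current: set) -> list:
    """Certificates present at provisioning time but absent now, sorted for stable logs."""
    return sorted(baseline - current)


def adb_shell(serial: str, *args: str) -> str:
    """Run a command on the device and return its stdout (empty on failure)."""
    proc = subprocess.run(["adb", "-s", serial, "shell", *args],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


def snapshot(serial: str) -> set:
    """Current set of user-installed CA files on the device."""
    return parse_listing(adb_shell(serial, "ls", USER_CA_DIR))


def monitor(serial: str, baseline: set, interval_s: int = 300,
            logfile: str = "cert-watch.log") -> list:
    """Poll until a baseline certificate disappears and return the missing names.
    Every poll appends a timestamped line; on loss the last LOGCAT_TAIL_LINES
    logcat lines are appended too, so the event can be matched against
    network activity in the same window."""
    while True:
        lost = missing_certs(baseline, snapshot(serial))
        stamp = datetime.now(timezone.utc).isoformat()
        with open(logfile, "a") as fh:
            fh.write(f"{stamp} {serial} present={len(baseline) - len(lost)} lost={lost}\n")
            if lost:
                fh.write(adb_shell(serial, "logcat", "-d", "-t", str(LOGCAT_TAIL_LINES)))
                return lost
        time.sleep(interval_s)


if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else "emulator-5554"  # hypothetical serial
    first = snapshot(dev)
    print(f"baseline on {dev}: {sorted(first)}")
    print("lost:", monitor(dev, first))
```

Run it once per test phone right after provisioning (`python cert_watch.py <serial>`) and leave it polling; the first log line records the baseline, and the line where `lost` becomes non-empty gives you a timestamp to line up against ISE, WLAN controller and AirWatch logs.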
 