Managing MDM While Upgrading SHA1 Certs to SHA2


Managing an MDM environment in the middle of a corporate-wide certificate upgrade can get a little complicated. As an MDM admin, you not only have to make sure that MDM certificates are upgraded, but the certificates of other departments as well. An MDM environment may only consist of a few important certificates: the push certificates, SSL certificates, and possibly SSO certificates. Managed devices, however, will use certificates from other departments. An application department may require mobile devices to have root CA certificates installed. A network department may require mobile devices to have Wi-Fi or VPN certificates installed. All of these non-MDM departments will be responsible for setting up the upgraded certificates on the backend, but who’s going to be responsible for making sure end users can actually use them? Well, that responsibility will fall on the MDM team. Only an MDM admin will have the full visibility of enrolled devices to troubleshoot, upgrade, and action mobile device certificate upgrades.


Teamwork is key. Here is an example of some of the collaboration that must be done for a corporate-wide SHA1 to SHA2 upgrade (in regards to MDM):

  • While a security team can be tasked to stand up a new CA server and publish CRLs, the MDM team must work with them to validate network connections, CRL revocation checks, and SCEP pulls. Only MDM administrators will know how devices will connect to the CAs to obtain and renew certificates.
  • While a network team can be tasked to set up SHA2 connections on a Wi-Fi or VPN environment, the MDM team must work with them to test device connections, device certificate installs, and plan out device certificate upgrades.
  • While an application team can be tasked to set up web application certificate upgrades, the MDM team must work with them to validate certificate chain trust evaluation.
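The verification work in the three bullets above starts with the same question: which certificates in a device's chains are still SHA1-signed? The script below is an added example, not code from the original post or from any MDM product. It walks the DER of each certificate in a PEM bundle with a minimal standard-library parser, reads the outer signatureAlgorithm OID, and flags SHA1 signatures. Everything is an assumption of this example: the OID table is limited to the common RSA and ECDSA signature OIDs, and the sample chain is constructed (structurally valid certificate shells with an empty tbsCertificate) so the script runs offline; point `audit_chain` at a real exported chain to inventory it.

```python
"""Inventory the signature hash of every certificate in a PEM chain (example code).

Only the outer signatureAlgorithm OID is needed, so a small DER walker suffices.
"""
import base64
import re

# Well-known signature OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (name, hash family).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA2"),
}

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(data, offset=0):
    """Read one DER tag/length/value at offset; return (tag, value, next_offset)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def der_children(value):
    """Split the contents of a constructed DER element into (tag, value) children."""
    children, offset = [], 0
    while offset < len(value):
        tag, inner, offset = read_tlv(value, offset)
        children.append((tag, inner))
    return children


def decode_oid(raw):
    """Decode DER OID contents to a dotted string (first octet packs two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der_cert):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, body, _ = read_tlv(der_cert)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tbs, (alg_tag, alg_body), _sig = der_children(body)[:3]
    oid_tag, oid_raw = der_children(alg_body)[0]
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid_raw)


def audit_chain(pem_text):
    """Classify each certificate in a PEM bundle (leaf first); SHA1 is flagged.

    Caveat: a SHA1 self-signature on the trust anchor itself is normally tolerated,
    because roots are trusted by identity; every other SHA1 signature must go.
    """
    report = []
    for i, b64 in enumerate(PEM_BLOCK.findall(pem_text)):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        name, family = SIGNATURE_OIDS.get(oid, (oid, "UNKNOWN"))
        report.append({"position": i, "algorithm": name, "hash": family,
                       "needs_upgrade": family == "SHA1"})
    return report


# --- constructed sample data below: NOT real certificates ---------------------

def _der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER contents (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert_pem(sig_oid):
    """Constructed shell: Certificate with an empty tbsCertificate (never validates)."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    cert = _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode()
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Constructed chain: SHA2 leaf issued by a still-SHA1-signed intermediate.
    chain = (constructed_cert_pem("1.2.840.113549.1.1.11")
             + constructed_cert_pem("1.2.840.113549.1.1.5"))
    for entry in audit_chain(chain):
        print(entry)
```

Run it against a chain exported from a test device (or `openssl s_client -showcerts` output saved to a file) to see which intermediate still blocks the cutover; a position 0 leaf that is SHA2 while position 1 is SHA1 is exactly the case where the application team's upgrade looks done but trust evaluation on devices will still fail once SHA1 is disabled.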

In a way, a corporate-wide certificate upgrade puts the MDM department at the center of everything. Nothing can be done without verification from the MDM team, and users will not be upgraded without the actions of the MDM team. You can’t even validate or test without having the MDM team involved.


If you or your IT department ever decides to embark on a similar project, here is some advice: create a public timeline. You can use an Excel sheet, a project management application, whatever. Just put it up somewhere public, like a SharePoint site, so that everybody is on the same page. Log all of the required actions, dates, owners, statuses, impacts, and verification steps so that nobody loses track of what is going on. This will make the entire project move along much more smoothly, and prevent people from panicking!
