Can iPad SSL/TLS traffic be inspected during DEP enrollment?
I am planning for hundreds of iPad devices that should enroll into MDM using a DEP certificate setting but the network in use inspects SSL/TLS traffic using man in the middle technique in order to decide if outgoing traffic is allowed or not.
Will this inspection prevent enrollment?
Solution 1:
The DEP program as well as iOS security design out of the box will likely foil your attempts to enroll a device using networks where you need to install custom CA/certificates.
- iOS does not automate silent installation of trust certificates without being enrolled in MDM or supervised. You would be preventing this initial enrollment unless you have what amounts to an illegal cert that makes your MITM servers look like Apple owned and operated. I say illegal in the sense that comodo, symantec and others are in hot water from Apple, Google and other OS vendors for issuing certificates to entities that are not what the certificate says.
- Once you have the devices entered into your MDM, you can then push wifi profiles and your CA certs and then join the networks where you are "inspecting" SSL/TLS and other encrypted traffic between iOS and Apple or at least attempt to decrypt/re-encrypy/inspect that traffic.
- DEP runs at a point in the OS setup that users can't even accept a custom certificate - this runs before the home screen is initially presented to users as part of the setup script / out of box experience.
This is documented at https://www.apple.com/business/dep/ and https://ssl.apple.com/business/docs/DEP_Guide.pdf and I would reach out to your Apple contact that established your "sold to" account for assistance in this.
- https://help.apple.com/deployment/programs/#/
I wouldn't want to surprise Apple with what you're doing and risk them shutting down your DEP. Also they have engineers that can guide you if other large customers have the same "inspection" needs that you do and there are either undocumented ways to get around the design or otherwise clear only the initial traffic to Apple and then inspect things once the devices are enrolled.
You will have detailed legal agreements with Apple when you sign up for DEP, so you'll want to read through them as well since Apple vets organizations quite thoroughly, you can probably get excellent help directly from Apple if you've already jumped through all the hoops to be qualified for DEP in the first place.