Mobile Device Management (MDM) for iOS devices requires an enrollment operation that establishes trust between the device and the Windows Intune service. Trust is established by installing a profile, referred to as an MDM profile. The MDM profile installed on the device is signed by a certificate acceptable to both the device and the Windows Intune service. It is standard practice to change these signing certificates periodically for security reasons.
Issue
iOS devices renew their MDM profile once a year. If the device is running a version older than iOS 7.0, the renewal operation will fail if the new profile is signed with a different certificate than the previous one.
Steps to identify affected devices
If you are using Windows Intune to manage iOS devices, it is important to determine which devices are still running a version of iOS earlier than 7.0 and upgrade those devices. If a device does not support iOS 7.0 or higher, or is not upgraded, then manual action must be taken in order to continue managing the device. For either implementation, Windows Intune cloud-only or Windows Intune integrated with System Center 2012 R2 Configuration Manager, the remediation goal is the same but the steps are different.
For Windows Intune only –
- Identify properties for managed devices
- Determine the deadline for management renewal
- Highlight a device running an operating system less than iOS 7.0, select “View properties”
- If the enrollment date is almost one year ago, then this device is at risk
For Windows Intune integrated with System Center 2012 R2 Configuration Manager –
- Identify properties for managed devices:
  - Navigate to Assets and Compliance -> Overview -> Devices
  - In the details view, add the column for “Operating System”
  - Review the Device Type and Operating System fields
- Determine the deadline for management renewal
- For all iPhone 3GS and iPad 1 devices:
  - Manually remove the device from management.
  - Perform a new enrollment. Instructions can be found here.
- For all other iOS devices: update the device to iOS 7.0 or higher before the management renewal deadline
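The triage above, applied to an exported device list, as an added example that is not part of the original article or any Microsoft tooling. It assumes a constructed CSV inventory whose column names (device_name, device_type, os_version, enrollment_date) are an assumption, a 365-day renewal period, and a 60-day warning window, and it classifies each sub-7.0 device as needing either an upgrade or a manual re-enrollment.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; the column names are an assumption and do not
# match any real Intune or Configuration Manager export format.
SAMPLE_INVENTORY = """\
device_name,device_type,os_version,enrollment_date
sales-iphone-01,iPhone 3GS,6.1.6,2013-05-02
exec-ipad-02,iPad 1,5.1.1,2013-06-20
dev-iphone-03,iPhone 5,6.1.4,2013-07-15
dev-iphone-04,iPhone 5s,7.0.4,2013-10-01
eng-ipad-05,iPad 2,6.1.3,2014-01-10
"""

CANNOT_RUN_IOS7 = {"iphone 3gs", "ipad 1"}   # hardware that never gets iOS 7
RENEWAL_PERIOD = timedelta(days=365)         # iOS renews the MDM profile yearly
WARNING_WINDOW = timedelta(days=60)          # flag devices this close to renewal


def parse_version(text):
    """'6.1.3' -> (6, 1, 3), zero-padded so '7' compares equal to '7.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify_device(row):
    """Return (action, renewal_deadline); action is 'ok', 'upgrade' (below 7.0
    but upgradable) or 're-enroll' (below 7.0 on hardware that cannot run 7.0)."""
    deadline = date.fromisoformat(row["enrollment_date"]) + RENEWAL_PERIOD
    if parse_version(row["os_version"]) >= (7, 0, 0):
        return "ok", deadline
    if row["device_type"].strip().lower() in CANNOT_RUN_IOS7:
        return "re-enroll", deadline
    return "upgrade", deadline


def at_risk_devices(csv_text, today_iso):
    """Devices below iOS 7.0 whose renewal deadline is within WARNING_WINDOW."""
    today = date.fromisoformat(today_iso)
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action, deadline = classify_device(row)
        if action != "ok" and deadline - today <= WARNING_WINDOW:
            flagged.append((row["device_name"], action, deadline.isoformat()))
    return flagged
```

Calling at_risk_devices(SAMPLE_INVENTORY, "2014-05-01") returns the two devices whose renewal falls within 60 days, both of which need re-enrollment because their hardware cannot run iOS 7.0; the iPhone 5 is below 7.0 but its deadline is 75 days out, so it is reported only once it enters the window.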
Additional information
- What happens if the Management profile expires? Answer – The device will stop contacting the service and fall out of management. The device will need to be manually enrolled again.
- How often will Microsoft revise certificates for signing? Answer – For security reasons, Microsoft uses signing certificates issued with a two-year expiration. However, we may revise signing certificates as needed for security or architectural reasons.