iOS 11 - ATS enforcement for in-built MDM client


#1

Apple introduced Apple Transport Security (ATS) in 2016 with iOS 9; over the years ATS has been enforced across various areas of the stack. At the current state, iOS apps have to abide by the ATS rules and will fail to connect if the end server does not meet ATS requirements.

At the current stage the iOS built-in MDM client is exempt from ATS; however, this will change in 2018.

You must make sure that your MDM server meets the following TLS requirements:

  • TLS 1.2 is supported

  • The following TLS ciphers are available:

      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    
  • Certificate key is either RSA 2048-bit or ECC 256-bit

  • Certificate is correctly chained and root trusted by the iOS device

  • Certificate hashing algorithm is SHA256 or greater

You can test the above by running an SSL server test from https://www.ssllabs.com/ssltest/

Official Apple Articles:


iOS 11 - Topic Summary
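The list above can also be probed directly from a workstation. The script below is an added example and is not part of the original post or of any Apple or Jamf tooling: it pins a TLS 1.2 handshake to each listed suite in turn, then reads the key type, key size and signature hash off the server's leaf certificate and applies the rules above. It assumes Python 3.7 or newer and, for the certificate fields only, the third-party `cryptography` package; the host and port are whatever your MDM server listens on. The suite names in the post are in IANA notation while OpenSSL (and therefore Python's `ssl.SSLContext.set_ciphers`) uses its own names, so the script converts between them. Two caveats the check makes visible: a server with an RSA certificate can only ever negotiate the ECDHE_RSA half of the list (an ECC certificate only the ECDHE_ECDSA half), so the pass condition is "at least one listed suite accepted over TLS 1.2" with the rest reported; and chain trust is judged against the probing machine's root store, not the iOS device's, so the SSL Labs run still matters.

```python
# Added example (not from the original post): probe an MDM server against the
# TLS requirements listed above. Assumes Python 3.7+; the third-party
# `cryptography` package is needed only for the certificate key/hash fields.
import socket
import ssl

# The cipher suites listed in the post, in IANA notation.
ATS_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

# Signature hashes that satisfy "SHA256 or greater".
STRONG_HASHES = {"sha256", "sha384", "sha512"}

def iana_to_openssl(name):
    """IANA suite name -> the OpenSSL name that set_ciphers() expects.
    OpenSSL drops TLS_/_WITH, writes AES_256 as AES256 and names the HMAC-SHA1 CBC
    suites with a bare -SHA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -> ECDHE-RSA-AES128-SHA."""
    s = name[4:] if name.startswith("TLS_") else name
    s = s.replace("_WITH", "").replace("AES_", "AES").replace("_CBC_", "_")
    return s.replace("_", "-")

def tls12_context(openssl_cipher=None):
    """Verifying client context pinned to TLS 1.2 and, optionally, to one suite."""
    ctx = ssl.create_default_context()  # chain and hostname verification stay on
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if openssl_cipher:
        ctx.set_ciphers(openssl_cipher)  # SSLError if the local OpenSSL lacks the suite
    return ctx

def probe_suite(host, port, suite):
    """Negotiated (name, protocol, bits) if the server takes `suite` over TLS 1.2
    with a chain this machine trusts; None if refused, unverifiable or not offerable."""
    try:
        ctx = tls12_context(iana_to_openssl(suite))
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()
    except (ssl.SSLError, OSError):
        return None

def fetch_cert_facts(host, port):
    """(key type, key bits, signature hash name) of the server's leaf certificate."""
    from cryptography import x509  # assumption: `cryptography` is installed
    from cryptography.hazmat.primitives.asymmetric import ec, rsa
    with socket.create_connection((host, port), timeout=5) as sock:
        with tls12_context().wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    pub = cert.public_key()
    key_type = ("RSA" if isinstance(pub, rsa.RSAPublicKey)
                else "EC" if isinstance(pub, ec.EllipticCurvePublicKey) else type(pub).__name__)
    sig = cert.signature_hash_algorithm  # None for e.g. Ed25519, which the post's rules do not cover
    return key_type, getattr(pub, "key_size", 0), sig.name if sig else "none"

def evaluate_cert(key_type, key_size, sig_hash):
    """Apply the post's certificate rules; returns the list of failure reasons."""
    failures = []
    if not ((key_type == "RSA" and key_size >= 2048) or (key_type == "EC" and key_size >= 256)):
        failures.append(f"key is {key_type} {key_size}-bit; need RSA 2048 or ECC 256")
    if sig_hash not in STRONG_HASHES:
        failures.append(f"signature hash is {sig_hash}; need SHA-256 or greater")
    return failures

def verdict(suite_results, key_type, key_size, sig_hash):
    """Combine probe results into one pass/fail with reasons. A server negotiates
    only the family matching its certificate key (ECDHE_RSA for an RSA cert,
    ECDHE_ECDSA for an ECC cert), so no single server accepts all eleven suites;
    the pass condition is at least one accepted."""
    accepted = [s for s in ATS_SUITES if suite_results.get(s)]
    reasons = [] if accepted else ["no listed suite negotiable over TLS 1.2"]
    reasons += evaluate_cert(key_type, key_size, sig_hash)
    return {"ok": not reasons, "accepted": accepted, "reasons": reasons}

def check_server(host, port=443):
    """Run all checks live. Chain trust is judged by this machine's root store,
    not the iOS device's, so a pass here is necessary but not sufficient."""
    try:
        facts = fetch_cert_facts(host, port)
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "accepted": [], "reasons": [f"chain not trusted: {e.verify_message}"]}
    return verdict({s: probe_suite(host, port, s) for s in ATS_SUITES}, *facts)

if __name__ == "__main__":
    import json, sys
    print(json.dumps(check_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443), indent=2))
```

Run it as `python3 ats_probe.py mdm.example.com 443` (hypothetical host). A suite reported as rejected is only conclusive if the probing machine's OpenSSL can offer it in the first place; `probe_suite` folds that case into `None`, so compare against `openssl ciphers -v` on the same box before blaming the server.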
#2

The following resource can also be used to test a server's ATS capability:
https://apptransport.info