Austausch des selbst erstellten Zertifikats gegen ein öffentlich signiertes

Hi Sascha 

I'd would recommend you to go through this article. You need to activate the new certificate to make it available to devices.

thank you for the information. But how/where can I check that the iPhone/android get the new certificate hash ?

rgds

Sascha

Hi Sascha Wendt 

You can check on Sophos Mobile server if it is using a self-signed certificate you can use external SSL check tools like SSL Checker. If the Sophos Mobile server recognizes that a client app is not able to establish a connection, it will send out the certificate hash to the client app in question. The Sophos Mobile Control app should automatically receive the new certificate hash using the GCM and APNS protocol.

Identifying problematic devices and possible solution

If the above is given and the warning email is still sent out, the problematic devices have to be identified.
To do this, the server.log can be searched for the following string: requested certificate hashes

As a result, a logline similar to this should be found:

WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-354) device with id 1234 has requested the certificate hashes 5 times

Using the device ID the affected device can be looked up within the Sophos Mobile web console. To do this, follow the steps below.

1. Log in to the Sophos Mobile customer which is used to manage devices
2. Go to the Devices section and click on an Android device to show the details of the device
3. Within the browser bar, change the ID to the one found in the log file
   1. If nothing is presented, repeat the procedure with an iOS device
4. As soon a device is shown, try to send a message to the device via the Actions
5. Together with the message, the device will also receive the list of the new certificate hashes.
6. Once received, the connection should work again

Let us know if you have any further concerns. 

Hi Sascha Wendt 

You can check on Sophos Mobile server if it is using a self-signed certificate you can use external SSL check tools like SSL Checker. If the Sophos Mobile server recognizes that a client app is not able to establish a connection, it will send out the certificate hash to the client app in question. The Sophos Mobile Control app should automatically receive the new certificate hash using the GCM and APNS protocol.

Identifying problematic devices and possible solution

If the above is given and the warning email is still sent out, the problematic devices have to be identified.
To do this, the server.log can be searched for the following string: requested certificate hashes

As a result, a logline similar to this should be found:

WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-354) device with id 1234 has requested the certificate hashes 5 times

Using the device ID the affected device can be looked up within the Sophos Mobile web console. To do this, follow the steps below.

1. Log in to the Sophos Mobile customer which is used to manage devices
2. Go to the Devices section and click on an Android device to show the details of the device
3. Within the browser bar, change the ID to the one found in the log file
   1. If nothing is presented, repeat the procedure with an iOS device
4. As soon a device is shown, try to send a message to the device via the Actions
5. Together with the message, the device will also receive the list of the new certificate hashes.
6. Once received, the connection should work again

Let us know if you have any further concerns.