We have a few development servers that implement MDM and I am trying to incorporate watchOS enrollment. I am having trouble connecting to our enrollment URL that is defined in the watch enrollment payload. The error I get indicates that the server certificate is invalid. I can see this error if I attempt to pair to an iPhone that has the watchOS enrollment declaration on it, and I also see it if I send an iMessage with our server URL and attempt to open the URL using the Messages app on the watch itself.
The certificate is valid, but the SAN does not define my particular domain but rather it uses a wildcard (i.e. DNS Name: *.domain.com and DNS Name: domain.com).
The URL opens fine on any other Apple device (iPhone, iPad, Mac, etc.) as well as Windows.
My question is, is there some problem with using an SSL server certificate that has a wildcard in place of a specific domain when attempting to connect using WatchOS?
watchOS trust evaluation does not behave differently regarding the contents of the SAN. But there is one difference on watchOS which may be causing your problem: when the cert chain from leaf to root is incomplete, other Apple OSes attempt to download the missing intermediate certificates. watchOS does not do this. So make sure the server specified in the EnrollmentProfileURL provides a complete certificate chain, not just a leaf certificate.
Also, make sure that AnchorCertificateAssetReferences is correct. AnchorCertificateAssetReferences is a list of pinned certificates. If AnchorCertificateAssetReferences contains any entries, the server's certificate must chain up to one of those referenced certificates.