Use Sophos Mobile to install the root CA on mobile devices

You can add the Certificate Authority (CA) you configure for web or email protection to users' mobile devices remotely.

This prevents untrusted certificate errors that occur when you apply a signing CA to SSL/TLS inspection and HTTPS decryption, and email TLS configurations.

You can add the CA to users' endpoints remotely using Active Directory or a Mobile Device Management (MDM) solution.

Apple recommends using an MDM solution or Apple Configurator to install the CA. If you do this, the CA is automatically trusted. If you use Apple Configurator, you must create a configuration profile on macOS. You can then connect one or more iOS devices and install the CA on them.

Using Sophos Mobile, our MDM solution, you can install certificates and CAs on groups of Android and iOS mobile devices. This example shows how to install the CA on iOS mobile devices enrolled with Sophos Mobile.

See root certificate configuration for Android or iOS device policies in Sophos Mobile administrator help.

Install the root CA on mobile devices using Sophos Mobile

In Sophos Mobile, add the root CA to the policy that you've assigned to your mobile devices.

This example shows how to add the root CA to an iOS and iPadOS device policy. Similarly, you can add the root certificate to an Android policy.

  1. In Sophos Mobile, go to Policies > iOS & iPadOS.

  2. Click the policy that you've assigned to the devices on which you want to install the root CA.

  3. On the Edit policy page, click Add > Root certificate.

  4. On the Root certificate page, click Upload a file and select the certificate file.

  5. Click Apply to save the configuration.

  6. Click Save to save the policy.

  7. In the policy list, click the Down arrow next to the policy and click Update devices.

    If the policy has no Update devices option, devices update automatically the next time they sync with Sophos Mobile.

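A check worth running on the certificate file before you upload it in step 4, because every device that receives the policy will trust whatever CA the file contains. This is an added example, not Sophos code: it assumes a PEM export and a SHA-256 fingerprint you recorded from the system that holds the signing CA, and the function names and sample data are hypothetical.

```python
import base64
import hashlib
import re

# Matches each PEM block, capturing its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_ca_upload(pem_text: str, expected_fp: str) -> list:
    """Return a list of problems; an empty list means none were found."""
    problems = []
    blocks = [(label, base64.b64decode("".join(body.split())))
              for label, body in PEM_BLOCK.findall(pem_text)]
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("file contains a private key; export the certificate only")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append(f"expected exactly 1 certificate, found {len(certs)}")
        return problems
    if not certs[0].startswith(b"\x30"):
        problems.append("certificate body is not a DER SEQUENCE")
    if sha256_fingerprint(certs[0]) != expected_fp.upper():
        problems.append("fingerprint does not match the recorded signing CA")
    return problems


def to_pem(label: str, der: bytes) -> str:  # helper for the constructed samples
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed stand-ins: tiny DER SEQUENCEs, not real certificates or keys.
SAMPLE_CERT_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_KEY_DER = b"\x30\x03\x02\x01\x00"
GOOD_FILE = to_pem("CERTIFICATE", SAMPLE_CERT_DER)
LEAKY_FILE = GOOD_FILE + to_pem("PRIVATE KEY", SAMPLE_KEY_DER)

if __name__ == "__main__":
    recorded = sha256_fingerprint(SAMPLE_CERT_DER)
    print(check_ca_upload(GOOD_FILE, recorded))
    print(check_ca_upload(LEAKY_FILE, recorded))
```

A binary DER or PKCS#12 export has no PEM blocks, so it is reported as containing 0 certificates; export the CA as a PEM certificate before running the check.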

Confirm the root CA is added to a mobile device

To confirm that the root CA is added to a registered mobile device, do as follows:

  • On an iOS device, do as follows:

    1. Go to Settings > General > About > Certificate Trust Settings.
    2. Under Enable full trust for root certificates, turn on trust for the certificate if it isn't already on.
  • On an Android device, go to Settings > Security > Advanced > Encryption & credentials > User credentials.

    The list contains the certificate.