Unable to download in house agent on iOS 7.1 device


Article ID: 159054


Updated On:


Mobile Management


Downloading agent from a landing page within enterprise is not working.

Devices prior to iOS7.1 are able to download the agent with no errors.

 Error on the device:

Cannot install applications because the certificate for <server name> is not valid.

Error in the device logs:

Mar 13 10:48:42 iphone itunesstored[103] <Warning>: [ERROR]: Cannot load non-https manifest URL: http://server-name/agent.plist

Mar 13 10:48:42 iphone itunesstored[103] <Warning>: Could not load download manifest with underlying error: Error Domain=SSErrorDomain Code=128 "Cannot connect" UserInfo=0x1111111 {NSLocalizedDescription=Cannot connect}



This error is caused by new change in Apple iOS7.1. The link for the manifest.plist needs to be over https protocol.


Changing the URL to HTTPS resoves the problem.

The link in the download page should be altered from:

<a href="itms-services://?action=download-manifest&url=http://linktoplist/Agent.plist"> 

to: <a href="itms-services://?action=download-manifest&url=https://linktoplist/Agent.plist">

 There is no need to alter any links within the .plist file itself.


For full guide of how to build and publish In-House Agent for SMM please follow


Appendix 1. Sample HTML file



<h1>Agent Download</h1>

<a href="itms-services://?action=download-manifest&url=https://linktoplist/Agent.plist">

<img align=middle src="icon.png" /></a>

<font size=+2>Install  In-House Agent</font>




Appendix 2.

If you are using an in-house agent this may cause additional issues with trying to use a CA that is not trusted by Apple.


Before iOS 7.1 there was a workaround to use a non-secure link to begin enrollment, then to install the CA as part of the agent for those who use SSL. See: How to enroll an iOS device to a Mobile Management Server when the SSL Certificate is not from a trusted root certificate authority: http://www.symantec.com/docs/HOWTO64245


Unfortunately with Apple’s new requirement it is no longer possible to access the new device to download the CA. The only way to enroll iOS 7.1 and later devices is to have a cert that Apple already trusts.

Here is the list of Apple's list of trusted certs from their site: http://support.apple.com/kb/ht5012

Applies To

SMM for SMP all versions

iOS 7.1 and higher