When enrolling Symantec Mobile Encryption for iOS to Symantec Encryption Management Server, the server's TLS certificate is not trusted by the app, even though Encryption Management Server is using a TLS certificate issued by a well-known Certificate Authority.
An error similar to the following appears at enrollment:
Cannot Verify Server Identity
Server keys.example.com presented a TLS certificate that was issued by an unknown Certificate Authority
The details of the certificate issuer are also displayed.
Please note that Mobile Encryption for iOS reaches EOS (End of Service) on 31 December 2020 and EOL (End of Life) on 31 March 2021.
First, upgrade to Mobile Encryption for iOS 2.1.1 or above, because release 2.1.1 contains an important fix for this issue.
If upgrading to Mobile Encryption for iOS 2.1.1 or above does not resolve the issue, check that the iOS device trusts the TLS certificate being used by Encryption Management Server.
Assuming that Mobile Encryption for iOS enrolls to keys.example.com, the easiest way to check that the iOS device trusts the Encryption Management Server certificate is to connect to https://keys.example.com using the Apple Safari browser. If you see a lock icon on the left of the Safari address bar, the device trusts the certificate. If Safari displays the error Cannot Verify Server Identity, the device does not trust the certificate.
iOS trusts certain root certificates by default. The following articles list the certificates that are trusted:
If the issuer of the Encryption Management Server TLS certificate is not listed in the above articles, then Mobile Encryption for iOS will not necessarily trust it, and the relevant certificate will need to be deployed to the iOS device. Apple recommends deploying certificates via Apple Configurator or Mobile Device Management (MDM).
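The issuer check can also be done from an administrator workstation with the openssl command line. The script below is an added example, not Symantec or Apple tooling: it lists the issuer of each certificate the server presents and confirms that the root you intend to deploy really anchors the server's chain. The function and file names are assumptions, and the sample root and leaf are constructed test data.

```sh
#!/bin/sh
# Added example, not vendor code. keys.example.com is the page's example host;
# function names and file names are assumptions made for this sketch.

# Save the certificates the server presents (needs network access).
# usage: fetch_chain keys.example.com chain.pem
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$2"
}

# Print subject and issuer of every certificate in PEM file $1, so the
# topmost issuer can be compared with Apple's list of trusted roots.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | sed '/^$/d'
}

# Succeed if the first certificate in chain file $2 verifies against the
# root(s) in PEM file $1, e.g. the root you plan to deploy via MDM.
# Note: openssl may also consult its own default CA directory.
chains_to() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Offline sample data (constructed): a throwaway root and a leaf for
# keys.example.com, written to directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=keys.example.com" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -days 1 \
        -out "$1/leaf.pem" 2>/dev/null
}
```

Against a live server, run `fetch_chain keys.example.com chain.pem`, then `list_chain chain.pem`, then `chains_to root-to-deploy.pem chain.pem`, where `root-to-deploy.pem` is a placeholder for the certificate you plan to push to the device.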