When enrolling Symantec Mobile Encryption for iOS to Symantec Encryption Management Server, the server's TLS certificate is not trusted by the app, even though Encryption Management Server is using a TLS certificate issued by a well-known Certificate Authority.
An error similar to the following appears at enrollment:
Cannot Verify Server Identity
Server keys.example.com presented a TLS certificate that was issued by an unknown Certificate Authority
The details of the certificate issuer are also displayed.
First, upgrade to Mobile Encryption for iOS 2.1.1 or above because release 2.1.1 contains an important resolution to this issue.
If upgrading to Mobile Encryption for iOS 2.1.1 or above does not resolve the issue, check that the iOS device trusts the TLS certificate being used by Encryption Management Server.
Assuming that Mobile Encryption for iOS enrolls to keys.example.com then the easiest way to check that the iOS device trusts the Encryption Management Server certificate is to connect to https://keys.example.com using the Apple Safari browser. If you see a lock icon on the left of the Safari address bar it means that the device trusts the certificate. If Safari displays the error
Cannot Verify Server Identity then the device does not trust the certificate.
iOS trusts certain root certificates by default. The following articles list the certificates that are trusted:
If the issuer of the Encryption Management Server TLS certificate is not listed in the above articles then Mobile Encryption for iOS will not necessarily trust it and the relevant certificate will need to be deployed to the iOS device. Apple recommends deploying certificates via Apple Configurator or Mobile Device Management (MDM).