Skip to main content
Matrix42 Self-Service Help Center

Troubleshoot Invalid MDM Profiles


When users receives on Apple devices the message Invalid MDM Profile after a click on the activation link, this is typically due to an SSL Certificate issue and this guide is intended to show the most common reasons and how to solve them.

Cause Option 1: Faulty Certificate Import

First of all check the Silverback Logs by pressing the Log button next to your administrative username. When you see the entry "Log Entry Keyset doesnt exist = Certificate install in wrong way" check how the SSL Certificate has been imported. The best way is to import it directly with the Silverback SSL Certificate Tool or with mmc. Please make sure not to do this via double-click from Download Folder.

Cause Option 2: Missing Network Service

Check if Network Service has access to the Private Key of the SSL Certificate by a right-click on the certificate. Select All Tasks and Manage Private Keys. Ensure the Network Service has read permissions set. 

Cause Option 3: Certificate is not selected

Login as Settings Administrator and navigate to Payload. Ensure the right certificate is selected as Profile Signing Certificate. Restart the IIS in case you need to change the Certificate. 

Cause Option 4: Signature Algorithm

In rare cases, there might be an SQL issue, which can be fixed with performing the following SQL Statement

update WebSettings set Value = 'SHA1WithRSAEncryption' where [key] = 'SignatureAlgorithm'

Cause Option 5: Certificate Convertion

If nothing is helping so far, try to convert certificate private key from the CNG to the RSA format using OpenSSL

openssl rsa -in MyCert.key -out MyCert-rsa.key
  • Was this article helpful?