DigiCert's End of Sale Notice for Symantec Enterprise Mobile Code Signing Certificate Impacts Windows Phones 8.1 and 10 Management

We’d like to let you know about some changes occurring for Windows Phone and Windows Mobile devices. If you have these devices enrolled into your MaaS360 portal, you may need to take some considerations into account. Both IBM MaaS360 and Symantec/DigiCert have alerted customers who have a Symantec Enterprise Mobile Code-Signing Certificate (also called the Symantec Company Hub Certificate). You can find the alert sent by IBM Support here.

In this blog, we will provide more detail to help you understand what it means to continue to manage Windows Phone 8.1 and Windows 10 Mobile devices.

Also, please join us in an upcoming webinar, Feb. 21, 2019 11:00 a.m. ET: MaaS360: Beyond Windows Phone/Mobile. Register here.

Windows Phone 8.1 End of Life

Microsoft have already announced an end of support for this platform. If you contacted Microsoft Support you wouldn’t be able to get bug fixes or other resolutions from them meaning that it would be better to upgrade the existing devices to Windows 10 if at all possible.

Windows 10 Mobile

Microsoft Support for Windows 10 Mobile will end on Dec. 10, 2019. Again it may be difficult to get software upgrades given that this is an end-of-life product.

Symantec Company Hub Certificate

In order to perform certain management actions on Windows Phone and Windows Mobile devices, using any MDM/EMM provider, it is necessary to have a Symantec Company Hub certificate. This certificate is showing on your MaaS360 portal under the Setup > Services menu, under Mobile Device Management, as in the screen capture below:

PLEASE NOTE: Symantec has announced an end date to the ability to renew this certificate. After this deadline you cannot renew the certificate, and if it expires you cannot use it any more.

The cut-off date announced is Feb. 28, 2019, after which it will not be possible to renew the certificate. Customers are being asked to renew the certificate if required, for either 1 year or for 3 years (only options). So the final date for the certificate expiry will either be the current expiry date, or the renewed expiry date.

FAQs

What does the Symantec certificate / Company Hub do?

The certificate validates the administrator’s right to push data, settings and apps to Windows Phones (including Windows 10 Mobile devices).

Windows Phone devices already enrolled with MaaS360 will continue to work as long as the existing Symantec Enterprise Mobile Code Signing Certificate uploaded to MaaS360 remains valid. 

If you fail to renew the Symantec Enterprise Mobile Code Signing Certificate by Feb 28, 2019, and upload to MaaS360 portal before the current certificate expiry date of your certificate, the following services will not work on Windows Phones already enrolled with MaaS360 or new Windows Phones that will be enrolled after the expiry date:

1. MaaS360 App for Windows Phone including Messages and App Catalog.
2. MaaS360 User Identity Certificate distribution for the purpose of email access, VPN access or Wi-Fi access as per  MDM policy configuration.
3. Distribution and Installation of Enterprise (.xap) Silverlight apps compiled on Windows Phone 8.1 SDK via MaaS360 App Catalog.
4. MaaS360 Email for Windows phone (Store app).
5. MaaS360 Browser for Windows phone  (Store app).
6. MaaS360 Docs for Windows phone  (Store app).

Services that will remain unaffected:

1. Limited MDM capabilities which do not require the Symantec Mobile Code Signing Certificate will still be available. 
2. There will not be any impact on the management of Windows desktops, laptops or tablets.

What does this mean for me as a Windows Phone / Windows Mobile customer?

If you wish to continue managing Windows Phone and Windows Mobile devices, as you have done before, you would need to renew the Symantec Company Hub certificate as described above.

In addition given that the platform is reaching end-of-life, you may wish to consider what you will do in terms of fleet renewal – whether to purchase new devices of a different type.

Do I need this certificate in order to manage Windows desktop computers and laptops?

No.

We haven’t provided Windows Phone / Mobile devices as corporate devices, so why does this concern me?

You might have Windows Phone/Mobile test devices, or they might belong to individual users. In either case you might need to contact individual users and review platform choice and device type.

We want to stop allowing enrollment of Windows Phone or Windows Mobile devices. How can we do this?

You can switch off the possibility to enroll these devices, by disabling the setting that controls this. To do this please log into your IBM MaaS360 portal, go to Setup > Settings > Device Enrollment Settings > Advanced > Device platforms allowed to enroll, and modify as appropriate. Note that all changes in this Settings page must be saved so please remember to click Save and enter your password as required.

What do I do next?

Please consider the following:

• The expiry date of the Symantec Company Hub (see details on where to get this above)
• The potential need to replace Windows Phone and Windows Mobile devices with other platforms

Based on these requirements and deadlines you may wish to discuss with your IBM MaaS360 account representative, commercial contact or client executive.

How can IBM help me as a customer?

What can IBM do to help me?

As an IBM MaaS360 customer you can ask for Support if you need help with technical questions, commercial assistance from your account representative, and you also have access to a series of resources including training, documentation, knowledge bases and so on. For more information please log into your MaaS360 portal and click on What’s New at the bottom of the page, or on the ‘question mark’ icon at the top right.

What does IBM propose that I do?

With the intention of letting our customers know proactively – and facilitating the planning process, we are engaging in communication with our customers. This is intended to ensure that for customers who currently have Windows Phone or Windows Mobile devices enrolled into their portals, that they can plan for their next action with enough time to facilitate continuity, as well as a seamless transition to other device types and mobile platforms.

What should I be planning for?

Ideally if you propose to end the support for Windows Phone or Windows Mobile devices in your organisation, you can get the list of enrolled devices from your portal (Reports > Hardware Inventory > Details > Filter by platform). Using this list, you can proactively contact the device owners or users to let them know and discuss device replacement options.

If you propose to continue supporting these devices for some time, then it may be appropriate to renew the Symantec Company Hub certificate as described above.

Symantec

What are my choices regarding renewal of the Symantec Company Hub certificate?

Symantec have provided the certificate up to now; however they have announced that it will not be possible to renew the certificate after 28^th February 2019. In this case you could:

• Wait for the expiry date of your certificate, or
• Renew the certificate for either 1 year or 3 years before that date

If you do not have a high dependency on the devices you could consider migrating to newer devices before the expiry date, and allow the certificate to expire naturally. However, if you think it may take longer to replace your mobile fleet then you might need to consider renewing the certificate.

If I want to renew the Symantec Company Hub certificate, how do I do this?

Please log into your IBM MaaS360 portal, go to the Watson Advisor (lower section) on home page, and follow the instructions under the section “DigiCert’s EOS notice…” Alternatively see link to Symantec page at the bottom of this document.

My Symantec Company Hub certificate is already expired, what can I do now?

Please contact IBM MaaS360 Support for options.

Communication

When did IBM tell me about this?

If you log in to your MaaS360 portal, go to My Advisor on the home page (lower section), you will see the following notification which has been there for some time. Clicking “Learn More” will give you additional information, and there is a link at the end of the page where Symantec give more information again.

When did Symantec tell me?

We understand that the administrator email address which was used for the creation of the certificate would have been notified some time ago.

Supporting documentation

IBM

Setting up the Symantec Company Hub for MaaS360

https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/pag_source/concepts/pag_setup_upload_winphone_certificate.htm

Managing Windows devices with MaaS360 UEM

https://www.ibm.com/security/mobile/maas360/windows-management

Blog on Windows Device Management with MaaS360

https://securityintelligence.com/windows-device-management-from-xp-to-10-and-everything-in-between/

Training course on IBM Security Learning Academy: Windows 10 UEM enrollment

https://www.securitylearningacademy.com/course/view.php?id=698

Understanding platform messages (notification of certificates about to expire)

https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/concepts/pag_platform_messages.htm

Uploading the Windows Phone Company Hub certificate

https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/concepts/pag_setup_upload_winphone_certificate.htm

Locating the services page in MaaS360 portal to manage certificates

https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/tasks/pag_setup_services.htm

Enroll Windows devices in MaaS360

https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/concepts/mc_winphone_container.htm

Windows

Microsoft End-of-life for Windows Phone 8.1

https://support.microsoft.com/en-nz/help/4036480/windows-phone-8-1-end-of-support-faq

Microsoft End-of-life for Windows Mobile 10

https://support.microsoft.com/en-us/help/4316957/products-reaching-end-of-support-for-2019

Full version table for all ‘flavours’ or editions of Windows 10

https://www.microsoft.com/en-us/windowsforbusiness/compare

Windows 10 Mobile Specifications and Systems Requirements

https://www.microsoft.com/en-ie/windows/windows-10-mobile-specifications#primaryR3

Microsoft Windows 10 Mobile upgrades

https://www.microsoft.com/en-ie/windows/windows-10-mobile-upgrade

Microsoft policy on platform life-cycles

https://support.microsoft.com/en-us/help/18403/lifecycle-faq-device-operating-systems

Company Hub / Symantec Certificate

Discussion around whether the Company Hub / Symantec Certificate is required

https://social.msdn.microsoft.com/Forums/en-US/f8864317-231c-4c5d-abcf-e962265d4cd7/company-hub-symantec-certificate-the-only-option?forum=wpsubmit

Microsoft document on FAQ’s relating to Windows Phone Company Hub apps

https://blogs.msdn.microsoft.com/wsdevsol/2014/04/21/frequently-asked-questions-about-windows-phone-company-hub-apps/

Symantec

Website for renewal of Symantec Company Hub certificate

https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do

CONTENT FROM WEBINAR DELIVERED 21st February 2019
Recording / MP4
Presentation-PDF