EnterpriseCA SSL certificates are missing from MDM enrolled devices after OS update

We are experiencing issues on MDM enrolled devices where the SSL certificates are not trusted after the OS update.

We use an EnterpriseCA certificate on our server, and it is pushed to devices during enrolment. But after the OS update, the CA is missing from the ‘Certificate Trust settings’ on the device, though it is present under the MDM profile. This makes the devices stop communicating with the server.

For now we have manually installed the certificate on the devices and enabled full trust. But this involves user intervention, and the end user can also disable full trust at any time, as the option is not greyed out, or remove the certificate from the device. We would like to know if there is any other option to push the certificates without user intervention, and also the best practices to avoid this in future.

We have already seen https://support.apple.com/en-in/HT212962, but it talks only about the Identity certificate. We would like to understand whether SSL certificates are also included in this.
