After renewing the SSL certificates on Netscaler as well on XenMobile, enrolled devices still shows old certificate

Note->New devices are getting enrolled successful with the new issuing and root certificates.

However already enrolled Devices --> Settings --> General --> Profile & Device Management
Shows up old information (like valid, till and issuing authority, root certificate) and  MDM Configuration (red) with an update option 

User has the option to update the Profile manually. After the user selects "update" the MDM Configuration changes the color to normal and has the new SSL, issuing and root certificates.

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.

• If the SSL certificate is getting expired and as we renew the SSL cert, the new SSL certificate might be signed with a different signing authority and hence will have different intermediate and root cert. This can be done using the renewal process . 



• The SSL certificate is pushed only once on the device when it enrolls for the first time. Hence the devices that were previously enrolled will continue to show old expiry date, however this will have absolutely no impact on the functionality as the certificate has already been successfully renewed. Hence the devices will continue to work

• Once the certificate has been renewed and we enroll any device it will show the new certificate and new expiry date (Since the SSL certificate is pushed to device during enrollment).

• Earlier we didn't had the update option, this is a new feature in the latest Apple OS 10.3.3 versions where user has an UPDATE option under Settings > General > Profile & Device Management. If we click on UPDATE it updates the new information for the SSL certificate .

---

Problem Cause

Expected behavior because the devices receive the SSL certificate at the time of enrollment.

This article summarizes the behavior of what happens to already enrolled devices when the SSL certificate is renewed