Certificate Pinning

Protocols & Standards

Certificate pinning is a security technique that validates SSL/TLS certificates against a pre-defined set of trusted certificates or public keys, rather than relying solely on the system’s certificate authority trust store.

What to Know

Certificate pinning defends against man-in-the-middle attacks in which an attacker presents a fraudulent certificate signed by a compromised or rogue certificate authority. In high-security environments, the standard CA trust model is insufficient because any CA in the system trust store can issue a certificate for any domain. Certificate pinning narrows the trust boundary to specific, known certificates or public keys, so an attacker cannot impersonate a server even with a certificate that a trusted CA has validly issued. This is particularly critical for MDM communications, which carry sensitive device management commands and corporate data.

When implemented correctly, certificate pinning adds a significant layer of protection against sophisticated attacks. However, it requires careful certificate lifecycle management — pinned certificates that expire or rotate require profile updates, and incorrect pinning configurations can break connectivity entirely. Organizations must balance security benefits against operational complexity.

Common Scenarios

Enterprise IT: High-security enterprises in finance, healthcare, or government often require certificate pinning for MDM connections to protect against nation-state attacks or advanced persistent threats. IT must coordinate certificate rotations with MDM profile updates to avoid service disruptions. Certificate pinning is most commonly implemented for corporate apps and VPN configurations rather than the MDM enrollment profile itself.

MSP: MSPs typically do not implement certificate pinning for standard client deployments due to the operational overhead and risk of connectivity failures during certificate rotations. Clients in regulated industries may request pinning as part of security hardening, requiring MSPs to establish robust certificate management workflows and change control processes.

Education: Educational institutions rarely implement certificate pinning for MDM unless required by grant funding restrictions or state-level security mandates. The operational complexity typically outweighs the security benefit for K-12 environments, where the threat model is less sophisticated than enterprise or government environments.

In Addigy

Addigy supports certificate pinning for custom configuration profiles where organizations require enhanced security for specific applications or network connections. Administrators can configure pinning by specifying certificate payloads within custom profiles deployed to managed devices. Addigy does not enforce certificate pinning for the MDM enrollment profile itself, as this could create recovery challenges if certificates need emergency rotation.

When deploying certificate pinning through Addigy, admins should test configurations in pilot groups before broad deployment and establish procedures for coordinated certificate rotation. Addigy’s profile versioning and deployment controls enable staged rollouts that minimize risk during certificate updates.

Also Known As

  • SSL Pinning
  • Public Key Pinning
  • Certificate Validation