This article explains how to use the Apple Multiple Certificate Root Policy in Swif to deploy one or more root certificates to Apple devices.
This policy supports multiple certificate payloads per policy while still enforcing Swif’s standard “one policy per type per device” rule.
What this policy does
Use the Apple Multiple Certificate Root Policy to:
Install one or more root CA certificates on:
macOS 10.7+
iOS 4.0+
iPadOS 4.0+
Manage these root certificates centrally via Swif:
Add new certificates
Update or replace existing ones
Remove certificates by unassigning or deleting the policy
This is typically used to:
Trust your organization’s internal PKI
Allow devices to trust internal services (VPN, Wi‑Fi, web apps, etc.)
Meet compliance requirements that require specific trusted roots
Prerequisites
Devices must be enrolled in Swif MDM.
You must have:
Admin access to the Swif Admin Console.
One or more root certificates in a standard format (e.g., .cer, .crt, or .pem) that you can convert to Base64.
Confirm with your security / PKI team which certificates should be trusted on end‑user devices.
Creating an Apple Multiple Certificate Root Policy
Open the Swif Admin Console.
Go to Device Management → Policy.
Select Create New Policy.
In the policy catalog, choose Apple Multiple Certificate Root Policy.
You’ll land on the Basic Configurations step.
Basic configurations
In the Basic Configurations section:
Policy Name
Give the policy a clear, descriptive name, for example:
Corp Root CAs – Production or VPN & Wi‑Fi Root Certificates.
Policy Description
Describe what the policy is used for and which certificates it contains, for example:
“Installs internal corporate root CA and VPN gateway root CA on all managed Macs.”
Requirements
The UI shows the supported platforms (macOS 10.7+, iOS 4.0+, iPadOS 4.0+). This policy will only apply to supported Apple devices.
Click Continue when you have finished the basic fields, or scroll down to configure the certificate payloads.
Adding multiple certificate payloads
In the Settings panel you’ll see Multiple Certificate Root Payload Content.
Each entry in this section represents one root certificate payload that will be installed on the target devices.
For each certificate you want to deploy:
Click Add.
Fill in:
Payload Certificate File Name
The file name of the enclosed certificate (no path required).
Examples: corp-root-ca.cer, vpn-gateway-root.crt
This name is used for identification and may appear in logs and on the device.
Payload Content (base64)
Paste the Base64‑encoded contents of the certificate.
This is the binary representation of the certificate, encoded as Base64 text.
Typical steps:
Export or obtain the certificate from your PKI / certificate authority.
Convert it to Base64 if needed (your security / infra team can provide this).
Paste the Base64 string into this field.
Repeat the Add step for every additional root certificate you want to distribute with this policy.
You can:
Add multiple payloads.
Edit an existing payload to change its file name or Base64 content.
Remove a payload from the list if it should no longer be installed.
When you’re done, click Continue.
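The conversion step above can be scripted so that every payload is checked before it is pasted. The following is an added example, not Swif's own tooling: it normalizes a .cer/.crt/.pem file body to single-line Base64 of the DER bytes, refuses private keys and multi-certificate bundles, and returns a SHA-256 fingerprint to compare with the value your PKI team publishes. It assumes the Payload Content field takes Base64 of the raw DER without PEM header lines; `to_payload`, `der_total_length` and the sample data are hypothetical names and constructed values.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a DER-shaped SEQUENCE of 256 zero bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_total_length(der: bytes) -> int:
    """Size of the outer DER SEQUENCE (header + body), or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_payload(raw: bytes) -> dict:
    """Normalize a .cer/.crt/.pem file body to one-line Base64 of its DER bytes."""
    if b"PRIVATE KEY-----" in raw:
        raise ValueError("file contains a private key; export the certificate only")
    blocks = PEM_CERT.findall(raw)
    if len(blocks) > 1:
        raise ValueError(f"bundle of {len(blocks)} certificates; use one payload each")
    # PEM armor is stripped; a file without armor is treated as raw DER.
    der = base64.b64decode(b"".join(blocks[0].split()), validate=True) if blocks else raw
    if der_total_length(der) != len(der):
        raise ValueError("not exactly one DER-encoded object (truncated or trailing data)")
    return {
        "payload_b64": base64.b64encode(der).decode("ascii"),  # paste into Payload Content
        "sha256": hashlib.sha256(der).hexdigest(),             # compare with the PKI team's value
    }


if __name__ == "__main__":
    for name, body in (("sample.cer", SAMPLE_DER), ("sample.pem", SAMPLE_PEM)):
        result = to_payload(body)
        print(name, result["sha256"], result["payload_b64"][:16] + "...")
```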
Selecting devices and device groups
After configuring the payloads, follow the standard policy assignment steps:
Select devices
Choose individual Apple devices to which the policy should be applied.
Select device groups
Optionally select device groups (for example, “All MacBooks”, “Engineering Macs”, “iOS Corporate”).
Review
On the review step, confirm:
The policy name and description.
The list of certificate payloads.
The devices / groups that will receive the policy.
Click Create (or Save & Apply) to publish the policy.
Once assigned, Swif will push the policy to the targeted Apple devices and install each of the configured root certificates.
Updating an existing Apple Multiple Certificate Root Policy
To change certificates without creating a new policy:
Go to Device Management → Policy.
Find your Apple Multiple Certificate Root Policy and open it.
Edit the Settings → Multiple Certificate Root Payload Content section:
To add a certificate: click Add and define a new payload.
To replace a certificate: update the Payload Content (base64) for the existing payload (and optionally adjust the file name).
To remove a certificate: delete the corresponding payload entry from the list.
Save and re‑apply the policy if prompted.
Swif will reconcile changes on the devices:
Newly added root certificates will be installed.
Removed root certificates will be removed according to the platform’s configuration profile behavior.
Deleting or unassigning the policy
You can remove the effect of the policy in two ways:
Unassign from devices / groups
Edit assignments so devices no longer receive this policy.
Delete the policy
If the policy is no longer needed at all.
Swif will clean up the underlying configuration profiles in line with how Apple handles profile removal. Root certificates provided solely by this policy will be removed when the corresponding profile is removed.
Behavior and compatibility notes
One policy per type per device
Swif enforces that each device has at most one APPLE MULTIPLE CERTIFICATE ROOT POLICY assigned.
To change which root certificates are installed, edit the existing policy instead of creating another policy of the same type targeting the same devices.
Multiple payload support
Each policy can contain one or many certificate payloads. Use multiple payloads when you need several trusted roots installed together (for example, multiple internal CAs).
Backward compatibility
The backend implementation keeps compatibility with previous single‑payload behavior. Existing profiles based on earlier Apple root certificate policies continue to work; this new policy adds the ability to manage multiple certificates per policy in a customer‑visible way.
Related policies and documentation
You can refer to these articles for related behavior and examples:
Windows Certificate Install Policy
Windows Certificate Install Policy | Help Center | Swif.ai
Apple MDM policy overview
Apple-specific MDM policies available in Swif | Help Center | Swif.ai
