Certificate Pinning Behind Enterprise Proxies

2026-06-24

Certificate pinning protects a mobile application's TLS connections by requiring that the certificate (or public key) a server presents match a value the application already expects, instead of accepting whatever the device's trust store will validate. Standard pinning fails in enterprise networks where TLS introspection systems and proxies terminate the connection and replace the server's certificate with one they issue themselves, because that replacement certificate never matches the pin. This forces SaaS providers into an uncomfortable choice: ship applications that break in enterprise environments, disable certificate pinning for enterprise customers, or maintain two separate builds.

This paper presents a third path: administrator-managed certificate pinning that works in enterprise environments without weakening the pinning guarantee. Building on CN pinning, established in the first paper in this series, the approach delivers enterprise-specific pinning expressions through the application's existing authentication flow, signed by the SaaS provider and validated against a public key embedded in the application. The enterprise administrator provides their network's certificate information to the SaaS provider; the SaaS provider signs and distributes it; the application verifies the signature and composes the expression with its base pinning policy. Because only the provider's signing key can produce a valid expression, a proxy or an attacker on the enterprise network cannot inject pins of its own.

The result is a three-mode operational model (logging in, logged in, logging out) that maps directly onto the authentication lifecycle enterprise applications already implement. CNPinning 1.2.0 provides the client-side implementation for both iOS and Android, and includes a bidirectional JWT reference implementation for server-side implementors. MAM (mobile application management) and MDM (mobile device management) deployment constraints are addressed directly, including the honest acknowledgment that MAM environments have fundamental limitations that pinning alone cannot resolve.

Download PDF