by David Perry.
Thanks for that.
I spoke to our Forefront admin earlier, and he has provided us the wildcard (*.srv.hull-college.ac.uk) certificate - we'll find a quiet time to try and make Apache work with that, to cover internal clients.
But knowing it's just a problem internally reduces the scale of the problem, and I put a notice on the 'how to setup moodle mobile' page we have on our homepage to note we are aware of the problem with access on mobile devices internally (it works fine on our PCs/Macs in the domain, which is the same domain as the Certificate-signing server).