802.1x RADIUS cert renewal. (clearpass with JamfPro)

I put the new 802.1x cert into my existing profile ahead of when the networking team uploads the cert on their end and keep the existing cert in the profile as well.  Then when networking does their thing, the Macs will already have the new cert and they reconnect.  Just have to go back in a week or so and remove the expired cert from your profile

Thank all of you. Until now, I was under the impression that edited profiles would be remove-redeployed so I was thinking too complicated. I have been using JamfPro for over 8 years but somehow, I never understood this properly.

Three months ago, we updated our RADIUS certificate. During this process, we chose not to push the RADIUS certificate through Jamf because our WPA Enterprise setup uses Active Directory account credentials (rather than static accounts) for authentication.

With this setup, each user logs into Wi-Fi individually. After the RADIUS certificate change, Mac users encountered a pop-up upon connecting to Wi-Fi,

prompting them to continue and enter their MacBook login password to reconnect to the internet. However, users connecting via LAN cable were unaffected and did not see any pop-up.
then after that you can schedule to delete the expired cppm cert manually in Keychain Access.

Note:
We inform via email what to do after changing the cert, so that users know the steps to take.
300+ User Mac
300+ User iPad

Thank you for your input. Yes, I have to do this as well, as most of our users are Gr.6 to Gr 12 students, and they are BYOD. So we have no control over them whatsoever. We will send an email to all of them, and the teachers. I figure a fair number of them will read and forget or not read the mail. But that's part of the business.

Sorry to reopen this, but did this end up working out for you? I'm currently running into the same issue where I'm going to need to update my Cisco ISE radius certs that are in my device WiFi configuration profiles for Macs and iPads and am looking for the best way to do so. 

@jules1987 did you end up just updating the profile and then deploying it back out to everyone to update it?

Hey, @ferriterj1  

yes it worked by just updating for me. I just added the new cert to the existing mobile device conf profile, and deployed it to all (rather than to newly assigned only) It effectively updated the profile with the new setting.

Thank you so much! It's not every day that you find someone to have the same issue and then an easy solution to it. This takes a load of my mind haha! 

I just came across this post and now I'm getting excited to hear there's possibly an easy solution! 🙌
Whenever we renew our wifi cert, we always went through a process of creating a new config profile for the new cert and doing a shuffle between the old to the new with different smart groups. So what I'm understanding is that we can just add the cert to the current profile and re-apply, and it will not disconnect all our users and cause them issues re-connecting? 
Does this work when it applies per device not per user? 

Thank you for this comment! Super helpful to clarify a question I've always worried about. Like editing a name in a config profile or removing something from the scope.

A related question: I have been trying to clean up some old wifi configuration profiles, but I was worried that editing and removing from scope would cause an issue with the newer wifi config profiles and cause them all to disconnect. 
For example, I have a few straggling devices in my old 2024 wifi profile which is scoped to "All Managed Clients". But they also have the 2025 wifi profile and have been happily connected. 
If I remove "All Managed Clients" from the 2024 profile, it should not disconnect them from wifi because they won't get confused between the profiles if one is removed, correct? 

@miniberry I would _hope_ that's the case, but I have never tried installing multiple Configuration Profiles with Wi-Fi configurations. You'll need to try un-scoping a test machine to observe the behavior.

To follow up on this, I'm curious. So did you upload the new wifi cert in the existing wifi profile that had the old cert, and then applied the profile to all, and they connected fine?

Thank you! I will test and see.

Yes, I went ahead and exported the cert from my Cisco ISE server and uploaded it to the profile. Since we had about three weeks before the old cert expired, I left the "about to expire" certs in the profile. Then, I saved the config and did the unthinkable of "apply to all". 

I wanted to get the new certs out to as many devices as possible before I had to switch Cisco ISE to the new certificate. But, they needed to stay connected so for now, so that's the reason for leaving the old certs.

I will say that 99.9% of devices stayed connected and the profile just updated. There were a couple of hiccups on a handful of devices, but since our device pool is around 7000, I'd take that any day!

When it came time to swap ISE to the new cert, I went ahead and removed the old certs from the profile and just did a "apply to newly assigned". I didn't want to press my luck with two "apply to all" even though I'm sure it would have worked fine. The old expired certs don't harm anything anyway.

Long story short, yes, upload your new radius certificate to your existing WiFi configuration profile and apply it to all devices when saving. No need to create a new configuration profile from my experience!

Oh.my.goodness! Thank you so much for the response! I think we may try this method and see if it works for us too. I have a much smaller environment (~700 Macs) but our process was different and this seems a lot more seamless.

Hi @jules1987 this is a really painful way of doing it as you have to replace the Radius cert every year.  Yes, we too were doing it that way and I would add the new cert in about 4 weeks before the other one expired so that clients would fail over when the cert was replaced on the Radius Server but there were always people who missed getting the new cert.  In addition there was pain trying to get people to give us the cert earlier each year.

Then we realised that if we put the Root CA for Radius cert in the configuration profile and trust that cert on wireless and ethernet interfaces, new certs from the Radius server are automatically trusted.  The Root CA cert has a much longer expiry so we don't have to do that annual dance.  There will still be a date when we have to insert a new Root CA cert but hopefully it can be done ahead of the other one expiring

Such good info, thank you for pitching in! Will connect with our network admin to see if this is feasible for us to try and that would be great if we don't need to do this annually.