AD-Certificate can't renew in Big Sur

I havent seen cert renewal issues yet per se, but I have noticed that Big Sur isnt trusting my internal root AD cert at deployment time.

All my managed Macs get both a root and an intermediate cert via packages/scripts (not profiles) at enrollment time. I have torn the package open and there is nothing wrong that I can find.

However, all my Mojave and Catalina Macs trust both my root and intermediate certs with no issues.

macOS 11.2 will be out relatively soon (in public beta now).

Update - my initial issue is resolved. Replacing packages with profiles allows my Big Sur test Macs to trust the root cert automatically.

@Gonzalo we see the same behaviour on our machines. Renewal works fine on Catalina machines but not on Big Sur :(

@Gonzalo This is probably an Apple bug. Have you opened a ticket with Apple?

@dstranathan Big Sur no longer allows trusting of root CA's without a user entering their password. So using packages/scripts to install certs to the System keychain no longer works unless you do it with a logged in user and that user enters their password. The supported method is to use certificates, but as we all know, that doesn't fully trust those certs which is why you were probably using a script.

@patgmac I have not opened a ticket with Apple yet, but will probably do it now :)
I just saw the following in the latest release notes from Jamf Pro Beta 10.27, so maybe Jamf is on it?

We are now releasing Jamf Pro 10.27.0 beta 2! This release contains some new enhancements to Computer Device Certificate Renewal

Not sure, I would post in the beta board to get confirmation.

@patgmac Do you know where I can open a case with Apple? Is it through the Feedback Assistance?

@svenke Any updates on your side?

@Gonzalo We pay $17k a year for the privilege of opening tickets with Apple. 🥴

@Gonzalo Feedback Assistance is one option, getting the expensive support that @patgmac mentions is another one. But have you tried whether 11.2 fixes this? I think it removes some of the excessive restrictions of Bif Sur.

But have you tried whether 11.2 fixes this? I think it removes some of the excessive restrictions of Bif Sur.

@mschroder Still broken in 11.2 :/

@user-TWQHooQpVh I'm confused why you're advising disabling SIP in this instance. How does that fix certificate renewal?

My enterprise support rep also reminds me to use AppleSeed too (https://appleseed.apple.com/sp/help/faq)

@Gonzalo have you had any updates on this issue?
I'm still seeing it, too. Jamf also still lists it as known issue PI-009786

Just started to see this issue myself. However one of the devices is on Catalina. What method of updating are people using given auto renew is not working? I can use our ADCS Connector if all else fails, which was setup as a POC, but this only helps get on out vpn, I never got the connector to work for internal Wi-Fi.

Was there ever a resolution to this issue? I have many clients not renewing AD certificates, and I see no evidence in the ManagedClient.log that they ever try to renew. I can see the initial certificate enrollment just fine.

Confirmed this is still an issue and an open PI yet.

PI103872 - PI-009786: Computers with macOS 11 fail to renew the certificate when Enable Automatic Renewal is selected in the AD Certificate payload of a computer configuration profile.

Our Jamf support contact said there is no workaround and directed us to engage Apple support. We did simply invoke a 're-push' the Config Profile manually and verified devices were receiving a new cert with an updated date/timestamp.

Yeah we started a case with Apple and they said it's a known issue, but didn't provide any further detail. For now we have moved authentication to a predefined username and password while we explore replacements for NPS.