Solved

Any ETA on fixes for PI-1152 and PI-1153 in Jamf Pro 11.26.1?

  • April 13, 2026
  • 6 replies
  • 321 views


PI-1152 involves the MDM Device Identity Certificate not being trusted on new enrollments after updating to version 11.26.

PI-1153 concerns Device Identity Certificates being marked as untrusted in Keychain Access during enrollment in version 11.26.1.

Best answer by mrinaldi (New Contributor), April 15, 2026

I have an open support ticket with Jamf on this issue; this is the current status they reported to me as of April 14, 2026 @ 7:06PM EDT.

What We Know

We have identified a known product issue (PI-1152) affecting Jamf Pro version 11.26.x, where MDM Device Identity Certificates issued by Jamf Pro's Built-In CA are marked as "not trusted" by macOS following new enrollments. This occurs even when the Certificate Authority itself is properly trusted.

  • Scope: This affects new enrollments only (via Automated Device Enrollment or User-Initiated Enrollment using the Built-In CA). Devices that were already enrolled prior to the upgrade to 11.26.x are not affected.
  • Root Cause: This was introduced in version 11.26.0 due to a change in how Distinguished Name encoding is handled internally.

Current Status

Our engineering team has identified the root cause and a fix has been developed and is currently under review for inclusion in an upcoming release.

Available Workarounds

While we work toward a permanent fix, the following workarounds may help in the interim:

  1. Manually trust the certificate on each affected device via Keychain Access — this is not scalable but may be suitable for high-priority devices.
  2. Configure an External CA — this bypasses the affected code path entirely and may be a more practical option depending on your environment.
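The Root Cause note above attributes the untrusted certificates to a change in Distinguished Name encoding. As an added illustration (not code from this thread, from Jamf, or from Apple), the following parses two DER-encoded X.501 Names and tells an encoding-only issuer/subject mismatch apart from a genuinely different name; it assumes the mismatch is an ASN.1 string-type difference (PrintableString versus UTF8String), which the thread does not specify, and the CA name it uses is constructed.

```python
# Added example (not Jamf's code): classify why a leaf's issuer Name fails to
# match a CA's subject Name. Assumes (thread does not say) a string-type difference.
from typing import List, Tuple

CN, PRINTABLE, UTF8 = b"\x55\x04\x03", 0x13, 0x0C  # commonName OID 2.5.4.3; ASN.1 string tags

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128                     # short-form DER length is enough here
    return bytes([tag, len(body)]) + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_name(attrs: List[Tuple[bytes, int, str]]) -> bytes:
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE {type OID, value string}))."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(tag, text.encode("utf-8"))))
        for oid, tag, text in attrs)
    return _tlv(0x30, rdns)

def parse_name(der: bytes) -> List[Tuple[bytes, int, str]]:
    """Inverse of build_name: (oid, string tag, decoded text) per attribute."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)     # one RelativeDistinguishedName (SET)
        q = 0
        while q < len(rdn):
            _, atv, q = _read_tlv(rdn, q)      # AttributeTypeAndValue (SEQUENCE)
            _, oid, p = _read_tlv(atv, 0)
            vtag, val, _ = _read_tlv(atv, p)
            out.append((oid, vtag, val.decode("utf-16-be" if vtag == 0x1E else "utf-8")))
    return out

def classify_issuer(leaf_issuer: bytes, ca_subject: bytes) -> str:
    """'match': byte-identical. 'encoding-mismatch': same text, different string
    types (a chain builder that compares DER bytes rejects it). 'different': other."""
    if leaf_issuer == ca_subject:
        return "match"
    strip = lambda name: [(oid, text) for oid, _, text in parse_name(name)]
    return "encoding-mismatch" if strip(leaf_issuer) == strip(ca_subject) else "different"

# Constructed sample: CA subject and leaf issuer differ only in the string type.
CA_SUBJECT = build_name([(CN, PRINTABLE, "JSS Built-in Certificate Authority")])
LEAF_ISSUER = build_name([(CN, UTF8, "JSS Built-in Certificate Authority")])
```

When triaging a certificate that Keychain Access shows as not trusted, feed classify_issuer the DER of the leaf's issuer and of the CA's subject (for example, cut out with openssl asn1parse -strparse) to see whether the two names differ only in encoding.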

6 replies


Daniel666
  • New Contributor
  • April 16, 2026

Hello,

Do you also see the problem that the devices are marked as NOT MANAGED and the device ends up as a broken enrollment?


  • Author
  • Contributor
  • April 16, 2026

No, I haven’t seen that issue. The only problem we’re currently dealing with is that Jamf Pro’s built-in CA is being marked as “not trusted.”


  • Author
  • Contributor
  • April 16, 2026

Thanks for sharing — we received the same response as well.


Daniel666
  • New Contributor
  • April 17, 2026

Hi,

To give you an update about what happened to us: we did NOT see the same issue you had, with the “not trusted” information.

But in our environment, all new enrollments were interrupted and broke; the outcome was that the device was marked as “NOT MANAGED”, which means the device is lost.

Together with Jamf support we fixed the issue.

Here are the notes

----------------------------

Today we confirmed we were encountering a known product issue, PI-1145, where macOS MDM enrollments fail after the enrollment signing certificate is auto-renewed. We went through the following workaround to resolve this issue.

1. Navigate to Settings > Global > MDM Profile Settings
2. Uncheck "When the built-in certificate authority is renewed" for computers and mobile devices
3. Navigate to Settings > Global > PKI Certificates
4. Click the number under All to the right of the built-in CA
5. Click the top most certificate (CN=xxxxxxxxxxxxxxxxxx JSS Built-in Certificate Authority)
6. Click "Renew" in the bottom right corner

Once this is renewed we were able to confirm that the enrollment completed and installed the binary.

Lastly we would recommend leaving "When the built-in certificate authority is renewed" for computers and mobile devices unchecked until all devices are on macOS 26.4, since this version prevents un-enrollment if the MDM profile renewal fails.

https://support.apple.com/en-us/124963
If a new identity certificate fails to install during device management enrollment renewal, the original certificate is retained to prevent unenrollment.


jguz
  • Contributor
  • May 1, 2026

Any updates on this? Very reticent to renew the global PKI certificate.