Certificates disappear!

Question

I have two Configuration Profiles that deploy certificates:
- SCEP Wi-Fi Certificate (CA)
- 3 CA certificates for Forcepoint endpoint

Both have these settings:
- Distribution Method: Install Automatically
- Level: Computer Level
- Target: Specific Computers: All Managed Clients / Specific Users: none
- No Limitations
- No Exclusions

My setup involve a cluster of two JSS instances, with a limited JSS in the DMZ.

My issue is that certificates disappear intermittently.

Here's the issue I get:

Jun 1 14:55:17 katrins-air mdmclient[19039]: [Daemon:0] Processing server request: InstallProfile for: <Device>
Jun 1 14:55:17 katrins-air mdmclient[19039]: ERROR [SCEPPlugin:0] XPC request to mdmclient to remove cert trust returned: -25300 (Error Domain=NSOSStatusErrorDomain Code=-25300 "errKCItemNotFound / errSecItemNotFound: / The item cannot be found." UserInfo={CallStackSymbols=(
"0 mdmclient 0x000000010e595cfc mdmclient 31996",
"1 mdmclient 0x000000010e5b921a mdmclient 176666",
"2 mdmclient 0x000000010e5b172f mdmclient 145199",
"3 mdmclient 0x000000010e5b88ce mdmclient 174286",
"4 mdmclient 0x000000010e5b29bd mdmclient 149949",
"5 libdispatch.dylib 0x00007fff96c463c3 _dispatch_client_callout 8",
"6 libdispatch.dylib 0x00007fff96c575a3 _dispatch_sync_f_invoke 56",
"7 mdmclient 0x000000010e5b2903 mdmclient 149763",
"8 mdmclient 0x000000010e5b2d77 mdmclient 150903",
"9 libxpc.dylib 0x00007fff8f206986 _xpc_connection_call_event_handler 35",
"10 libxpc.dylib 0x00007fff8f2051ff _xpc_connection_mach_event 2198",
"11 libdispatch.dylib 0x00007fff96c4e54e _dispatch_client_callout4 9",
"12 libdispatch.dylib 0x00007fff96c4e9c0 _dispatch_mach_msg_invoke 555",
"13 libdispatch.dylib 0x00007fff96c4b1b8 _dispatch_queue_drain 1207",
"14 libdispatch.dylib 0x00007fff96c4d317 _dispatch_mach_invoke 735",
"15 libdispatch.dylib 0x00007fff96c49d0b _dispatch_root_queue_drain 538",
"16 libdispatch.dylib 0x00007fff96c49ab8 _dispatch_worker_thread3 91",
"17 libsystem_pthread.dylib 0x00007fff8e0bf4f2 _pthread_wqthread 1129",
"18 libsystem_pthread.dylib 0x00007fff8e0bd375 start_wqthread + 13"
), IsInternalError=true, InternalErrorMsg=ProcSetCertTrustSettings})
Jun 1 14:55:17 katrins-air mdmclient[19039]: [Daemon:0] Installed configuration profile: FTIFF - Websense Certificates (4BDE49E5-ADD1-4038-B422-1CDCB9ADDCB9:4BDE49E5-ADD1-4038-B422-1CDCB9ADDCB9) for <Computer> (Source: MDM)
Jun 1 14:55:17 katrins-air authd[133]: Succeeded authorizing right 'com.apple.trust-settings.admin' by client '/usr/sbin/ocspd' [18674] for authorization created by '/usr/libexec/mdmclient' [19039] (3,0)
Jun 1 14:55:19 katrins-air mdmclient[19039]: [Daemon:0] Processing server request: ProfileList for: <Device>
Jun 1 14:55:22 katrins-air mdmclient[19039]: [Daemon:0] Processing server request: CertificateList for: <Device>

it seems that for whatever reason, the profile is being pushed twice in a row. OS X seems to get confused about that. Anyone saw this?

Page 1 / 1

Hi @ftiff-amaris

There is a line near the top that looks like it tried to remove a certificate, but failed. Then it proceeded to install the Websense certificate.

The only pointer I can see in the log is the error about a trust cert, the validity of which might be changing depending on whether a device is inside or outside the network.

In speaking with @ftiff-amaris, OS X El Capitan less than 10.11.2 may be involved. If the affected computers only run OS X 10.11.0 or 10.11.1, that’s what I’d suspect.

The OS X 10.11.2 release notes have this gem:

“Resolves an issue where reinstalling a configuration profile containing a certificate payload causes the certificates to be removed instead of updated”

In practice, this can result in certificates being removed — and not re-imported — on OS X 10.11 and 10.11.1. If your management and other systems depend upon certificates with a trust chain added by configuration profile(s), this can result in failed TLS connections to those systems. If that’s your JSS, that could mean you have less ability to remediate the problem.

For remediation, I think you’d need to update OS X 10.11.2 or later and re-apply the necessary certificates profiles.

Because OS X 10.11.3 resolves a separate issue with pkg receipts being removed — and that removal can have other implications — I would probably jump to 10.11.3 as a minimum on any managed El Cap workstation.

Thank you very much @jaharmi !

jaharmi · Accepted Answer

In speaking with @ftiff-amaris, OS X El Capitan less than 10.11.2 may be involved. If the affected computers only run OS X 10.11.0 or 10.11.1, that’s what I’d suspect.

The OS X 10.11.2 release notes have this gem:

“Resolves an issue where reinstalling a configuration profile containing a certificate payload causes the certificates to be removed instead of updated”

In practice, this can result in certificates being removed — and not re-imported — on OS X 10.11 and 10.11.1. If your management and other systems depend upon certificates with a trust chain added by configuration profile(s), this can result in failed TLS connections to those systems. If that’s your JSS, that could mean you have less ability to remediate the problem.

For remediation, I think you’d need to update OS X 10.11.2 or later and re-apply the necessary certificates profiles.

Because OS X 10.11.3 resolves a separate issue with pkg receipts being removed — and that removal can have other implications — I would probably jump to 10.11.3 as a minimum on any managed El Cap workstation.

davidacland · Answer

Hi @ftiff-amaris

There is a line near the top that looks like it tried to remove a certificate, but failed. Then it proceeded to install the Websense certificate.

The only pointer I can see in the log is the error about a trust cert, the validity of which might be changing depending on whether a device is inside or outside the network.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded