Hi all,

Our JSS Signing Certificate expired last month, and I have been unable to find how to either update it, or redeploy our MDM Profile. It's not our JSS Certificate Authority, but the Signing Certificate. Is there any documentation I should be looking for, or am I missing something obvious?

We are running 9.101.4, and it doesn't seem to have anything to do with user approved MDM (although that's its own can of worms).

Thanks

@tcandela Does this answer? https://www.jamf.com/jamf-nation/articles/765/renewing-jamf-pro-jss-built-in-certificate-authority-ca


@rstasel I'll check it out, thanks. Hopefully I don't have to re-enroll 94 Macs to get this done.


Hi @tcandela

Provided the device identity certificate in the MDM profile has not expired, you can also renew the MDM profile using one of the following methods:
- For a single device using the Renew MDM Profile button from the management tab of the device.
- For one or more devices using a mass action from a smart group or advanced search


@drhoten can you show me a screenshot of the options you suggested?
I'd like to try option 1 first and then your second option afterwards.


@tcandela the instructions are in the linked KB article above, and also in the release notes:
https://docs.jamf.com/10.23.0/jamf-pro/release-notes/What's_New.html

Once you renew the CA, devices will automatically receive the updated MDM profile and related signing certificates on next check-in. You can also force renewal on a particular computer/device under the management tab for that device. You won't see any of these options until you upgrade to 10.23.0.


Hi @tcandela

For the two options, both assume you've already upgraded to Jamf Pro 10.23.

1) Find the computer and then select it followed by clicking on the management tab. If the "Renew MDM Profile" button is not visible then it may mean Jamf Pro does not consider that computer as being MDM capable or enrolled.

2) From the Smart Group or Advanced Search, click the action button in the lower right and select the option for "Send Remote Commands". From there click on the next button and select option for "Renew MDM Profile".


@tcandela how did it go? I have to upgrade my JSS to get this going but I have about 30 unverified machines that I can't push out PPPC profiles to and now I am in need of doing that ASAP.


@rgranholm I'm still waiting to get upgraded to 10.23.0


Make sure you exclude pre-10.13 Macs from renewing the MDM Profile. They will not do it anyway, but attempting to do so appears to make the jamf daemon go crazy (100% CPU) after a while :(


@rgranholm @mschroder I haven't been able to figure out how to renew these MDM profiles that are now showing 'unverified'.

I click the 'renew mdm profile' in the management tab and nothing happens (I'm sure you must be on the same LAN or something).

Have you gotten your Macs' profiles verified?


@tcandela I had about 600 machines in an unverified state. Running a renew on all of them resulted in about 500 of those coming back to verified. I now have nearly 100 that enrolled via user initiated enrollment that are still unverified and I can't get to verify despite trying various solutions. A few were fixed via pushing a policy that was just "jamf trustjss"

The real issue is I have half a dozen machines that were enrolled via ADE/DEP that are in unverified status, and won't get the renew MDM command (it just sits in pending). My thought on these is they had migration assistant run on them after enrollment and someone forgot to uncheck everything but the user account, so MDM has been hosed on them for a while. =/ Which means I get to fix them manually... =( Apple needs to give us some way to fix systems in this state without disabling SIP. =/


@rstasel what did you set up to get 500 of those 600 renewed?

I just tried sudo jamf trustjss and it said 'downloading required CA certificate(s)...' but the MDM profile is still 'unverified'.

What was your smart group configuration that showed you which Macs were unverified?

When I look at a Mac's inventory information in the GENERAL section, I have a Mac with MDM Profile Expiration Date: 03/20/2024 at 3:48 PM and MDM Profile Verification State: Not Verified

I don't understand these 2 results. Under Profiles in System Preferences I clearly see the MDM Profile as Unverified.


@tcandela So I'm using the EA here: https://www.jamf.com/jamf-nation/third-party-products/files/830/mdm-profile-verification-state
I just have a smart group that looks for "Unverified" for that EA.

The renew command runs as a standard MDM command. So I just did a search for every computer in an unverified state, then did Action, Cancel Management Commands, and canceled all pending/failed commands. Then did the search again, and did Action, Send Remote Command, Renew MDM Profile.

That EA only updates on inventory, so I just waited and watched the number drop. After a couple weeks it was down to where I'm at now.

The issue is according to Jamf, I'm likely going to have to re-enroll all the machines that didn't renew. Either via User Initiated for the ones not in ADE, or for the ones enrolled via ADE I get to do the whole disable SIP, rip out profile, reenable SIP, reenroll BS. Unless I can find a better way. The issue is once it's super wedged, the "Remove MDM" command doesn't work anymore...


@rstasel yes, I have that EA set up and see all the Macs that are unverified. So I have all of them in a smart group.

Now I'm kinda lost on your second paragraph. Is this a policy you set up?

Did you set up a policy to do this: "The renew command runs as a standard MDM command. So I just did a search for every computer in an unverified state, then did Action, Cancel Management Commands, and canceled all pending/failed commands. Then did the search again, and did Action, Send Remote Command, Renew MDM Profile."


sorry, it's not a policy. You don't even need a smart group if you're not running the "jamf trustjss" policy. This is all just a search. Once you show the results of a search, there's "Action" down in bottom right, where you can cancel pending/failed management commands (so get the pending ones out of the way), then you can do the Action again, and Send Remote Command, Renew MDM.


Here ya go. (not in right order)


@rstasel I kinda see now.


yup.


@rstasel how long after you ran the 2 commands did you see results? (I see, you had to just check daily or whatever and see the numbers drop as computers ran inventory)

In my search I only did the first line.

Another issue I have is a handful of these Macs have totally dropped off from even doing the routine check-in and inventory updates, so probably those Macs won't be affected by this.


If the MDM command succeeds, the next inventory they should report as Verified. So I started seeing results pretty quick. If you want to speed it up, make a new smart group and scope an inventory to that.

And yes, that command will just sit waiting for machines until they come online again. The profile being unverified should have nothing to do with them not checking in; that just means they're off, or somehow Jamf is broken on them (the Jamf binary and MDM stuff aren't tied together).

If you don't have any 10.13 machines, then that's fine. If you DO have 10.13 machines, or older, you want to exclude them from this. They won't successfully renew the MDM profile, and instead just spin up the CPU for a while before failing silently and continuing to be unverified.
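The search, cancel-pending, send-renew workflow described in this thread, plus the "exclude 10.13 and older" caveat, written up as an added Python example (not code from the thread or from Jamf). It takes an inventory listing, picks out Macs whose MDM Profile Verification State EA is not "Verified", drops macOS 10.13 and older, flags Macs that have stopped submitting inventory, and builds a UDID list for the mass action. The record layout, the sample data, the `MIN_SUPPORTED_OS` threshold and the `build_request_body` key name are constructed assumptions, not Jamf Pro's export format or API.

```python
"""Plan a 'Renew MDM Profile' mass action from an inventory listing.

Added example: it encodes the rules described in this thread (target Macs
whose MDM profile verification state is Unverified, skip macOS 10.13 and
older, flag Macs that have stopped submitting inventory). The record layout,
the sample data and the request-body builder are constructed assumptions,
not Jamf Pro's export format or API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Oldest macOS release on which the renew command is expected to succeed
# (the thread reports 10.13 and older spinning the CPU and failing silently).
MIN_SUPPORTED_OS = (10, 14)


@dataclass(frozen=True)
class Computer:
    name: str
    udid: str
    os_version: str           # "10.13.6", "10.15.7", "11.2" ...
    verification_state: str   # value of the MDM Profile Verification State EA
    last_inventory: datetime  # when the Mac last submitted inventory


def parse_version(version: str) -> tuple:
    """Turn "10.13.6" into (10, 13, 6) so releases compare numerically.

    A plain string comparison is wrong here: "10.9" sorts after "10.14".
    """
    return tuple(int(part) for part in version.split("."))


def too_old_to_renew(version: str) -> bool:
    """True for macOS 10.13 and older, which should be excluded from the action."""
    return parse_version(version) < MIN_SUPPORTED_OS


def plan_renewal(computers, now, stale_after=timedelta(days=7)):
    """Split an inventory into: Macs to send the command to, Macs excluded for
    OS age, and Macs flagged stale. Stale Macs are still sent the command,
    because a pending MDM command simply waits until the Mac comes online."""
    to_renew, excluded, stale = [], [], []
    for c in computers:
        if c.verification_state.strip().lower() == "verified":
            continue                      # nothing to do for this Mac
        if too_old_to_renew(c.os_version):
            excluded.append(c)            # leave out of the mass action
            continue
        if now - c.last_inventory > stale_after:
            stale.append(c)               # flag for follow-up, but still renew
        to_renew.append(c)
    return to_renew, excluded, stale


def build_request_body(to_renew) -> dict:
    """Body for a hypothetical bulk renew request keyed by UDID.
    The "udids" key is an assumption for illustration, not a documented API."""
    return {"udids": sorted(c.udid for c in to_renew)}


# Constructed sample inventory: names, UDIDs and timestamps are made up.
NOW = datetime(2021, 3, 1, 12, 0)
SAMPLE_INVENTORY = [
    Computer("mac-01", "UDID-0001", "10.15.6", "Verified",   NOW - timedelta(hours=2)),
    Computer("mac-02", "UDID-0002", "10.14.6", "Unverified", NOW - timedelta(hours=5)),
    Computer("mac-03", "UDID-0003", "10.13.6", "Unverified", NOW - timedelta(days=1)),
    Computer("mac-04", "UDID-0004", "10.9.5",  "Unverified", NOW - timedelta(days=2)),
    Computer("mac-05", "UDID-0005", "11.0",    "Unverified", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    renew, old, stale = plan_renewal(SAMPLE_INVENTORY, NOW)
    print("send Renew MDM Profile to:", [c.name for c in renew])
    print("excluded (macOS 10.13 or older):", [c.name for c in old])
    print("stale, command will wait for check-in:", [c.name for c in stale])
    print("request body:", build_request_body(renew))
```

The version tuple comparison is the part worth copying: an EA or smart group that compares "10.9" and "10.14" as strings will silently misclassify older Macs, which is exactly the set this thread says must be excluded. The stale list mirrors the observation above that a renew command sits pending until the Mac comes online, so those Macs need a separate check-in investigation rather than another renew.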


@rstasel we have nothing older than 10.13.

So far I see 5 Macs that have run inventory since I did those 'actions', and checking the inventory information on one of them I see no change to the Not Verified state.
Also I see in the Mac's management tab a handful of pending commands, along with the Renew MDM Profile command. Date of last push 13 minutes ago!!!! What is preventing these commands from executing??


Hi @tcandela

What OS? If 10.14, is someone logged in? If not, someone needs to log in.

There are a lot of variables, and yes, the 100 or so I have left are all in this state. Which means having to re-enroll them.


@rstasel here are a couple of sample results from two of the computers the renew profile command was sent to. Someone has been logged in. Also the search is still at 86 computers, so the commands did not affect even 1 computer.


So that top one looks suspicious. I'm not positive, but that looks like the MDM push cert was renewed with a different Apple ID than originally (so when you renew the APNs certificate with Apple, it warns you in the Jamf Pro server if the Apple ID is different than originally). Does that sound right? If that's the case, any machine in that state will need to be re-enrolled.

The bottom one looks like the ones I have left... just for whatever reason they aren't accepting the new MDM. I'm unclear why.

What OS is on each of these? Do you have one in your possession or are they all out in the field?


@tcandela When you renewed your push certificate I assume you used the same Apple ID you used the previous year(s)?