Renewing the Built-in CA in Jamf Pro

  • May 1, 2023
  • 7 replies
  • 420 views


Has anyone had to renew the built-in CA in Jamf Pro before and, if so, mind sharing your experience with it? I'm primarily curious how many devices ended up having to unenroll and re-enroll as a result of MDM profiles failing to renew. With over 11,000 Macs in my environment, the suggestion shared by Jamf support of disabling automatic MDM profile renewals before renewing the built-in CA, then issuing MDM renewal commands manually to no more than 100 devices at a time, isn't realistic in my environment, especially when neither the smart nor the static computer groups are designed to group devices strictly by quantity into groups of 100 that easily.
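The batching problem raised above (renewing in groups of no more than 100 without hand-building static groups) can be handled outside of smart/static groups. The script below is an added example, not from the original thread or from Jamf: it filters a constructed inventory by MDM profile expiration and splits the result into batches of 100; the renew-profile endpoint, the server URL and the token are assumptions that must be checked against your Jamf Pro API documentation before use.

```python
"""Batch 'Renew MDM Profile' commands for a Jamf Pro fleet, 100 devices at a time."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

BATCH_SIZE = 100                         # per-batch limit suggested by Jamf support in the thread
JAMF_URL = "https://jamf.example.com"    # placeholder server (assumption)
TOKEN = "REPLACE_WITH_BEARER_TOKEN"      # placeholder bearer token (assumption)


def parse_iso(ts):
    """Parse an ISO-8601 timestamp, accepting the trailing 'Z' form."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def needs_renewal(expires_iso, horizon_days=365, now_iso=None):
    """True when the MDM profile certificate expires within horizon_days of now."""
    now = parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    return parse_iso(expires_iso) - now <= timedelta(days=horizon_days)


def select_udids(inventory, horizon_days=365, now_iso=None):
    """UDIDs whose profile expiry is inside the horizon or unknown (treat unknown as due)."""
    return [c["udid"] for c in inventory
            if c.get("mdm_profile_expiration") is None
            or needs_renewal(c["mdm_profile_expiration"], horizon_days, now_iso)]


def batches(items, size=BATCH_SIZE):
    """Split a list into consecutive chunks of at most `size` items."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def renew_batch(udids):
    """POST one batch to the (assumed) Jamf Pro renew-profile endpoint; returns HTTP status."""
    req = urllib.request.Request(
        f"{JAMF_URL}/api/v1/mdm/renew-profile",   # assumed endpoint, verify before use
        data=json.dumps({"udids": udids}).encode(),
        headers={"Authorization": f"Bearer {TOKEN}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample inventory: every third device already has a long-lived profile.
SAMPLE_INVENTORY = [
    {"udid": f"UDID-{i:04d}",
     "mdm_profile_expiration": "2033-01-01T00:00:00Z" if i % 3 == 0 else "2023-11-01T00:00:00Z"}
    for i in range(250)
]

if __name__ == "__main__":
    targets = select_udids(SAMPLE_INVENTORY, now_iso="2023-05-01T00:00:00Z")
    for n, group in enumerate(batches(targets), 1):
        print(f"batch {n}: {len(group)} devices")  # call renew_batch(group) on a real run
```

Run one batch, confirm the devices actually renewed in inventory, and only then send the next; devices that have not checked in will not process the command until they do.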

7 replies

afnpw
  • Contributor
  • May 4, 2023

Finishing up this process now with our environment having 6000+ computers and 15000+ mobile devices. Has not been fun at all. We've been creating a list and updating static groups through MUT Classic and sending batches of 150 devices three times a day.

By now we have sent the command to every device and we still have roughly 700 computers not renewed and 1100 mobile devices not renewed. Most of these have simply not checked in for quite some time, while the ones that have checked in we are stumped on how to troubleshoot, as there are so many different circumstances. It's also hard for our large environment to have a device on hand to troubleshoot. I'm going to be very happy to be over with this soon.


  • Author
  • Valued Contributor
  • May 4, 2023

In my production environment, I occasionally push updated configuration profiles to more than 8,000 computers all at once without noticeable issues. Hopefully, pushing Renew MDM Profile commands isn't really more demanding on MDM server resources than pushing my configuration profiles.

Not sure if I'm comparing apples to oranges, but using my sandbox environment, I renewed the built-in CA and issued the MDM Renewal Command and let that sit for more than 24 hours before turning it back on. It went through successfully. In earlier tests, it looks like the option to automatically renew MDM profiles when the built-in CA is renewed will only kick in when the device checks in to Jamf Pro, and I tested that to be accurate on 2 Macs. It even says so in https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/MDM_Profile_Settings.html

  • The MDM profile will automatically renew after the next MDM command is issued or after the next time the computer or mobile device checks in to Jamf Pro via MDM. Devices may not check in immediately. Therefore, MDM profiles may not instantaneously renew after a renewal is triggered.

So with my boss' blessing, I'm planning to keep "When the built-in certificate authority is renewed" and "days before the MDM profile expires" both checked and hope for the best.


  • Author
  • Valued Contributor
  • May 9, 2023

Hi @afnpw,

Thank you for sharing your experience here.


donmontalvo
  • Hall of Fame
  • January 5, 2024

@afnpw considering the risk, would you say the experience was, in rock crawling parlance, a pucker moment? :)

All jokes aside, we always create a backup before updating the Jamf Pro server, and also before making any major changes.

I have a ticket open with Jamf to find out if we can restore a Jamf Pro backup in case something goes wrong, the concern being that the Jamf Built-in Certificate Authority would be "Renewed", which we assume would make the backup not restorable since renewed certs are no longer valid.

We aren't sure, since this is a built-in CA; hope to get an answer today. Will post once we find out.


  • Valued Contributor
  • April 21, 2026

We are getting the same answer on how to fix it from Jamf as the original poster. It has been very tedious, and we are seeing that some complete, but when you look at individual Macs, it shows that there was an update to the MDM profile, but the expiration date is still this year and not 10 years from now. We cannot trust that it is working correctly. We feel like this is something Jamf does not have a 100% solution to fix and we are their trial and error testers. Not fun AT ALL.


  • Valued Contributor
  • April 21, 2026

I should add that another solution to fix this was to collect all devices and re-enroll or erase/enroll. This is not part of our yearly process (we have students keep the same device for all 4 years of high school), and pushing this on the schools & tech team so close to the end of the school year will result in a huge disaster. We'd love to hear some other solutions!


AJPinto
  • Legendary Contributor
  • April 22, 2026

@Michael_Meyers

You don't need to worry about the expiration date shown on the MDM profile. macOS only validates the MDM profile's certificate chain at install time; if it was trusted when installed, the device will continue to accept and process MDM commands even after the profile's listed expiration date. The real indicator is whether management commands are succeeding.

That said, this thread is two years old and the original issue was resolved. You’ll get better visibility (and more accurate help) by starting a new thread and linking back to this one if needed.