AD-Certificate can't renew in Big Sur

Gonzalo
New Contributor III

We have a big problem with our Big Sur machines that can't renew/generate a new AD Certificate.
Big Sur machines correctly receive the initial certificate from AD during enrollment; ONLY the renewal feature does not work.
We have tried both on the local network and over VPN, same result. So it's not a VPN issue.
Works fine with our Catalina machines though.

All our machines are bound to AD. We are not using ADCS Connector.
Running Jamf Pro 10.26.1 on prem on a Windows server.

The AD-Cert is valid for 365 days and it is set to renew 14 days before the expiry date.

For troubleshooting purposes, we created a new certificate template with 7 days of validity, and automatic renewal is set to 5 days before the expiry date.
Unfortunately, we get the same problem as before. Works only on the Catalina machines.

We have generated a sysdiagnose file from a Catalina and a Big Sur machine and sent it to Jamf support. Without any luck so far.

Has anyone else encountered the same problem with Big Sur?

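A way to catch the renewal failure described above before the certificate actually expires, as an added example that is not part of the original post or of Jamf's own tooling: it reads the AD certificate's expiry from the System keychain and reports whether the Mac is inside the renewal window without a renewed certificate. It assumes the certificate's common name matches the Mac's short hostname and uses the 14-day renewal window from the post; both are assumptions, not facts from the thread.

```bash
#!/bin/bash
# Added example, not from the thread: flag Macs whose AD certificate is inside the
# renewal window (or already expired) so a silent renewal failure shows up in inventory.
# Assumptions: the certificate's CN is the Mac's short hostname (adjust for your template),
# and the renewal window is 14 days as in the original post.
RENEW_DAYS=14

# cert_status NOT_AFTER_EPOCH NOW_EPOCH -> "STATE DAYS"
# STATE is OK, RENEWAL_OVERDUE (inside the window but not yet renewed) or EXPIRED.
cert_status() {
  secs=$(( $1 - $2 ))
  days=$(( secs / 86400 ))
  if [ "$secs" -lt 0 ]; then
    state=EXPIRED
  elif [ "$days" -lt "$RENEW_DAYS" ]; then
    state=RENEWAL_OVERDUE
  else
    state=OK
  fi
  echo "$state $days"
}

# not_after_epoch "notAfter=Jan 10 12:00:00 2022 GMT" -> epoch seconds.
# macOS ships BSD date (-j -f); the GNU date (-d) fallback lets the script run on Linux too.
not_after_epoch() {
  stamp=${1#notAfter=}
  date -j -u -f "%b %d %H:%M:%S %Y %Z" "$stamp" +%s 2>/dev/null \
    || date -u -d "$stamp" +%s
}

# check_keychain_cert CN -> prints "STATE DAYS" for the certificate named CN in the System keychain.
# Returns non-zero if no such certificate is found (worth reporting on its own).
check_keychain_cert() {
  enddate=$(security find-certificate -c "$1" -p /Library/Keychains/System.keychain \
              | openssl x509 -noout -enddate) || return 1
  cert_status "$(not_after_epoch "$enddate")" "$(date +%s)"
}

# Usage on a managed Mac, e.g. from a Jamf extension attribute:
#   check_keychain_cert "$(hostname -s)"
```

Anything other than OK on a Big Sur Mac that should have renewed is the symptom the thread describes; an extension attribute or smart group on that output makes affected machines visible before the 365-day certificate lapses.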


dstranathan
Valued Contributor II

I haven't seen cert renewal issues yet per se, but I have noticed that Big Sur isn't trusting my internal root AD cert at deployment time.

All my managed Macs get both a root and an intermediate cert via packages/scripts (not profiles) at enrollment time. I have torn the package open and there is nothing wrong that I can find.

However, all my Mojave and Catalina Macs trust both my root and intermediate certs with no issues.

macOS 11.2 will be out relatively soon (in public beta now).

Update - my initial issue is resolved. Replacing packages with profiles allows my Big Sur test Macs to trust the root cert automatically.

svenke
New Contributor III

@Gonzalo we see the same behaviour on our machines. Renewal works fine on Catalina machines but not on Big Sur 😞

patgmac
Contributor III

@Gonzalo This is probably an Apple bug. Have you opened a ticket with Apple?

@dstranathan Big Sur no longer allows trusting of root CAs without a user entering their password. So using packages/scripts to install certs to the System keychain no longer works unless you do it with a logged-in user and that user enters their password. The supported method is to use certificates, but as we all know, that doesn't fully trust those certs, which is why you were probably using a script.

Gonzalo
New Contributor III

@patgmac I have not opened a ticket with Apple yet, but will probably do it now 🙂
I just saw the following in the latest release notes from Jamf Pro Beta 10.27, so maybe Jamf is on it?

We are now releasing Jamf Pro 10.27.0 beta 2! This release contains some new enhancements to Computer Device Certificate Renewal

patgmac
Contributor III

Not sure, I would post in the beta board to get confirmation.

Gonzalo
New Contributor III

@patgmac Do you know where I can open a case with Apple? Is it through the Feedback Assistance?

@svenke Any updates on your side?

patgmac
Contributor III

@Gonzalo We pay $17k a year for the privilege of opening tickets with Apple. 🥴

mschroder
Valued Contributor

@Gonzalo Feedback Assistance is one option, getting the expensive support that @patgmac mentions is another one. But have you tried whether 11.2 fixes this? I think it removes some of the excessive restrictions of Big Sur.

Gonzalo
New Contributor III
But have you tried whether 11.2 fixes this? I think it removes some of the excessive restrictions of Big Sur.

@mschroder Still broken in 11.2 😕

user-TWQHooQpVh
New Contributor

Big Sur introduced a new csrutil with this: csrutil authenticated-root status

Boot into Big Sur Recovery and type in the terminal csrutil authenticated-root disable; this is the "new Big Sur SIP disabled" (from my current Big Sur normal booting terminal).

Then reboot back to your desktop and type csrutil authenticated-root status and see if you get disabled. You should now be able to change your permission.

facetime app

patgmac
Contributor III

@user-TWQHooQpVh I'm confused why you're advising disabling SIP in this instance. How does that fix certificate renewal?

dstranathan
Valued Contributor II

My enterprise support rep also reminds me to use AppleSeed too (https://appleseed.apple.com/sp/help/faq)

cingalls
New Contributor II

@Gonzalo have you had any updates on this issue?
I'm still seeing it, too. Jamf also still lists it as known issue PI-009786