We have a big problem with our Big Sur machines that can't renew/generate a new AD Certificate.
Big Sur machines correctly receive the initial certificate from AD during enrollment; ONLY the renewal feature does not work.
We have tried both on the local network and over VPN, same result. So it's not a VPN issue.
Works fine with our Catalina machines though.
All our machines are bound to AD. We are not using ADCS Connector.
Running Jamf Pro 10.26.1 on prem on a Windows server.
The AD cert is valid for 365 days and is set to renew 14 days before the expiry date.
For troubleshooting purposes, we created a new certificate template with 7 days of validity, and automatic renewal is set to 5 days before the expiry date.
Unfortunately, we get the same problem as before. Works only on the Catalina machines.
We have generated a sysdiagnose file from a Catalina and a Big Sur machine and sent them to Jamf support. Without any luck so far.
Has anyone else encountered the same problem with Big Sur?
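As an added example (not from anyone in this thread), the following script is written in the shape of a Jamf Extension Attribute that reports how many days remain on a Mac's AD-issued certificate, so machines whose automatic renewal silently failed show up in inventory before the cert expires. It assumes the cert's CN is the computer name and lives in the System keychain; the `renewal_status` classification uses the 14-day window described above and can be tested offline.

```python
"""Hypothetical Jamf Extension Attribute: days left on the AD certificate (added example)."""
import socket
import subprocess
from datetime import datetime, timezone

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"  # assumption: cert is stored here
RENEW_DAYS = 14  # renewal window from the post above (14 days before expiry)


def parse_not_after(enddate_line):
    """Parse the 'notAfter=Jan  5 12:00:00 2022 GMT' line printed by `openssl x509 -enddate`."""
    value = enddate_line.strip().split("=", 1)[1]
    # strptime treats the single space in the format as "one or more spaces",
    # so openssl's padded day-of-month ("Jan  5") parses correctly.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def renewal_status(not_after, now, renew_days=RENEW_DAYS):
    """Classify the cert as 'ok', 'renewal-due' or 'expired' and return the days left.

    A cert reported as 'renewal-due' is inside the window in which the MDM should
    already have replaced it, so its presence flags a machine whose renewal did not fire.
    """
    days_left = (not_after - now).total_seconds() / 86400
    if days_left < 0:
        return "expired", days_left
    if days_left <= renew_days:
        return "renewal-due", days_left
    return "ok", days_left


def fetch_cert_enddate(common_name, keychain=SYSTEM_KEYCHAIN):
    """Export the cert matching the CN from the keychain and return its notAfter line.

    Uses the macOS `security` and `openssl` CLIs; only runs on a real Mac, not offline.
    """
    pem = subprocess.run(
        ["security", "find-certificate", "-c", common_name, "-p", keychain],
        check=True, capture_output=True, text=True).stdout
    return subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=pem, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    cn = socket.gethostname().split(".")[0]  # assumption: AD cert CN equals the computer name
    not_after = parse_not_after(fetch_cert_enddate(cn))
    status, days = renewal_status(not_after, datetime.now(timezone.utc))
    print(f"<result>{status} {days:.1f}</result>")  # Jamf EA result wrapper
```

A smart group on results containing "renewal-due" or "expired" then lists exactly the Macs (Big Sur or otherwise) whose certificate renewal did not happen.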
I haven't seen cert renewal issues yet per se, but I have noticed that Big Sur isn't trusting my internal root AD cert at deployment time.
All my managed Macs get both a root and an intermediate cert via packages/scripts (not profiles) at enrollment time. I have torn the package open and there is nothing wrong that I can find.
However, all my Mojave and Catalina Macs trust both my root and intermediate certs with no issues.
macOS 11.2 will be out relatively soon (in public beta now).
Update - my initial issue is resolved. Replacing packages with profiles allows my Big Sur test Macs to trust the root cert automatically.
@Gonzalo This is probably an Apple bug. Have you opened a ticket with Apple?
@dstranathan Big Sur no longer allows trusting of root CAs without a user entering their password. So using packages/scripts to install certs to the System keychain no longer works unless you do it with a logged-in user and that user enters their password. The supported method is to use certificates, but as we all know, that doesn't fully trust those certs, which is why you were probably using a script.
@patgmac I have not opened a ticket with Apple yet, but will probably do it now 🙂
I just saw the following in the latest release notes from Jamf Pro Beta 10.27, so maybe Jamf is on it?
We are now releasing Jamf Pro 10.27.0 beta 2! This release contains some new enhancements to Computer Device Certificate Renewal.
Big Sur introduced a new csrutil option: csrutil authenticated-root status
Boot into Big Sur Recovery and type in the terminal csrutil authenticated-root disable; this is the "new Big Sur SIP disabled" (from my current Big Sur normal-booting terminal).
Then reboot back to your desktop, type csrutil authenticated-root status and see if you get "disabled". You should now be able to change your permissions.