Config profile for certificate-based WiFi auth--can we auto-renew instead of user prompt?

stevehahn
Contributor

We deployed a configuration profile for EAP-TLS wifi authentication close to 90 days ago, so users are starting to approach the 90-day expiration for their certificates and are being prompted to update as shown in this Apple doc.

Is there a way to make the Mac renew the certificate automatically in the background, instead of prompting the user to do it?


bentoms
Release Candidate Programs Tester

@stevehahn I think SCEP auto-renews but not AD certs.

We just redeploy the cert profile.

stevehahn
Contributor

@bentoms how are you redeploying?

I've figured out that I can remove the MDM profile and re-enroll the machine with MDM,

#!/bin/sh

jamf removeMdmProfile; sleep 10; jamf mdm

which has the end result of nuking the AD cert and grabbing a new one, but "nuking" seems like the operative word. I'm hoping for something more elegant, a bash command or script that basically says "Yeah, that AD cert that's going to expire in 14 days--go ahead and renew it." That way the user doesn't get bugged to go into SysPrefs and click the "Update" button.

bentoms
Release Candidate Programs Tester

@stevehahn whoa. We're only talking a single profile.

I'm guessing all client certs expire at around the same time? If so we make a change to the profile & then push it out via the JSS.