I just noticed that my certificate inventory for the login keychain seems to be out of date. I'm curious if something changed (potentially with Catalina) where Jamf can no longer inventory certificates in the login keychain.
Can anyone confirm whether or not they are seeing the same thing? Is there a privacy preference option that can be put in place to allow this?
I recently spent quite some time on the deployment of a certificate through Configuration Profiles. It is a user certificate that basically gets stored in user login keychain.
From what I observed, when things are working as expected, the user level certificate gets deployed to the machine when a user logs in. When taking the machine out of the configuration profile scope and then when user logs in, the user level certificate gets removed from the machine. These are all reflected in the Inventory > Certificates section. When the certificate is added, it has that username associated with it. So for a machine with multiple user profiles, I will see multiple entries in the certificates list with the different usernames. Obviously this is the managed user certificate deployment scenario.
However, here come the problems. if the user manually removes the managed user certificate from login keychain:
1. Jamf inventory does not get updated and will still show the certificate as deployed. I can only tell the certificate is missing on the client machine either in keychain or the User Profile in the System Preferences > Profiles will show (Certificate) Error: Not found in keychain
2. The only way that I know to force the Jamf inventory to update the Certificates info reading is by running sudo jamf mdm -userLevelMdm command. But this will require the user to manually approve the MDM Profile again.
3. In order to put the user certificate back into user's login keychain, I had to add the machine into the Exclusions of the Configuration Profile scope, log off and log back in the user (the deployment completed record will disappear from the Configuration Profile log). Then remove the machine from the Exclusions, log off and log back in the user. Finally the certificate is back there. It is pity that the Configuration Profile doesn't detect the change and reverse it by automatically applying again at the user's next login. I think even the system level configuration profile doesn't do that either.
For the non-managed user certificate (users added by themselves), yes I'm seeing the similar problems. Jamf Inventory does not update the Certificates unless I run sudo jamf mdm -userLevelMdm command and get the user to approve MDM Profile again, which is obviously not ideal.
So in short, unfortunately for the user certificates, it looks to me unless they are deployed by Configuration Profiles and users don't touch it afterwards, or they are already in user login keychain before enabling mdm for local users (profile approval is required afterwards), it is not 100% reliable to tell if the user certificate is there. I had to use a script to find and confirm the certificate existence.
Not sure about the DEP enrolled machine. They may not have the need to reapprove the MDM Profile, in which case running that command to reenable the mdm for local users should be fine.
Hope this helps.
Thanks for the information. In my case, I am not talking about certificates deployed through configuration profiles.
I worked with Jamf support and we determined that inventorying user certificates used to work, but now doesn't. I was able to confirm that this worked in 10.11, but does not work in 10.20. Jamf support opened PI-008287 and I have been told that this bug should eventually be corrected in a future release.