Expired Push Certificate and Re-Enrollment

New Contributor II

Our institution's push certificate expired, a new one was created and uploaded.

My question is around getting the MDM profiles updated on our machines. Is there an easy way I can utilize JAMF (or even ARD?) to automatically update the MDM profile on all of our machines? We have ~200 Macs and I'm hoping we don't have to manually re-enroll them all.

Thank you in advance for any advice you can offer!


Valued Contributor

In my experience, you will need to re-enrol. I had it happen once; the warnings came in when I was on leave. Came back to chaos.
You might be able to get ARD to run the Jamf command line enrol command.

    Usage:   jamf enroll [-prompt | -invitation] [-noRecon] [-noManage]

         -prompt         Prompts for JSS and SSH credentials.
         -invitation     Uses an invitation ID for credentials instead of a user name and password.
         -noRecon        Stops enroll from acquiring inventory.
         -noManage       Stops enroll from enforcing the management framework.
         -noPolicy       Stops enroll from checking for enrollment policies.

But getting your credentials in there will be the hard bit.

Valued Contributor II

It also depends on if they were DEP/ADE enrolled originally. If they were, the MDM profile may be non-removable and require a hands-on re-enrollment to rid the machine of the expired one. You'll either need to attempt to remove it with the jamf binary or inside the recovery partition.

Either way I see a pair of sneakers and running from person to person in your future.

Contributor II

Oh man... that sucks, but this command should do you:

sudo profiles renew -type enrollment


Does this also work for DEP Enrolled Macs?

The sudo profiles renew -type enrollment command does work on DEP enrolled Macs; not sure if it will work with an expired push cert. You have to be logged in to the Mac as an administrator to make it work, as there are GUI pop-ups that you have to accept.
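
Several replies above turn on whether each Mac was DEP/ADE enrolled. The script below is an added example, not code from any post in this thread: it sorts a fleet into groups by parsing what `profiles status -type enrollment` prints. It assumes that output carries the `Enrolled via DEP:` and `MDM enrollment:` lines; the sample outputs and the `mdm.example.com` URL are constructed.

```shell
#!/bin/sh
# Added example: classify a Mac by enrollment type so the fleet can be split
# into groups before deciding how to re-enroll each one.

# Constructed sample outputs (not captured from real machines).
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm/ServerURL'

SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes
MDM server: https://mdm.example.com/mdm/ServerURL'

SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# classify_enrollment: reads status text on stdin and prints one of
#   not-enrolled | dep | user-approved | not-user-approved
classify_enrollment() {
    awk -F': *' '
        /^Enrolled via DEP/ { dep = $2 }
        /^MDM enrollment/   { mdm = $2 }
        END {
            if (mdm !~ /^Yes/)              print "not-enrolled"
            else if (dep ~ /^Yes/)          print "dep"
            else if (mdm ~ /User Approved/) print "user-approved"
            else                            print "not-user-approved"
        }'
}

# On a Mac, print "hostname<TAB>class" for collection by whatever tool runs it.
# Skipped on systems without the profiles binary.
if command -v profiles >/dev/null 2>&1; then
    printf '%s\t%s\n' "$(hostname)" \
        "$(profiles status -type enrollment 2>/dev/null | classify_enrollment)"
fi
```

Machines reported as `dep` are the ones where the MDM profile may be non-removable, as noted in the reply above.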