We have the Jamf ADCS Connector set up and everything is working fine. Certificates can be delegated and there is no issue there, but...

We have recently realised that under PKI Certificates -> Certificate Authority -> Active there are a lot more issued certs, and a lot on "Pending Revoke", than there are devices. So far we have only seen iPads with the status "Pending Revoke".

So we have an iPad and we tested this out: we added the iPad to the profile that delegates Wi-Fi and the certificates, and the iPad is on and connected to Wi-Fi so it has internet, but it is on the lock screen. What we see is that Jamf asks the ADCS Connector for a cert while the iPad is on the lock screen -> the Connector does its job, asks the CA for a cert and retrieves it -> and then I assume it ships it back to Jamf, and when Jamf tries to deliver the cert it can't because the iPad is on the lock screen. It then waits and waits for the iPad to be unlocked, but if it takes too long the certificate delivery eventually gets a status of "Pending Revoke". Now we are wondering if anyone in the community has experience with this and can answer whether this is basically just by design or whether we have done something wrong.

We are aware of the new ADCS Connector version 1.1.0 that can now automatically revoke AD CS certificates from computers or mobile devices. We haven't installed this version yet, but we were thinking that since so many iPads are appearing as "Pending Revoke", we would end up seeing a lot of certificates under "Revoked Certificates" on the CA server, and we wanted first to make sure whether this is just how it is or whether it is something else.


So to summarise: it seems that Jamf can't deliver the profile to the iPad until you unlock the screen, and the certificate has a limited time to be delivered; if the iPad is locked for too long it will eventually revoke the certificate and then just try again later with a new certificate, and keep doing so until it is able to deliver it. The issue here is that after we install the ability for automatic revoke, a lot of certificates would end up in Revoked Certificates on the CA server. The question is, is it supposed to be like this? Or have we missed something :)


Thanks in advance for any insight on this!