Help

Long Shot: Fixing a macOS Push Cert Issue

chadlawson
Contributor
Contributor

Posted on ‎09-20-2023 09:12 AM

I recently took a full-time position with a company for whom I used to consult on their Jamf instance. It had been a little over a year since I was on the system and in the meantime there had been a few other people with their hands inside it though it was mostly perceived as stable and left alone.

But I recently discovered that in the intervening year, the APNS cert had expired. A new certificate was created (with a different AppleID) and the handful of iOS devices were re-enrolled. Since the Macs were still checking in, it was assumed that nothing needed to be done.

I managed to find the original AppleID and found the cert under that login had been renewed at the same time. But it was the cert with the new login was uploaded to Jamf instead.

I have both certs downloaded and I created an extension attribute to determine which computers have which cert topic. Of the computers that have reported in, it's almost 50/50!

So I have a large number of computers that are still checking in but not taking MDM commands. 

Is there ANY way that I can fix this remotely?

Labels:
0 Kudos
1 REPLY 1

jtrant
Valued Contributor

‎09-21-2023 11:39 AM - edited ‎09-21-2023 11:41 AM

You will need to decide on which certificate to keep moving forward, and re-enroll devices under the other certificate. There is no way to do this remotely or silently.

If the Macs are DEP-enrolled, the end-user can run the following command which should trigger re-enrollment:

 

sudo profiles renew --type enrollment

 

 

From there, they need to accept the "Remote Management" prompt and authenticate if you have this enabled in your PreStage.

If it has been more than a year since the Mac was last enrolled, the following file will need to be deleted, then the device restarted before re-enrollment can be successful:

 

/Library/Keychains/apsd.keychain

 

0 Kudos