Our JSS Signing Certificate expired last month, and I have been unable to find how to either update it, or redeploy our MDM Profile. It's not our JSS Certificate Authority, but the Signing Certificate. Is there any documentation I should be looking for, or am I missing something obvious?
We are running 9.101.4, and it doesn't seem to have anything to do with user-approved MDM (although that's its own can of worms).
Hey @tomgluver, I want to clarify a few things. You referenced user approved MDM, I take it you are seeing this on Macs. And I'm guessing you are seeing the red "Not Verified" message on profiles. Are you seeing this on the MDM profile, Configuration Profiles, or both? Do newly enrolled machines, or newly deployed profiles also show the warning, or is it only older ones?
Bryan, I'm seeing the user-approved MDM message when we've re-enrolled 10.13.5 machines, or upgraded machines to 10.13. Not too big of an issue.
I am seeing the Unverified on MDM profiles, as well as any profiles that were deployed before the signing certificate expired. However, on newly enrolled/managed machines, everything is fine. Also, with configuration profiles that showed Unverified, re-pushing them resolved that as well. I'm just baffled as to how to redeploy the MDM profile (if possible). We have our prestage enrollment set to prevent MDM profile removal, which makes the cycle of
Seems like Jamf Pro forgets to renew the signing certificates of all clients' MDM profiles. Jamf support just told me to reinstall 2000 MDM profiles. Well thanks for that. For other people searching for this issue who find this thread, this EA will help in locating how many ("Not Verified") clients need the MDM profile removed and installed again.
We are in the same boat. With our DEP enrollment settings, there isn't really a good way to remove the MDM profile and reinstall. This is also becoming very annoying at times since on some computers, the instructions to "Verify" the profile pop up every time they go into Self Service, but they don't have an option to verify it.
We are seeing this now, also.
Have a March expiration for the JSS Signing cert.
Other than the MDM profile, all are unverified now on config profiles issued before a certain point (I guess whenever that signing cert auto-renewed?)
One of our guys is opening a ticket with Jamf Support; did they really give guidance to reissue thousands of config profiles to the fleet?
Looks like we are in the same boat now. Just noticed all of my profiles show Unverified. I pushed out all profiles by editing and saving again, which resulted in them all being Verified except for two: PPPC and MDM Enrollment. Manual enrollment using Terminal does not resolve the issue, and it changes the Enrollment Method to User-Initiated, removing DEP Prestages as the method; this resulted in borking smart groups that were based on Enrollment Method.
Waiting for JAMF to come up with a solution.
Our response from JAMF was as follows.
*As far as getting a new CA to a Mac goes, it will just need to be re-enrolled as you've found out. However, there isn't a need to remove the framework or start the Setup Assistant again. It is also worth noting that the CA being expired will only result in the profiles becoming unverified. Unverified profiles only matter if your environment deals with PPPC or KEXT.* (Every computer in my organization uses PPPC or KEXT, thanks for nothing)
*If these Macs are enrolled through DEP, we would have to send a "Remove MDM Profile" command to them. Once that MDM profile is removed, it can be re-enrolled through Terminal with: sudo profiles renew -type enrollment.*
Here's the kick in the pants. Removing the MDM Profile takes off all the profiles (including Wi-Fi). sudo profiles renew -type enrollment kicks out a 403 error. Not only did they NOT fix the problem, they borked a teacher's machine.
This sounds scary to say the least, and it seems that it will happen to every Jamf installation eventually. Looks like right now it's older customers that have used the solution for quite a while, so I'm wondering if Jamf will implement a renewal mechanism in a future release.
Just so I'm clear on what to look for, is it the expiration of the "JSS Built-in Certificate Authority" or "SCEP Enrollment" token (issued by the Jamf CA) that causes this? I can't see a way to find the expiration date for the "JSS Built-in Signing Certificate".
Edit: In Keychain Access the "JSS Built-in Signing Certificate" shows a date in 2021 for us. I've emailed Jamf Support for feedback and I'll update here when I hear back.
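To get that expiration date without opening Keychain Access, here is an added shell check (not from the thread or from Jamf) that reads every certificate named "JSS Built-in Signing Certificate" out of the System keychain and reports its notAfter date and whether it falls inside a warning window. The certificate name is the one shown in Keychain Access above; the System keychain path and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example: report when the Jamf signing certificate(s) in the System
# keychain expire, so unverified profiles can be anticipated rather than found.
CERT_NAME="JSS Built-in Signing Certificate"   # name as shown in Keychain Access
KEYCHAIN="/Library/Keychains/System.keychain"   # assumed location
WARN_DAYS=30                                     # assumed warning window

# Return 0 if the PEM certificate in $1 expires within $2 days (or has already
# expired), 1 if it stays valid beyond that window. "openssl x509 -checkend"
# behaves the same on macOS LibreSSL and Linux OpenSSL, so no date parsing.
cert_expires_within_days() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter field of the PEM certificate in $1, e.g. "Mar 20 15:48:00 2024 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Export every certificate with that common name, split the PEM bundle into one
# file per certificate (there may be several after a renewal) and report each.
report_signing_certs() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; this report only runs on macOS" >&2
        return 2
    fi
    tmpdir=$(mktemp -d) || return 2
    security find-certificate -a -c "$CERT_NAME" -p "$KEYCHAIN" 2>/dev/null \
        | awk -v dir="$tmpdir" '/BEGIN CERTIFICATE/ {n++} {print > (dir "/cert" n ".pem")}'
    found=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -f "$pem" ] || continue
        found=$((found + 1))
        if cert_expires_within_days "$pem" "$WARN_DAYS"; then
            state="EXPIRES WITHIN ${WARN_DAYS} DAYS (or already expired)"
        else
            state="ok"
        fi
        printf '%s: notAfter=%s  %s\n' "$CERT_NAME" "$(cert_not_after "$pem")" "$state"
    done
    [ "$found" -gt 0 ] || echo "no certificate named \"$CERT_NAME\" in $KEYCHAIN"
    rm -rf "$tmpdir"
}

# Run the report when executed on a Mac; the functions can also be sourced elsewhere.
command -v security >/dev/null 2>&1 && report_signing_certs
```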
Release notes for Jamf Pro 10.21.0 reference a new feature: "Expiring Jamf Pro JSS Built-In Certificate Authority (CA) Notification".
Does anyone know if this provides a mechanism to renew the CA, or just the warning that it's going to expire? I have reached out to Jamf and will update here once I receive a reply.
Edit: I confirmed with Jamf Pro that 10.21.0 does not resolve this PI.
Provided the device identity certificate in the MDM profile has not expired, you can also renew the MDM profile using one of the following methods:
- For a single device, using the Renew MDM Profile button from the management tab of the device.
- For one or more devices, using a mass action from a smart group or advanced search.
@tcandela the instructions are in the linked KB article above, and also in the release notes:
Once you renew the CA, devices will automatically receive the updated MDM profile and related signing certificates on next check-in. You can also force renewal on a particular computer/device under the management tab for that device. You won't see any of these options until you upgrade to 10.23.0.
For the two options, both assume you've already upgraded to Jamf Pro 10.23.
1) Find the computer and then select it followed by clicking on the management tab. If the "Renew MDM Profile" button is not visible then it may mean Jamf Pro does not consider that computer as being MDM capable or enrolled.
2) From the Smart Group or Advanced Search, click the action button in the lower right and select the option for "Send Remote Commands". From there click on the next button and select option for "Renew MDM Profile".
@tcandela I had about 600 machines in an unverified state. Running a renew on all of them resulted in about 500 of those coming back to verified. I now have nearly 100 that enrolled via user-initiated enrollment that are still unverified and I can't get to verify despite trying various solutions. A few were fixed via pushing a policy that was just "jamf trustjss".
The real issue is I have half a dozen machines that were enrolled via ADE/DEP that are in unverified status, and won't get the renew MDM command (it just sits in pending). My thought on these is they had migration assistant run on them after enrollment and someone forgot to uncheck everything but the user account, so MDM has been hosed on them for a while. =/ Which means I get to fix them manually... =( Apple needs to give us some way to fix systems in this state without disabling SIP. =/
@rstasel what did you set up to get 500 of those 600 renewed?
I just tried sudo jamf trustjss and it said 'downloading required CA certificate(s)...' but MDM profile is still 'unverified'.
What was your smart group configuration that showed you which Macs were unverified?
When I look at a Mac's inventory information in the General section, I have a Mac with MDM Profile Expiration Date: 03/20/2024 at 3:48 PM and MDM Profile Verification State: Not Verified.
I don't understand these 2 results. Under Profiles in System Preferences I clearly see the MDM Profile Unverified.
So I'm using the EA here: https://www.jamf.com/jamf-nation/third-party-products/files/830/mdm-profile-verification-state
I just have a smart group that looks for "Unverified" for that EA.
The renew command runs as a standard MDM command. So I just did a search for every computer in an unverified state, then did Action, Cancel Management Commands, and canceled all pending/failed commands. Then did the search again, and did Action, Send Remote Command, Renew MDM Profile.
That EA only updates on inventory, so I just waited and watched the number drop. After a couple weeks it was down to where I'm at now.
The issue is according to Jamf, I'm likely going to have to re-enroll all the machines that didn't renew. Either via User Initiated for the ones not in ADE, or for the ones enrolled via ADE I get to do the whole disable SIP, rip out profile, reenable SIP, reenroll BS. Unless I can find a better way. The issue is once it's super wedged, the "Remove MDM" command doesn't work anymore...
@rstasel yes, I have that EA set up and see all the Macs that are unverified. So I have all of them in a smart group.
Now I'm kinda lost on your second paragraph. Is this a policy you set up?
Did you set up a policy to do this: "The renew command runs as a standard MDM command. So I just did a search for every computer in an unverified state, then did Action, Cancel Management Commands, and canceled all pending/failed commands. Then did the search again, and did Action, Send Remote Command, Renew MDM Profile."