Posted on 07-17-2018 10:26 AM
Our JSS Signing Certificate expired last month, and I have been unable to find how to either update it, or redeploy our MDM Profile. It's not our JSS Certificate Authority, but the Signing Certificate. Is there any documentation I should be looking for, or am I missing something obvious?
We are running 9.101.4, and it doesn't seem to have anything to do regarding user approved MDM (although that's its own can of worms).
Posted on 07-19-2018 01:38 PM
Hey @tomgluver, I want to clarify a few things. You referenced user approved MDM, I take it you are seeing this on Macs. And I'm guessing you are seeing the red "Not Verified" message on profiles. Are you seeing this on the MDM profile, Configuration Profiles, or both? Do newly enrolled machines, or newly deployed profiles also show the warning, or is it only older ones?
Posted on 07-19-2018 01:44 PM
Bryan, I'm seeing the user-approved MDM message when we've re-enrolled 10.13.5 machines, or upgraded machines to 10.13. Not too big of an issue.
I am seeing the Unverified on MDM profiles, as well as any profiles that were deployed before the signing certificate expired. However, on newly enrolled/managed machines, everything is fine. Also, with configuration profiles that showed Unverified, re-pushing them resolved that as well. I'm just baffled as to how to redeploy the MDM profile (if possible). We have our prestage enrollment set to prevent MDM profile removal, which makes the cycle of
Posted on 02-18-2019 12:48 AM
Seems like Jamf Pro forgets to renew signing certificates of all clients' MDM profiles. Jamf support just told me to reinstall 2000 MDM profiles. Well, thanks for that. For other people searching for this issue who find this thread, this EA will help in locating how many ("Not Verified") clients need the MDM profile removed and installed again.
Posted on 02-28-2019 08:50 AM
We are in the same boat. With our DEP enrollment settings, there isn't really a good way to remove the MDM profile and reinstall. This is also becoming very annoying at times since on some computers, the instructions to "Verify" the profile pop up every time they go into Self Service, but they don't have an option to verify it.
Posted on 04-03-2019 01:03 PM
Just started seeing this today. Any Mac enrolled or Profile pushed before today shows as "Unverified" any profiles pushed today are verified. Is there any fix beyond re-enrolling? And if not how do I re-enroll a DEP device? (I'm on JAMF-Pro 10.8 BTW)
Posted on 06-06-2019 08:46 AM
We are seeing this now, also.
Have a March expiration for the JSS Signing cert.
Other than the MDM profile, all are unverified now on config profiles issued before a certain point (I guess whenever that signing cert auto-renewed?)
One of our guys is opening a ticket with Jamf Support; did they really give guidance to reissue thousands of config profiles to the fleet?
Posted on 08-14-2019 04:23 AM
Looks like we are in the same boat now. Just noticed all of my profiles show Unverified. I pushed out all profiles by editing and saving again, which resulted in them all being Verified except for two: PPPC and MDM Enrollment. Manual enrollment using Terminal does not resolve the issue, and it changes the Enrollment Method to User-Initiated, removing DEP Prestages as the method; this resulted in borking smart groups that were based on Enrollment Method.
Waiting for JAMF to come up with a solution.
Posted on 09-04-2019 12:19 PM
Is it the Love Boat or the Titanic we're on? Are they serving drinks on the deck yet? 'Cause we're on it too, and we're all going to need some drinks unless Jamf has a solution.
Posted on 09-04-2019 12:25 PM
Our response from JAMF was as follows.
*As far as getting a new CA goes to a Mac, it will just need to be re-enrolled, as you've found out. However, there isn't a need to remove the framework or start the Setup Assistant again. It is also worth noting that the CA being expired will only result in the profiles becoming unverified. Unverified profiles only matter if your environment deals with PPPC or KEXT. (Every computer in my organization uses PPPC or KEXT, thanks for nothing)
If these Macs are enrolled through DEP, we would have to send a "Remove MDM Profile" command to them. Once that MDM profile is removed, it can be re-enrolled through Terminal with: sudo profiles renew -type enrollment.*
Here's the kick in the pants. Removing the MDM Profile takes off all the profiles (including WIFI). sudo profiles renew -type enrollment kicks out a 403 error. Not only did they NOT fix the problem, they borked a teachers machine.
Posted on 09-04-2019 12:37 PM
@larry_barrett The 403 error in most cases can be cured by deleting the apsd.keychain file in the /Library/Keychains directory. Delete that, reboot and try again.
Posted on 09-04-2019 12:39 PM
I've read that. Main problem with all of this nonsense is putting hands on hundreds of devices because "reasons". It would literally take less time to setup a new MDM than to "fix" this problem.
Posted on 09-19-2019 06:00 AM
I'm seeing this issue as well. System enrolled 9/11/14.
Posted on 09-30-2019 08:36 AM
Following this thread. Would really like JAMF to fix this. I got told the same thing. I was pretty much horrified that this is even a thing. DEP devices essentially have to be manually dis-enrolled and re-enrolled. Tell me why I should be pushing DEP again?
Posted on 09-30-2019 11:19 AM
This sounds scary to say the least, and it seems that it will happen to every Jamf installation eventually. Looks like right now it's older customers that have used the solution for quite a while, so I'm wondering if Jamf will implement a renewal mechanism in a future release.
Just so I'm clear on what to look for, is it the expiration of the "JSS Built-in Certificate Authority" or "SCEP Enrollment" token (issued by the Jamf CA) that causes this? I can't see a way to find the expiration date for the "JSS Built-in Signing Certificate".
Edit: In KeyChain Access the "JSS Built-in Signing Certificate" shows a date in 2021 for us. I've emailed Jamf Support to feedback and I'll update here when I hear back.
Posted on 10-01-2019 06:38 AM
@acaveny And the craptacular thing about it with regards to DEP: once you re-enroll through a self enrollment vs. DEP, you lose all the DEP features, which become MORE important in Catalina.
Posted on 10-02-2019 08:16 AM
This is a known Product Issue - PI-000489. I'd recommend raising this with your Customer Success Specialist (as I did). The more people that raise the issue, the better the likelihood of a resolution.
Posted on 12-04-2019 01:27 AM
+1 on this.
The suggested re-enrolling all devices doesn't seem like a feasible option.
Posted on 03-09-2020 08:14 AM
Do any of you know if having the MDM Profile 'unverified' has an effect on whether Self Service works or not? Or what kinds of implications come about with the MDM Profile 'unverified'?
I have more than half of the Macs I manage (about 200) showing up as MDM Profile 'unverified'.
Posted on 04-29-2020 09:07 AM
Release notes for Jamf Pro 10.21.0 reference a new feature: "Expiring Jamf Pro JSS Built-In Certificate Authority (CA) Notification".
Does anyone know if this provides a mechanism to renew the CA, or just the warning that it's going to expire? I have reached out to Jamf and will update here once I receive a reply.
Edit: I confirmed with Jamf Pro that 10.21.0 does not resolve this PI.
Posted on 07-29-2020 02:26 PM
This appears to be addressed in 10.23... there's now functionality to renew MDM profiles.
Posted on 07-29-2020 06:32 PM
Yes, in Jamf Pro 10.23 there is now the ability to renew both the built-in CA certificate and MDM profiles.
Posted on 08-17-2020 01:35 PM
I've got like 94 computers with MDM Profile unverified out of approx 170.
Posted on 08-17-2020 01:37 PM
@tcandela Does this answer? https://www.jamf.com/jamf-nation/articles/765/renewing-jamf-pro-jss-built-in-certificate-authority-ca
Posted on 08-17-2020 02:29 PM
Provided the device identity certificate in the MDM profile has not expired you can also renew the MDM profile using one of the following methods
- For a single device using the Renew MDM Profile button from the management tab of the device.
- For one or more devices using a mass action from a smart group or advanced search
Posted on 08-17-2020 02:50 PM
@drhoten can you show me a screen shot of your options you suggested?
I'd like to try option 1 first, and then your second option afterwards.
Posted on 08-18-2020 10:32 AM
@tcandela the instructions are in the linked KB article above, and also in the release notes:
Once you renew the CA, devices will automatically receive the updated MDM profile and related signing certificates on next check-in. You can also force renewal on a particular computer/device under the management tab for that device. You won't see any of these options until you upgrade to 10.23.0.
Posted on 08-18-2020 03:06 PM
For the two options, both assume you've already upgraded to Jamf Pro 10.23.
1) Find the computer and then select it followed by clicking on the management tab. If the "Renew MDM Profile" button is not visible then it may mean Jamf Pro does not consider that computer as being MDM capable or enrolled.
2) From the Smart Group or Advanced Search, click the action button in the lower right and select the option for "Send Remote Commands". From there click on the next button and select option for "Renew MDM Profile".
Posted on 09-10-2020 06:22 PM
@tcandela how did it go? I have to upgrade my JSS to get this going but I have about 30 unverified machines that I can't push out PPPC profiles to and now I am in need of doing that ASAP.
Posted on 09-11-2020 06:16 AM
Make sure you exclude pre-10.13 Macs from renewing the MDM Profile. They won't do it anyway, but attempting to do so appears to make the jamf daemon go crazy (100% CPU) after a while :(
Posted on 12-07-2020 07:44 AM
@rgranholm @mschroder I haven't been able to figure out how to renew these MDM profiles that are now showing 'unverified'.
I click the 'Renew MDM Profile' in the management tab and nothing happens (I'm sure you must be on the same LAN or something).
have you gotten your macs profiles verified?
Posted on 12-07-2020 08:20 AM
@tcandela I had about 600 machines in an unverified state. Running a renew on all of them resulted in about 500 of those coming back to verified. I now have nearly 100 that enrolled via user-initiated enrollment that are still unverified and I can't get to verify despite trying various solutions. A few were fixed via pushing a policy that was just "jamf trustjss".
The real issue is I have half a dozen machines that were enrolled via ADE/DEP that are in unverified status, and won't get the renew MDM command (it just sits in pending). My thought on these is they had migration assistant run on them after enrollment and someone forgot to uncheck everything but the user account, so MDM has been hosed on them for a while. =/ Which means I get to fix them manually... =( Apple needs to give us some way to fix systems in this state without disabling SIP. =/
Posted on 12-07-2020 08:59 AM
@rstasel what did you setup to get 500 of those 600 renewed?
I just tried sudo jamf trustjss and it said 'downloading required CA certificate(s)...', but the MDM profile is still 'unverified'.
What was your smartgroup configuration that showed you which macs were unverified?
When I look at a Mac's inventory information in the GENERAL section, I have a Mac with MDM Profile Expiration Date: 03/20/2024 at 3:48 PM and MDM Profile Verification State: Not Verified.
I don't understand these 2 results. Under Profiles in System Preferences I clearly see the MDM Profile as Unverified.
Posted on 12-07-2020 09:16 AM
So I'm using the EA here: https://www.jamf.com/jamf-nation/third-party-products/files/830/mdm-profile-verification-state
I just have a smart group that looks for "Unverified" for that EA.
The renew command runs as a standard MDM command. So I just did a search for every computer in an unverified state, then did Action, Cancel Management Commands, and canceled all pending/failed commands. Then did the search again, and did Action, Send Remote Command, Renew MDM Profile.
That EA only updates on inventory, so I just waited and watched the number drop. After a couple weeks it was down to where I'm at now.
The issue is according to Jamf, I'm likely going to have to re-enroll all the machines that didn't renew. Either via User Initiated for the ones not in ADE, or for the ones enrolled via ADE I get to do the whole disable SIP, rip out profile, reenable SIP, reenroll BS. Unless I can find a better way. The issue is once it's super wedged, the "Remove MDM" command doesn't work anymore...
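The two posts above lean on an Extension Attribute that reports each Mac's MDM profile verification state so a smart group can collect the "Unverified" machines. The following is an added example of that kind of check, written for this edit and not the EA linked in the thread or anything Jamf ships. It parses the attribute list printed by `profiles -C -v` (the line format, including the `profileVerificationState` attribute name, is assumed from typical output and should be confirmed on a test Mac), and the Jamf MDM profile identifier `00000000-0000-0000-A000-4A414D460003` is likewise an assumption. When `/usr/bin/profiles` is not present the script falls back to a constructed sample so the parsing logic can be exercised anywhere.

```shell
#!/bin/bash
# Added example: EA-style check of the MDM profile's verification state,
# parsed from `profiles -C -v` output. Not Jamf's EA and not from the thread.
# Run as root on macOS for real data; elsewhere it uses the constructed sample.

# Assumption: the Jamf MDM profile uses this identifier ("4A414D46" is "JAMF" in hex).
MDM_PROFILE_ID="00000000-0000-0000-A000-4A414D460003"

# Constructed sample of `profiles -C -v` output (line format assumed): a stale MDM
# profile next to a Wi-Fi profile that was re-pushed after the cert renewal.
SAMPLE_PROFILES_OUTPUT='_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[1] attribute: profileInstallDate: 2017-03-02 14:10:22 +0000
_computerlevel[1] attribute: profileDisplayName: MDM Profile
_computerlevel[1] attribute: profileVerificationState: unverified
_computerlevel[1] attribute: profileRemovalDisallowed: true
_computerlevel[2] attribute: profileIdentifier: com.example.wifi
_computerlevel[2] attribute: profileInstallDate: 2019-08-14 09:01:03 +0000
_computerlevel[2] attribute: profileDisplayName: Wi-Fi
_computerlevel[2] attribute: profileVerificationState: verified'

# Read `profiles -C -v` style text on stdin and print the verification state of
# the profile whose profileIdentifier equals $1, or "Not Installed" if absent.
parse_verification_state() {
  awk -v id="$1" '
    /^_computerlevel\[[0-9]+\] attribute: / {
      # Attributes of one profile share the same _computerlevel[N] prefix.
      prefix = $1
      line = $0
      sub(/^[^ ]+ attribute: /, "", line)
      key = line; sub(/:.*/, "", key)          # text before the first colon
      val = line; sub(/^[^:]+: /, "", val)     # text after "key: " (may contain colons)
      if (key == "profileIdentifier") ident[prefix] = val
      else if (key == "profileVerificationState") state[prefix] = val
    }
    END {
      found = 0
      for (p in ident) {
        if (ident[p] == id) {
          found = 1
          s = (p in state) ? state[p] : "unknown"
          print s
          break
        }
      }
      if (!found) print "Not Installed"
    }'
}

# Use the live system when `profiles` exists, otherwise the constructed sample.
mdm_verification_state() {
  if [ -x /usr/bin/profiles ]; then
    /usr/bin/profiles -C -v 2>/dev/null | parse_verification_state "$MDM_PROFILE_ID"
  else
    printf '%s\n' "$SAMPLE_PROFILES_OUTPUT" | parse_verification_state "$MDM_PROFILE_ID"
  fi
}

# Normalize to the values a smart group criterion would match on.
ea_result() {
  case "$(mdm_verification_state)" in
    verified)        echo "Verified" ;;
    unverified)      echo "Unverified" ;;
    "Not Installed") echo "Not Installed" ;;
    *)               echo "Unknown" ;;
  esac
}

# Jamf Extension Attributes report their value inside <result> tags on stdout.
echo "<result>$(ea_result)</result>"
```

Because an EA only updates at inventory time, the smart group built on it lags the actual state of the fleet, which is why the count in the post above dropped over a couple of weeks rather than immediately after the Renew MDM Profile command was sent.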
Posted on 12-07-2020 09:44 AM
@rstasel Yes, I have that EA set up and see all the Macs that are unverified. So I have all of them in a smart group.
Now I'm kinda lost on your second paragraph. Is this a policy you set up?
Did you set up a policy to do this: "The renew command runs as a standard MDM command. So I just did a search for every computer in an unverified state, then did Action, Cancel Management Commands, and canceled all pending/failed commands. Then did the search again, and did Action, Send Remote Command, Renew MDM Profile."?