
Hi all,

Our JSS Signing Certificate expired last month, and I have been unable to find how to either update it, or redeploy our MDM Profile. It's not our JSS Certificate Authority, but the Signing Certificate. Is there any documentation I should be looking for, or am I missing something obvious?

We are running 9.101.4, and it doesn't seem to have anything to do regarding user approved MDM (although that's its own can of worms).

Thanks

Hey @tomgluver, I want to clarify a few things. You referenced user approved MDM, I take it you are seeing this on Macs. And I'm guessing you are seeing the red "Not Verified" message on profiles. Are you seeing this on the MDM profile, Configuration Profiles, or both? Do newly enrolled machines, or newly deployed profiles also show the warning, or is it only older ones?

Thanks


Bryan, I'm seeing the user-approved MDM message when we've re-enrolled 10.13.5 machines, or upgraded machines to 10.13. Not too big of an issue.

I am seeing the Unverified on MDM profiles, as well as any profiles that were deployed before the signing certificate expired. However, on newly enrolled/managed machines, everything is fine. Also, with configuration profiles that showed Unverified, re-pushing them resolved that as well. I'm just baffled as to how to redeploy the MDM profile (if possible). We have our prestage enrollment set to prevent MDM profile removal, which makes the cycle of

jamf removemdmprofile
jamf mdm

Thanks @bryan.hengels


Seems like Jamf Pro forgets to renew the signing certificates of all clients' MDM profiles. Jamf support just told me to reinstall 2000 MDM profiles. Well, thanks for that. For other people searching for this issue who find this thread, this EA will help in locating how many ("Not Verified") clients need a remove & install of the MDM profile again.
https://www.jamf.com/jamf-nation/third-party-products/files/830/mdm-profile-verification-state


We are in the same boat. With our DEP enrollment settings, there isn't really a good way to remove the MDM profile and reinstall. This is also becoming very annoying at times since on some computers, the instructions to "Verify" the profile pop up every time they go into Self Service, but they don't have an option to verify it.


Just started seeing this today. Any Mac enrolled or profile pushed before today shows as "Unverified"; any profiles pushed today are verified. Is there any fix beyond re-enrolling? And if not, how do I re-enroll a DEP device? (I'm on Jamf Pro 10.8 BTW)


We are seeing this now, also.
Have a March expiration for the JSS Signing cert.
Other than the MDM profile, all are unverified now on config profiles issued before a certain point (I guess whenever that signing cert auto-renewed?)

One of our guys is opening a ticket with Jamf Support; did they really give guidance to reissue thousands of config profiles to the fleet?

Thanks,
Bruce


Looks like we are in the same boat now. Just noticed all of my profiles show Unverified. I pushed out all profiles by editing and saving again, which resulted in them all being Verified except for two: PPPC and MDM Enrollment. Manual enrollment using Terminal does not resolve the issue, and it changes the Enrollment Method to User-Initiated, removing DEP Prestages as the method. This resulted in borking smart groups that were based on Enrollment Method.

Waiting for JAMF to come up with a solution.


Is it the Love Boat or the Titanic we're on? Are they serving drinks on the deck yet? 'Cause we're on it too, and we're all going to need some drinks unless Jamf has a solution.


Our response from JAMF was as follows.

*As far as getting a new CA to a Mac goes, it will just need to be re-enrolled, as you've found out. However, there isn't a need to remove the framework or start the Setup Assistant again. It is also worth noting that the CA being expired will only result in the profiles becoming unverified. Unverified profiles only matter if your environment deals with PPPC or KEXT. (Every computer in my organization uses PPPC or KEXT, thanks for nothing)

If these Macs are enrolled through DEP, we would have to send a "Remove MDM Profile" command to them. Once that MDM profile is removed, it can be re-enrolled through Terminal with: sudo profiles renew -type enrollment.*

Here's the kick in the pants. Removing the MDM Profile takes off all the profiles (including WIFI). sudo profiles renew -type enrollment kicks out a 403 error. Not only did they NOT fix the problem, they borked a teacher's machine.


@larry_barrett The 403 error in most cases can be cured by deleting the apsd.keychain file in the /Library/Keychains directory. Delete that, reboot and try again.


I've read that. Main problem with all of this nonsense is putting hands on hundreds of devices because "reasons". It would literally take less time to setup a new MDM than to "fix" this problem.


I'm seeing this issue as well. System enrolled 9/11/14.


Following this thread. Would really like JAMF to fix this. I got told the same thing. I was pretty much horrified that this is even a thing. DEP devices essentially have to be manually dis-enrolled and re-enrolled. Tell me why I should be pushing DEP again?


This sounds scary to say the least, and it seems that it will happen to every Jamf installation eventually. Looks like right now it's older customers that have used the solution for quite a while, so I'm wondering if Jamf will implement a renewal mechanism in a future release.

Just so I'm clear on what to look for, is it the expiration of the "JSS Built-in Certificate Authority" or "SCEP Enrollment" token (issued by the Jamf CA) that causes this? I can't see a way to find the expiration date for the "JSS Built-in Signing Certificate".

Edit: In Keychain Access the "JSS Built-in Signing Certificate" shows a date in 2021 for us. I've emailed Jamf Support for feedback and I'll update here when I hear back.

Thanks.


@acaveny And the craptacular thing about it with regards to DEP: once you re-enroll through self enrollment vs. DEP, you lose all the DEP features, which become MORE important in Catalina.


This is a known Product Issue - PI-000489. I'd recommend raising this with your Customer Success Specialist (as I did). The more people that raise the issue, the better the likelihood of a resolution.


+1 on this.
The suggested re-enrolling all devices doesn't seem like a feasible option.


Do any of you know if having the MDM Profile 'unverified' has an effect on whether SELF SERVICE works or not? Or what kinds of implications come about with the MDM Profile 'unverified'?

I have more than half of the Macs I manage (about 200) showing up as MDM Profile 'unverified'.


Release notes for Jamf Pro 10.21.0 reference a new feature: "Expiring Jamf Pro JSS Built-In Certificate Authority (CA) Notification".

Does anyone know if this provides a mechanism to renew the CA, or just the warning that it's going to expire? I have reached out to Jamf and will update here once I receive a reply.

Edit: I confirmed with Jamf Pro that 10.21.0 does not resolve this PI.


This appears to be addressed in 10.23... there's now functionality to renew MDM profiles.


Yes, in Jamf Pro 10.23 there is now the ability to renew both the built-in CA certificate and MDM profiles.


@rstasel @drhoten so a new version of the JAMF Pro suite of tools is available 10.23.0?


Yes, @boberito Isaac is serving drinks on the Lido deck...


@drhoten @rhooper Where do I find this setting in Jamf Pro 10.23 that gives the ability to renew both the built-in CA certificate and the MDM profile?


I've got like 94 computers with MDM Profile unverified out of approx. 170.