MDM Profile Unverified - Signing Certificate Expired

tomgluver
New Contributor III

Hi all,

Our JSS Signing Certificate expired last month, and I have been unable to find how to either update it, or redeploy our MDM Profile. It's not our JSS Certificate Authority, but the Signing Certificate. Is there any documentation I should be looking for, or am I missing something obvious?

We are running 9.101.4, and it doesn't seem to have anything to do with user approved MDM (although that's its own can of worms).

Thanks


bryan_hengels
New Contributor II

Hey @tomgluver, I want to clarify a few things. You referenced user approved MDM, I take it you are seeing this on Macs. And I'm guessing you are seeing the red "Not Verified" message on profiles. Are you seeing this on the MDM profile, Configuration Profiles, or both? Do newly enrolled machines, or newly deployed profiles also show the warning, or is it only older ones?

Thanks

tomgluver
New Contributor III

Bryan, I'm seeing the user-approved MDM message when we've re-enrolled 10.13.5 machines, or upgraded machines to 10.13. Not too big of an issue.

I am seeing the Unverified on MDM profiles, as well as any profiles that were deployed before the signing certificate expired. However, on newly enrolled/managed machines, everything is fine. Also, with configuration profiles that showed Unverified, re-pushing them resolved that as well. I'm just baffled as to how to redeploy the MDM profile (if possible). We have our prestage enrollment set to prevent MDM profile removal, which makes the cycle of

jamf removemdmprofile
jamf mdm

Thanks @bryan.hengels

niklas_blomdale
New Contributor II

Seems like Jamf Pro forgets to renew the signing certificates of all clients' MDM profiles. Jamf support just told me to reinstall 2000 MDM profiles. Well, thanks for that. For other people searching for this issue who find this thread, this EA will help in locating how many ("Not Verified") clients need a remove & install of the MDM profile again.
https://www.jamf.com/jamf-nation/third-party-products/files/830/mdm-profile-verification-state

nnewport
New Contributor III

We are in the same boat. With our DEP enrollment settings, there isn't really a good way to remove the MDM profile and reinstall. This is also becoming very annoying at times since on some computers, the instructions to "Verify" the profile pop up every time they go into Self Service, but they don't have an option to verify it.

jason_bracy
Contributor III

Just started seeing this today. Any Mac enrolled or Profile pushed before today shows as "Unverified" any profiles pushed today are verified. Is there any fix beyond re-enrolling? And if not how do I re-enroll a DEP device? (I'm on JAMF-Pro 10.8 BTW)

guidotti
Contributor II

We are seeing this now, also.
Have a March expiration for the JSS Signing cert.
Other than the MDM profile, all are unverified now on config profiles issued before a certain point (I guess whenever that signing cert auto-renewed?)

One of our guys is opening a ticket with Jamf Support; did they really give guidance to reissue thousands of config profiles to the fleet?

Thanks,
Bruce

mradams
Contributor

Looks like we are in the same boat now. Just noticed all of my profiles show Unverified. I pushed out all profiles by editing and saving again, which resulted in them all being Verified except for two: PPPC and MDM Enrollment. Manual enrollment using Terminal does not resolve the issue, and it changes the Enrollment Method to User-Initiated, removing DEP Prestages as the method; this resulted in borking smart groups that were based on Enrollment Method.

Waiting for JAMF to come up with a solution.

boberito
Valued Contributor

Is it the Love Boat or the Titanic we're on? Are they serving drinks on the deck yet? 'Cause we're on it too, and we're all going to need some drinks unless Jamf has a solution.

larry_barrett
Valued Contributor

Our response from JAMF was as follows.

*As far as getting a new CA goes to a Mac, it will just need to be re-enrolled as you've found out. However, there isn't a need to remove the framework or start the Setup Assistant again. It is also worth noting that the CA being expired will only result in the profiles becoming unverified. Unverified profiles only matter if your environment deals with PPPC or KEXT. (Every computer in my organization uses PPPC or KEXT, thanks for nothing)

If these Macs are enrolled through DEP, we would have to send a "Remove MDM Profile" command to them. Once that MDM profile is removed, it can be re-enrolled through Terminal with: sudo profiles renew -type enrollment.*

Here's the kick in the pants. Removing the MDM Profile takes off all the profiles (including Wi-Fi). sudo profiles renew -type enrollment kicks out a 403 error. Not only did they NOT fix the problem, they borked a teacher's machine.

mainelysteve
Valued Contributor

@larry_barrett The 403 error in most cases can be cured by deleting the apsd.keychain file in the /Library/Keychains directory. Delete that, reboot and try again.

larry_barrett
Valued Contributor

I've read that. Main problem with all of this nonsense is putting hands on hundreds of devices because "reasons". It would literally take less time to setup a new MDM than to "fix" this problem.

denmoff
Contributor III

I'm seeing this issue as well. System enrolled 9/11/14.

acaveny
New Contributor III

Following this thread. Would really like JAMF to fix this. I got told the same thing. I was pretty much horrified that this is even a thing. DEP devices essentially have to be manually dis-enrolled and re-enrolled. Tell me why I should be pushing DEP again?

jtrant
Contributor III

This sounds scary to say the least, and it seems that it will happen to every Jamf installation eventually. Looks like right now it's older customers that have used the solution for quite a while, so I'm wondering if Jamf will implement a renewal mechanism in a future release.

Just so I'm clear on what to look for, is it the expiration of the "JSS Built-in Certificate Authority" or "SCEP Enrollment" token (issued by the Jamf CA) that causes this? I can't see a way to find the expiration date for the "JSS Built-in Signing Certificate".

Edit: In KeyChain Access the "JSS Built-in Signing Certificate" shows a date in 2021 for us. I've emailed Jamf Support to feedback and I'll update here when I hear back.

Thanks.

boberito
Valued Contributor

@acaveny And the craptacular thing about it with regards to DEP: once you re-enroll through a self enrollment vs DEP, you lose all the DEP features, which become MORE important in Catalina.

jtrant
Contributor III

This is a known Product Issue - PI-000489. I'd recommend raising this with your Customer Success Specialist (as I did). The more people that raise the issue, the better the likelihood of a resolution.

emilh
New Contributor III

+1 on this.
The suggested re-enrolling all devices doesn't seem like a feasible option.

tcandela
Valued Contributor

Do any of you know if having the MDM Profile 'unverified' has an effect on whether Self Service works or not? Or what kinds of implications come about with the MDM Profile 'unverified'?

I have more than half of the Macs I manage (about 200) showing up as MDM Profile 'unverified'.

jtrant
Contributor III

Release notes for Jamf Pro 10.21.0 reference a new feature: "Expiring Jamf Pro JSS Built-In Certificate Authority (CA) Notification".

Does anyone know if this provides a mechanism to renew the CA, or just the warning that it's going to expire? I have reached out to Jamf and will update here once I receive a reply.

Edit: I confirmed with Jamf Pro that 10.21.0 does not resolve this PI.

rstasel
Contributor III

This appears to be addressed in 10.23... there's now functionality to renew MDM profiles.

drhoten
Contributor II

Yes, in Jamf Pro 10.23 there is now the ability to renew both the built-in CA certificate and MDM profiles.

tcandela
Valued Contributor

@rstasel @drhoten so a new version of the JAMF Pro suite of tools is available 10.23.0?

rhooper
Contributor III

Yes, @boberito Isaac is serving drinks on the Lido deck...

tcandela
Valued Contributor

@drhoten @rhooper where do I find this Jamf Pro 10.23 "ability to renew both the built-in CA certificate and MDM profile" setting?

tcandela
Valued Contributor

I've got like 94 computers with MDM Profile unverified out of approx. 170.

rstasel
Contributor III

@tcandela Does this answer? https://www.jamf.com/jamf-nation/articles/765/renewing-jamf-pro-jss-built-in-certificate-authority-ca

tcandela
Valued Contributor

@rstasel I'll check it out, thanks. Hopefully I don't have to re-enroll 94 Macs to get this done.

drhoten
Contributor II

Hi @tcandela

Provided the device identity certificate in the MDM profile has not expired, you can also renew the MDM profile using one of the following methods:
- For a single device using the Renew MDM Profile button from the management tab of the device.
- For one or more devices using a mass action from a smart group or advanced search

tcandela
Valued Contributor

@drhoten can you show me a screen shot of your options you suggested?
Id like to try option 1 but then your second option afterwards.

jtrant
Contributor III

@tcandela the instructions are in the linked KB article above, and also in the release notes:
https://docs.jamf.com/10.23.0/jamf-pro/release-notes/What's_New.html

Once you renew the CA, devices will automatically receive the updated MDM profile and related signing certificates on next check-in. You can also force renewal on a particular computer/device under the management tab for that device. You won't see any of these options until you upgrade to 10.23.0.

drhoten
Contributor II

Hi @tcandela

For the two options, both assume you've already upgraded to Jamf Pro 10.23.

1) Find the computer and then select it followed by clicking on the management tab. If the "Renew MDM Profile" button is not visible then it may mean Jamf Pro does not consider that computer as being MDM capable or enrolled.

2) From the Smart Group or Advanced Search, click the action button in the lower right and select the option for "Send Remote Commands". From there click on the next button and select option for "Renew MDM Profile".

rgranholm
Contributor

@tcandela how did it go? I have to upgrade my JSS to get this going but I have about 30 unverified machines that I can't push out PPPC profiles to and now I am in need of doing that ASAP.

tcandela
Valued Contributor

@rgranholm I'm still waiting to get upgraded to 10.23.0

mschroder
Valued Contributor

Make sure you exclude pre-10.13 Macs from renewing the MDM Profile. They will not do it anyway, but attempting to do so appears to make the jamf daemon go crazy (100% CPU) after a while 😞

tcandela
Valued Contributor

@rgranholm @mschroder I haven't been able to figure out how to renew these MDM profiles that are now showing 'unverified'.

I click the 'Renew MDM Profile' button in the management tab and nothing happens (I'm sure you must be on the same LAN or something).

have you gotten your macs profiles verified?

rstasel
Contributor III

@tcandela I had about 600 machines in an unverified state. Running a renew on all of them resulted in about 500 of those coming back to verified. I now have nearly 100 that enrolled via user initiated enrollment that are still unverified and I can't get to verify despite trying various solutions. A few were fixed via pushing a policy that was just "jamf trustjss".

The real issue is I have half a dozen machines that were enrolled via ADE/DEP that are in unverified status, and won't get the renew MDM command (it just sits in pending). My thought on these is they had migration assistant run on them after enrollment and someone forgot to uncheck everything but the user account, so MDM has been hosed on them for a while. =/ Which means I get to fix them manually... =( Apple needs to give us some way to fix systems in this state without disabling SIP. =/

tcandela
Valued Contributor

@rstasel what did you setup to get 500 of those 600 renewed?

I just tried sudo jamf trustjss and it said 'downloading required CA certificate(s)...', but the MDM profile is still 'unverified'.

What was your smartgroup configuration that showed you which macs were unverified?

When I look at a Mac's inventory information in the GENERAL section, I have a Mac with MDM Profile Expiration Date: 03/20/2024 at 3:48 PM and MDM Profile Verification State: Not Verified.

I don't understand these 2 results. Under Profiles in System Preferences I clearly see the MDM Profile as Unverified.

rstasel
Contributor III

@tcandela So I'm using the EA here: https://www.jamf.com/jamf-nation/third-party-products/files/830/mdm-profile-verification-state
I just have a smart group that looks for "Unverified" for that EA.

The renew command runs as a standard MDM command. So I just did a search for every computer in an unverified state, then did Action, Cancel Management Commands, and canceled all pending/failed commands. Then did the search again, and did Action, Send Remote Command, Renew MDM Profile.

That EA only updates on inventory, so I just waited and watched the number drop. After a couple weeks it was down to where I'm at now.

The issue is according to Jamf, I'm likely going to have to re-enroll all the machines that didn't renew. Either via User Initiated for the ones not in ADE, or for the ones enrolled via ADE I get to do the whole disable SIP, rip out profile, reenable SIP, reenroll BS. Unless I can find a better way. The issue is once it's super wedged, the "Remove MDM" command doesn't work anymore...
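The verification-state extension attribute that niklas_blomdale linked earlier and that rstasel builds his "Unverified" smart group on is not reproduced in the thread, so below is an added example of such an EA written for this edit; it is not the script behind the linked Jamf Nation file and not Jamf's own code. It assumes (not stated anywhere on this page) that `profiles -C -v` on 10.13+ prints one `_computerlevel[N] attribute: <key>: <value>` line per attribute, that one of those keys is `profileVerificationState`, and that the Jamf MDM profile carries the identifier `00000000-0000-0000-A000-4A414D460003`. The `profiles` output embedded in it is constructed for the demonstration, and the result strings `Verified`, `Unverified` and `Not Installed` are this example's own choice.

```shell
#!/bin/sh
# Jamf Pro extension attribute: report whether the MDM enrollment profile on this
# Mac still verifies. Added example for this thread, not the linked Jamf Nation EA.
#
# Assumptions (not taken from the thread):
#   - `profiles -C -v` prints lines like "_computerlevel[N] attribute: <key>: <value>"
#     and one of those keys is profileVerificationState.
#   - The Jamf MDM profile identifier is the value below.
MDM_PROFILE_ID="00000000-0000-0000-A000-4A414D460003"

# Constructed sample of `profiles -C -v` output: MDM profile signed by an expired
# signing cert (unverified) next to a config profile that was re-pushed (verified).
SAMPLE_UNVERIFIED='There are 2 configuration profiles installed for "_computerlevel"

_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[1] attribute: profileDisplayName: MDM Profile
_computerlevel[1] attribute: profileVerificationState: unverified
_computerlevel[1] attribute: profileUUID: 00000000-0000-0000-A000-4A414D460003
_computerlevel[2] attribute: profileIdentifier: com.example.pppc.screenrecording
_computerlevel[2] attribute: profileDisplayName: PPPC - Screen Recording
_computerlevel[2] attribute: profileVerificationState: verified
_computerlevel[2] attribute: profileUUID: 9C5B6C3D-0000-4000-8000-000000000002'

# Constructed sample of a healthy enrollment (MDM profile verified).
SAMPLE_VERIFIED='There are 1 configuration profiles installed for "_computerlevel"

_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[1] attribute: profileDisplayName: MDM Profile
_computerlevel[1] attribute: profileVerificationState: verified
_computerlevel[1] attribute: profileUUID: 00000000-0000-0000-A000-4A414D460003'

# mdm_verification_state TEXT
#   TEXT is `profiles -C -v` output. Prints exactly one of:
#     Verified      - MDM profile installed and its signature verifies
#     Unverified    - MDM profile installed but not verified (or state missing)
#     Not Installed - no profile with the MDM identifier at all
mdm_verification_state() {
    printf '%s\n' "$1" | awk -v id="$MDM_PROFILE_ID" '
        # Key every attribute by its "_computerlevel[N]" slot so the identifier
        # and the verification state of the same profile can be paired up.
        $2 == "attribute:" && $3 == "profileIdentifier:"        { ident[$1] = $4 }
        $2 == "attribute:" && $3 == "profileVerificationState:" { state[$1] = tolower($4) }
        END {
            for (k in ident) {
                if (ident[k] == id) {
                    # Anything other than an explicit "verified" is treated as
                    # Unverified, including a profile with no state line at all.
                    print (state[k] == "verified") ? "Verified" : "Unverified"
                    exit
                }
            }
            print "Not Installed"
        }'
}

if [ -x /usr/bin/profiles ]; then
    # Real run on a Mac. Jamf executes extension attributes as root, so no sudo.
    result=$(mdm_verification_state "$(/usr/bin/profiles -C -v 2>/dev/null)")
else
    # Off-Mac demonstration against the constructed sample.
    result=$(mdm_verification_state "$SAMPLE_UNVERIFIED")
fi
printf '<result>%s</result>\n' "$result"
```

Paste the script into a computer extension attribute with a String data type, then build the smart group with the criterion "<EA name> is Unverified". As rstasel notes, the value only changes on inventory update, so the group shrinks at the pace of your recon schedule rather than at the pace of the Renew MDM Profile commands.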

tcandela
Valued Contributor

@rstasel Yes, I have that EA set up and see all the Macs that are unverified. So I have all of them in a smart group.

Now I'm kinda lost on your second paragraph. Is this a policy you set up?

Did you set up a policy to do this: "The renew command runs as a standard MDM command. So I just did a search for every computer in an unverified state, then did Action, Cancel Management Commands, and canceled all pending/failed commands. Then did the search again, and did Action, Send Remote Command, Renew MDM Profile."