Jamf Nation Community

Hello @jtrant

In Jamf Pro 10.23 only the device identity certificate in the MDM profile is renewed. This can be done by either renewing the built-in CA or independently for a group of one or more devices using a mass action in a smart group or advanced search.

To redistribute a configuration profile, you would need to manually edit the config proile and select the option for distributing the changes to all devices once it is saved.

Thanks @drhoten, we renewed the CA this morning but only the CA itself renewed, none of the signing certificate expiration dates changed. The documentation states that all signing certificates are automatically renewed.

Does this only happen if they are set to expire within a certain time period? Ours are good until 10/2021 but we wanted to renew them well ahead of time as Jamf is not available outside of our network, and there are a number of clients that don't check in frequently.

Edit: The certs did renew based on the logs, but the UI still shows the old dates. New clients are still getting certs signed by the JSS signing cert that expires in 2021.

Hello @jtrant

After the CA is renewed, devices are marked as needing a new MDM profile. The next time the device is sent another MDM command it is also sent a Renew MDM Profile command. This is so we are not sending new MDM profiles to all devices in your fleet at the same time, so it may take a while for the new device identity certificates to appear on devices.

Are you still setting new clients being signed by the the older signing certificate?