Renewing the Built-in CA in Jamf Pro

dng2000
Contributor II

Has anyone had to renew the built-in CA in Jamf Pro before and, if so, mind sharing your experience with it? I'm primarily curious how many devices ended up having to unenroll and re-enroll as a result of MDM profiles failing to renew. With over 11,000 Macs in my environment, the suggestion shared by Jamf support of disabling automatic MDM profile renewals before renewing the built-in CA, then issuing MDM renewal commands manually to no more than 100 devices at a time, isn't realistic in my environment, especially when neither the smart nor the static computer groups are designed to group devices strictly by quantity into groups of 100 that easily.

4 REPLIES

afnpw
New Contributor III

Finishing up this process now with our environment having 6000+ computers and 15000+ mobile devices. Has not been fun at all. We've been creating a list and updating static groups through MUT Classic and sending batches of 150 devices three times a day.

By now we have sent the command to every device and we still have roughly 700 computers not renewed and 1100 mobile devices not renewed. Most of these have simply not checked in for quite some time, while the ones that have checked in we are getting stumped with how to troubleshoot, as there are so many different circumstances. It's also hard for our large environment to have a device on hand to troubleshoot. I'm going to be very happy to be over with this soon.
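The batching described in this thread (static groups of 100 to 150 devices, sent a few times a day) can also be driven from a script with a UDID list, which makes the "which devices still haven't been sent the command" bookkeeping easier. This is an added example, not code from the thread or from Jamf; the endpoint path and JSON body (POST /api/v1/mdm/renew-profile with {"udids": [...]}) and the bearer-token header are assumptions based on my reading of the Jamf Pro API docs, so verify them against your Jamf Pro version before use.

```python
# Added example (not from the thread or Jamf): send "Renew MDM Profile"
# commands in fixed-size batches and keep a record of what was accepted.
# ASSUMPTION: Jamf Pro API exposes POST /api/v1/mdm/renew-profile taking
# {"udids": [...]} and a bearer token; check this against your instance.
import json
import time
import urllib.request
from typing import Callable, Iterable, List


def chunk(items: List[str], size: int) -> List[List[str]]:
    """Split a UDID list into batches of at most `size` (e.g. 100 or 150)."""
    if size < 1:
        raise ValueError("batch size must be >= 1")
    return [items[i:i + size] for i in range(0, len(items), size)]


def jamf_sender(base_url: str, token: str) -> Callable[[List[str]], bool]:
    """Return a function that POSTs one batch of UDIDs to the assumed endpoint."""
    def send(udids: List[str]) -> bool:
        body = json.dumps({"udids": udids}).encode()
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v1/mdm/renew-profile",  # assumed path
            data=body, method="POST",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return 200 <= resp.status < 300
    return send


def renew_in_batches(udids: Iterable[str], send: Callable[[List[str]], bool],
                     batch_size: int = 100, pause_s: float = 0.0) -> dict:
    """Send renewals batch by batch, pausing between batches, and report which
    UDIDs were accepted so a failed batch can be re-run from the 'failed' list."""
    done: List[str] = []
    failed: List[str] = []
    # De-duplicate while keeping order so no device is sent two commands.
    unique = list(dict.fromkeys(u.strip() for u in udids if u.strip()))
    batches = chunk(unique, batch_size)
    for batch in batches:
        try:
            ok = send(batch)
        except Exception:  # network/HTTP error: keep the batch for a retry
            ok = False
        (done if ok else failed).extend(batch)
        if pause_s:
            time.sleep(pause_s)
    return {"sent": done, "failed": failed, "batches": len(batches)}
```

Pair `jamf_sender(url, token)` with `renew_in_batches(udids_from_file, sender, 100, pause_s=60)` and write the returned `failed` list back to disk; devices that never check in will still stay unrenewed, as the thread notes, because the command only takes effect on check-in.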

dng2000
Contributor II

Hi @afnpw,

Thank you for sharing your experience here.

dng2000
Contributor II

In my production environment, I occasionally push updated configuration profiles to more than 8,000 computers all at once without noticeable issues. Hopefully, pushing Renew MDM Profile commands isn't really more demanding on MDM server resources than pushing my configuration profiles.

Not sure if I'm comparing apples to oranges, but using my sandbox environment, I renewed the built-in CA and issued the MDM Renewal Command and let that sit for more than 24 hours before turning it back on. It went through successfully. In earlier tests, it looks like the option to automatically renew MDM profiles when the built-in CA is renewed will only kick in when the device checks in to Jamf Pro, and I tested that to be accurate on 2 Macs. It even says so in https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/MDM_Profile_Settings.html

  • The MDM profile will automatically renew after the next MDM command is issued or after the next time the computer or mobile device checks in to Jamf Pro via MDM. Devices may not check in immediately. Therefore, MDM profiles may not instantaneously renew after a renewal is triggered.

So with my boss' blessing, I'm planning to keep "When the built-in certificate authority is renewed" and "days before the MDM profile expires" both checked and hope for the best.

donmontalvo
Esteemed Contributor III

@afnpw considering the risk, would you say the experience was, in rock crawling parlance, a pucker moment? :)

All jokes aside, we always create a backup before updating the Jamf Pro server, and also before making any major changes.

I have a ticket open with Jamf to find out if we can restore a Jamf Pro backup in case something goes wrong, the concern being that the Jamf Built-in Certificate Authority would be "Renewed", which we assume would make the backup not restorable since renewed certs are no longer valid.

We aren't sure, since this is a built-in CA; hope to get an answer today. Will post once we find out.

--
https://donmontalvo.com