System Certificates disappearing after enrollment


We are seeing an increase in the number of machines that have System Certificates disappear after enrollment, sometimes even on machines that have been active and enrolled for quite a while. No discernible pattern. We are using our own JDS.

Certificates being lost are:
InCommon RSA Server CA
USERTrust RSA Certificate Authority
JSS Built-In Signing Certificate
<Institution> JSS Built-in Certificate

The specific scenario we just ran into was 26 machines, all run through a PreStage enrollment and then software installed through a DEP workflow. All software installed fine during the DEP workflow. A new piece of software was to be installed today and 1/26 was completed successfully. The other 25 all failed with:

"The network connection was interrupted while downloading the package from https://<server>/<package>.pkg. Attempting to reconnect..."

followed by:

"<package>.pkg is not available on the HTTP server."

As I mentioned, we have seen this in small numbers before, so I checked one of the machines and, sure enough, some or all of the certs were missing.

This ONLY affected packages downloading from the JDS. Policies that only run scripts or execute commands work without issue.

Re-enrollment works and the certs are re-downloaded, but this will presumably break any Smart Groups that would rely on machines being enrolled via that particular PreStage.

Has anyone else seen this? Does anyone have any ideas what may be causing it? Does anyone have a valid workaround (unable to deploy any packages through JDS since the machine is being denied access due to missing certs)?