FileVault Certificate Expired - Impact? Resolution?

jamf-42
Valued Contributor II

I've raised a ticket with JAMF on this, but some Jamf Nation... clarification... would be welcome.

On a JAMF instance there is a configuration profile set up for FileVault escrow.

The associated certificate in the configuration profile has expired. 

JAMF support say to delete the cert and it will auto generate a new one. 

Before this is actioned, does this sound correct?

Surely the cert here is used to decrypt the PRK that exists in the jamf database. 

If you update the certificate will this not break it? 

What is the ongoing impact of deploying this config profile with the outdated cert? 

I've seen something along these lines before and it's ended up with a need to decrypt the Macs and redo FileVault.


jtrant
Valued Contributor

My understanding is that an expired FileVault signing certificate won't affect anything. I avoided any potential issues by un-scoping the old profile and scoping a new one with the same configuration (but a new certificate). You must un-scope the old profile before scoping the new one, as you can only have one FileVault configuration profile. No impact on any existing configuration, PRK or anything like that.

You can't update the existing profile with a new certificate, as far as I know. Deleting a certificate from the PKI sounds interesting, but this was not a solution they suggested when I contacted Jamf Support, and it does sound like it would rip the certificate off each client which would be bad.

jamf-42
Valued Contributor II

Thanks for the reply.

JAMF support specifically said to bin the cert in the config profile and let it generate a new cert and then apply that. Last time I saw that implemented it opened a whole world of pain! (PRK was garbage). Even then, creating a new config profile, with new cert did not fix this and required decrypt etc, which they would like to avoid! 

Not sure how an expired cert would still be a valid key... when it's... not? Jamfy oddness!!
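Added example, not code from the thread, from Jamf, or from Apple: a stdlib-only Python script that opens an FDE escrow .mobileconfig, follows the FDERecoveryKeyEscrow payload's EncryptCertPayloadUUID to the com.apple.security.pkcs1 certificate payload it points at, and reports that certificate's notAfter. That is the check to run before touching anything, so you know which certificate is actually in the deployed profile and whether it is the expired one. The payload key names (PayloadContent, EncryptCertPayloadUUID, Location, com.apple.security.pkcs1) follow Apple's published profile reference as I understand it; the profile and the certificate-shaped DER inside it are constructed here with placeholder names, key and signature and are not a real certificate. Only the standard tbsCertificate validity fields are parsed, so the same cert_validity function works on a real DER certificate exported from Jamf Pro.

```python
"""Check the escrow certificate inside a FileVault (FDERecoveryKeyEscrow)
configuration profile.  Stdlib only: plistlib for the profile, a minimal DER
walk for the X.509 validity field.  Added example, not Jamf/Apple code."""
import plistlib
from datetime import datetime, timezone

# --- minimal DER encode/decode (enough for tbsCertificate.validity) ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one TLV."""
    return bytes([tag]) + _der_len(len(content)) + content

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(cert_der):
    """Certificate -> tbsCertificate -> validity; returns (notBefore, notAfter)."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                        # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, SPKI, ...
    not_before, not_after = der_children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)

# --- profile inspection ------------------------------------------------------
ESCROW_TYPE = "com.apple.security.FDERecoveryKeyEscrow"

def escrow_status(profile, now):
    """Locate the escrow payload, follow EncryptCertPayloadUUID to the certificate
    payload, and report whether that certificate has expired at `now`."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    escrow = next(p for p in by_uuid.values() if p["PayloadType"] == ESCROW_TYPE)
    cert_payload = by_uuid[escrow["EncryptCertPayloadUUID"]]
    not_before, not_after = cert_validity(cert_payload["PayloadContent"])
    return {"location": escrow["Location"],
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
            "expired": now > not_after, "days_left": (not_after - now).days}

def check_mobileconfig(blob, now):
    """Same check starting from the raw bytes of an unsigned .mobileconfig."""
    return escrow_status(plistlib.loads(blob), now)

# --- CONSTRUCTED sample data (not a real certificate or profile) -------------
def fake_cert(not_before, not_after):
    """DER shaped like an X.509 certificate; placeholder name, key and signature,
    only the validity dates are meaningful."""
    utc = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"escrow-sample"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name
              + der(0x30, utc(not_before) + utc(not_after)) + name
              + der(0x30, alg + der(0x03, b"\x00\x00")))
    return der(0x30, tbs + alg + der(0x03, b"\x00\x00"))

def sample_profile(cert_der):
    """Hypothetical escrow profile; UUIDs and identifiers are made up."""
    cert_uuid = "6E1E4B2A-6C8C-4D8E-9B0C-1A2B3C4D5E6F"
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.fv-escrow",
            "PayloadUUID": "3F2504E0-4F89-41D3-9A0C-0305E82C3301",
            "PayloadContent": [
                {"PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
                 "PayloadIdentifier": "com.example.fv-escrow.cert",
                 "PayloadUUID": cert_uuid, "PayloadContent": cert_der},
                {"PayloadType": ESCROW_TYPE, "PayloadVersion": 1,
                 "PayloadIdentifier": "com.example.fv-escrow.fde",
                 "PayloadUUID": "0D3B8F7E-1C2A-4B5D-8E9F-A1B2C3D4E5F6",
                 "Location": "Example MDM escrow", "EncryptCertPayloadUUID": cert_uuid}]}

def demo(now=datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """Run the check against one expired and one still-valid constructed profile."""
    expired = fake_cert(datetime(2019, 1, 1), datetime(2021, 1, 1))
    valid = fake_cert(datetime(2023, 1, 1), datetime(2026, 1, 1))
    return {"expired": check_mobileconfig(plistlib.dumps(sample_profile(expired)), now),
            "valid": check_mobileconfig(plistlib.dumps(sample_profile(valid)), now)}

if __name__ == "__main__":
    for label, status in demo().items():
        print(label, status)
```

To run it against a real profile, export the unsigned .mobileconfig and pass its bytes to check_mobileconfig with datetime.now(timezone.utc). Note that notAfter is a validity window that certificate validators enforce; the RSA private key that matches the certificate decrypts exactly as before, which is why an expired escrow certificate and a missing or replaced private key are two different failure modes to ask support about separately.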