Sunday, December 12, 2021

Automatically renew certificates delivered via a configuration profile - Apple Support

Beginning with macOS Sierra 10.12.4, administrators can set a system preference that enables automatic renewal of eligible certificates when the certificates are delivered as part of a device profile. 

See which certificates are eligible for automatic renewal

Only ADCertificates delivered as part of a device profile are eligible for automatic renewal.

The following certificates are not eligible and must be renewed manually:

  • ADCertificate payloads delivered as part of a user profile
  • Certificates delivered as part of an SCEP payload of any kind
  • Certificates delivered as part of a profile that contains a mobile device management (MDM) payload
  • Certificates delivered as part of an over-the-air (OTA) enrollment profile

Enable or disable automatic renewal of eligible certificates

In macOS High Sierra 10.13.4 or later, eligible certificates renew automatically. If you don't want the certificate in a particular payload to renew automatically, add an "EnableAutoRenewal" key (boolean) with a value of FALSE to that payload.

Or, to disable automatic certificate renewal for all payloads, enter this command in Terminal on your Mac:

  sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool NO  

To enable automatic renewal of eligible certificates in macOS Sierra 10.12.4 through macOS High Sierra 10.13.3, enter this command in Terminal:

  sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES  
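As an added example (not part of Apple's article), the eligibility rules above and the EnableAutoRenewal payload key applied to a .mobileconfig with Python's plistlib: the checker reports which certificate payloads will renew automatically and which must be renewed manually, and why. The PayloadType strings for ADCertificate, SCEP and MDM payloads come from Apple's Configuration Profile Reference; the "Profile Service" type used for OTA enrollment and all sample identifiers are assumptions.

```python
import plistlib

AD_CERT = "com.apple.ADCertificate.managed"  # Active Directory certificate payload
SCEP = "com.apple.security.scep"             # SCEP payload
MDM = "com.apple.mdm"                        # MDM payload
OTA = "Profile Service"                      # OTA enrollment payload (assumed identifier)

def renewal_status(profile: dict) -> dict:
    """Map each certificate payload's PayloadIdentifier to 'auto' or 'manual: <reason>'."""
    payloads = profile.get("PayloadContent", [])
    # Device profiles carry PayloadScope=System; the key defaults to User when absent.
    device_profile = profile.get("PayloadScope", "User") == "System"
    has_mdm = any(p.get("PayloadType") == MDM for p in payloads)
    has_ota = any(p.get("PayloadType") == OTA for p in payloads)
    result = {}
    for p in payloads:
        ptype, ident = p.get("PayloadType"), p.get("PayloadIdentifier", "<no identifier>")
        if ptype == SCEP:
            result[ident] = "manual: delivered by a SCEP payload"
        elif ptype == AD_CERT:
            if not device_profile:
                result[ident] = "manual: ADCertificate in a user profile"
            elif has_mdm:
                result[ident] = "manual: profile contains an MDM payload"
            elif has_ota:
                result[ident] = "manual: OTA enrollment profile"
            elif p.get("EnableAutoRenewal", True) is False:  # absent key means renew
                result[ident] = "manual: EnableAutoRenewal is FALSE"
            else:
                result[ident] = "auto"
    return result

def renewal_status_from_bytes(mobileconfig: bytes) -> dict:
    """Same check, starting from the raw bytes of a .mobileconfig file."""
    return renewal_status(plistlib.loads(mobileconfig))

def _payload(ptype: str, ident: str, **extra) -> dict:
    return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadUUID": ident,
            "PayloadVersion": 1, **extra}

# Constructed sample device profile (hypothetical identifiers, not a real deployment).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadScope": "System", "PayloadVersion": 1,
    "PayloadIdentifier": "example.renewal-demo", "PayloadUUID": "example.renewal-demo",
    "PayloadContent": [
        _payload(AD_CERT, "example.adcert.auto"),
        _payload(AD_CERT, "example.adcert.pinned", EnableAutoRenewal=False),
        _payload(SCEP, "example.scep"),
    ],
})
```

Run `renewal_status_from_bytes(open("profile.mobileconfig", "rb").read())` against a real profile to see which payloads the fixed retry schedule below applies to.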

Learn more

Certificates that automatically renew can't be renewed manually, including in Profiles preferences or using the profiles -W command. Automatic renewal occurs on the same schedule that determines when to show the Update button in Profiles preferences, or when to send the user a notification that the certificate is expiring. If renewal fails, retries occur on this fixed schedule:

  • If renewal fails because the server couldn't be contacted, retries occur once per hour or whenever there is a network transition.
  • If renewal fails after contacting the server, retries occur once every 24 hours, ensuring that multiple unsuccessful attempts don't cause a user's account to become locked. Restarting the Mac does not affect this schedule.