Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: toddatkuapay
toddatkuapay Author
User level: Level 1
0 points

Code Signing Certificate Renewal for Profile Manager

Currently we have around 800 ipods/iphones around the globe that were all enrolled into our Profile Manager in the past year. In one month our Code Signing Certificate will expire on ALL of those devices. I have updated the certificate on our Profile Manager server and installed that into the Profile Manager.


How do I update all of the devices in the field with the new certificate? It is not possible for every one of those devices to be re-enrolled. These are systems that we give to our customers to use for a specific purpose and they have no clue how to do anything with the MDM or the profile manager. Apple - this wasn't well thought out...

OS X Mountain Lion (10.8.2)

Posted on Sep 20, 2013 9:41 AM

Reply
4 replies
User profile for user: MrHoffman
MrHoffman
Community+ 2024
User level: Level 10
116,205 points

Sep 20, 2013 11:46 AM in response to toddatkuapay

After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.


Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already.


Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap. (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)


If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.


{FWIW, this is a user forum and the folks from Apple may or may not see your report. If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

Reply
User profile for user: Patrick Fist
Patrick Fist
User level: Level 1
51 points

Nov 19, 2013 2:48 PM in response to toddatkuapay

Hello Everybody,


the code signing certificate is valid for one year if you use the default code signing certificate issued by the local OD.

To sign/encrypt your profiles is import until you have secret information in your profiles like a shared-secret in a VPN configuration profile. When the profile is valid signed at the time of loading into a client this is enaugh.

The configurations wont be lost or dropped by the client.

Apple expect that you put your clients into client groups and that you change profile settings from time to time. In this case it would be enaugh to renew the certifcate 2 month before expiring and change any Profile information on Group basis ... and the clients will be deployed with a new fresh signed profile.


If one year is not enaugh for your needs, feel free to issue a longer valid vertificate from a 3rd party vendor.



I hope my story helped you, understanding the crazy ideas of a apple developer (sure it was a intern when developing the profile service 😉)

Reply

Code Signing Certificate Renewal for Profile Manager

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up