Profile Manager Device Identity CA

Hi

I'm new and found this site just some minutes ago. Happy for that.


I have iPads and MacBooks enrolled in Profile Manager and today I found nothing works.


My Profile Manager Device Identity CA certificate expired a few days ago and I knew it in time, but never realized how to renew it. I really tried. I heard from "someone" that the only certificate I need for MDM to work is APN.

We have never used a certificate vendor as far as I remember, and that's what I've been asked for.


My APN is not expired and I know how to renew it, so I let the Profile Manager Device Identity CA expire.


Can someone tell me what to do?


Kind regards

Margareta

Birkaskolan

Mac mini, macOS High Sierra (10.13.6), Server 5.6.3 (Build 17S2123)

Posted on Oct 17, 2018 7:30 AM

Question marked as Top-ranking reply

Posted on Oct 21, 2018 11:26 AM

Are you sure your CA expired? I thought that was added only 2 or 3 years ago (when Apple changed how it does SCEP) and it should have at least a 5 year life. The identities issued by this CA typically are only valid for a year from the time a device enrolls. If it's just the device identities on individual devices that have expired, you just need to re-enroll them with Profile Manager. If the CA is truly expired, Server should have renewed it.


There is a bug I've seen with Profile Manager where it doesn't automatically re-enroll devices as their device identities approach expiration. It appears to have been fixed in Server 5.7.1, but it's definitely a problem in 5.6.3 and earlier. I use this command every month to work around the problem:


sudo -u _devicemgr psql -U _devicemgr -d devicemgr_v2m0 -h /Library/Server/ProfileManager/Config/var/PostgreSQL -c "update devices set hp_singleton_tasks = hp_singleton_tasks | (1 << 20) where last_mdm_refresh_ttl_days < 90"


This won't fix those devices with already-expired device identities, but it will help prevent other devices from letting their device identities expire.
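A way to run that monthly workaround with a preview of how many devices it will touch, added here as an example and not code from the reply author or from Apple. The connection details, table and column names are taken from the command above; the threshold argument, dry-run mode and count query are assumptions.

```shell
#!/bin/sh
# Monthly nudge for Profile Manager re-enrollment (Server 5.6.3 and earlier).
# Connection details, table and column names come from the reply above;
# the preview count, threshold argument and dry-run mode are assumptions.
set -eu

PSQL_USER="_devicemgr"
PSQL_DB="devicemgr_v2m0"
PSQL_SOCKET_DIR="/Library/Server/ProfileManager/Config/var/PostgreSQL"
REENROLL_TASK_BIT=20   # bit 20 of hp_singleton_tasks, as in the reply

# Accept only a positive integer so the value can be spliced into SQL safely.
validate_days() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ] && [ "$1" -le 3650 ]
}

# Preview: how many devices are below the TTL threshold.
build_select_sql() {
  printf 'select count(*) from devices where last_mdm_refresh_ttl_days < %s' "$1"
}

# The flagging statement from the reply, with the threshold parameterised.
build_update_sql() {
  printf 'update devices set hp_singleton_tasks = hp_singleton_tasks | (1 << %s) where last_mdm_refresh_ttl_days < %s' \
    "$REENROLL_TASK_BIT" "$1"
}

# -A -t: unaligned, tuples only, so the count comes back as a bare number.
run_psql() {
  sudo -u "$PSQL_USER" psql -U "$PSQL_USER" -d "$PSQL_DB" -h "$PSQL_SOCKET_DIR" -A -t -c "$1"
}

main() {
  days="$1"; mode="${2:-apply}"
  validate_days "$days" || { echo "usage: $0 <days> [apply|dry-run]" >&2; return 2; }
  affected=$(run_psql "$(build_select_sql "$days")")
  echo "$(date '+%F %T') devices with identity TTL < $days days: $affected"
  if [ "$mode" = "dry-run" ]; then
    echo "dry-run: nothing flagged"
    return 0
  fi
  run_psql "$(build_update_sql "$days")"
}

# Runs only when given an explicit threshold, e.g. ./pm-reenroll.sh 90 dry-run
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once with `dry-run` to see the count before letting it flag anything, then schedule the `apply` form monthly.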
