Enrolled Devices Stop Communicating after 5 Years

After computers and mobile devices are enrolled for five years, the following certificates expire:

  • Device identity certificate: The device identity certificate in the MDM profile expires and prevents MDM functionality from working. This can cause MDM commands, including those that install configuration profiles, to not complete and to remain pending.
  • Device certificate: The device certificate in the JAMF.keychain that the Jamf management framework uses expires on computers. This can result in the following error when running a jamf binary command that communicates with Jamf Pro, such as sudo jamf policy or sudo jamf recon:
    "Device Signature Error - A valid device signature is required to perform the action"

Starting with Jamf Pro 10.23.0, when devices are enrolled or renewed, the device identity certificate and device certificate will expire after two years. Jamf Pro 10.23.0 or later allows you to manually renew the MDM profile and its device identity certificate for a single device or multiple devices via a mass action. In addition, when Jamf Pro's built-in certificate authority is renewed, the device identity certificate used in the MDM profile is automatically renewed. For more information, see the Renewing Jamf Pro JSS Built-In Certificate Authority (CA) article.

Starting with Jamf Pro 10.25.0, the MDM Profile Settings feature allows you to configure renewal options for the MDM Profile containing the device identity certificate on computers and mobile devices. You can choose to renew the MDM profile when the Jamf Pro's built-in certificate authority is renewed or select the number of days before the MDM profile expires to renew it. To access this feature, in Jamf Pro navigate to Settings > Global Management > MDM Profile Settings.

Starting with Jamf Pro 10.27.0, computer device certificates are automatically renewed 180 days before the expiration date.

Renewing a Device Identity Certificate

Device identity certificates in the MDM profile expire five years after computers or mobile devices are enrolled in Jamf Pro 10.22.1 or earlier. To ensure computers and mobile devices retain their MDM functionality, you can re-enroll them before the device identity certificate expires.

If five years have passed and the device identity certificate has expired for a computer or mobile device, you can restore MDM communication between Jamf Pro and the computer or mobile device by doing one of the following:
  • Restore the connection to Jamf Pro

  • Re-enroll the computer or mobile device

Renewing a Device Certificate

The device certificate in the JAMF.keychain on Mac computers expires after five years. The device certificate is stored in the /Library/Application Support/JAMF/JAMF.keychain file. It is generated by Jamf Pro's built-in certificate authority and is also referenced in the PKI Certificates settings of Jamf Pro.

If the device certificate does not exist, is corrupted, does not have correct permissions, or does not match the certificate entry in the PKI Settings area of Jamf Pro, the following error message will be displayed provided that certificate-based authentication is enabled in Jamf Pro (Settings > Computer Management > Security > Enable certificate-based authentication): "Device Signature Error - A valid device signature is required to perform the action."
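The following script is an added example, not code from the Jamf article or from Jamf: it exports the certificates from the JAMF.keychain path named above and reports any that fall inside the 180-day window that Jamf Pro 10.27.0 or later uses for automatic renewal, so that computers at risk of the "Device Signature Error" can be found before the certificate actually expires. It assumes macOS `security` and `openssl` are on PATH, that it runs as root, and that 180 days is the right warning threshold for your fleet (adjust WARN_DAYS otherwise).

```shell
#!/bin/sh
# Added example, not code from the Jamf article: flag a Mac whose Jamf
# device certificate (in JAMF.keychain, see above) is inside the renewal
# window, before "Device Signature Error" starts appearing. Assumes macOS
# `security` and `openssl` on PATH, run as root (keychain is not world-readable).
JAMF_KEYCHAIN="/Library/Application Support/JAMF/JAMF.keychain"
WARN_DAYS=180   # assumption: mirrors the 180-day auto-renewal window

# cert_expires_within DAYS  -- reads one PEM certificate on stdin.
# Returns 0 if the certificate expires within DAYS days (or already has),
# 1 if it stays valid beyond that window, 2 if stdin held no parseable cert.
cert_expires_within() {
    pem=$(cat)
    printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1 || return 2
    # openssl -checkend exits 0 only when the cert will NOT expire in time
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_jamf_keychain [KEYCHAIN] -- exports every certificate from the
# keychain and reports each one. Returns 0 when all are outside the warning
# window, 1 when at least one needs renewal, 2 when nothing could be read.
check_jamf_keychain() {
    keychain=${1:-$JAMF_KEYCHAIN}
    tmp=$(mktemp -d) || return 2
    # `security find-certificate -a -p` prints all certs as PEM blocks;
    # awk writes each block to its own file so openssl can read them.
    security find-certificate -a -p "$keychain" 2>/dev/null \
        | awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (dir "/cert." n ".pem")}'
    status=0
    for f in "$tmp"/cert.*.pem; do
        [ -f "$f" ] || { echo "no certificates read from $keychain"; status=2; break; }
        subject=$(openssl x509 -noout -subject -in "$f")
        enddate=$(openssl x509 -noout -enddate -in "$f")
        if cert_expires_within "$WARN_DAYS" < "$f"; then
            echo "WARN  $subject ($enddate): expires within $WARN_DAYS days, renew or re-enroll"
            status=1
        else
            echo "OK    $subject ($enddate)"
        fi
    done
    rm -rf "$tmp"
    return "$status"
}

# Run the keychain check only when executed directly (not when sourced).
case "${0##*/}" in jamf_cert_check.sh) check_jamf_keychain "$@" ;; esac
```

Saved as jamf_cert_check.sh and run with sudo, the exit status (1 = renewal needed) makes it usable as a Jamf policy script or, with the echo lines adapted, as an extension attribute.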

Re-enrolling a Computer with a User-Approved MDM Profile

The device certificate on computers continues to allow communication between Jamf Pro and the Jamf management framework even after the device identity certificate has expired. This means that instead of re-enrolling the computer, you can reestablish the connection between the computer and Jamf Pro.

Requirements

An SMTP server configured in Jamf Pro

  1. Log in to Jamf Pro.
  2. Navigate to Settings > Computer Management - Management Framework > Security.
  3. Edit the Security setting, deselect Enable certificate-based authentication, and click Save.
  4. Create a new computer invitation ID with multiple-use allowed.
  5. Click Enrollment Invitations.
  6. Click New.
  7. Follow the onscreen instructions to send the enrollment invitation.
    Note: When configuring invitation security, select the Allow multiple uses checkbox.

  8. Click Done.
  9. View the details of the newly created enrollment invitation, and then copy the Invitation ID.
  10. Click Computers at the top of the page.
  11. Click Smart Computer Groups to create a smart group with the "Last Enrollment" criteria value set to 5 years ago. For more information, see the Smart Groups section in the Jamf Pro Administrator's Guide.
  12. Create a policy that executes the following command:
    sudo jamf enroll -invitation idoftheinvitation -noRecon -noPolicy
  13. Run the policy on next check-in scoped to the smart computer group you created previously. The following message should be displayed in the policy log:

    > output "computer was successfully enrolled to JSS with following device Certificate [ID of the certificate]"

  14. If the MDM profile was reinstalled, the MDM profile must be approved by the user since it's not MDM-first enrollment.
  15. In Jamf Pro, edit the Security settings again, re-select Enable certificate-based authentication, and click Save.

Re-enrolling Mobile Devices

To restore communication with Jamf Pro, you must manually re-enroll mobile devices with expired certificates using user-initiated enrollment. For more information, see the User-Initiated Enrollment for Mobile Devices section in the Jamf Pro Administrator's Guide.

When users receive the enrollment invitation, they must follow a series of guided steps to complete the enrollment process. For more information, see the User-Initiated Enrollment Experience for Institutionally Owned Mobile Devices section in the Jamf Pro Administrator's Guide.

Additional Information

For additional information, see the following sections in the Jamf Pro Administrator's Guide: