Enrolled Devices Stop Communicating after 5 Years
After computers and mobile devices are enrolled for five years, the following certificates expire:
- Device identity certificate—The device identity certificate in the MDM profile expires and prevents MDM functionality from working. This can result in MDM commands in configuration profiles to not complete and remain pending.
- Device certificate—The device certificate in the JAMF.keychain that is used for the Jamf management framework expires on computers. This can result in the following error when executing a jamf binary communication command, such as sudo jamf policy or sudo jamf recon: "Device Signature Error - A valid device signature is required to perform the action"
Starting with Jamf Pro 10.23.0, when devices are enrolled or renewed, the device identity certificate and device certificate will expire after two years. Jamf Pro 10.23.0 or later allows you to manually renew the MDM profile and its device identity certificate for a single device or multiple devices via a mass action. In addition, when Jamf Pro's built-in certificate authority is renewed, the device identity certificate used in the MDM profile is automatically renewed. For more information, see the Renewing Jamf Pro JSS Built-In Certificate Authority (CA) article.
Starting with Jamf Pro 10.25.0, the MDM Profile Settings feature allows you to configure renewal options for the MDM profile containing the device identity certificate on computers and mobile devices. You can choose to renew the MDM profile when Jamf Pro's built-in certificate authority is renewed, or select the number of days before the MDM profile expires at which to renew it. To access this feature, in Jamf Pro navigate to .
Starting with Jamf Pro 10.27.0, computer device certificates are automatically renewed 180 days before the expiration date.
Renewing a Device Identity Certificate
Device identity certificates in the MDM profile expire five years after computers or mobile devices are enrolled in Jamf Pro 10.22.1 or earlier. To ensure computers and mobile devices retain their MDM functionality, you can re-enroll them prior to the expiration date of the device identity certificate.
- Restore the connection to Jamf Pro
- Re-enroll the computer or mobile device
Renewing a Device Certificate
The device certificate in the JAMF.keychain on Mac computers expires after five years. The device certificate is stored in the /Library/Application Support/JAMF/JAMF.keychain file. It is generated by Jamf Pro's built-in certificate authority and is also referenced in the PKI Certificates settings of Jamf Pro.
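Before a device certificate lapses it helps to know how much validity is left in that keychain. The following script is an added example, not Jamf's own tooling: it dumps every certificate from the JAMF.keychain path named above with the macOS security CLI and classifies each one with openssl, using the article's 180-day window as the default warning threshold (the keychain path and WARN_DAYS variable are assumptions for this example).

```shell
#!/bin/sh
# Added example, not Jamf's code. Assumes macOS `security` and `openssl` are
# on the PATH and the keychain lives at the path given in the article.
JAMF_KEYCHAIN="/Library/Application Support/JAMF/JAMF.keychain"
WARN_DAYS="${WARN_DAYS:-180}"   # 10.27.0+ renews computer device certs 180 days ahead

# cert_status PEM_FILE DAYS -> prints "expired", "expiring" or "ok"
cert_status() {
    pem="$1"; days="$2"
    # -checkend 0 fails if notAfter is already in the past
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 0
    fi
    # -checkend N fails if the certificate expires within N seconds
    if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo expiring; return 0
    fi
    echo ok
}

# Export every certificate in the JAMF keychain as PEM and classify each one.
check_jamf_keychain() {
    tmpdir=$(mktemp -d) || return 1
    # `security find-certificate -a -p` prints all certificates in the keychain as PEM
    security find-certificate -a -p "$JAMF_KEYCHAIN" > "$tmpdir/all.pem" || return 1
    # split the concatenated PEM output into one file per certificate
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$tmpdir/all.pem"
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject)
        end=$(openssl x509 -in "$f" -noout -enddate)
        printf '%s\t%s\t%s\n' "$(cert_status "$f" "$WARN_DAYS")" "$end" "$subj"
    done
    rm -rf "$tmpdir"
}

# Only run the keychain export on macOS; cert_status itself needs just openssl.
if [ "$(uname)" = Darwin ]; then
    check_jamf_keychain
fi
```

Run it with sudo on a managed Mac; any line starting with "expiring" or "expired" is a device certificate that needs renewal or re-enrollment before jamf binary commands start failing with the Device Signature Error.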
If the device certificate does not exist, is corrupted, does not have correct permissions, or does not match the certificate entry in the PKI Settings area of Jamf Pro, the following error message will be displayed provided that certificate-based authentication is enabled in Jamf Pro ( ): "Device Signature Error - A valid device signature is required to perform the action."
Re-enrolling a Computer with a User-Approved MDM Profile
The device certificate on computers continues to allow communication between Jamf Pro and the Jamf management framework even though the device identity certificate has expired. This means that instead of re-enrolling the computer, you can reestablish the connection between the computer and Jamf Pro.
Requirement: An SMTP server configured in Jamf Pro
Re-enrolling Mobile Devices
To restore communication with Jamf Pro, you must manually re-enroll mobile devices with expired certificates using user-initiated enrollment. For more information, see User-Initiated Enrollment for Mobile Devices in the Jamf Pro Documentation.
When users receive the enrollment invitation, they must follow a series of guided steps to complete the enrollment process. For more information, see User-Initiated Enrollment Experience for Institutionally Owned Mobile Devices in the Jamf Pro Documentation.
Additional Information
User-Initiated Enrollment for Computers
Find out how to send computer enrollment invitations via email.
Find out how to manage policies in Jamf Pro.