Automatically renew certificates delivered via a configuration profile - Apple Support

Only ADCertificates delivered as part of a device profile are eligible for automatic renewal.

The following certificates are not eligible and must be renewed manually:

In macOS Ventura and later, eligible certificates renew automatically. If you don't want the certificate in a payload to renew automatically, you can add an "EnableAutoRenewal" key (boolean), with a value of FALSE.

Or, to disable automatic certificate renewal for all payloads, enter this command in Terminal on your Mac:

sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool NO
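
The eligibility rules above can be checked against a profile before deployment. This is an added example, not Apple's code: it reads an unsigned configuration profile and reports which payloads would renew automatically. Assumptions: AD certificate payloads use the type com.apple.ADCertificate.managed, a top-level PayloadScope of "System" marks a device profile, the hypothetical global_enabled parameter stands in for the AutoRenewCertificatesEnabled preference, and the sample profile is constructed.

```python
import plistlib

AD_CERT_TYPE = "com.apple.ADCertificate.managed"  # assumed AD certificate payload type

# Constructed sample profile (not from the page): two AD certificate payloads,
# one opting out of renewal, plus an unrelated SCEP payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadScope": "System",
    "PayloadIdentifier": "com.example.certs",
    "PayloadContent": [
        {"PayloadType": AD_CERT_TYPE, "PayloadIdentifier": "com.example.certs.wifi"},
        {"PayloadType": AD_CERT_TYPE, "PayloadIdentifier": "com.example.certs.vpn",
         "EnableAutoRenewal": False},
        {"PayloadType": "com.apple.security.scep",
         "PayloadIdentifier": "com.example.certs.scep"},
    ],
})


def renewal_report(profile_bytes, global_enabled=True):
    """Map each payload identifier to (will_auto_renew, reason)."""
    profile = plistlib.loads(profile_bytes)
    # Assumption: a top-level PayloadScope of "System" marks a device profile.
    device_scope = profile.get("PayloadScope", "User") == "System"
    report = {}
    for payload in profile.get("PayloadContent", []):
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if payload.get("PayloadType") != AD_CERT_TYPE:
            verdict = (False, "not an AD certificate payload")
        elif not device_scope:
            verdict = (False, "not delivered in a device profile")
        elif not global_enabled:
            verdict = (False, "AutoRenewCertificatesEnabled is NO")
        elif payload.get("EnableAutoRenewal", True) is False:
            verdict = (False, "EnableAutoRenewal is FALSE in the payload")
        else:
            verdict = (True, "eligible")
        report[ident] = verdict
    return report


if __name__ == "__main__":
    for ident, (renews, reason) in renewal_report(SAMPLE_PROFILE).items():
        print(f"{ident}: {'auto-renew' if renews else 'manual'} ({reason})")
```

Payloads reported as manual need an owner and an expiry reminder, since nothing on the Mac will renew them.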

Certificates that automatically renew can't be renewed manually, including in Profiles preferences or using the profiles -W command. Automatic renewal occurs on the same schedule that determines when to show the Update button in Profiles preferences, or when to send the user a notification that the certificate is expiring. If renewal fails, retries occur on this fixed schedule:

Published Date: November 30, 2023