Which certificates are eligible for automatic renewal?
Only ADCertificates delivered as part of a device profile are eligible for automatic renewal.
The following certificates are not eligible and must be renewed manually:
- ADCertificate payloads delivered as part of a user profile
- Certificates delivered as part of an SCEP payload of any kind
- Certificates delivered as part of a profile that contains a mobile device management (MDM) payload
- Certificates delivered as part of an over-the-air (OTA) enrollment profile
How to enable automatic renewal of eligible certificates
Enter this command in Terminal on your Mac:
sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES
To disable automatic renewal, change YES to NO in this command. To enable automatic renewal of eligible certificates using a configuration profile, use a device profile that sets AutoRenewCertificatesEnabled to True in the com.apple.mdmclient domain.*
On macOS 10.13.4 systems, add the "EnableAutoRenewal" key (a boolean) to the Active Directory certificate payload to specify whether the certificate should be auto-renewed.
* If the AutoRenewCertificatesEnabled key exists and is set to FALSE, no automatic renewal will take place regardless of the EnableAutoRenewal key in the certificate payload.
Certificates that automatically renew can't be renewed manually, including in Profiles preferences or using the profiles -W command. Automatic renewal occurs on the same schedule that determines when to show the Update button in Profiles preferences, or when to send the user a notification that the certificate is expiring. If renewal fails, retries occur on this fixed schedule:
- If renewal fails because the server couldn't be contacted, retries occur once per hour or whenever there is a network transition.
- If renewal fails after contacting the server, retries occur once every 24 hours, ensuring that multiple unsuccessful attempts don't cause a user's account to become locked. Restarting the Mac does not affect this schedule.
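The eligibility and precedence rules above, written out as an added POSIX shell helper for auditing a Mac (example code, not from Apple's article). The function names cert_eligible, effective_auto_renew and read_global_setting are assumed; the article does not state what happens when the AutoRenewCertificatesEnabled key is absent, so that branch is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example: decide whether a certificate payload will be auto-renewed,
# following the rules in the article. Function names are assumed.

# cert_eligible SCOPE PAYLOAD HAS_MDM IS_OTA
#   SCOPE   : "device" or "user"  (profile the payload was delivered in)
#   PAYLOAD : "adcert" or "scep"
#   HAS_MDM : "yes"/"no"  the profile also contains an MDM payload
#   IS_OTA  : "yes"/"no"  the profile is an OTA enrollment profile
# Returns 0 when eligible for automatic renewal, 1 when it must be renewed manually.
cert_eligible() {
  [ "$2" = "adcert" ] || return 1   # SCEP payloads of any kind are never eligible
  [ "$1" = "device" ] || return 1   # ADCertificates in a user profile are not eligible
  [ "$3" = "no" ]     || return 1   # profile containing an MDM payload
  [ "$4" = "no" ]     || return 1   # OTA enrollment profile
  return 0
}

# effective_auto_renew GLOBAL PAYLOAD_FLAG
#   GLOBAL       : AutoRenewCertificatesEnabled in com.apple.mdmclient, as
#                  `defaults read` prints it ("1" or "0"), or "absent"
#   PAYLOAD_FLAG : EnableAutoRenewal in the AD certificate payload (macOS 10.13.4):
#                  "true", "false" or "absent"
# Prints "renew" or "manual".
effective_auto_renew() {
  # An explicit FALSE in the global key wins regardless of the payload key.
  [ "$1" = "0" ] && { echo manual; return; }
  # The payload key specifies whether this certificate is auto-renewed.
  [ "$2" = "false" ] && { echo manual; return; }
  # ASSUMPTION: with the global key absent, renewal only happens when the
  # payload opts in; the article does not state this default.
  if [ "$1" = "1" ] || [ "$2" = "true" ]; then echo renew; else echo manual; fi
}

# read_global_setting: read the live value on a Mac; elsewhere report "absent".
read_global_setting() {
  if command -v defaults >/dev/null 2>&1; then
    defaults read /Library/Preferences/com.apple.mdmclient \
      AutoRenewCertificatesEnabled 2>/dev/null || echo absent
  else
    echo absent
  fi
}

# Constructed sample: a device-profile ADCertificate on a Mac where the global key is unset.
if cert_eligible device adcert no no; then
  echo "payload eligible; effective state: $(effective_auto_renew "$(read_global_setting)" true)"
fi
```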