Automatically renew certificates delivered via a configuration profile

Beginning with macOS Sierra 10.12.4, administrators can use a Terminal command to enable automatic renewal of certain certificates delivered as part of a device profile. 

Which certificates are eligible for automatic renewal?

Only ADCertificates delivered as part of a device profile are eligible for automatic renewal.

The following certificates are not eligible and must be renewed manually:

  • ADCertificate payloads delivered as part of a user profile
  • Certificates delivered as part of an SCEP payload of any kind
  • Certificates delivered as part of a profile that contains a mobile device management (MDM) payload
  • Certificates delivered as part of an over-the-air (OTA) enrollment profile

How to enable automatic renewal of eligible certificates

Enter this command in Terminal on your Mac:

sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES

To disable automatic renewal, change YES to NO in this command. To enable automatice renewal of eligible certificates using a configuration profile, use a device profile that sets AutoRenewCertificatesEnabled to True in the com.apple.mdmclient domain.

Learn more

Certificates that automatically renew can't be renewed manually, including in Profiles preferences or using the profiles -W command. Automatic renewal occurs on the same schedule that determines when to show the Update button in Profiles preferences, or when to send the user a notification that the certificate is expiring. If renewal fails, retries occur on this fixed schedule:

  • If renewal fails because the server couldn't be contacted, retries occur once per hour or whenever there is a network transition.
  • If renewal fails after contacting the server, retries occur once every 24 hours, ensuring that multiple unsuccessful attempts don't cause a user's account to become locked. Restarting the Mac does not affect this schedule.
Published Date: