Automatically renew certificates delivered via a configuration profile

Beginning with macOS Sierra 10.12.4, administrators can set a system preference that enables automatic renewal of eligible certificates when the certificates are delivered as part of a device profile. 

Which certificates are eligible for automatic renewal?

Only ADCertificates delivered as part of a device profile are eligible for automatic renewal.

The following certificates are not eligible and must be renewed manually:

  • ADCertificate payloads delivered as part of a user profile
  • Certificates delivered as part of an SCEP payload of any kind
  • Certificates delivered as part of a profile that contains a mobile device management (MDM) payload
  • Certificates delivered as part of an over-the-air (OTA) enrollment profile

How to enable automatic renewal of eligible certificates

Enter this command in Terminal on your Mac:

sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES

To disable automatic renewal, change YES to NO in this command. To enable automatic renewal of eligible certificates using a configuration profile, use a device profile that sets AutoRenewCertificatesEnabled to True in the com.apple.mdmclient domain.*

On macOS 10.13.4 systems, add the "EnableAutoRenewal" key (a boolean) to the Active Directory certificate payload to specify whether the certificate should be auto-renewed.

* If the AutoRenewCertificatesEnabled key exists and is set to FALSE, no automatic renewal will take place regardless of the EnableAutoRenewal key in the certificate payload.

Learn more

Certificates that automatically renew can't be renewed manually, including in Profiles preferences or using the profiles -W command. Automatic renewal occurs on the same schedule that determines when to show the Update button in Profiles preferences, or when to send the user a notification that the certificate is expiring. If renewal fails, retries occur on this fixed schedule:

  • If renewal fails because the server couldn't be contacted, retries occur once per hour or whenever there is a network transition.
  • If renewal fails after contacting the server, retries occur once every 24 hours, ensuring that multiple unsuccessful attempts don't cause a user's account to become locked. Restarting the Mac does not affect this schedule.