Which certificates are eligible for automatic renewal?
Only ADCertificates delivered as part of a device profile are eligible for automatic renewal.
The following certificates are not eligible and must be renewed manually:
- ADCertificate payloads delivered as part of a user profile
- Certificates delivered as part of an SCEP payload of any kind
- Certificates delivered as part of a profile that contains a mobile device management (MDM) payload
- Certificates delivered as part of an over-the-air (OTA) enrollment profile
How to enable automatic renewal of eligible certificates
Enter this command in Terminal on your Mac:
sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES
To disable automatic renewal, change YES to NO in this command. To enable automatic renewal of eligible certificates using a configuration profile, use a device profile that sets AutoRenewCertificatesEnabled to True in the com.apple.mdmclient domain.
Certificates that automatically renew can't be renewed manually, including in Profiles preferences or using the profiles -W command. Automatic renewal occurs on the same schedule that determines when to show the Update button in Profiles preferences, or when to send the user a notification that the certificate is expiring. If renewal fails, retries occur on this fixed schedule:
- If renewal fails because the server couldn't be contacted, retries occur once per hour or whenever there is a network transition.
- If renewal fails after contacting the server, retries occur once every 24 hours, ensuring that multiple unsuccessful attempts don't cause a user's account to become locked. Restarting the Mac does not affect this schedule.