Machine certificate renewal

svenke
New Contributor III

Hi,

we can push machine certificates, we can use them to authenticate (wi-fi connection) but has someone already found a way to silently renew them?

Currently our users are getting a message that their certificate is about to expire and then they have to click the update button.


Jmazzuca182
New Contributor III

I would love to know if there is an answer to this as well. We've been running into this in my environment and the only solution we have found is to re-enroll to get another cert pushed or add to a cloned policy to push another cert.

alexjdale
Valued Contributor III

Check the profiles command. It has a -W flag that the man page says will "Attempt to renew the certificates in an installed profile."

svenke
New Contributor III

-w is working like a charm. Thx

AVmcclint
Honored Contributor

I would love to use this! However, some questions:

1) where in the profiles man page do you see a -W switch? I've checked on both El Capitan and Sierra. There is no -W
2) I ran profiles -W just to see what happens and it says "missing profile identifier", so I ran profiles -C and this is the output:

bash-3.2# profiles -C
_computerlevel[1] attribute: profileIdentifier: 771812A7-99F9-4515-901C-FEF7CD64BC46
_computerlevel[2] attribute: profileIdentifier: DABBC6C1-F305-444F-936E-AE8D95FEB332
_computerlevel[3] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[4] attribute: profileIdentifier: C3A94E53-3563-4983-B3EB-09147D08A993
There are 4 configuration profiles installed

While it is true there are 4 profiles installed on this Mac, I can't tell what profileIdentifier goes with which profile. When I look at the Profile I have installed for 802.1x + Computer certs, I do see "Enterprise Profile ID" but that number doesn't match up with anything the -C tells me. How do I figure out what profileIdentifier goes with which profile?

perrycj
Contributor III

@AVmcclint From the profiles binary help page:

 profiles -help
profiles allows you to add or remove configuration or application provisioning profiles.   It requires one or more parameters to run:
    Use -h for this help section or use the man page.

1) These options are single command and should work on most profiles.
        COMMANDS:
            -P,  prints all configuration profiles to console
                    Note that profiles must have unique toplevel PayloadUUIDs in order for them to be distinguished as different profiles, so
                    different users with the same toplevel PayloadUUIDs will be treated as the same payload for display purposes
            -H,  returns if configuration profiles are installed
            -C,  displays all device profiles
            -D,  deletes existing configuration profiles (requires root privileges)
            -d,  deletes existing provisioning profiles (requires root privileges)
            -h,  displays this help section
            -f,  auto confirm any questions
            -v,  enable verbose mode
            -x,  display version number
            -o path, path to output XML plist file (for -P, -L, -C).  Use 'stdout' to send information to the console.
            -s,  sets the filenamepath profile as a startup profile
2) These options allow you to operate on configuration profiles:.
        eg,  'profiles -I -F /myprofiles/foo.mobileconfig'
        eg,  'profiles -R -F /myprofiles/foo.mobileconfig'
        eg,  'profiles -L -U gene'
        COMMANDS:
            -I,  sets up command to Install a profile
            -R,  sets up command to Remove a profile
            -L,  lists a user's profiles
            -W,  sets up command to renew certificates in an installed profile
            -F filenamepath,  sets up command to read in the existing profile file from the path (not used for -L) or...
            -F -,  sets up command to read in the existing profile file from stdin
            -p profile identifier (only used for removal)
            -Y   specifies the shortname of a local user that will be enrolled with MDM if the profile being installed contains a MDM payload. Will only be used if the profile is being installed as root.
            -U,  destination logged-in user name for installing or removing a configuration profile as root (or sudo)
            -S   sync up and remove user config profiles that don't belong to an existing local user
3) These options allow you to operate on application provisioning profiles:.
        eg,  'profiles -i -F /myprofiles/foo.mobileconfig'
        eg,  'profiles -r -p com.example.123 -u 00000000-0000-0000-0000-000000000000'
        COMMANDS:
            -i,  sets up command to Install a provisioning profile from a file
            -r,  sets up command to Remove a provisioning profile based on the identifier and uuid
            -c,  lists all provisioning profiles
            -d,  sets up command to Delete all provisioning profiles
            -V,  sets up command to Verify a provisioning profile from a file
            -F filenamepath,  sets up command to read in the existing profile file from the path
            -u uuid, in the canonical 36 character form
            -p profile identifier
4) Miscellaneous commands:
            -e,  prints Device Enrollment configuration, if any, for the computer. Can be combined with -o option to route output to a plist.

However, even with a profile identifier and a -p flag, -W doesn't seem to do much and usually errors out (at least for us).

So @svenke what did you use to get the -W flag to renew the certificate?

flyboy
Contributor

@AVmcclint I can't use APNs, so I have to manually inventory config profiles that are on my systems. Here is the Extension Attribute I use to get that list:

#!/bin/bash -

set -o nounset                              # Treat unset variables as an error

proName=""
proList=()
# Split command output on newlines only, so profile names containing spaces stay whole
IFS=$'\n'

# `profiles -Cv` lists every device-level profile with its attributes; keep the
# "name" attribute lines and blank the first three fields, leaving only the profile name
for proName in $(profiles -Cv | grep attribute | awk '/name/{$1=$2=$3=""; print $0}')
do
    proList+=("${proName}")
done

# Join the collected names with commas for the Extension Attribute result
IFS=","
echo "<result>${proList[*]}</result>"
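AVmcclint's question above was how to tell which profileIdentifier from `profiles -C` belongs to which profile, and flyboy's script only collects the names. The following script is an added example, not code posted in this thread: it reads `profiles -Cv` style output and pairs each profile's `profileIdentifier` line with its `name` line using the `_computerlevel[N]` index that both lines share. The sample output embedded in `SAMPLE_PROFILES_CV` is constructed to mirror the line format quoted earlier in the thread; the identifiers, names and the extra attribute line are made up.

```shell
#!/bin/bash
# Added example (not from the thread): map each profileIdentifier reported by
# `profiles -Cv` to the profile's display name.
#
# Constructed sample in the format quoted in this thread. The UUIDs, names and
# the "removalDisallowed" line are invented purely as test input.
SAMPLE_PROFILES_CV='_computerlevel[1] attribute: name: Example Wi-Fi 802.1X
_computerlevel[1] attribute: profileIdentifier: 11111111-2222-3333-4444-555555555555
_computerlevel[2] attribute: name: Example Machine Certificate
_computerlevel[2] attribute: profileIdentifier: 66666666-7777-8888-9999-000000000000
_computerlevel[2] attribute: removalDisallowed: 0
There are 2 configuration profiles installed'

# map_profiles: reads `profiles -Cv` output on stdin and prints one line per
# profile, "<profileIdentifier><TAB><name>", in the order the profiles appear.
map_profiles() {
    awk '
        /^_computerlevel\[[0-9]+] attribute: (name|profileIdentifier): / {
            # The N in "_computerlevel[N]" groups the attribute lines of one profile.
            idx = $0
            sub(/] attribute: .*$/, "", idx)
            sub(/^_computerlevel\[/, "", idx)
            # Everything after the attribute key is the value; names may contain
            # spaces or colons, so strip only the known prefix.
            val = $0
            sub(/^_computerlevel\[[0-9]+] attribute: (name|profileIdentifier): /, "", val)
            if ($0 ~ / attribute: name: /) name[idx] = val; else id[idx] = val
            if (!(idx in seen)) { seen[idx] = 1; order[++n] = idx }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s\t%s\n", id[order[i]], name[order[i]]
        }
    '
}

# name_for_identifier <identifier>: prints the name paired with one identifier,
# reading `profiles -Cv` output on stdin.
name_for_identifier() {
    map_profiles | awk -F'\t' -v id="$1" '$1 == id { print $2 }'
}

# Run against the constructed sample by default; pass --live on a Mac (as root,
# as the thread's `profiles -C` session was) to read the real `profiles -Cv` output.
if [ "${1:-}" = "--live" ]; then
    profiles -Cv | map_profiles
else
    printf '%s\n' "$SAMPLE_PROFILES_CV" | map_profiles
fi
```

The identifier in the first column is the value that the `-p profile identifier` option in perrycj's help listing takes; as perrycj notes above, whether `profiles -W` actually renews anything when given it varied between environments in this thread, so check the result on a test Mac before relying on it for fleet-wide renewal.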

NoahRJ
Contributor II

Per the initial question of this post, there's another discussion for machine cert renewals here.