Configuration profile with SCEP, certs, and network profile constantly redistributing

dleetideworks
New Contributor

We have JSS 9.81 and have had a fairly incident-free configuration profile that loaded up SCEP certs on our OSX devices.

This week, devices are constantly Starting and Completing the configuration profile installation... as in, every 4-6 seconds a new certificate enrollment is run and I'm getting THOUSANDS of certs showing in the system keychain. The new certs have expiry dates of May 25th 2019.

I know what you're thinking: ah! it's another expired cert on the device! but no, I've explicitly erased the expired certs and all previous private keys and certs related with the SCEP enrollment while the system was offline. Upon connection to the network and an APNS push, every 4 seconds it starts again. I also turned off the automatic redistribute setting in the general payload (set to 'never'). I do have certificate expiration notification threshold set to 14 days, but I can't see how that would matter when the cert is over 1 year away from expiring and all supporting certs are good 'til at least November.

JSS event logs show successful enrollment, device is showing enrollment, I can even connect using the certs! But it just keeps enrolling.

I've checked logs on the JSS server, Tomcat server, and console on the local machine. I cannot see WHY this profile is being redistributed after it succeeds.
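One way to quantify the symptom described above (thousands of duplicate SCEP certs in the system keychain, plus the 14-day expiration threshold), as an added example that is not part of the original thread or of Jamf's own tooling: a small audit over a text dump of the keychain's certificates. It assumes the dump was built by exporting the System keychain with `security find-certificate -a -p /Library/Keychains/System.keychain` and running `openssl x509 -noout -subject -dates` over each PEM block; the sample input below is constructed, not real keychain output. It groups certs by subject, flags a subject whose copies were issued seconds apart (the re-enrollment loop), and reports how many days the newest copy has left against the threshold.

```python
"""Audit a certificate dump for runaway SCEP re-enrollment and near-expiry certs.

Input format, one block per certificate, as printed by
`openssl x509 -noout -subject -dates` (assumption: the dump was built by
exporting the System keychain with `security find-certificate -a -p` and
running that command over each PEM block):

    subject=CN = host.example.com, O = Example Corp
    notBefore=May 25 10:00:00 2018 GMT
    notAfter=May 25 10:00:00 2019 GMT
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real keychain output: one healthy cert, one subject
# that re-enrolled three times seconds apart (the runaway symptom), and one
# already-expired cert.
SAMPLE_DUMP = """\
subject=CN = mac-0001.example.com, O = Example Corp
notBefore=May 25 10:00:00 2018 GMT
notAfter=May 25 10:00:00 2019 GMT
subject=CN = mac-0002.example.com, O = Example Corp
notBefore=May 25 10:00:00 2018 GMT
notAfter=May 25 10:00:00 2019 GMT
subject=CN = mac-0002.example.com, O = Example Corp
notBefore=May 25 10:00:04 2018 GMT
notAfter=May 25 10:00:04 2019 GMT
subject=CN = mac-0002.example.com, O = Example Corp
notBefore=May 25 10:00:09 2018 GMT
notAfter=May 25 10:00:09 2019 GMT
subject=CN = mac-0003.example.com, O = Example Corp
notBefore=Nov 10 09:00:00 2017 GMT
notAfter=Nov 10 09:00:00 2018 GMT
"""


def parse_openssl_date(text):
    """Parse openssl's 'Mon DD HH:MM:SS YYYY GMT'; single-digit days are space padded."""
    return datetime.strptime(text.replace(" GMT", "").strip(), "%b %d %H:%M:%S %Y")


def parse_dump(dump):
    """Split the dump into dicts with 'subject', 'notBefore' and 'notAfter'."""
    certs, current = [], None
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "subject":
            current = {"subject": value}
            certs.append(current)
        elif key in ("notBefore", "notAfter") and current is not None:
            current[key] = parse_openssl_date(value)
    return [c for c in certs if "notBefore" in c and "notAfter" in c]


def audit(certs, now, threshold_days=14, min_gap=timedelta(minutes=1)):
    """Per subject: copy count, runaway flag, days left on the newest cert."""
    by_subject = defaultdict(list)
    for cert in certs:
        by_subject[cert["subject"]].append(cert)
    findings = {}
    for subject, group in by_subject.items():
        group.sort(key=lambda c: c["notBefore"])
        gaps = [later["notBefore"] - earlier["notBefore"]
                for earlier, later in zip(group, group[1:])]
        days_left = (group[-1]["notAfter"] - now).days
        findings[subject] = {
            "copies": len(group),
            # Several certs for one subject issued within a minute of each
            # other means the profile is being re-enrolled in a loop.
            "runaway": any(gap < min_gap for gap in gaps),
            "days_left": days_left,
            "expired": days_left < 0,
            # Inside the expiration notification threshold: renewal expected.
            "renew_due": 0 <= days_left <= threshold_days,
        }
    return findings


def audit_dump(dump, now_text, threshold_days=14):
    """Convenience wrapper: now_text uses openssl's date format."""
    return audit(parse_dump(dump), parse_openssl_date(now_text), threshold_days)


if __name__ == "__main__":
    for subject, f in audit_dump(SAMPLE_DUMP, "May 15 00:00:00 2019 GMT").items():
        flags = [k for k in ("runaway", "expired", "renew_due") if f[k]]
        print(f"{subject}: copies={f['copies']} days_left={f['days_left']} {' '.join(flags)}")
```

The "runaway" flag is the one to watch for the loop in this thread: a single subject with a handful of copies is normal after a renewal, but dozens issued seconds apart means the enrollment is repeating regardless of what the expiry dates say.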


dleetideworks
New Contributor

In case someone else runs into this because they also have a 3-year old JSS: version 9.101.0 (PI-003868) fixes an issue with expiring or expired SCEP certs being constantly redistributed.

G_M__webkfoe_
New Contributor III

@dleetideworks Just a question about how you applied the redistribution..

As far as I can see, in order to have an automated redistribution, we need to have the $PROFILE_IDENTIFIER in the Subject field of the SCEP config profile.
My question is, can it be appended anywhere in the Subject?

What I can see is that it is appending it into the CN field (of the Subject field), but I don't want it to be there... better in the ST field instead.
Any suggestion?

druocco
New Contributor III

I'm now running into the same issue where I had the config profile renewal set to "never", mostly because I just missed it when the initial configuration went in place. Now certs in production are starting to expire. Re-issuing obviously fixes this problem. I have updated the config profile in test and added "$PROFILE_IDENTIFIER" and deployed with success. VPN/WiFi connects successfully, but I still have to test if the renewal now applies, which is tough to do because, since this is a brand new cert configuration, re-deploying the update will most likely issue a new certificate and therefore update the expiration date, thus nullifying the test scenario.

G_M__webkfoe_
New Contributor III

@druocco I tested it and the automatic redistribution works like a charm, even if you move the $PROFILE_IDENTIFIER to a different position than where it gets placed by default. Check the screenshot below!

[screenshot: SCEP profile Subject field, image not available]