
When device certificates signed “Apple iPhone Device CA” are evaluated their validity dates should be ignored.

For some time we've been dealing with this particular issue:
https://www.jamf.com/jamf-nation/discussions/29413/device-enrollment-installation-failed-the-mdm-server-for-your-organization-returned-an-unexpected-status-403

By chance someone else was also dealing with the problem but was a lot more persistent in finding out the cause. Here is the blog post on that:

https://breardon.home.blog/2019/04/05/dep-nag-jamf-pro-and-unexpected-status-403/

My feature request to Jamf is a simple one, please follow Apple's recommendation when evaluating the device certificate for DEP enrollment:

WARNING: When device certificates signed “Apple iPhone Device CA” are evaluated their validity dates should be ignored.

Source: https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/profile-service/profile-service.html#//apple_ref/doc/uid/TP40009505-CH2-SW4

Other MDM vendors do not suffer from this. It's quite frustrating when I hear from other Mac admins who are able to do DEP enrollment through the command line without a problem with their commercial tools but I can't because Jamf isn't following Apple's guidance on the matter.

The workflow this would allow is to deal with 1) devices that are added to DEP post-purchase, before an organization takes advantage of DEP, or 2) devices that need to get re-enrolled through DEP without a wipe/reinstall of the OS.

I'm hoping that Jamf can make this change. Because I'm not sure whether Jamf considers this a bug or a potential feature request I'm submitting it here but also going to re-open my ticket on this matter.
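The following is an added example, not Jamf's code and not from the original post, of what Apple's guidance means on the MDM server side: the device certificate's signature is still verified against the issuing CA, but when that issuer is "Apple iPhone Device CA" the notBefore/notAfter window is deliberately not enforced. It also shows that ignoring the dates is not the same as ignoring the signature: a certificate issued by a different key under the same CA name is still rejected. The two CAs and the device certificate are constructed in-memory test fixtures (ECDSA P-256 and the subject "device-cert-example" are assumptions; Apple's real CA is not reproduced here).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// appleDeviceCA is the issuer name Apple's profile-service document singles out.
const appleDeviceCA = "Apple iPhone Device CA"

// evaluateDeviceCert verifies that cert was signed by ca. The validity window is
// enforced for every issuer except the Apple iPhone Device CA, whose device
// certificates Apple says should be accepted regardless of their dates.
func evaluateDeviceCert(cert, ca *x509.Certificate, now time.Time) error {
	if cert.Issuer.CommonName != ca.Subject.CommonName {
		return fmt.Errorf("issuer %q does not match CA %q", cert.Issuer.CommonName, ca.Subject.CommonName)
	}
	// The cryptographic check is never skipped: the signature must chain to ca.
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	if ca.Subject.CommonName == appleDeviceCA {
		return nil // validity dates deliberately ignored, per Apple's guidance
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed test CA with the given common name (constructed fixture).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueDeviceCert has ca sign a device certificate with the given validity window.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "device-cert-example"}, // placeholder subject
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

var (
	issued    = time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
	expired   = time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC)
	evalTime  = time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC) // well past expiry
)

// evaluateExpiredDeviceCert issues a device cert that expired in 2019 under a CA
// named caName and evaluates it in mid-2020.
func evaluateExpiredDeviceCert(caName string) error {
	ca, caKey := newCA(caName)
	return evaluateDeviceCert(issueDeviceCert(ca, caKey, issued, expired), ca, evalTime)
}

// evaluateForgedDeviceCert issues a cert from a rogue CA that reuses Apple's CA
// name but a different key, and evaluates it against the trusted CA.
func evaluateForgedDeviceCert() error {
	trusted, _ := newCA(appleDeviceCA)
	rogue, rogueKey := newCA(appleDeviceCA)
	return evaluateDeviceCert(issueDeviceCert(rogue, rogueKey, issued, expired), trusted, evalTime)
}

func main() {
	fmt.Println("Apple iPhone Device CA, expired cert:", evaluateExpiredDeviceCert(appleDeviceCA))
	fmt.Println("Other CA, expired cert:", evaluateExpiredDeviceCert("Some Other Device CA"))
	fmt.Println("Forged issuer, expired cert:", evaluateForgedDeviceCert())
}
```

Run as-is: the first line prints `<nil>` (accepted despite expiry), the second reports the certificate as not valid at the evaluation time, and the third fails the signature check. Note that Go's `Certificate.Verify` always enforces dates, so the policy has to be expressed with `CheckSignatureFrom` plus an explicit issuer check, as above.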

Posted: by mike.paul

As of Jamf Pro 10.15 we no longer check for the validity date of the “Apple iPhone Device CA” certificates.


Posted: by bartreardon

I have a support case open for this issue as well - I think it's a FR since logically the right thing to do is verify the correctness of the signing certificate. This is a bug/issue with Apple (who I've also filed a radar with) but given the fact this affects APNs, and potentially all iCloud sync services as well, I can't see them doing anything about it if the behaviour is ingrained. I don't see any option other than Jamf code to cater to Apple's (right or wrong) guidance on how to handle it.

Too bad this didn't come up the other week when I was at the Jamf roadshow in Sydney @michael.devins - would have made a good talking point to bring up at the breakfast (came to a head about a month too late :/ )


Posted: by grahamrpugh

This is pretty serious. I've had a ticket open about this for months with no resolution, supposedly Jamf and Apple were talking with each other as I cross-referenced the support tickets. But I didn't get any information that it could be related to an expired certificate. As it stands, the implication is that any Mac with an OS that has been running for over a year may not be able to enroll to MDM. Now, I know that isn't the case with User-Initiated Enrollment, but I believe it may be the case with attempts at DEP enrollment using sudo profiles -N or sudo profiles renew -type enrollment.

I raised this issue with AppleCare Enterprise Support, and they specifically said that the MDM vendor should ignore the cert expiry:

[this] is known, and this is when the cert is expired instead (for machine over 1 year trying to enroll). This will prevent the machine to enrol to MDM and is not specific to DEP enrolment. According to MDM OTA profile delivery document, (https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/profile-service/profile-service.html#//apple_ref/doc/uid/TP40009505-CH2-SW4) the expiry should be ignored. "WARNING: When device certificates signed “Apple iPhone Device CA” are evaluated their validity dates should be ignored.”

I'm waiting for Jamf to give me a PI on this bug.


Posted: by bpavlov

@grahamrpugh here is the product issue I got: PI-006932


Posted: by lyonheart14

With Supervision in Catalina, this issue just became a lot more important for us.


Posted: by patgmac

I agree, this should be fixed by Jamf. But I was able to work around it when we migrated from on-prem to Cloud. Here is how I handled this (this is from a larger script, so forgive me if I included a variable or two that aren't specified):

#!/bin/bash
# Check the expiry of the device certificate in apsd.keychain and remove it if it
# has already expired, so the next DEP enrollment attempt does not present it.
keychain="/Library/Keychains/apsd.keychain"
if [[ -e "$keychain" ]]; then
    # openssl x509 only reads the first PEM block, so if the keychain holds more
    # than one certificate only the first one's expiry date is evaluated here
    ExpDate=$(/usr/bin/security find-certificate -a -p -Z "$keychain" | /usr/bin/openssl x509 -noout -enddate | cut -f2 -d=)
    # macOS (BSD) date: parse e.g. "Jun  5 12:34:56 2020 GMT" into epoch seconds
    EpochOne=$(/bin/date -j -f '%b %d %T %Y %Z' "$ExpDate" '+%s')
    EpochTwo=$(/bin/date +%s)
    DaysLeft=$(( (EpochOne - EpochTwo) / 86400 ))
    /usr/bin/logger -s "Enrollment cert expires on $ExpDate, which is $DaysLeft days away"
    if (( DaysLeft < 0 )); then
        # -Z prints a "SHA-1 hash: <hex>" line per certificate; delete every one found
        for DEPcert in $(/usr/bin/security find-certificate -a -Z "$keychain" | /usr/bin/awk '/SHA-1 hash/ {print $3}'); do
            /usr/bin/logger -s "Cert expired ${DaysLeft#-} days ago, deleting $DEPcert"
            /usr/bin/security delete-certificate -Z "$DEPcert" "$keychain"
        done
    else
        /usr/bin/logger -s "Cert has not expired yet"
    fi
fi

Posted: by cpresnall

This change to 10.15 is a huge win for those of us with devices enrolled for multiple years who are now moving to DEP.
