Casper Configuration Profiles Auto Renewal

If you are using AD certificates inside a configuration profile, here is the easiest way to make them renew automatically:

sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES

I have set up an extension attribute to check whether the Macs need this remediation:

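#!/bin/bash
# Casper extension attribute: report the AutoRenewCertificatesEnabled value (1 = enabled).
# An unset key yields an empty result, so that Mac is picked up for remediation.
status=$(sudo defaults read /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled 2>/dev/null)
echo "<result>$status</result>"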

Any Macs without the result 1 will get remediated 🙂

Here is the link from Apple; it works for Sierra and up.

By default, auto-renewal happens 14 days before the certificate expires.

Links to read:

https://support.apple.com/en-us/HT204836

https://support.apple.com/en-us/HT204446

 

To find expired certificates:

expired=$(security find-identity | grep EXPIRED | awk '{print $2}')

To delete a certificate:

security find-certificate -c "certificatename" -a -Z | \
sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
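
An added example (not from the original post): the find and delete steps above combined into one script that extracts the SHA-1 of each expired identity, checks that it really is a 40-character hex string before passing it to security delete-certificate -Z, and defaults to a dry run. The sample output, the function names and the DRY_RUN variable are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the original post.

# Constructed sample of `security find-identity` output (hashes are made up).
sample_output() {
cat <<'EOF'
Policy: X509 Basic
  Matching identities
  1) 1111111111111111111111111111111111111111 "mac01.example.com" (CSSMERR_TP_CERT_EXPIRED)
  2) 2222222222222222222222222222222222222222 "mac01.example.com"
     2 identities found
EOF
}

# Read `security find-identity` output on stdin and print the SHA-1 of every
# identity flagged EXPIRED, one per line. Anything that is not exactly
# 40 hex characters is dropped, so only real hashes reach the delete step.
expired_hashes() {
  awk '/EXPIRED/ && $2 ~ /^[0-9A-Fa-f]+$/ && length($2) == 40 { print toupper($2) }' | sort -u
}

# Read hashes on stdin and delete each certificate by hash.
# DRY_RUN (hypothetical variable) defaults to 1: print instead of deleting.
# Deleting needs root, which a Casper policy script already has.
delete_expired() {
  while IFS= read -r h; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "would delete $h"
    else
      security delete-certificate -Z "$h"
    fi
  done
}

# Demo on the constructed sample. On a Mac, replace sample_output with:
#   security find-identity
sample_output | expired_hashes | delete_expired
```

Run it once with the default dry run to review the hashes, then set DRY_RUN=0 to delete.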
