Casper Configuration Profiles Auto Renewal

If you are using AD certificates inside a configuration profile, here is the easiest way to make them renew automatically:

sudo defaults write /Library/Preferences/ AutoRenewCertificatesEnabled -bool YES

I have set up an extension attribute to check whether the Macs need this remediation:

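#!/bin/bash
# Read the current AutoRenewCertificatesEnabled value and report it as the extension attribute result
status=$(sudo defaults read /Library/Preferences/ AutoRenewCertificatesEnabled)
echo "<result>$status</result>"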


Any Macs without the result 1 will get remediated 🙂

Here is the link from Apple, it works for Sierra and up.


By default, auto renewal happens 14 days before the certificate expires.

Links to read:


To find expired certificates:

expired=$(security find-identity | grep EXPIRED | awk '{print $2}')
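
An added example (not part of the original post) that builds on the one-liner above: it parses `security find-identity` output, de-duplicates the hashes of identities flagged as expired, and reports the count in the `<result>` format used by the extension attribute earlier. The function names and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

# Read `security find-identity` output on stdin and print the SHA-1 hash of
# every identity flagged as expired, one per line, without duplicates.
expired_identity_hashes() {
    awk '
        # Identity lines: N) <40 hex chars> "name" (CSSMERR_TP_CERT_EXPIRED)
        /EXPIRED/ && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ {
            h = toupper($2)
            if (!(h in seen)) { seen[h] = 1; print h }
        }
    '
}

# Report the number of expired identities in extension attribute format.
expired_identity_result() {
    local count
    count=$(expired_identity_hashes | wc -l | tr -d ' ')
    echo "<result>${count}</result>"
}

# Constructed sample output; the hashes and host name are made up.
SAMPLE_OUTPUT='Policy: X.509 Basic
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "mac01.example.test" (CSSMERR_TP_CERT_EXPIRED)
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "mac01.example.test"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "mac01.example.test" (CSSMERR_TP_CERT_EXPIRED)
  4) 0123456789ABCDEF0123456789ABCDEF01234567 "mac01.example.test" (CSSMERR_TP_CERT_EXPIRED)
     4 identities found

  Valid identities only
  1) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "mac01.example.test"
     1 valid identities found'

# On a Mac: security find-identity | expired_identity_result
printf '%s\n' "$SAMPLE_OUTPUT" | expired_identity_result
```

Listing the hashes first gives you something to review before any of them is passed to a delete command.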


To delete a certificate:

security find-certificate -c "certificatename" -a -Z | \
sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
