When you enroll a Mac with Jamf Pro, the first profile the Mac receives is named MDM Profile.
It is valid for two years.
After two years, the MDM profile is supposed to renew automatically, but sometimes this renewal process is either not triggered or is triggered and does not succeed.
On Jamf Pro, there are a couple of ways you can manually trigger the MDM renewal to occur. The first is a manual process which uses the Jamf Pro admin console. The second uses both of Jamf Pro’s APIs and can be automated via a Jamf Pro policy. For more details, please see below the jump.
Manually triggering MDM profile renewal using the Jamf Pro admin console
To manually trigger MDM profile renewal using the admin console, please use the procedure shown below.
1. Run a search for the computers you want to renew the MDM profile on.
2. Once you have the desired list, click the Action button.
3. Select Send Remote Commands and click the Next button.
4. Select Renew MDM profile and click the Next button.
5. Once the MDM command has been sent, click the Done button.
Manually triggering MDM profile renewal using Jamf Pro’s APIs
You can also use Jamf Pro’s APIs to script an MDM profile renewal at whatever interval is desired. My approach is the following:
1. Write a script designed to run via a Jamf Pro policy on individual Macs to perform the following tasks:
- Get the Jamf Pro UDID number of the Mac the script is running on.
- Use the UDID to send a “Renew MDM profile” MDM command via the API.
Note: This approach uses both the Jamf Pro Classic API and the Jamf Pro API: the call that retrieves the Mac’s Jamf Pro UDID uses the Classic API, while the call that sends the MDM profile renewal command uses the Jamf Pro API.
For those who haven’t used the Jamf Pro APIs before, the script will need to be given the username and password of a Jamf Pro account. This is a security risk, so my recommendation is to carefully evaluate whether the risk is worth it for your environment. If it’s not, don’t use this approach.
One way to mitigate this risk is to set up a dedicated account with the least privileges necessary. This method does not eliminate the risk, but it may reduce it to one acceptable in your environment. In my testing, the least privileges are the following:
In Jamf Pro Server Objects:
- Computers: Read
In Jamf Pro Server Actions:
- Send Command to Renew MDM Profile
2. Create a smart group with the following criteria:
- Name: MDM Certificate Expiration in Five Days or Less
- Criteria: MDM Profile Expiration Date
- Operator: in less than X days
- Value: 5
Note: You may choose different criteria, but in this example I want to run the script on Macs whose MDM profile expiration date is five days or fewer away.
3. Set up a Jamf Pro computer policy with the following components:
- Script: The script to trigger MDM profile renewal
- Trigger: Recurring Check-In
- Execution Frequency: Once every day
- Scoped to: the MDM Certificate Expiration in Five Days or Less smart group.
Note: Execution Frequency can be set as desired for a longer interval, like Once every week or Once every month.
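The script below is an added example of the policy script described in step 1; it is not the author’s script and not code from Jamf. It assumes the following endpoints, which are my assumptions rather than anything stated on this page: the Jamf Pro API `POST /api/v1/auth/token` (Basic auth in, bearer token out), the Classic API `GET /JSSResource/computers/udid/<udid>/subset/general` to confirm the computer record exists, the Jamf Pro API `POST /api/v1/mdm/renew-profile` with a JSON body of `{"udids":["<udid>"]}`, and `POST /api/v1/auth/invalidate-token` to discard the token afterwards. The server URL and credentials are read from policy parameters 4 to 6; the default URL is a placeholder.

```shell
#!/bin/bash

# Added example (not the author's script): renew this Mac's MDM profile through
# the Jamf Pro APIs from a Jamf Pro policy. Assumed endpoints (see lead-in):
#   POST /api/v1/auth/token                                 bearer token (Jamf Pro API)
#   GET  /JSSResource/computers/udid/<udid>/subset/general  computer record (Classic API)
#   POST /api/v1/mdm/renew-profile  body {"udids":["<udid>"]} (Jamf Pro API)
#   POST /api/v1/auth/invalidate-token                      discard the token
# The account used needs only Computers: Read and Send Command to Renew MDM Profile.

# Jamf Pro policies pass script parameters as $4, $5, $6; defaults are placeholders.
jamfpro_url="${4:-https://jamf.example.invalid}"
jamfpro_user="${5:-}"
jamfpro_password="${6:-}"

# Hardware UDID of the Mac this runs on; Jamf Pro keys the computer record on the same value.
get_udid() {
    /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ {print $4}'
}

# Pull the "token" value out of the JSON returned by /api/v1/auth/token.
# Prints nothing when the body carries no token (for example an error response).
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# JSON body for /api/v1/mdm/renew-profile.
build_renew_body() {
    printf '{"udids":["%s"]}' "$1"
}

# Exchange the account credentials for a short-lived bearer token.
get_token() {
    local response
    response=$(/usr/bin/curl -s -u "${jamfpro_user}:${jamfpro_password}" \
        -H 'Accept: application/json' -X POST "${jamfpro_url}/api/v1/auth/token")
    extract_token "$response"
}

# Confirm Jamf Pro has a record for this UDID (Classic API; needs Computers: Read).
computer_record_exists() {
    local code
    code=$(/usr/bin/curl -s -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $1" -H 'Accept: application/xml' \
        "${jamfpro_url}/JSSResource/computers/udid/$2/subset/general")
    [ "$code" = "200" ]
}

# Queue the Renew MDM Profile command (Jamf Pro API; needs Send Command to Renew MDM Profile).
# Accepts 200 or 202, since the command is queued rather than executed immediately.
renew_mdm_profile() {
    local code
    code=$(/usr/bin/curl -s -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $1" -H 'Content-Type: application/json' \
        -X POST -d "$(build_renew_body "$2")" "${jamfpro_url}/api/v1/mdm/renew-profile")
    [ "$code" = "202" ] || [ "$code" = "200" ]
}

# Invalidate the token so a copy that ends up in a policy log cannot be reused.
invalidate_token() {
    /usr/bin/curl -s -o /dev/null -X POST -H "Authorization: Bearer $1" \
        "${jamfpro_url}/api/v1/auth/invalidate-token"
}

main() {
    local udid token
    udid=$(get_udid)
    [ -n "$udid" ] || { echo "Could not read the hardware UDID"; exit 1; }
    token=$(get_token)
    [ -n "$token" ] || { echo "Authentication to $jamfpro_url failed"; exit 1; }
    if ! computer_record_exists "$token" "$udid"; then
        echo "No Jamf Pro computer record found for UDID $udid"
        invalidate_token "$token"
        exit 1
    fi
    if renew_mdm_profile "$token" "$udid"; then
        echo "Renew MDM Profile command sent for UDID $udid"
    else
        echo "Renew MDM Profile command was rejected for UDID $udid"
    fi
    invalidate_token "$token"
}

# Only contact Jamf Pro when credentials were supplied, so the helper functions
# can be sourced and checked without network access.
if [ -n "$jamfpro_user" ] && [ -n "$jamfpro_password" ]; then
    main
fi
```

The token is requested once, used for both API families (the Classic API accepts the same bearer token on current Jamf Pro releases), and invalidated on every exit path so that nothing long-lived is left behind on the Mac; the Basic-auth credentials themselves still sit in the policy parameters, which is the risk the note above describes.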
The script is available from the following address on GitHub:
Using either method (admin console triggered renewal or API triggered renewal), the expected behavior is that the MDM profile for Jamf Pro is renewed and shows an install date of when the MDM renewal was triggered.