If your organization has over 500 Mac computers enrolled, contact Jamf Support before renewing the built-in certificate authority.
Jamf recommends renewing the built-in CA before its expiration date. If the built-in CA is allowed to expire, some critical workflows will no longer function. For example, computers or mobile devices enrolled after the CA has expired cannot be managed.
Jamf Pro displays a notification 360 days before the built-in CA is scheduled to expire. If the 360-day default setting for the expiration notification does not meet your needs, contact Jamf Support.
(On-premise environments only) Jamf recommends using a publicly trusted SSL/TLS certificate for Tomcat. If you are using a Tomcat SSL/TLS certificate issued from Jamf Pro's built-in certificate authority (CA), you must transition to a trusted certificate before renewing Jamf Pro's built-in CA, or you will lose MDM communication with enrolled iOS devices.
If you want to move from an SSL/TLS certificate issued from Jamf Pro's built-in CA to an SSL/TLS certificate issued from a third-party CA, see the Enabling SSL on Tomcat with a Public Certificate article.
If it is not possible for you to leverage a third-party external Tomcat SSL/TLS certificate in your environment, contact Jamf Support for assistance.
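The following pre-renewal check is an added example, not Jamf tooling. It assumes you hold PEM copies of the built-in CA certificate and of the certificate Tomcat serves; the function names, file names and certificate subjects are hypothetical, and the issuer test compares names rather than verifying a signature.

```bash
#!/usr/bin/env bash
# Added example; all file names and certificate subjects are constructed.

# 0 if <leaf.pem> names <ca.pem> as its issuer (name-hash match, not a
# signature check; enough to spot a Tomcat cert from the built-in CA).
issued_by() {  # usage: issued_by <ca.pem> <leaf.pem>
  [ "$(openssl x509 -in "$2" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$1" -noout -subject_hash)" ]
}

# 0 if <cert.pem> expires within <days> days.
expires_within() {  # usage: expires_within <cert.pem> <days>
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Prints one verdict for the renewal procedure described above.
preflight() {  # usage: preflight <builtin-ca.pem> <tomcat-cert.pem>
  if issued_by "$1" "$2"; then
    echo "BLOCK: Tomcat certificate is issued by the built-in CA"
  elif expires_within "$1" 360; then
    echo "RENEW: built-in CA is inside the 360-day window"
  else
    echo "OK: no action needed yet"
  fi
}

# Builds constructed sample certificates in directory $1 for a dry run.
make_constructed_certs() {
  ( cd "$1" && {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Constructed Built-in CA" -days 100
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=jamf.example.test"
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
      -CAcreateserial -out leaf.pem -days 30
    openssl req -x509 -newkey rsa:2048 -nodes -keyout pub.key -out pub.pem \
      -subj "/CN=Constructed Public CA" -days 3650
  } ) >/dev/null 2>&1
}
```

A `BLOCK` verdict corresponds to the case above where the Tomcat certificate must be replaced with a trusted one before the built-in CA is renewed.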
Requirements: Jamf Pro 10.23.0 or later
After the built-in CA is renewed, its expiration date is extended by 10 years. All signing certificates issued by the built-in CA are automatically renewed.
If the built-in CA fails to renew, do not trigger the process again. If the expiration date is not extended or you notice issues with the renewed CA (e.g., Jamf Pro cannot communicate with managed computers or mobile devices), contact Jamf Support.