This article explains how to create a signing certificate using Jamf Pro's built-in certificate authority (CA), which you can then use to sign custom configuration profiles and packages that are automatically trusted when installed on managed devices. Trust is automatically established as the root CA certificate is included within the Jamf Pro MDM profile.
Creating a signing certificate generated by the Jamf Pro built-in CA provides the following benefits:
Marks custom configuration profiles as trusted and "Verified" when end users view the profile
Allows uploading custom configuration profiles as read-only within Jamf Pro if needed
Allows custom packages to be signed with a certificate that is trusted by managed computers. This allows packages to meet trust requirements when installed by an MDM command, such as a PreStage enrollment package. For more information, see Computer PreStage Enrollments in the Jamf Pro Documentation.
When the signing certificate nears its expiration date, Jamf recommends creating a new one since the signing certificate issued by Jamf Pro's built-in CA cannot be renewed. Configuration profiles that are signed by an expired signing certificate will continue to function without interruption. PreStage Enrollment Packages that are signed by an expired signing certificate must have the PKG file signed by a new certificate for macOS to trust it during InstallEnterpriseApplication installation.
Packages deployed via a Jamf Pro policy do not need to be signed.