The Kandji Team

Profile Code Signing Certificate Renewal

AUTHOR: The Kandji Team

As of today, Kandji has switched the certificate used to sign MDM configuration profiles deployed to your devices. No action is needed from customers.

We have moved from our previous DigiCert Code-Signing certificate

CN = Kandji, Inc. 
Issuer = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 
Serial = 0C C7 82 FE B6 BB 31 C5 B0 74 AF D5 DD BB 1D 8D   
Fingerprint (SHA-256) = 6F FB D2 02 24 94 DE 3D FD 66 4C 42 5C 85 97 37 5A DC DF 97 40 2E 5A 89 F7 A2 E7 68 0A 7B 2B 7D

To a new Apple issued Code-Signing certificate

CN = Developer ID Application: Kandji, Inc. (QFJA6MU275)
Issuer = Developer ID Certification Authority G2
Serial = 4B 65 D6 55 84 2A 2D FA 70 3F E7 69 04 49 50 13
Fingerprint (SHA-256) = 2B 70 A0 29 98 46 CE B6 8E 5A 2B 7F 9F AD 3A 66 5A 11 74 89 B7 83 3F F7 98 F8 65 97 F1 44 B6 42

Kandji does not automatically resign and redistribute profiles already installed on devices. If you see a "Not Verified" message in system settings for a profile, it's just a UI element. This doesn't impact the profile's effectiveness. This aspect dates back to when configuration profiles were manually installed, requiring integrity verification.

If you or your users would prefer to update the installed MDM profile to use the new code-signing certificate you can leverage the existing API endpoint to do so.