When you enroll the ConfigMgr Mac agent, you may encounter the "Certificate has untrusted root" issue. In this post, I will cover the steps to fix the "Certificate has untrusted root" issue on a Mac.
Troubleshooting the ConfigMgr Mac client agent enrollment is not as simple as you might think. On Windows, you have the SCCM log files and troubleshooting is fairly simple.
In my previous post I covered the steps to install the SCCM client agent on macOS Big Sur. During the ConfigMgr agent enrollment on the Mac, I encountered the "Certificate has untrusted root" issue. Let me show a screenshot so that it becomes familiar.
In the screenshot below, you can see that on the Mac the ConfigMgr client agent shows the enrollment status as Enrolled; however, we also see the "Certificate has untrusted root" issue. Clicking Connect Now shows the same line again.
How to fix Certificate has Untrusted Root
You see the "Certificate has Untrusted Root" issue because the root certificate is not trusted by your Mac. The other solution to this issue is to use a certificate on the MP (management point) that has both the Subject Name defined (as Type – Common name) and the Alternative Name (as Type – DNS).
On the Mac, click Launchpad > Keychain Access > System. Here you will find all the installed certificates. There is one certificate that is not trusted and that’s the root certificate. Select the root certificate and click Certificates.
Under the Trust section of the root certificate, click the drop-down next to When using this certificate and select Always Trust. When you do that, all the other options are also set to Always Trust. This is the important step: you change the trust settings and tell the Mac to trust the root certificate.
After you make the above changes, the certificate now appears to be fine.
Now launch the Configuration Manager icon from System Preferences. Click Connect Now, and you should no longer see the certificate untrusted root issue. I would also recommend restarting your Mac once.
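The same trust change can be made from Terminal. The script below is an added example, not part of the original post: it marks the root certificate as trusted in the System keychain only if its SHA-256 fingerprint matches the value you expect. The file name rootCA.cer, the function names, and the idea that you obtained the expected fingerprint from your CA administrator are assumptions.

```sh
#!/bin/sh
# Added example: pin the root CA by fingerprint before trusting it system-wide.
# Usage (file name and fingerprint are placeholders):
#   ./trust-root.sh rootCA.cer <expected-sha256-fingerprint>
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Normalise a fingerprint: keep the part after "=", drop colons/spaces, lowercase.
normalize_fp() {
    printf '%s' "${1##*=}" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a certificate file (tries PEM first, then DER).
cert_fp() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    out=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256) ||
    return 1
    normalize_fp "$out"
}

# Succeeds only if both values are the same 64-character digest.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Trust the root in the System keychain, then ask macOS to evaluate it.
trust_root() {
    cert=$1
    expected=$2
    actual=$(cert_fp "$cert") || { echo "cannot read $cert" >&2; return 2; }
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch, not trusting $cert" >&2
        return 1
    fi
    # -d: admin (system-wide) trust settings; -r trustRoot: treat as a root CA.
    sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$cert" &&
    security verify-cert -c "$cert"
}

# Run only when called with a certificate file and an expected fingerprint.
if [ "$#" -eq 2 ]; then
    trust_root "$1" "$2"
fi
```

Take the expected fingerprint from a source other than the certificate file itself, otherwise the comparison proves nothing.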