macOS device not checking in to Hexnode: Scan Device fails with Root CA "Not found in keychain"
Solved

Participant
Discussion
5 months ago (Jan 26, 2026)

Hi everyone. A few of the macOS devices in our Hexnode portal have suddenly stopped checking in properly. The weird part is that the device-side sync says it completed successfully, and agent-based actions like running a custom script or scanning installed apps still work fine. However, the Scan Device remote action fails completely, and the portal keeps showing the device as non-compliant because the last check-in time isn’t updating.

I checked the affected Mac, and the MDM profile certificate shows an error similar to “Not found in keychain” under the Profiles section. Has anyone seen this before? I am trying to understand why the Root CA trust would just break like this, and I really need to know how to bring the device back online without having to fully wipe and re-enroll it.

Replies (1)

Marked Solution (Pending Review)
Hexnode Expert
5 months ago (Jan 26, 2026)

Hello,

Thanks for reaching out to Hexnode Connect.

This specific behavior usually indicates that while the Hexnode agent application is still functional (which is why scripts still work), the core macOS MDM communication channel has lost its trust relationship with the installed management profile.

Here is a breakdown of how to verify, fix, and monitor this issue:

1. The Check-Up

To quickly confirm this loss of trust, check the MDM profile directly on the Mac:

  • Open System Settings (or System Preferences on older versions).
  • Navigate to Profiles (or Privacy & Security > Profiles).
  • Select the Hexnode MDM enrollment profile.
  • Check the Root CA certificate. If it explicitly displays an error such as “Not found in keychain”, the trust chain is indeed broken.

2. Command Suggestion (The Fix)

You do not need to fully wipe and re-enroll the Mac. You can force the device to fetch a fresh trust certificate by refreshing the Automated Device Enrollment profile via Terminal.

  • Open the Terminal application on the affected Mac and run the following command:

    sudo profiles renew -type enrollment

  • Crucial Step: After running the command, macOS will push a banner notification to the top-right corner of the screen prompting you to download or install the updated MDM profile. You must click this notification and complete the profile installation. The command only initiates the process; the installation prompt must be manually approved. Once installed, the MDM trust chain is restored, and the device will begin checking in again.

3. Other Conditions (Why does this happen?)

Hexnode does not actively remove the Root CA certificate. The “Not found in keychain” error is caused by the local macOS profile or keychain state becoming corrupted or misaligned. Common triggers include:

  • Time Machine Restores: Restoring a backup onto a Mac that was previously enrolled through Apple Business Manager often breaks the MDM certificate trust chain.
  • Network Interruptions: Brief drops in connectivity during a profile or SCEP synchronization.
  • Local OS Changes: Background macOS updates, local admin modifications to the keychain, or keychain permission changes can inadvertently sever the trust relationship.

4. Recurring Cases & Monitoring

If you see this happening repeatedly to the same devices, it is highly recommended to check the macOS system logs around the exact time the device stopped checking in (specifically looking for profile, SCEP, certificate, or keychain-related events). This will help you pinpoint if a specific local admin action or background OS update is the root cause.

As a practical monitoring approach, continue utilizing the Hexnode portal’s last check-in time and non-compliance reports to catch these affected devices early. Once identified, running the sudo profiles renew -type enrollment command is the cleanest recovery method.

I hope this helps. If you find any more issues or need further assistance, feel free to reach out.

Best regards,
George,
Hexnode UEM
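As an added example (not part of the thread or of Hexnode's tooling), the log check from step 4 can be scripted: pull the unified log for the window around the lost check-in and keep only profile, SCEP, certificate and keychain related lines. The `log show` predicate, the keyword lists and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Hexnode thread. Triage helper for the
# "Root CA not found in keychain" symptom: narrows macOS unified-log output
# to MDM trust-chain events so the trigger (OS update, keychain change,
# restore) can be matched against the time the device stopped checking in.

# Keep only lines about the MDM trust chain: mdmclient/ManagedClient,
# profiles, SCEP, certificates, keychain. Reads stdin, writes stdout.
# The keyword list is an assumption chosen for this example.
mdm_trust_filter() {
    grep -iE 'mdmclient|ManagedClient|profile|SCEP|certificate|keychain'
}

# Count the filtered lines that look like failures, so a caller can decide
# whether the device needs `sudo profiles renew -type enrollment`.
mdm_trust_error_count() {
    mdm_trust_filter | grep -icE 'error|fail|not found|denied' || true
}

# Collect unified-log output for the window "$1".."$2" (local time,
# "YYYY-MM-DD HH:MM:SS"). Prints nothing when the macOS `log` tool is
# absent (e.g. on a non-macOS host), so the rest stays testable anywhere.
# Usage: collect_mdm_logs "2026-01-26 09:00:00" "2026-01-26 10:00:00"
collect_mdm_logs() {
    command -v log >/dev/null 2>&1 || return 0
    log show --style syslog --start "$1" --end "$2" \
        --predicate 'process == "mdmclient" OR subsystem CONTAINS "ManagedClient" OR eventMessage CONTAINS[c] "SCEP" OR eventMessage CONTAINS[c] "keychain"'
}

# Constructed sample lines (simplified syslog style, not real device output)
# showing what the filter keeps and what it counts as an error.
SAMPLE_LOG='2026-01-26 09:12:01 mdmclient[123]: Unable to verify MDM profile: Root CA not found in keychain
2026-01-26 09:12:02 WindowServer[80]: display reconfigured
2026-01-26 09:12:05 mdmclient[123]: SCEP enrollment request failed: server unreachable
2026-01-26 09:12:09 securityd[90]: keychain item lookup denied for the MDM enrollment identity
2026-01-26 09:12:10 mdmclient[123]: Checking in with MDM server'

# Report on a real window if given, otherwise on the constructed sample.
mdm_trust_report() {
    if [ $# -eq 2 ]; then
        collect_mdm_logs "$1" "$2"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi | mdm_trust_filter
}
```

Run as `sh triage.sh` for the sample or pipe `collect_mdm_logs start end | mdm_trust_error_count` on an affected Mac; a non-zero count around the last successful check-in points at the event to investigate.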