Hello,
Thanks for reaching out to Hexnode Connect.
This specific behavior usually indicates that while the Hexnode agent application is still functional (which is why scripts still work), the core macOS MDM communication channel has lost its trust relationship with the installed management profile.
Here is a breakdown of how to verify, fix, and monitor this issue:
1. The Check-Up
To quickly confirm this loss of trust, check the MDM profile directly on the Mac:
- Open System Settings (or System Preferences on older versions).
- Navigate to Profiles (or Privacy & Security > Profiles).
- Select the Hexnode MDM enrollment profile.
- Check the Root CA certificate. If it explicitly displays an error such as “Not found in keychain”, the trust chain is indeed broken.
2. Command Suggestion (The Fix)
You do not need to fully wipe and re-enroll the Mac. You can force the device to fetch a fresh trust certificate by refreshing the Automated Device Enrollment profile via Terminal.
- Open the Terminal application on the affected Mac and run the following command:
sudo profiles renew -type enrollment
Crucial Step: After running the command, macOS will push a banner notification to the top-right corner of the screen prompting you to download or install the updated MDM profile. You must click this notification and complete the profile installation. The command only initiates the process; the installation prompt must be manually approved. Once installed, the MDM trust chain is restored, and the device will begin checking in again.
3. Other Conditions (Why does this happen?)
Hexnode does not actively remove the Root CA certificate. The “Not found in keychain” error is caused by the local macOS profile or keychain state becoming corrupted or misaligned. Common triggers include:
- Time Machine Restores: Restoring a backup onto a Mac that was previously enrolled through Apple Business Manager often breaks the MDM certificate trust chain.
- Network Interruptions: Brief drops in connectivity during a profile or SCEP synchronization.
- Local OS Changes: Background macOS updates, local admin modifications to the keychain, or keychain permission changes can inadvertently sever the trust relationship.
4. Recurring Cases & Monitoring
If you see this happening repeatedly to the same devices, it is highly recommended to check the macOS system logs around the exact time the device stopped checking in (specifically looking for profile, SCEP, certificate, or keychain-related events). This will help you pinpoint if a specific local admin action or background OS update is the root cause.
As a practical monitoring approach, continue utilizing the Hexnode portal’s last check-in time and non-compliance reports to catch these affected devices early. Once identified, running the sudo profiles renew -type enrollment command is the cleanest recovery method.
I hope this helps. If you find any more issues or need further assistance, feel free to reach out.
Best regards,
George,
Hexnode UEM
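
The log review suggested in step 4, as an added example that is not part of the original reply and is not Hexnode tooling: it pulls the macOS unified log for a window around the last check-in time and counts events per keyword (profile, SCEP, certificate, keychain). The script name, the output file mdm_window.log and the sample lines are assumptions made for illustration; the sample lines are constructed, not real macOS output.

```shell
#!/bin/sh
# Added example, not Hexnode tooling. Keywords are the event types named in step 4.
KEYWORDS="profile SCEP certificate keychain"

# Build a unified-log predicate that matches any keyword, case-insensitively.
build_predicate() {
    pred=""
    for kw in $KEYWORDS; do
        if [ -n "$pred" ]; then pred="$pred OR "; fi
        pred="${pred}eventMessage CONTAINS[c] \"$kw\""
    done
    printf '%s\n' "$pred"
}

# On the Mac: print matching events between START and END ("YYYY-MM-DD HH:MM:SS").
collect_window() {
    log show --start "$1" --end "$2" --style compact --predicate "$(build_predicate)"
}

# Count matching lines per keyword in log text read from stdin.
tally_keywords() {
    input=$(cat)
    for kw in $KEYWORDS; do
        n=$(printf '%s\n' "$input" | grep -ic -- "$kw" || true)
        printf '%s=%s\n' "$kw" "$n"
    done
}

# Constructed sample lines (not real macOS output) for trying the tally offline.
sample_log() {
    cat <<'EOF'
2024-01-01 09:00:01 mdmclient: Installed profile check started
2024-01-01 09:00:02 mdmclient: SCEP request failed: network connection lost
2024-01-01 09:00:03 securityd: keychain item access denied for identity
2024-01-01 09:00:04 softwareupdated: background update staged
2024-01-01 09:00:05 mdmclient: certificate for enrollment profile not trusted
EOF
}

# Usage on the Mac (hypothetical file name): sh mdm_trust_window.sh "START" "END"
if [ "$#" -eq 2 ]; then
    collect_window "$1" "$2" > mdm_window.log   # keep the raw events for review
    tally_keywords < mdm_window.log
fi
```

Take START and END from a few minutes either side of the last check-in time shown in the Hexnode portal; comparing the saved events across affected devices shows whether the same local change precedes each loss of trust.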