Guidance on Setting up MDM when there is not a code signing certificate

Article ID: 422558


Products

IT Management Suite

Issue/Introduction

Administrators may ask whether macOS MDM (Modern Device Management) enrollment can proceed without a Code Signing Certificate when the certificate is not yet available due to vendor delivery or process delays. This article clarifies whether the Code Signing Certificate is a mandatory requirement for client enrollment and outlines what MDM functionality can be used while the certificate issue is being resolved.

Environment

ITMS 8.7.x, 8.8
MDM (Modern Device Management)

Cause

It’s possible to use MDM without signing the MDM profiles, as long as this approach aligns with the organization’s policies and requirements. In this setup, most functionality works as expected—the main difference is that the profiles will show a “Not Signed” label, like in the example below.

That said, Apple may limit or block certain payloads when they’re delivered through unsigned profiles. Even with those limitations, most payloads should still apply correctly, so this is a reasonable option to test and use in the meantime.

Resolution

What happens without a code signing certificate

You can proceed with MDM enrollment, but:

  • The MDM enrollment profile will be unsigned

  • macOS will clearly show “Unsigned” during profile installation

  • Users must manually approve and trust the profile

  • Some environments (especially stricter security baselines) may block or discourage installation

  • This setup is not suitable for automated enrollment in real-world deployments

This is expected and documented behavior (see KB "MDM profile shows "unsigned" label").


What still works without code signing

  • Manual enrollment testing
  • Basic device enrollment into ITMS
  • Initial connectivity and workflow validation
  • Early lab / proof-of-concept testing

This can be useful to:

  • Validate network paths (SMP ↔ MDM ↔ APNS)

  • Confirm Linux MDM server functionality

  • Verify enrollment policies and targeting

  • Test profile delivery mechanics


What does not work or is not recommended

  • Clean, trusted enrollment experience
  • Production rollout
  • Security-sensitive environments
  • Avoiding user trust warnings

macOS treats unsigned profiles as a trust risk, and many customers will (correctly) refuse to proceed once they see the warning.


Best-practice guidance 

  • You can continue with enrollment for testing purposes only

  • A code signing certificate is required before moving to:

    • Production enrollment

    • Broad user rollout

  • Final validation and go-live should wait until the signing certificate is in place

Summary

Yes, MDM enrollment can proceed without a code signing certificate, but only with limitations.

When a code signing certificate is not configured, macOS MDM enrollment profiles generated by ITMS will be unsigned. These profiles can still be installed manually, allowing devices to enroll and basic MDM functionality to work. This approach can be useful for initial setup validation, lab testing, or proof-of-concept scenarios.

However, unsigned profiles will display a clear warning in macOS, requiring manual user approval. In addition, Apple may restrict or ignore certain MDM payloads when they are delivered through unsigned profiles. Because of this, proceeding without a code signing certificate is not recommended for production use or large-scale deployments.

For a trusted enrollment experience and full MDM capability, a valid MDM code signing certificate is required before moving forward with production macOS enrollments.
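The check below is an added example, not part of this article or of ITMS: a small preflight that tells an administrator whether a generated .mobileconfig is the plain XML plist macOS labels "Not Signed" or a CMS-wrapped signed profile, so an unsigned enrollment profile is caught before it reaches a production rollout. The sample profile and the com.example identifiers are constructed for the example.

```python
"""Preflight check for a macOS .mobileconfig before distribution.

An unsigned profile is a plain XML property list; a signed one is wrapped
in a DER-encoded CMS (PKCS#7) SignedData envelope, whose first byte is the
ASN.1 SEQUENCE tag 0x30.  macOS shows the plain-XML form as "Not Signed".
"""
import plistlib
import sys

MDM_PAYLOAD = "com.apple.mdm"  # PayloadType of the MDM enrollment payload


def inspect_profile(data: bytes) -> dict:
    """Classify a profile's signing state and, when readable, list its payloads."""
    if data[:1] == b"\x30":
        # CMS envelope: the plist sits inside the signed content.  Checking the
        # signature chain needs platform tooling (e.g. `security cms -D -i FILE`
        # on macOS); this check only reports that the profile is signed.
        return {"signed": True, "identifier": None, "payload_types": []}
    try:
        plist = plistlib.loads(data)
    except Exception as exc:
        raise ValueError("neither a plain plist nor a CMS envelope") from exc
    types = [p.get("PayloadType", "?") for p in plist.get("PayloadContent", [])]
    return {"signed": False, "identifier": plist.get("PayloadIdentifier"),
            "payload_types": types}


def production_ready(data: bytes) -> bool:
    """True only for a signed profile; an unsigned enrollment profile stays in
    the lab, since it prompts the user and may have payloads dropped."""
    return inspect_profile(data)["signed"]


# Constructed sample (an assumption for this example): a minimal unsigned
# enrollment-style profile with placeholder identifiers.
UNSIGNED_SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.mdm.enroll",
    "PayloadContent": [{"PayloadType": MDM_PAYLOAD,
                        "PayloadIdentifier": "com.example.mdm"}],
})

if __name__ == "__main__":
    # Usage: python preflight.py enrollment.mobileconfig  (defaults to the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else UNSIGNED_SAMPLE
    print(inspect_profile(data))
    sys.exit(0 if production_ready(data) else 1)
```

A non-zero exit on an unsigned profile makes the check usable as a gate in whatever packaging or distribution step hands the profile to users.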

Additional Information

Modern Device Management