The device identity certificates (apple profile, apple mdm , ios agent) that are pushed from the Xenmobile is valid from the date of enrollment for 2 years . The certificate should renew automatically. 

However these three certificates are not renewed and hence the device becomes unamanaged and all profiles are removed from the device 

The issue occurs mainly on Xenmobile 9.0 or for the versions that were upgraded from Xenmobile 9.0 to later versiosn 

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

 

1. On your browser type https://<xenmobile-url>/zdm/helper.jsp
2. under info select Read props and verify the following 

ios.mdm.identity.renewal.days		30	30
ios.mdm.identity.renewal.enable		true	true
ios.mdm.identity.renewal.use-system-policy		true	true

•  secure.device.renew.certificate.before                  2592000 

​
If property secure.device.renew.certificate.before is set to 30 change it to 2592000 (2592000 sec = 30 days ). You can quickly take back of your database and run either of the following queries depending upon the database that you are using . 

SQL Server
UPDATE EWPROPERTY SET VALUE = '2592000' WHERE NAME = 'secure.device.renew.certificate.before' AND VALUE = '30';

MySQL
UPDATE `EWPROPERTY` SET VALUE='2592000' WHERE `NAME`='secure.device.renew.certificate.before' AND `VALUE`='30';

Note: please ensure you take a backup before making any changes. 
 

---

Problem Cause

In Xenmobile the renewal of certificates value was in days and the default value was set to 30  - so that the certificate can renew 30 days prior to expiry of the certificate .

However the same property is using seconds as parameter in later schema Xenmobile 10+ . hence for all migrated instance the value is 30 seconds which is too low and hence the certificates are not renewed 

XMS 10.4 server after the migration from XM9 the device certificates are not getting renewed automatically