Add docs for 38002 - FLEET_MDM_CERTIFICATE_PROFILES_LIMIT #38028

Merged
rachaelshaw merged 4 commits into docs-v4.83.0 from JM-38002-docs on Feb 12, 2026

@JordanMontgomery
Member

Related issue: Docs example for #38002

Should not be merged yet as this is not targeted for a specific release branch

@JordanMontgomery JordanMontgomery changed the title Add docs for 38002 Add docs for 38002 - FLEET_MDM_RECONCILER_CA_LIMIT Jan 8, 2026
@marko-lisica marko-lisica marked this pull request as ready for review January 20, 2026 15:17
@marko-lisica marko-lisica marked this pull request as draft January 20, 2026 15:17
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Updated environment variable name for certificate profiles limit in documentation.
@JordanMontgomery JordanMontgomery changed the title Add docs for 38002 - FLEET_MDM_RECONCILER_CA_LIMIT Add docs for 38002 - FLEET_MDM_CERTIFICATE_PROFILES_LIMIT Jan 21, 2026
@JordanMontgomery JordanMontgomery changed the base branch from main to docs-v4.83.0 January 21, 2026 16:39

The profile reconciler runs approximately every 30 seconds. The best practice is to set this at a level that is half or less the number that can be handled by your certificate authority in one minute. If a profile for instance is uploaded that references a SCEP server which can handle 100 transactions per minute, best practice would be to set this to 50 or less. Lower values will mean that a profile potentially takes longer to be sent to all hosts targeted by it, with a tradeoff that it will result in lower Certificate Authority load.

For a team with 10,000 hosts targeted by a newly-uploaded profile containing Certificate Authority variables, a setting of 100 would mean that it would take 100 runs of the profile reconciler, or, at least 50 minutes, for all 10,000 certificate profiles to be sent.
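Review bot: In the first paragraph, "half or less the number that can be handled by your certificate authority in one minute" leaves no headroom. With the reconciler running approximately every 30 seconds, the example value of 50 against a SCEP server that handles 100 transactions per minute already works out to about 100 requests per minute, before any retries or other clients of the same CA. Consider stating that explicitly or recommending a lower fraction. The visible text also refers to the setting only as "this" and never states its unit (certificate profiles sent per reconciler run), which the 10,000-host calculation in the second paragraph depends on; naming the variable and the unit in the first sentence would make both paragraphs easier to follow. Minor: "certificate authority" and "Certificate Authority" are capitalized inconsistently.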
Member Author

@noahtalerman @marko-lisica Rate limits for various CAs:
DigiCert: https://dev.digicert.com/en/certcentral-apis/services-api/rate-limits.html DigiCert One doesn't have any documentation around rate limits that I can find, but CertCentral says 100/5 seconds, 1000/3 minutes. We should stay below these limits with the default of 100.
Smallstep: Could not find
Hydrant (not supported in macOS profiles yet): Nothing publicly available
NDES: No fixed limit, based on your config
SCEP: Too many SCEP servers out there to really give an answer, depends on customer config

Given the above, do we need to document them since we're having trouble finding published numbers to link to?

Member

@noahtalerman noahtalerman Jan 23, 2026

Welp...thanks for checking!

> Given the above do we need to document them since we're having trouble finding published numbers to link to?

Jordan, up to you. I think it makes sense to not document since we don't have the numbers.

Member Author

Yeah, I think if we stick with our current default and refer admins to their CAs for additional guidance we should be good. The CA vendors may have more guidance only available to paying subscribers or via support channels as well.

@JordanMontgomery JordanMontgomery marked this pull request as ready for review February 10, 2026 18:16
@noahtalerman noahtalerman removed their request for review February 11, 2026 14:29
@rachaelshaw rachaelshaw merged commit 620e2ce into docs-v4.83.0 Feb 12, 2026
6 checks passed
@rachaelshaw rachaelshaw deleted the JM-38002-docs branch February 12, 2026 23:47