802.1x certificate trust and configuration + MAC address randomization.

Question

Ok, to start I'm brand new to JAMF and Mac management in general, so please bear with me.
This post is kind of two-fold. I'm trying to figure out expected behavior and possibly some guidance on whether or not what we have in place is the best way to do this kind of thing.

Basically, we have Network configurations that set up our Wired and Wifi Network connections and configure for 802.1x authentication.

We have some expired certs to servers that no longer exist that I've been asked to remove, and I also have been asked to "fix" the connection to handle the MAC address randomization that is turned on by default for MacOS Sequoia.

The profiles (wired and wifi) both have a certificate chain, a network connection and a SCEP cert that is used for user auth.

In order to test, I've made a copy of the existing profile, and moved a few devices over to it.

As soon as the test profile hits, the devices are disconnected from the network, because it appears it removes the existing network connection and re-adds it as part of the new profile. Is this expected?

Next, If I then remove the expired certs from that profile (after the profile has been applied to the devices with the full cert chain before removing) the certs do not get removed from the profile shown on the device.

So it would seem...that the network payload is destructive, which I wouldn't want, and the certificate removal is NOT destructive...which in this case I WOULD want.

Is this correct??

I'd think it would make sense to have the certificate chain installed as its own profile, but it looks like the certs have to be a part of the network config because they have to be checked off as part of the Trust section of the Network payload.

The other question, is that I see JAMF has added the checkbox to turn off MAC address randomization for MacOS 15+ in the Network payload setting. But our security/network teams would like to keep it on and try to use the SCEP cert SAN to identify our devices. Has anyone done anything like that? I'm not sure how to set up the SAN, because it appears there can't be multiple.

garybidwell · Answer

Yes, that expected behaviour with updating Apple MDM profiles.
Any changes made to existing profiles do not get updated, they get completely pulled and replaced with a completely fresh new profile in its place.
As APNs is so quick deploying and swapping over (Unless you have to work with Microsoft Intune) its a non-issue with 99% of profiles until you have to deal with WiFi profiles, then it becomes a complete pain with 802.1x as you no longer have access to the main network to receive its replacement (a catch-22 situation).

Not a problem on iPhone's to get around the issue where is has GSM/3G/4G to failover, but on Wifi only iPads and macOS services is a major problem unless you have a intermediary network you can push out to all devices in advance to failover to when your main network profile gets pulled (i.e a deployment network or open public wifi)

With address randomization there a few gotcha's with that as well, so you probably want to read this article from Joel Bruner on it:
https://www.brunerd.com/blog/2024/09/27/getting-ahead-of-private-wi-fi-address-changes-in-macos-sequoia/

Thanks very much, I'm going to have to play around with this stuff quite a bit, just trying to get a feel for things. I think the script to set it prior to upgrade might be a good solution.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded