OK, to start, I'm brand new to JAMF and Mac management in general, so please bear with me.
This post is kind of two-fold. I'm trying to figure out expected behavior and possibly some guidance on whether or not what we have in place is the best way to do this kind of thing.
Basically, we have network configurations that set up our wired and Wi-Fi network connections and configure them for 802.1X authentication.
We have some expired certs for servers that no longer exist that I've been asked to remove, and I've also been asked to "fix" the connection to handle the MAC address randomization that is turned on by default in macOS Sequoia.
The profiles (wired and Wi-Fi) both have a certificate chain, a network connection, and a SCEP cert that is used for user auth.
In order to test, I've made a copy of the existing profile, and moved a few devices over to it.
As soon as the test profile hits, the devices are disconnected from the network, because it appears it removes the existing network connection and re-adds it as part of the new profile. Is this expected?
Next, if I then remove the expired certs from that profile (after the profile has been applied to the devices with the full cert chain, before removing them), the certs do not get removed from the profile shown on the device.
So it would seem that the network payload is destructive, which I wouldn't want, and the certificate removal is NOT destructive, which in this case I WOULD want.
Is this correct?
I'd think it would make sense to have the certificate chain installed as its own profile, but it looks like the certs have to be a part of the network config because they have to be checked off as part of the Trust section of the Network payload.
The other question is that I see JAMF has added a checkbox to turn off MAC address randomization for macOS 15+ in the Network payload settings. But our security/network teams would like to keep it on and try to use the SCEP cert SAN to identify our devices. Has anyone done anything like that? I'm not sure how to set up the SAN, because it appears there can't be multiple.
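An added example, not part of the original post and not Jamf's code: it builds a minimal 802.1X Wi-Fi profile as a .mobileconfig plist the way an MDM would, so you can see why the Trust section ties the certificate chain to the same profile. The Network payload names its trusted CAs by `PayloadCertificateAnchorUUID` and its identity by `PayloadCertificateUUID`, and those UUIDs must resolve to payloads in the same profile; the check below reports any reference left dangling after a cert payload is stripped. It also shows the SCEP `SubjectAltName` shape (one string per SAN type, which is why a second value of the same type does not fit) and where the per-network MAC randomization opt-out lives. Assumptions: payload types and keys (`com.apple.wifi.managed`, `com.apple.security.pkcs1`, `com.apple.security.scep`, `DisableAssociationMACRandomization`) are taken from Apple's Configuration Profile Reference as I know it, so confirm them against the current reference; the SSID, SCEP URL, RADIUS name, `$SERIALNUMBER` variable and certificate bytes are constructed placeholders.

```python
"""Build and sanity-check an 802.1X Wi-Fi configuration profile (added example)."""
import copy
import plistlib
import uuid

# SAN types the SCEP payload accepts; each holds a single string (assumption: per Apple's reference).
ALLOWED_SAN_KEYS = {"dNSName", "ntPrincipalName", "rfc822Name", "uniformResourceIdentifier"}
# Constructed placeholder bytes standing in for the DER-encoded CA certificates.
FAKE_ROOT_DER = b"PLACEHOLDER-ROOT-CA-DER"
FAKE_ISSUING_DER = b"PLACEHOLDER-ISSUING-CA-DER"


def base_payload(payload_type, display_name):
    """Keys every payload dictionary carries; PayloadUUID is what other payloads reference."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": f"example.{display_name.replace(' ', '-')}",
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": display_name}


def cert_payload(display_name, der):
    p = base_payload("com.apple.security.pkcs1", display_name)
    p["PayloadContent"] = der  # plistlib emits bytes as <data>
    return p


def scep_payload(url, subject_cn, san):
    p = base_payload("com.apple.security.scep", "SCEP identity")
    p["PayloadContent"] = {"URL": url, "Name": "Example CA", "Subject": [[["CN", subject_cn]]],
                           "Key Type": "RSA", "Keysize": 2048, "Key Usage": 5,  # sign + encipher
                           "SubjectAltName": san}
    return p


def wifi_payload(ssid, anchor_uuids, identity_uuid, trusted_names, keep_mac_randomization):
    p = base_payload("com.apple.wifi.managed", f"Wi-Fi {ssid}")
    p.update({"SSID_STR": ssid, "AutoJoin": True, "EncryptionType": "WPA2",
              "PayloadCertificateUUID": identity_uuid,  # client identity (the SCEP payload)
              "EAPClientConfiguration": {"AcceptEAPTypes": [13],  # 13 = EAP-TLS
                                         "PayloadCertificateAnchorUUID": list(anchor_uuids),
                                         "TLSTrustedServerNames": list(trusted_names)}})
    if not keep_mac_randomization:  # the "turn off randomization" checkbox, macOS 15+ (assumption)
        p["DisableAssociationMACRandomization"] = True
    return p


def build_profile(keep_mac_randomization=True):
    root = cert_payload("Example Root CA", FAKE_ROOT_DER)
    issuing = cert_payload("Example Issuing CA", FAKE_ISSUING_DER)
    scep = scep_payload("https://scep.example.test/scep", "$SERIALNUMBER",
                        {"dNSName": "$SERIALNUMBER.corp.example.test"})  # one value per SAN type
    wifi = wifi_payload("CorpWiFi", [root["PayloadUUID"], issuing["PayloadUUID"]],
                        scep["PayloadUUID"], ["radius.corp.example.test"], keep_mac_randomization)
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "example.corp-wifi-8021x", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Corp Wi-Fi 802.1X", "PayloadScope": "System",
            "PayloadContent": [root, issuing, scep, wifi]}


def payloads_of(profile, payload_type):
    return [p for p in profile["PayloadContent"] if p["PayloadType"] == payload_type]


def dangling_trust_references(profile):
    """UUIDs the network payload trusts or uses as identity that no payload in this profile provides."""
    present = {p["PayloadUUID"] for p in profile["PayloadContent"]}
    missing = []
    for net in payloads_of(profile, "com.apple.wifi.managed"):
        refs = list(net.get("EAPClientConfiguration", {}).get("PayloadCertificateAnchorUUID", []))
        if "PayloadCertificateUUID" in net:
            refs.append(net["PayloadCertificateUUID"])
        missing.extend(r for r in refs if r not in present)
    return missing


def san_problems(profile):
    """Flag SAN entries that are not one string per known type."""
    problems = []
    for scep in payloads_of(profile, "com.apple.security.scep"):
        for key, value in scep["PayloadContent"].get("SubjectAltName", {}).items():
            if key not in ALLOWED_SAN_KEYS:
                problems.append(f"unknown SAN type {key!r}")
            elif not isinstance(value, str):
                problems.append(f"{key} must be a single string, got {type(value).__name__}")
    return problems


def strip_payload(profile, display_name):
    """Copy of the profile with one payload removed; references to it are left behind on purpose."""
    out = copy.deepcopy(profile)
    out["PayloadContent"] = [p for p in out["PayloadContent"] if p["PayloadDisplayName"] != display_name]
    return out


def roundtrip(profile):
    """Serialize to .mobileconfig XML and parse it back, as an MDM or `profiles` would read it."""
    return plistlib.loads(plistlib.dumps(profile, fmt=plistlib.FMT_XML))


if __name__ == "__main__":
    prof = build_profile()
    print("dangling:", dangling_trust_references(strip_payload(prof, "Example Root CA")))
```

Run it and the stripped copy reports the root CA's UUID as dangling, which is the structural reason the cert chain is checked off inside the Network payload rather than shipped as a separate profile. Note that whether a device actually removes a cert when a payload disappears from an updated profile is MDM and OS behaviour this script does not model; it only checks the profile's internal consistency.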