Skip to main content
Question

Signed configuration profile

  • November 26, 2023
  • 3 replies
  • 172 views
Asifahmed
Forum|alt.badge.img+9

Hello All,

I can see one configuration profile is there in my JAMF Pro console which is read only and signed(It is doen by previous SME), and I can't read the payload of the configuration profile, if I click on Edit button it is asking me to remove the signature, please let me know if I click on "Remove Signature" and see the payload and modify as per my requirement and save it to rdeploy all computers with new changes made then it will create any issue?

    May I know how to sign such configuration profile from scratch level and what is the purpose to sign it?

    3 replies

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • November 26, 2023

    @Asifahmed Using a tool like the iMazing Profile Editor and signing the profile before uploading to Jamf Pro is a common practice to prevent Jamf Pro from modifying the profile contents when uploaded. Uploading a profile with a Restrictions payload that was unsigned will result in Jamf Pro adding potentially unwanted restrictions. For more details see this Jamf tech article: https://learn.jamf.com/bundle/technical-articles/page/Deploying_Custom_Configuration_Profiles_Using_Jamf_Pro.html#:~:text=Configuration%20profiles%20can%20be%20signed,Jamf%20Pro%20built%2Din%20CA

    You could download the profile you want to modify from Jamf Pro, import it into the iMazing Profile Editor, make the modifications you want, save the modified profile as a new signed profile (this article shows how to create a signing certificate using your Jamf Pro instance's CA: https://learn.jamf.com/bundle/technical-articles/page/Creating_a_Signing_Certificate_Using_Jamf_Pros_Built-in_CA_to_Use_for_Signing_Configuration_Profiles_and_Packages.html), then upload the new profile to Jamf Pro.

    Another tool you might find useful is Hancock which is a GUI tool for signing and un-signing things like profile .mobileconfig files.

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • November 27, 2023

    I suggest testing. Copy the Configuration Profile, remove the Signature and Deploy to a test group of Devices (Excluding the test Devices from the original Configuration Profile's Scope).

     

    Keep in mind, there is a reason why your predecessor signed that Profile as it's not common practice with JAMF. If you are not seeing a payload at all, I am going to guess that the Payload is not something that is compatible with JAMF.  Signing the Configuration Profile prevents JAMF from marking up the Configuration Profile and breaking it.

    A
    Forum|alt.badge.img+8
    • AlexHoffman
    • Contributor
    • November 27, 2023

    If the previous dev loaded profiles from Apple for pulling various logs, those are always signed and only valid for a few days. The annoying thing about them is that they will appear to not have any payloads too. If you have an Apple Developer account, there's a ton of them that you can download and use. They are especially useful if you have iPads or iPhones with issues that you can't figure out with the standard tools. It's less useful for Mac since you can basically pull any info off them that you want via scripts. 

    Terms & ConditionsCookie settingsAccessibility statement