Hello all! Working with JAMF support on this but figured I would post to see if anyone else is seeing this issue. For quite a while now we have been deploying machine certificates through our load script. All of our machines require network connectivity on first login (bound to AD) so this did great for us. With the recent JSS upgrade it seems like our profile is still installing normally as it should, but when the machine attempts to connect to our SSID, it seems like it doesn't know what certificate to use. Our config profile contains the network setting for our Wi-Fi network and the AD certificate information. All proper keychain settings are where they are supposed to go (comparing to machines that currently are working).
If I go into Network and, under Wi-Fi, press Connect under 802.1X, it prompts me for what cert to use. I choose our proper machine cert and it actually connects successfully; however, we need this to work at login, so the profile should be automatically setting this.
Just another fun day in the office! :)
I had a ticket open with both JAMF and Apple on this subject. The only way I was able to automate this for the end user completely was to add to the profile, sign it and then upload it to the JSS for distribution.
I have been working with Apple Enterprise on this since last October. In the case of devices that have built-in Ethernet, the profile configuration I am using generally works, with one caveat. If the network interface is removed and re-added then authentication via System Mode profile never applies.
For devices with no Ethernet built in the behavior is very inconsistent, especially in our environment where it is not assured a 1:1 relationship of dongle-device. If, and it is a big if, I can ensure the dongle used when the profile is installed is the only dongle ever used with the device, generally the system mode profile works and authenticates automatically, though I have seen it periodically fail and User Mode authentication request credentials. I have worked with Apple on modifying some delay timers on this.
I need to be able to install a system mode profile with specified credentials (certificate, machine credentials, etc.) and be able to plug in any Ethernet adapter with an assumption the device will authenticate.
Apple keeps coming back to problems with the profile, but it works until it doesn't work. There is something wrong with the framework, not the profile. I don't know if it is an issue with enumerating Ethernet devices as they are connected and disconnected or what, but I am growing increasingly frustrated with the amount of manual massaging I have to be doing to have device authentication in our environment.
I have both Apple Enterprise cases and Radars logged for these issues; you can contact me off list if you would like to contact your Apple representatives to get attached to those.
Hi Alex, we recently moved our organization from one building to another and witnessed that in the new block we have to select the device cert manually. We are on 9.96 at the moment, and we are on 10.12.6 and 10.13. Nothing changed on the configuration profile or on the JSS side.
Hope you could shed some light on this; we are OK to select the cert as it is a one-time activity as it is setting the keychain.
But would really appreciate the root cause of this behaviour.
Try removing the cert and reinstalling it with your primary Ethernet connection.
I discovered this to be an issue after installing the certificate while connected to our corporate 802.1X using Thunderbolt Ethernet and then switching over to display Ethernet. Seems like the certificate is linked to the Ethernet connection used during installation. For other Ethernet connections, the cert will need to be manually selected.