802.1x "Vanishing"

New Contributor III

Edit: FYI - Working off of 10.9 - moving to 10.11.1 this Thursday. I also want to note we don't see this behavior with the other profiles, just our 802.1x profile.

Hey everyone -

We have just started experiencing a weird behavior with our 802.1x MDM profile. What we are seeing is users having their profile "stripped" and then re-pushed at random times.

Checking the logs, there is a visible removal being sent from the JSS, followed by an install for the very same profile within the same minute. If the device is off campus, or can't communicate with the CA at this time, the profile can't reinstall and the user is left with no 802.1x payload - i.e. no wireless :(

I checked the scoping, and the devices are remaining in scope for the profile, so I am not sure what could be causing my Jamf server to even send a removal action to the device. I am just about out of ideas, and wondering if anyone else has seen something like this before?



New Contributor

This is funny; I just put in a ticket for this exact same problem. Anyone else experiencing this?

Contributor III

This has been an issue for a while and is a big reason why we moved to local 802.1x profiles. We're now close to moving back to MDM-delivered profiles via AD CS, which might have the same problem, but doesn't require communication to the CA when reinstalling.

Esteemed Contributor II

@patgmac How are you handling the case of the SSID you're trying to configure access for not being available to connect to when installing the 802.1x configuration?

Valued Contributor II

And this is why we deploy our wireless profile via pkg / profiles command. Can't count on MDM to be 100% reliable, and you need connection to fix it...

New Contributor III

This is getting interesting -- My question is how are you implementing an updated Root/Intermediate if the profile is local without a wired connection? i.e. you need to push an updated certificate?

One of the reasons we decided to make the jump to MDM 802.1x is because we are looking at updating the Root/Intermediate which is in that 802.1x payload. We were hoping to make this seamless by pushing it out through Jamf... wouldn't you need to reinstall the profile for it to get its new certificates if it's running as a local profile? i.e. creating a chicken before the egg problem by dropping off the old profile to install the new one?

I am actually rather surprised to hear so many are doing 802.1x with a local profile, but now I am starting to wonder if switching to MDM was the right move :(

New Contributor III

Any of you all get any new information on this? We opened a ticket a while back but didn't really get a direct answer/solution.