Posted on 10-21-2024 07:04 AM
Hi everyone,
the first renewal of the radius cert is due in a month and I am not confident on how to do this without disconnecting all of our 250+ clients.
I believe I have perhaps made mistakes regarding best practices. However, I had no other choice since all certs and network payloads needed to be in one profile. The Jamf Profile used to deploy the 802.1x auth contains:
All certs are issued via the ADCS server to be able to renew automatically since MacOS and IOS would not be able to do this if done without it.
As far as I understood it, it had to be done this way, (all in one approach) to be able to select the cert to use for any given network connection that the conf-profile is controlling.
However, once I would re-redeploy this conf-profile, the clients would lose the connection before receiving the new config. Is it possible to deploy the renewed RADIUS certificate in a separate conf-profile? Then, however, I would not be able to select the cert in the WiFi and ethernet payload section... Any hints in the right direction are appreciated. If there is a better way to accomplish this.
with kind regards, Julian Niedzwetzki
Solved! Go to Solution.
Posted on 10-21-2024 07:14 AM
@jules1987 If you edit a previously deployed Configuration Profile and choose "Distribute to All" when saving it will simply update the profile on targeted devices, not do a remove then re-install.
a month ago
Three months ago, we updated our RADIUS certificate. During this process, we chose not to push the RADIUS certificate through Jamf because our WPA Enterprise setup uses Active Directory account credentials (rather than static accounts) for authentication.
With this setup, each user logs into Wi-Fi individually. After the RADIUS certificate change, Mac users encountered a pop-up upon connecting to Wi-Fi,
prompting them to continue and enter their MacBook login password to reconnect to the internet. However, users connecting via LAN cable were unaffected and did not see any pop-up.
then after that you can schedule to delete the expired cppm cert manually in Keychain Access.
Note:
We inform via email what to do after changing the cert, so that users know the steps to take.
300+ User Mac
300+ User iPad
Posted on 10-21-2024 07:14 AM
@jules1987 If you edit a previously deployed Configuration Profile and choose "Distribute to All" when saving it will simply update the profile on targeted devices, not do a remove then re-install.
Posted on 10-21-2024 11:31 AM
I put the new 802.1x cert into my existing profile ahead of when the networking team uploads the cert on their end and keep the existing cert in the profile as well. Then when networking does their thing, the Macs will already have the new cert and they reconnect. Just have to go back in a week or so and remove the expired cert from your profile
Posted on 10-21-2024 11:58 PM
Thank all of you. Until now, I was under the impression that edited profiles would be remove-redeployed so I was thinking too complicated. I have been using JamfPro for over 8 years but somehow, I never understood this properly.
a month ago
Three months ago, we updated our RADIUS certificate. During this process, we chose not to push the RADIUS certificate through Jamf because our WPA Enterprise setup uses Active Directory account credentials (rather than static accounts) for authentication.
With this setup, each user logs into Wi-Fi individually. After the RADIUS certificate change, Mac users encountered a pop-up upon connecting to Wi-Fi,
prompting them to continue and enter their MacBook login password to reconnect to the internet. However, users connecting via LAN cable were unaffected and did not see any pop-up.
then after that you can schedule to delete the expired cppm cert manually in Keychain Access.
Note:
We inform via email what to do after changing the cert, so that users know the steps to take.
300+ User Mac
300+ User iPad
a month ago
Thank you for your input. Yes, I have to do this as well, as most of our users are Gr.6 to Gr 12 students, and they are BYOD. So we have no control over them whatsoever. We will send an email to all of them, and the teachers. I figure a fair number of them will read and forget or not read the mail. But that's part of the business.