AD Certificate Payload in Profiles

forrestbeck
New Contributor III

I have an AD Certificate payload added to a configuration profile which is working well. The scoped machine obtains a certificate from the CA as expected. The problem I am seeing is that if I make a change to the profile (like the name or description), Save, and then select Distribute to All, all the machines scoped to the profile will go to the CA and obtain another certificate. Every time I click Distribute to All, the machines grab another certificate.

Has anyone else seen this behavior? I am using 10.9.2. The CA is a Windows CA Server.

1 REPLY

were_wulff
Valued Contributor II

Hi @forrestbeck ,

That sounds like expected behavior.

When we click “distribute to all”, we’re telling the JSS to tell the clients that are scoped to get that profile that the profile as a whole has changed (not just a description/single payload) and they need to check in and grab a new copy.

The machines will grab the entire profile, all payloads included, and will do what’s specified in those profiles.
Since the profile still contains the AD certificate payload, all scoped computers will reach out to the CA server and re-download the certificate.

There is no way to just tell it to pick up a profile name change/description and leave everything else intact if no changes were made.

If I’ve misunderstood what you’re asking and we’re seeing behavior such as clients ending up with multiple copies of a certificate or multiple copies of the same profile with a different title/description, I’d recommend reaching out to your Technical Account Manager either by phone, by sending an e-mail to support@jamfsoftware.com, or by using the My Support feature on JAMF Nation.

Thanks!

Amanda Wulff
JAMF Software Support
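
Because each Distribute to All leads every scoped machine to request another certificate, the CA accumulates several issued certificates per machine, and the older ones stay valid until they expire or are revoked. The following is an added example, not part of the thread or JAMF's tooling: a Python check that lists, per machine, older certificates that are still within their validity period. The CSV layout, column names, host names and serial numbers are constructed assumptions standing in for an export of the CA's issued-certificate list.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: an assumed CSV export of the CA's issued certificates.
# Column names and all values are illustrative, not taken from a real CA.
SAMPLE_EXPORT = """RequestID,CommonName,NotBefore,NotAfter,SerialNumber
101,mac-001.example.test,2014-03-01T09:00:00,2015-03-01T09:00:00,1a00000065
117,mac-001.example.test,2014-03-04T14:10:00,2015-03-04T14:10:00,1a00000075
118,mac-002.example.test,2014-03-04T14:11:00,2015-03-04T14:11:00,1a00000076
131,mac-001.example.test,2014-03-05T08:30:00,2015-03-05T08:30:00,1a00000083
90,mac-003.example.test,2013-01-10T10:00:00,2014-01-10T10:00:00,1a0000005a
140,mac-003.example.test,2014-03-05T08:31:00,2015-03-05T08:31:00,1a0000008c
"""


def superseded_certs(export_text, now):
    """Map each CommonName to the serials of certificates that are older than
    the newest one issued to that name but still inside their validity period."""
    by_name = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        row["NotBefore"] = datetime.fromisoformat(row["NotBefore"])
        row["NotAfter"] = datetime.fromisoformat(row["NotAfter"])
        by_name[row["CommonName"]].append(row)

    result = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r["NotBefore"])
        older = rows[:-1]  # every issuance except the most recent one
        live = [r["SerialNumber"] for r in older
                if r["NotBefore"] <= now < r["NotAfter"]]
        if live:  # expired leftovers and single-certificate machines are skipped
            result[name] = live
    return result


if __name__ == "__main__":
    report = superseded_certs(SAMPLE_EXPORT, datetime(2014, 3, 6))
    for name, serials in report.items():
        print(f"{name}: {len(serials)} older certificate(s) still valid: "
              f"{', '.join(serials)}")
```

The serials it reports are candidates for review and revocation on the CA after confirming which certificate each machine currently has installed.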