All User Level Configuration Profile install fails immediately

djrory
Contributor

I have created 3 config profiles to push out certificates for our users' VPN access, however the profiles simply will not install.

I have tried WiFi, LAN, 2 different devices, confirmed the cert templates are correct, I've even created new templates and tried those, created an entirely new config profile rather than copying an existing one, install automatically and available in Self Service, putting the credentials in the policy and leaving them blank, reinstalling Self Service. Nothing works.

Nothing makes any difference, the auto-install policy never installs, and when available in Self Service, as soon as you click install it fails and disconnects Self Service.

If I download the .mobileconfig file (from the config policy in JAMF download option) and install manually it works perfectly fine. It's just via JAMF the issue occurs.

Computer level profiles are wholly unaffected.

Any help much appreciated.

9 REPLIES

djrory
Contributor

Manual install works perfectly fine, prompts for server credentials (if not provided in config profile) and installs.

djrory
Contributor

Have just discovered that this applies to ALL user Level config profiles and that Computer Level profiles install as they should.

Phantom5
Contributor II

I believe in order to install user level profiles you either need to have your Mac bound to Directory Services or install the Identification configuration profile first.

djrory
Contributor

@f.deis all our machines are bound to AD, can you elaborate on the Identification configuration profile?

pabohr
New Contributor II

@djrory Did you manage to solve your issue? I have been experiencing the same issue for 2 weeks now.

When running ANY user level configuration profile from Self Service, it fails immediately and I get the red banner with the "Cannot connect to Jamf Pro server..." error.
It happens only with user level configuration profiles. Computer level config profiles or policies install without issue from Self Service, and user level config profiles installed automatically work as well.

I've been working with Jamf and Apple support for the past week without success.

Not all our devices are impacted, and even on the device we were using to repro the issue it was failing for one week, then all of a sudden it worked for a few hours and then it was failing again.

LovelessinSEA
Contributor II

@pabohr So we have run into something similar. Are you using local accounts or are you using network accounts? Our resolution, with local accounts, was to use Enterprise Connect; this gives us a Kerberos ticket and then allows us to deploy user level certificate based config profiles. Forgive me if I missed this, but are you cloud or on-prem?

sdagley
Honored Contributor II

@djrory If you want a User Level Profile to install immediately make it a Self Service installable profile. Otherwise it's not going to install until some point when the user's credentials are verified, such as login.

pabohr
New Contributor II

@LovelessinSEA We are on-prem. We are using network accounts and have Enterprise Connect configured. Just to add that this has been working for the past couple of years for us and we just started seeing this issue 2 weeks back, without any change in our environment except an upgrade from Jamf Pro 10.14 to 10.16, end of April.

djrory
Contributor

Sorry for the delay in response here. JAMF Support said that this was a PI and that they are working on it. Their workaround is to download the profile, package and distribute it, then run it via a script. It's crude and tedious but works. Not really a solution for 99% of our profiles as they are all meticulously scoped based on LDAP and Smart User groups that change all the time, but works if you're really stuck with, say, a VPN certificate template.