Solved

Can you package a configuration profile?

Forum|Forum|8 years ago
March 10, 2017
29 replies
214 views

+8

duffcalifornia
Contributor

So, odd use case I know, but here's my dilemma:

Our privileged wifi is allowed via certificates that are installed via configuration profile, and they authenticate based on the machine being bound to AD. Sometimes, our users take their laptops offsite for periods of time, during which their AD password changes. The next time the machine touches our network, it breaks the privileged wifi and puts the laptop on our general network.

The solution has been to delete the wifi profile, delete the keychain entry that our general wifi installs in the login keychain, and then reinstall the wifi profile.

I'd love to come up with a solution that a user can do from Self Service, but the issue becomes: how do i get the wifi certificate back on the machine if it doesn't have internet?

Would it be possible to use Composer to create a package that "installed" the wifi profile, cache it, and then create the Self Service profile that uninstalls the current profile, deletes the single keychain entry, and then install the cached "package" which will reinstall the profile?

Best answer by mm2270

We have a mix of Config Profiles that are deployed directly from Jamf Pro over Apple's MDM framework, and some that are deployed and installed locally with a package or script, bypassing APNs.
What I found, like others posted here, is that there are some reliability issues with Profiles randomly getting removed or vanishing from machines and then being redeployed again when done over APNs. Where the issue comes in is if using an important profile, like one that adds an 802.1x Wi-FI profile, or, in our case, that adds an important Intermediate SSL Decryption Authority certificate, this creates big problems for us. We can't have those profiles disappearing from our Macs for no apparent reason or it creates problems for the end users, so for the most important ones, we deploy them with a script or a package/script combo. They tend to stick around much more reliably when done this way.

I wanted to just add though, that I found its pretty easy to deploy the Profile entirely in a script and bypass a package altogether. Here are the steps you can take to do this.

Create the Configuration Profile .mobileconfig however you want, for example, in Jamf Pro, or in Apple's Profile Manager. As long as you can get a physical .mobileconfig file in the end, or access the direct xml of the profile.
If you created it in Jamf Pro, access it in the GUI and use the Download button in the Profile details.
Use the following command on the downloaded file. This is necessary with any downloaded from Jamf Pro, since they end up as signed Config Profiles:
- security cms -D -i /path/to/profilename.mobileconfig | xmllint --format -
Take the output from the above command in Terminal and copy it. You will paste this into a script.
Create a script with the following information in it. You will need to edit some of this to correspond to whatever it is that you're deploying, like a name for the profile for example.

#!/bin/bash

## Create the .mobileconfig file in /private/tmp/
cat << EOF > /private/tmp/profile.mobileconfig
*<paste the entire xml code for the configuration profile from step 3 and 4 here, unaltered>*
EOF

## Install the .mobileconfig with the profiles command
/usr/bin/profiles -I -F /private/tmp/profile.mobileconfig

if [ $? == 0 ]; then
    echo "Successfully installed. Deleting local file..."
    rm -f /private/tmp/profile.mobileconfig
    exit 0
else
    echo "Installation of profile failed. Deleting local file..."
    rm -f /private/tmp/profile.mobileconfig
    exit 1
fi

In this way, the profile can be contained in the script and deployed and installed without needing to create a separate package for it, which can sometimes work better. I've been using the above process for deploying some of our profiles and its working well.

Be sure also to create an Extension Attribute that captures the installed profile names or identifiers, so you can build Smart Groups for machines that should get it or not. This may be necessary even if just pushing the profile in a regular package install.

Show first post

1
2

Forum|pagination.label 2 / 2

+24

mm2270
Legendary Contributor
Forum|Forum|5 years ago
February 13, 2020

Hmm, I actually don't know with any degree of certainty if a bad or poor APNs connection would be removing profiles. I suppose it's possible, but I haven't seen anything like that happen to us in quite some time now.

But, if you're determined to go this route for now, I would suggest taking another look at the script I posted above on my GitHub page (found here), which has the necessary code to install User Level profiles as the current user. The relevant code starts on line 167. You'll see that I'm getting the logged in user and the logged in UID, and then on line 174, it installs the profile as the user. You could try to incorporate what I have there into your own script.
Unlike System Level profiles, User Level get installed to an account, not globally like System profiles.

Like

+9

LaMantia
Contributor
Forum|Forum|5 years ago
February 13, 2020

Thanks again. I don't want to go this route but support keeps getting tickets that the user loses o365 so I am hoping to have this available in self service for them. Just in case. I will be opening a ticket with Jamf support as well to discuss it. Maybe they can find the issue.

Like

J

+10

Joyrex
Contributor
Forum|Forum|4 years ago
February 10, 2021

delete

Like

W

+7

wifichallenges
Valued Contributor
Forum|Forum|4 years ago
February 23, 2021

FYI they removed the ability to install a profile with the command line profile command in osx 11.0

"profiles tool no longer supports installs. Use System Preferences Profiles to add configuration profiles."

see here:
https://www.alansiu.net/2021/01/06/semi-automating-profile-installation-in-big-sur/

so the method above wont work. I am happy that other people find the configuration wireless profile to be buggy as well. My macs are all losing their profile randomly sadly so i was looking for alternative methods to connect them up. I guess this wont be it. The open command referenced in the article does not do what i wanted.

i think we will move towards a certificate based install anyway and away from PSK. I dont supposed someone has a guide on that? well i am going to look around and research it now.

Like

1
2

Forum|pagination.label 2 / 2

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded