Certificates delivered through configuration profiles disappearing (10.11)

mapurcel
Contributor III

We use configuration profiles to deliver root certificates to our population (system keychain). On 10.11, possibly only 10.11.1, the configuration profile installs correctly, the certificates populate in the keychain, then some minutes later the certificates are gone despite the configuration profile still being there. This workflow has been fine on 10.10. Anyone else seeing this?

1 ACCEPTED SOLUTION

bentoms
Release Candidate Programs Tester

Maybe OS X 10.11.2 resolves, as per: https://support.apple.com/en-us/HT205579

Resolves an issue where reinstalling a configuration profile containing a certificate payload causes the certificates to be removed instead of updated


7 REPLIES

nwiseman
Contributor

I saw this same behavior after upgrading to 10.11 on some of our systems. Basically, I noticed after the upgrade, the wireless wouldn't work anymore and I kept getting a weird error that I needed to move closer to the AP. After doing a little research on my system I noticed that although the config profile was still there, the certs were not. Since that was the case, I couldn't simply re-run the policy to insert the certs because it conflicted with the profile that was already in place. I ended up re-writing the script to first check for the config profile and if found, remove it before trying to re-install the certs. So far this has worked without issue on all affected systems. I also haven't had a problem with them disappearing afterward.

m_entholzner
Contributor III

I have seen this on my test systems too... The reason for me was that the config profile which contained the certificates was installed twice (once at imaging and afterwards via policy). We cannot use APNs to deliver the profile, so manually installing is the only way for us.

Modifying the policy and installing the profile only once was the solution for me.
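An added example, not code from any poster in this thread: one way to script the two workarounds above (remove an orphaned profile before reinstalling, and never install over a profile that is already present). `PROFILE_ID`, `CERT_CN` and `PROFILE_PATH` are hypothetical placeholders, and the `profiles -P`, `-R -p` and `-I -F` flags are assumed to be the syntax of the OS X releases discussed here.

```shell
#!/bin/sh
# Added example. PROFILE_ID, CERT_CN and PROFILE_PATH are hypothetical placeholders.
PROFILE_ID="com.example.rootcerts"
CERT_CN="Example Corp Root CA"
PROFILE_PATH="/path/to/rootcerts.mobileconfig"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Succeeds if the `profiles -P` listing in $1 has a profile whose identifier is exactly $2.
# Constructed example of a listing line:
#   _computerlevel[1] attribute: profileIdentifier: com.example.rootcerts
profile_listed() {
    printf '%s\n' "$1" |
        awk -v id="$2" '/profileIdentifier:/ && $NF == id { found = 1 } END { exit !found }'
}

# Classify the host from captured results.
#   $1 = `profiles -P` output, $2 = profile identifier,
#   $3 = exit status of `security find-certificate` (0 means the certificate is present)
# Prints ok, orphaned (profile present, certificate gone), cert-only, or absent.
classify_state() {
    if profile_listed "$1" "$2"; then
        if [ "$3" -eq 0 ]; then echo ok; else echo orphaned; fi
    elif [ "$3" -eq 0 ]; then
        echo cert-only
    else
        echo absent
    fi
}

# Query the live system and repair it. Needs root on OS X.
remediate() {
    listing=$(profiles -P 2>/dev/null)
    if security find-certificate -c "$CERT_CN" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1; then
        cert_rc=0
    else
        cert_rc=1
    fi
    state=$(classify_state "$listing" "$PROFILE_ID" "$cert_rc")
    case "$state" in
        orphaned) profiles -R -p "$PROFILE_ID" && profiles -I -F "$PROFILE_PATH" ;;
        absent)   profiles -I -F "$PROFILE_PATH" ;;
        *)        : ;;  # ok or cert-only: never reinstall over an existing profile
    esac
    echo "$state"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--fix" ]; then remediate; fi
```

Run without arguments the script changes nothing; the printed state from `--fix` can be logged by the policy to count how many machines were found in the orphaned condition.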

andyinindy
Contributor II

I have also seen this behavior. Perhaps a bug in El Cap? What version of the JSS is everyone running? We are on 9.81, FWIW.

Aziz
Valued Contributor

Happened to me again today.

OS X 10.11.1 and JSS 9.81

mapurcel
Contributor III

Looks like 10.11.2 does indeed fix the issue, that's a relief.

TreviñoL
Contributor

It's a product defect.

https://www.jamf.com/jamf-nation/discussions/24257/configuration-profiles-being-removed-and-reinstalled