Our Wi-Fi network requires certificate authentication, and for this reason we are pushing a managed profile at the computer level which includes the Wi-Fi configuration and the certificates needed to connect to it. The managed profile's Distribution Method is set to "Install automatically".
The issue we are having is that the managed profile gets pushed to the Macs the moment they enroll and that is being done with the local Administrator logged in. The result of this is that the deployment fails since the local Administrator does not have rights to reach out to the CA and request the certificate for connecting to the wireless network.
The error messages reported under "Management commands" for these Macs are:
- The 'Active Directory Certificate' payload could not be installed. The client failed to get the Active Directory server credentials.
- The 'Active Directory Certificate' payload could not be installed. The certificate request failed.
When the managed profile deployment fails to install, it won't attempt to re-install when the domain user logs in, and that is sort of the end of the story. Given that we don't have the option to deploy the managed profile at the user level, does anyone have a workaround for this situation? The way I see it, the profile should only be deployed when a. the computer is joined to the AD domain and b. a domain user has logged in.
Any ideas?
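The two-condition gate the poster describes, written as a login-time script (an added example, not code from the original post or from the MDM vendor). It assumes the Wi-Fi profile has been moved off "Install automatically" and scoped to a policy with the hypothetical custom trigger `wifi-cert-profile`, and that the jamf binary is at `/usr/local/bin/jamf`; the `dsconfigad -show` and `dscl . -read` outputs used in the checks are constructed samples in the comments, and the decision logic is kept in pure functions so it can be tested off a Mac.

```shell
#!/bin/sh
# Added example, not code from the original post. Gates the Wi-Fi profile
# install on the two conditions the poster names: the Mac is bound to AD
# and the console user is a domain account. Assumptions (hypothetical):
# the profile is scoped to a policy with custom trigger "wifi-cert-profile"
# and the jamf binary lives at /usr/local/bin/jamf.

TRIGGER="wifi-cert-profile"

# ad_bound_from_output OUTPUT
# OUTPUT is the text printed by `dsconfigad -show`; it contains an
# "Active Directory Domain = ..." line only when the Mac is bound.
# Constructed sample when bound:
#   Active Directory Forest   = corp.example.com
#   Active Directory Domain   = corp.example.com
#   Computer Account          = mac01
ad_bound_from_output() {
    printf '%s\n' "$1" | grep -q '^Active Directory Domain'
}

# domain_user_from_record USER RECORD
# RECORD is the stdout of `dscl . -read /Users/USER`, or empty when the
# local node has no such user. A domain account is either a mobile
# account cached locally (record carries OriginalNodeName or a
# LocalCachedUser authentication authority) or a pure network account
# (no local record at all). Built-in and pre-login accounts are rejected.
domain_user_from_record() {
    user="$1"
    record="$2"
    case "$user" in ''|root|loginwindow|_*) return 1 ;; esac
    [ -z "$record" ] && return 0
    printf '%s\n' "$record" | grep -Eq '^OriginalNodeName:|LocalCachedUser'
}

# gate_decision AD_OUTPUT USER RECORD -> 0 only when both conditions hold
gate_decision() {
    ad_bound_from_output "$1" && domain_user_from_record "$2" "$3"
}

# Live wrapper: collects the real inputs on a Mac and triggers the policy.
run_gate() {
    ad_out=$(/usr/sbin/dsconfigad -show 2>/dev/null) || ad_out=""
    user=$(/usr/bin/stat -f %Su /dev/console)
    record=$(/usr/bin/dscl . -read "/Users/$user" 2>/dev/null) || record=""
    if gate_decision "$ad_out" "$user" "$record"; then
        echo "AD-bound and domain user '$user' at console: requesting profile"
        /usr/local/bin/jamf policy -event "$TRIGGER"
    else
        echo "Conditions not met (console user '$user'); not installing profile"
        return 1
    fi
}

# Only run the live check when invoked with --run (e.g. from a login
# policy or a LaunchAgent); sourcing the file just defines the functions.
case "${1:-}" in --run) run_gate ;; esac
```

Run it as `sh gate_wifi_profile.sh --run` from a policy triggered at login; because the ADCS certificate request runs in the context of the console user, the gate refuses to fire while the local Administrator (a local record with no `OriginalNodeName`) is the one logged in, which is exactly the case that produced the "failed to get the Active Directory server credentials" error above.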