Computer-level certificates deployment fails while local user is logged in on AD-joined Macs

New Contributor III

Our Wi-Fi network requires certificate authentication and for this reason we are pushing a managed profile on computer level which includes the Wi-Fi configuration and the certificates needed to connect to it. The managed profile's Distribution Method is set to "Install automatically".

The issue we are having is that the managed profile gets pushed to the Macs the moment they enroll and that is being done with the local Administrator logged in. The result of this is that the deployment fails since the local Administrator does not have rights to reach out to the CA and request the certificate for connecting to the wireless network.

The error messages reported under "Management commands" for these Macs are:
- The 'Active Directory Certificate' payload could not be installed. The client failed to get the Active Directory server credentials.
- The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed.

When the managed profile deployment fails to install, it won't attempt to re-install when the domain user logs in and that is sort of the end of the story. Given that we don't have the option to deploy the managed profile on user level, does anyone have a workaround for this situation? The way I see it, the profile should only be deployed when a. the computer is joined to the AD domain and b. a domain user has logged in.

Any ideas?


New Contributor III

We have a similar setup. We have our profile set to 'Use Directory Authentication' and have no issues with the profile applying. Is that an option for you to try?

Contributor II

We handled this problem with smart groups and Extension attributes.

First we use machine certificates to authenticate to internal wifi and user certs to authenticate with our VPN.

Our workflow is a tad bit different than yours in that we aren't creating additional accounts on the machine; we are only creating the management account and the end user's account.

To deploy the machine cert:
With a scripted policy fired off with a custom trigger during enrollment after AD bind, we touch a receipts file and we scope the configuration profile to a smart group looking for that receipt. When the machine gets scoped, it pushes the machine cert down.

The user cert is based on an Enterprise Connect attribute; the User certificate configuration profile comes down when the JSS sees that a user has logged into Enterprise Connect.

So in your instance, if you have something like NoMAD or EC, you could build a workflow knowing when a user has authenticated with the AD based on a smart group.

I realize it may not be the ideal option, but this method works for us.
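
The receipt-and-smart-group gating described in the last reply, as an added example (not code posted by anyone in this thread): a policy step that writes the receipt only when the AD bind is confirmed, and an extension attribute that a smart group can match on. The receipt path, the `policy`/`ea` arguments and the function names are hypothetical, and the parser assumes `dsconfigad -show` prints an `Active Directory Domain = ...` line.

```shell
#!/bin/sh
# Added example. RECEIPT is a hypothetical path, not one from the thread.
RECEIPT="${RECEIPT:-/Library/Receipts/com.example.adbind.done}"

# Read `dsconfigad -show` output on stdin and print the bound AD domain.
# Prints nothing when the Mac is not bound (assumed output format).
bound_domain() {
    awk -F' = ' '/^[ \t]*Active Directory Domain[ \t]*=/ {
        gsub(/[ \t]+$/, "", $2); print $2; exit
    }'
}

# Policy step, run from the custom trigger after the bind: write the
# receipt only if a domain is reported, so the certificate profile is
# never scoped to a Mac that cannot yet reach the CA with its AD account.
write_receipt_if_bound() {
    domain=$(bound_domain)
    [ -n "$domain" ] || return 1
    mkdir -p "$(dirname "$RECEIPT")" && printf '%s\n' "$domain" > "$RECEIPT"
}

# Extension attribute body: Jamf reads the value between <result> tags.
# A smart group with criteria "starts with Bound" then scopes the profile.
ea_result() {
    if [ -s "$RECEIPT" ]; then
        echo "<result>Bound: $(head -n 1 "$RECEIPT")</result>"
    else
        echo "<result>Not Bound</result>"
    fi
}

# Hypothetical entry points: "policy" for the scripted policy,
# "ea" for the extension attribute. With no argument nothing runs.
case "${1:-}" in
    policy) dsconfigad -show | write_receipt_if_bound ;;
    ea)     ea_result ;;
esac
```

Because the receipt is written only after the bind is verified, a failed or skipped bind leaves the Mac out of the smart group instead of triggering a profile install that fails and is not retried.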