Posted on 12-06-2011 02:35 PM
I've read through the 8.3 manual and made sure I have all of the pre-requisites met that are listed. Yet when I create a config profile, or import one from the iPhone utility, I cannot see any of my 10.7 machines in the scope.
What am I doing wrong?
Posted on 12-07-2011 11:37 AM
Hi Guys,
The issue we are seeing here is probably not a bug. Computers will not show up in the scope of a computer configuration profile in the JSS web application until they are fully enrolled with certificate-based communication enabled (JSS web application > Settings > Computer Management Framework Settings > Security).
Enrollment occurs when a managed 10.7 client applies the updated management framework with certificate-based communication enabled. This should happen automatically in Casper Suite version 8.31 but can be manually triggered through a jamf binary command (sudo jamf manage).
Part of the enrollment process creates a certificate for the device that: 1) gets assigned to the computer inventory record in the database; and 2) gets added to the following file on the client:
/Library/Application Support/JAMF/JAMF.keychain
Managed 10.7 clients should also receive an 'MDM Enrollment' profile in System Preferences > Profiles (this tab will not exist until the client receives a profile).
Computers should start showing up in the scope of a computer configuration profile once they have been enrolled by applying the management framework and have received a device certificate in the database.
Posted on 12-07-2011 08:33 AM
Steve, we are seeing this issue as well. I am trying to get 802.1x to work with the iPhone config profile. I can only map it to a static or smart group because it does not see any of the machines in the JSS.
I think I am going to have to open a ticket to see if there are some bugs or issues. Please let us know if you get any further because we are stuck at the moment without being able to deploy 802.1x connection settings.
Posted on 12-07-2011 11:01 AM
Steve I did open a ticket and our account rep said that there are a bunch of known issues with the configuration profiles. I only asked about the certificate issue we were having in particular but the bugs could explain your issue as well.
The next release is scheduled to be out in a month or so, they also said.
Posted on 12-07-2011 11:57 AM
Jason that is excellent information! Now if you guys can just update the manual to include that information, or put out a white paper with it. :-)
So once the machine is enrolled, and shows up in the scope of a profile, how does the profile get pushed down to the machine? Is this something where we need to run a "jamf manage" or "jamf recon" to install the profile?
I'm thinking about times where I might be testing a profile, how do I re-apply that profile? Just like MCX settings I can use the jamf binary to re-apply.
Thanks again for this insightful information.
Posted on 12-07-2011 12:12 PM
Hi Steve,
Computer-level configuration profiles should automatically apply almost instantaneously, depending on network conditions and the availability of the client computer.
User-level configuration profiles, on the other hand, require a user login with login hooks enabled in the JSS web application (Settings > Computer Management Framework Settings > Login/Logout Hooks). We need to check the box to 'Create login and logout hooks' along with the options to 'Log username at login and logout' and 'Check for Policies with login and logout' for user-level configuration profiles to be applied.
There is also a new verb in the jamf binary, similar to the existing 'jamf mcx' verb, that applies computer configuration profiles:
jamf configurationProfile -username <username>
where the -username flag is optional and <username> is the actual name of the user. Omitting the -username flag will apply computer-level configuration profiles. As with all jamf binary commands, we can also add the -verbose flag for additional logging.
Posted on 12-07-2011 12:48 PM
Okay, so that makes sense and I can see the new verb, but it doesn't appear to do anything. I have a very simple profile set in the JSS to install a certificate and configure 802.1x settings for our internal wi-fi network. I scope it to my machine and save the profile.
Nothing ever comes down. I run the jamf binary with the configurationProfile and get the following:
Checking for Device Level Configuration Profiles from https://jss.integerdallas.com:8443//...
There are no configuration profiles to apply at the device level.
There are no configuration profiles to remove at the device level.
So what am I doing wrong? Or what am I missing?
Posted on 12-22-2011 08:52 AM
I have the same problem
Posted on 01-12-2012 06:12 PM
Having same issues: the machine shows up in JSS and is in the configuration profile scope, but the configuration profile never gets pushed down to the machine.
What are we doing wrong?
Posted on 02-14-2012 09:28 AM
I just tried to run jamf configurationProfile and it is coming up as an unknown syntax. So I ran jamf help and I do not see configurationProfile listed. I ran jamf version and I am on version 8.43.
Posted on 03-06-2012 12:46 PM
I am also having this issue.
Posted on 03-07-2012 07:49 AM
I've been playing with this as well. Seems like a cool idea in theory but so far it's not ready for primetime. I also wish there was a way I could block asking the client if they want to enable or disable the profile when they login.
Posted on 06-20-2012 05:54 AM
Have been trialling profiles and have all the necessary pieces in place cert wise but cannot bring individual computers into scope. I can apply to buildings but that's not useful for most situations.
The one machine that I have managed to scope I have applied varying payloads but with very mixed results.
Just curious to know if there are many of you out there that have had success with config profiles and 10.7?
Running 8.52 and a combination of 10.7.3 / 10.7.4.
Cheers
Posted on 06-20-2012 02:32 PM
Tim - I have also had problems with configuration profiles. See my post https://jamfnation.jamfsoftware.com/discussion.html?id=4685
any info would be good.
Posted on 07-03-2012 07:02 AM
Same problem here... :(
There are no configuration profiles to apply at the device level.
There are no configuration profiles to remove at the device level.
Posted on 07-03-2012 08:26 AM
After speaking with JAMF and consulting the Twittersphere (thank you, @hammen), I've determined that my problem with this is more than likely due to the fact that neither our JSS nor our client workstations are able to freely access the Internet. We use an authenticated proxy.
Both client and server need unfettered communication with Apple for push notifications. Apparently, the JSS doesn't support just downloading the .mobileconfig files without the clients receiving the push notifications from Apple. JAMF says this is restricted by Apple and is out of their control.
Putting our JSS in a DMZ is possible. I still need to do some testing to see if simply removing authentication for any communications to 17.0.0.0/8 (Apple) will still allow us to work through our proxy.
FYI, Apple seems to use the term "firewall" interchangeably with "proxy". If you're looking for proxy information then search for "firewall".
This white paper explains using Configuration Profiles with Lion server but the networking requirements should be the same for the JSS:
Managing OS X with Configuration Profiles
Also see the Other Tips and Tricks section at the bottom of this page on Apple's site:
https://developer.apple.com/library/mac/#technotes/tn2265/_index.html
Posted on 07-03-2012 04:21 PM
My solution for this has been to use profiles, but take the JSS push mechanism out of the loop- I get the profiles onto the client machines by triggering a package via policy. The package puts the configuration profile into a temporary folder, and a postflight script installs them, then removes the temp location. Works flawlessly, doesn't require push notifications.
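A postflight along the lines described above, as an added example rather than the poster's actual script. The staging path and the PROFILES_BIN override are assumptions; it relies on the profiles command that ships with OS X 10.7 and later.

```shell
#!/bin/sh
# Added example (not the poster's script): postflight for a package that
# dropped .mobileconfig files into a temporary staging folder.
STAGE_DIR="${STAGE_DIR:-/private/tmp/staged_profiles}"   # hypothetical path
PROFILES_BIN="${PROFILES_BIN:-/usr/bin/profiles}"        # override is for testing

install_staged_profiles() {
    rc=0
    [ -d "$STAGE_DIR" ] || { echo "nothing staged in $STAGE_DIR" >&2; return 1; }
    # Profiles can carry Wi-Fi and 802.1x secrets: keep the folder owner-only.
    chmod 700 "$STAGE_DIR"
    for p in "$STAGE_DIR"/*.mobileconfig; do
        [ -f "$p" ] || continue
        if "$PROFILES_BIN" -I -F "$p"; then
            echo "installed $(basename "$p")"
        else
            echo "FAILED $(basename "$p")" >&2
            rc=1
        fi
    done
    # Remove the staged copies whether or not every install succeeded.
    rm -rf "$STAGE_DIR"
    return "$rc"
}

# Installer runs package scripts as root under the name "postflight".
case "$0" in
    *postflight) install_staged_profiles ;;
esac
```

The install verb was removed from profiles in macOS 11, so this applies to the OS X versions discussed in this thread.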
Posted on 07-03-2012 04:40 PM
@talkingmoose
We have gone through the diagnostics with APNs and firewall/proxy setup and findings described in this post;
https://jamfnation.jamfsoftware.com/discussion.html?id=4650#responseChild22897
Posted on 07-05-2012 08:28 AM
@Kumarasinghe
Very helpful! Thank you.
Posted on 07-24-2013 01:42 AM
It would be great to have your thoughts on this:
So far we did the build of the profiles with osx server profile manager and distributed them with a casper policy and bash like nkalister. Worked great so far.
We wanted to enable WiFi at the login-window - as done on AFP548: http://www.afp548.com/2013/03/07/another-way-to-enable-wi-fi-at-login-window-with-profiles/#comment-40671
But to edit the profiles they are now unsigned and not encrypted.....what I do not like.
Has anyone an idea to sign or encrypt the xml-edited profiles with bash or any tool or... ?
Thank you!
Posted on 07-24-2013 12:40 PM
One thing that I've seen when trying to use the configurationProfile command is that sometimes, you need to delete your MDM Enrollment profile before applying the configurations. Also, make sure you are running your jamf commands with root privileges.
This has solved almost all of my config profile issues.
Posted on 07-25-2013 12:04 AM
@Tennant
Thank you for your quick response. I have seen that too - you are right - when using the terminal I also had troubles when an enrollment profile was present.
My issue is a different one:
I tried IPCU and Profile Manager (OSX Server) but of course these "point and click tools" only have a limited range of commands, keys, etc.
There are more "functions" as you can see e.g. in the Configuration Key Reference http://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/iPhoneConfigurationProfileRef.pdf
But to use those I understand you have to use a text editor or xcode to put those commands in the xml-"template" you made with the point and click tools.
In order to change the xml-file - you have to turn off the "signing" and "encrypting" in the tools otherwise.. you know.
So what I did:
1. Use IPCU or ProfileManager to set as many payloads as possible.
2. Download Profile unsigned
3. Change/add "missing" keys from reference: like "activate Wifi at loginwindow"
4. Deploy with Casper and bash script
5. Works wonderful
But :-) now I have the profiles on the client machines in plain xml.
(Of course I delete them after installation, but anyway)
I would like it more if I could sign or encrypt the "hand changed" Profiles - (password are plain text, ..)
...this would give also the possibility to make them available in self-service.
So far I did not find a way to sign/encrypt "handmade" profiles. Help is very appreciated.
Thanx!
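One way to sign a hand-edited profile with the openssl command line, as an added example that is not from any poster in this thread; the file names, the throwaway self-signed signer and the sample profile are constructed for illustration. Signing lets the client check origin and integrity but does not encrypt: passwords in the payload remain readable inside the signed file.

```shell
#!/bin/sh
# Added example: sign a hand-edited .mobileconfig and confirm the result.
# Signing proves origin and integrity only; the payload, passwords included,
# stays readable inside the signed file.

# sign_profile <unsigned> <signed> <cert.pem> <key.pem>
sign_profile() {
    # -nodetach embeds the plist in the CMS blob; -binary keeps it byte-exact.
    # Add -certfile <chain.pem> when the signer has intermediate certificates.
    openssl smime -sign -nodetach -binary -outform der \
        -signer "$3" -inkey "$4" -in "$1" -out "$2"
}

# verify_profile <signed> <ca.pem> <recovered>
# Exit 0 only if the signature is intact and the signer chains to <ca.pem>.
verify_profile() {
    openssl smime -verify -inform der -CAfile "$2" \
        -in "$1" -out "$3" >/dev/null 2>&1
}

# selftest: throwaway self-signed signer and a constructed profile.
# Also checks that a same-length edit inside the signed blob is rejected.
selftest() {
    d=$(mktemp -d) || return 1
    rc=1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Profile Signer" \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
    cat > "$d/wifi.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>Constructed-WiFi</string>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>
EOF
    sign_profile "$d/wifi.mobileconfig" "$d/signed.mobileconfig" \
        "$d/cert.pem" "$d/key.pem" &&
    verify_profile "$d/signed.mobileconfig" "$d/cert.pem" "$d/out.plist" &&
    cmp -s "$d/wifi.mobileconfig" "$d/out.plist" &&
    LC_ALL=C sed 's/Constructed-WiFi/Constructed-WiFx/' \
        "$d/signed.mobileconfig" > "$d/tampered.mobileconfig" &&
    ! verify_profile "$d/tampered.mobileconfig" "$d/cert.pem" "$d/out2.plist" &&
    rc=0
    rm -rf "$d"
    return "$rc"
}
```

For deployment the signer certificate has to chain to something the client already trusts, otherwise the profile installs but is shown as unverified.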
Posted on 08-13-2020 12:06 PM
Mr Stevewood,
I have been following your work for some time. I am a long time caller but first time listener :-)
Policy is really my strong suit, for multi-tenant, multi-forest environments. Built some of the largest client management systems for Avery Dennison, Hyatt Global, Celestic, St Jude Medical, Stanford Hospital, Starbucks, and now I'm with a global financial company doing the migration from On-Prem to Jamf Cloud and I'm impressed with the newest version of JSS.
My Point here is I would like to talk with you about a deep dive into Policy Config Profile and DEP Staged Enrollment Theory.
Bundling Categories of Policy, Extension Attributes, Config Profiles based in Scoping for CORE Sec Tools and Certs etc, and then Core Applications like MSO365 Edge Teams, and patching..
Should I start a thread or ask for a time to talk, or how do I grab your interest in this way?
Thanks Much and Kind Regards... Looking forward @Stevewood
Posted on 08-13-2020 12:17 PM
You can reach me on Twitter and we can start there: @stevewood_tx