Help

Configuration Profiles Restrictions

PaulHazelden
Valued Contributor

Posted on ‎02-21-2022 05:27 AM

Hi

I have a bunch of Lab Macs that were running with a Configuration Profile with Restrctions set up on them.

Up until now everything worked just fine.

Now however, There is nothing I can do. The profile is set to be excluded for my Administrator account, but it doesnt get excluded. I have set the profile to be un-assigned from the Macs, and it is still there. I have tried adding a different profile and this too fails. As the profile is for Lab Macs, there is a restriction in it for System preferences, so I cant access the Profiles pane to bin them from there.

Any suggestions for getting access back to the Mac without erasing it?

0 Kudos
Reply
4 REPLIES 4

Tangentism
Contributor III

‎02-21-2022 08:01 AM - edited ‎02-21-2022 08:02 AM

Try sending a blank push to the device under Computer > Management and check the logs to ensure that APNS communication is occurring in Event Logs.

 

If its more than one device not functioning with APNS then it could be a certificates issue.

Reply

PaulHazelden
Valued Contributor
In response to Tangentism

Posted on ‎02-21-2022 08:21 AM

I suspect you are right, but which cert is wrong I am not sure. Apple Push cert was due in May so I have renewed it now. Not sure where any others might be to be able to check on them.

0 Kudos
Reply

Tangentism
Contributor III
In response to PaulHazelden

Posted on ‎02-21-2022 08:32 AM

I have experienced a similar situation myself and the certs/chain of trust was somehow broken & once the APNS certs were renewed, it started communicating again.

You'll want to go into Settings > 'Push Certificates' and renew the main 'MDM Push Notification Certificate' - theres a little back and forth with Jamf & Apples portals but if its all devices not receiving/removing profiles, thats the first place to check.

Reply

howie_isaacks
Valued Contributor II

Posted on ‎02-21-2022 11:24 AM

I hide the profiles preference pane but I don't completely restrict access to it.  That has been effective for us. You can still get to it using the search function in System Preferences. I created a configuration profile with an Application & Custom Settings payload. Here's the plist text below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>HiddenPreferencePanes</key>
	<array>
		<string>com.apple.preferences.configurationprofiles</string>
	</array>
</dict>
</plist>

Using this method you can hide any preference pane.

Reply