Jamf Nation Community

@Key1 would you mind sharing your script please?

I am particularly interested on how your script checks for the cert.

thank you

Hey @khey

You could create the config profile and then download it, pkg it and add a post install script to use the Profiles command to "manually" install the cert.

I am seriously considering continuing to deploy our wireless profile and any certificates which control access to the network via the packaged install method. I don't need Macs losing their MDM profile (and all associated profiles) and making it challenging for remediation due to lack of network access. Plugging into ethernet is becoming less and less an option.

Hi @PatrickD and @dgreening

What am worried with the packaged install is the renewal of the cert. Am not sure if the cert will get renewed automatically by the CA when nearing expiration.

Perhaps, create an EA to detect expiring cert and re-run the policy to renew the cert? things might get messy.

Thanks

@khey It really depends what is getting deployed. For instance we use SCEP certs for 802.1x network auth and these profiles are redistributed every 45 days. This is why I am relying on JAMF Config Profiles.

Personally I would rather figure out what the problem is with your JAMF Config Profiles and resolve that because, yes, in my opinion this ^^ process would get very messy.

I have never seen a Mac "lose" its MDM Profile but maybe that is just the environments I have worked in. I have had Config Profiles get "stuck" but a blank push resolves that without issue, again you may administer 2000 clients not 200. Again, I would be contacting JAMF and spend my time investigating the issue instead of ignoring it and trying to make a work around, maybe you have already done this???

Thanks @PatrickD you really have a good point there. i think i have to rely on Config Profile and work with JAMF when having issues.

Thanks again.

Plus if there is an issue on JAMFs end, they will work to fix it and then JAMF will be made better for everyone :D

@PatrickD wrote:

@khey It really depends what is getting deployed. For instance we use SCEP certs for 802.1x network auth and these profiles are redistributed every 45 days. This is why I am relying on JAMF Config Profiles.

Curious since we don't (yet) have SCEP in place to automate 802.1x certificates via MDM.

How quickly/reliable is re-issue of an 802.1x certificate via SCEP if for any reason an MDM Profile has to get yanked?

Of course most manageable/sustainable (SCEP/JSS) wins, but sometimes Apple Push Notification Service is kind of slow.

The reason I ask, if 802.1x certificate goes away because MDM Profile went away, user kind of loses their connection.

@khey

Have a look at this thread, discusses certificate expiry and duplication etc

[https://www.jamf.com/jamf-nation/discussions/14845/getting-expiry-date-of-certificate](link URL)

Hi @donmontalvo,

We meet again in a different thread, this one a little less tense... haha

Yeah, to answer the question of "if mdm prof is remove do they loss Wi-Fi" yes the user/computer will lose Wi-Fi as the SCEP Config Prof is pulled and so is the related cert and identity preference from Keychain so obviously they have no cert to auth with. Yes no Wi-Fi is bad but is that any different from distributing a different auth method Wi-Fi prof and then having that pulled?

Not too sure what you mean by this??

How quickly/reliable is re-issue of an 802.1x certificate via SCEP if for any reason an MDM Profile has to get yanked?

If MDM Profile is yanked, then so is the SCEP profile and associated cert from keychain. <- is that sort of what you are asking?

At our org we have a secure network and a, well less secure network. Secure one requires SCEP cert auth and less secure only requires AD username and pass, so if a disconnect occurs, users can connect again them selfs and then we can push MDM down again.

Pat

@PatrickD Yea, that thread is a real keeper. :) The reason I was curious about 802.1x certificates, is we currently don't have a SCEP server. The thought was, if for any reason MDM Profile has to be removed, and all the other profiles that were installed because of it get removed as well. If the computer was reliant on that 802.1x certificate that was part of the payload, how can it get it if it can't get onto the network to get it from the JSS?(*)

(*)As much as I wanted to end that sentence in "..get it from the Jamf Pro"...