Deploying config profile over Script vs Jamf config profile

khey
Contributor

Hi guys,

I am about to deploy Palo Alto GlobalProtect clients to machines, and we use pre-logon authentication based on a machine certificate (a unique machine cert per device).

I have set up a Configuration Profile in Casper with the root CA certificate and AD Certificate payloads, and I have also exported the config as a .mobileconfig.

I am now contemplating whether to use a bash script to install the config profile (machine cert) or use a Casper config profile. I'm pretty sure you guys are aware of config profile pushes that sometimes get stuck.

What's making it harder is that if the GlobalProtect client is unable to authenticate with the machine certificate (or the certificate is not found), it will keep asking the user to restart the service.

For the deployment of the client, I have created an extension attribute to detect whether the root CA exists. If it's not there, the client will not be installed.

Please advise.

Thanks


Key1
New Contributor III

@khey I use standalone profiles to deploy certificates, wrapped in a script that keeps an eye on the GlobalProtect cert (expiring, duplicate, missing) using the security tool, then fire that from a LaunchDaemon (for computer certs) at login (delayed to allow a connection to start up) and again every 4 hrs.

I moved away from using a config profile in the JSS as it makes migrating MDM difficult and I found the certificate renewal inconsistent.

khey
Contributor

@Key1 would you mind sharing your script please?

I am particularly interested in how your script checks for the cert.

Thank you.

PatrickD
Contributor II

Hey @khey

You could create the config profile and then download it, pkg it, and add a postinstall script that uses the profiles command to "manually" install the cert.
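The postinstall step PatrickD describes, written out as an added example (this is not PatrickD's script or anything from the thread). It assumes, hypothetically, that the pkg payload drops the exported profile at PROFILE_PATH and that the profile's top-level PayloadIdentifier is PROFILE_ID; both are placeholders to change.

```shell
#!/bin/bash
# Added example, not PatrickD's script: a pkg postinstall that installs an
# exported .mobileconfig with the `profiles` tool and verifies it landed.
# Assumptions (hypothetical): the pkg payload places the profile at PROFILE_PATH
# and the profile's top-level PayloadIdentifier is PROFILE_ID.
PROFILE_PATH="${PROFILE_PATH:-/Library/Application Support/MyOrg/machine-cert.mobileconfig}"
PROFILE_ID="${PROFILE_ID:-com.example.machine-cert}"

# Install a computer-level profile. Returns 1 if the file is missing, so the
# installer reports a failure instead of silently leaving the Mac without the
# certificate. (macOS 10.13+ syntax; older releases use `profiles -I -F <file>`.)
install_profile() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "postinstall: profile not found: $path" >&2
        return 1
    fi
    /usr/bin/profiles install -path="$path"
}

# Confirm the identifier now appears among the computer-level profiles.
# `profiles -C -v` prints a "profileIdentifier: <id>" line per installed profile.
profile_installed() {
    /usr/bin/profiles -C -v 2>/dev/null | grep -q "profileIdentifier: $1"
}

main() {
    install_profile "$PROFILE_PATH" || exit 1
    if profile_installed "$PROFILE_ID"; then
        echo "postinstall: $PROFILE_ID installed"
        # An exported profile may embed an identity; do not leave it on disk.
        rm -f "$PROFILE_PATH"
    else
        echo "postinstall: $PROFILE_ID not found after install" >&2
        exit 1
    fi
}

# Installer calls postinstall with $1 = path to the .pkg; only then run main,
# so sourcing this file for testing merely defines the functions.
case "${1:-}" in *.pkg) main ;; esac
```

Failing the install when the file is absent or the identifier does not show up afterwards matters here because GlobalProtect keeps prompting the user when the machine cert is missing; a postinstall that exits 0 regardless would hide exactly that condition from the policy log.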

dgreening
Valued Contributor II

I am seriously considering continuing to deploy our wireless profile and any certificates which control access to the network via the packaged install method. I don't need Macs losing their MDM profile (and all associated profiles) and making it challenging for remediation due to lack of network access. Plugging into ethernet is becoming less and less an option.

khey
Contributor

Hi @PatrickD and @dgreening

What I am worried about with the packaged install is the renewal of the cert. I'm not sure whether the cert will get renewed automatically by the CA when nearing expiration.

Perhaps create an EA to detect an expiring cert and re-run the policy to renew the cert? Things might get messy.

Thanks
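Key1's reply above describes a script that watches the GlobalProtect cert for the missing, duplicate and expiring cases with the security tool, and khey wonders about an EA that detects an expiring cert. The following is an added example of such a check, written for this page and not Key1's script or anything posted in the thread. It assumes, hypothetically, that the machine cert's subject Common Name is "gp-machine-cert", that it lives in the System keychain, and that renewal should start 30 days before expiry; the one-word output is suitable for an Extension Attribute and the exit status for a LaunchDaemon.

```shell
#!/bin/bash
# Added example, not Key1's script: audit the GlobalProtect machine certificate
# in the System keychain with the `security` tool, reporting the three states
# the thread watches for (missing, duplicate, expiring) plus ok.
# Assumptions (hypothetical): subject Common Name "gp-machine-cert", renewal
# wanted when fewer than WARN_DAYS remain.
CERT_CN="${CERT_CN:-gp-machine-cert}"
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"
WARN_DAYS="${WARN_DAYS:-30}"

# Every certificate matching the CN, as PEM (-a = all matches, -p = PEM).
# No output (including a missing `security` binary) ends up as "missing".
fetch_certs() {
    /usr/bin/security find-certificate -a -c "$CERT_CN" -p "$KEYCHAIN" 2>/dev/null || true
}

# Count PEM blocks on stdin. grep -c prints 0 but exits 1 when nothing matches.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# Pure mapping from a match count to a status word (testable without a keychain).
classify_count() {
    case "$1" in
        0) echo missing ;;
        1) echo ok ;;
        *) echo duplicate ;;
    esac
}

# Will the PEM certificate on stdin still be valid $1 days from now?
# openssl's -checkend takes seconds and exits non-zero if the cert will have
# expired by then; an unparseable input also fails, which is treated as
# "expiring" so the renewal path runs rather than nothing happening.
expiry_status() {
    if openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# Full audit: prints exactly one word (missing | duplicate | expiring | ok) for
# an EA to record, and returns non-zero on anything but ok so a LaunchDaemon
# can trigger the renewal policy.
audit_cert() {
    pem="$(fetch_certs)"
    status="$(classify_count "$(printf '%s\n' "$pem" | count_certs)")"
    if [ "$status" = ok ]; then
        status="$(printf '%s\n' "$pem" | expiry_status "$WARN_DAYS")"
    fi
    echo "$status"
    [ "$status" = ok ]
}

# Run the audit only when invoked with --run (e.g. from the LaunchDaemon's
# ProgramArguments); sourcing the file just defines the functions.
case "${1:-}" in --run) audit_cert ;; esac
```

The duplicate case is reported separately from expiring on purpose: after a renewal that leaves the old cert in place, two certs share the CN and the client may pick the stale one, so the remediation (remove the older identity) differs from the remediation for an expiring or missing cert (re-run the enrollment policy).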

PatrickD
Contributor II

@khey It really depends what is getting deployed. For instance we use SCEP certs for 802.1x network auth and these profiles are redistributed every 45 days. This is why I am relying on JAMF Config Profiles.

Personally I would rather figure out what the problem is with your JAMF Config Profiles and resolve that because, yes, in my opinion this ^^ process would get very messy.

I have never seen a Mac "lose" its MDM Profile but maybe that is just the environments I have worked in. I have had Config Profiles get "stuck" but a blank push resolves that without issue, again you may administer 2000 clients not 200. Again, I would be contacting JAMF and spend my time investigating the issue instead of ignoring it and trying to make a work around, maybe you have already done this???

khey
Contributor

Thanks @PatrickD, you really have a good point there. I think I have to rely on Config Profiles and work with JAMF when having issues.

Thanks again.

PatrickD
Contributor II

Plus if there is an issue on JAMFs end, they will work to fix it and then JAMF will be made better for everyone :D

donmontalvo
Esteemed Contributor III

@PatrickD wrote:

@khey It really depends what is getting deployed. For instance we use SCEP certs for 802.1x network auth and these profiles are redistributed every 45 days. This is why I am relying on JAMF Config Profiles.

Curious since we don't (yet) have SCEP in place to automate 802.1x certificates via MDM.

How quickly/reliable is re-issue of an 802.1x certificate via SCEP if for any reason an MDM Profile has to get yanked?

Of course most manageable/sustainable (SCEP/JSS) wins, but sometimes Apple Push Notification Service is kind of slow.

The reason I ask: if the 802.1x certificate goes away because the MDM Profile went away, the user kind of loses their connection.

--
https://donmontalvo.com

Key1
New Contributor III

@khey

Have a look at this thread; it discusses certificate expiry and duplication etc.

https://www.jamf.com/jamf-nation/discussions/14845/getting-expiry-date-of-certificate

PatrickD
Contributor II

Hi @donmontalvo,

We meet again in a different thread, this one a little less tense... haha

Yeah, to answer the question of "if the MDM profile is removed, do they lose Wi-Fi": yes, the user/computer will lose Wi-Fi, as the SCEP config profile is pulled and so is the related cert and identity preference from the Keychain, so obviously they have no cert to auth with. Yes, no Wi-Fi is bad, but is that any different from distributing a Wi-Fi profile with a different auth method and then having that pulled?

Not too sure what you mean by this??

How quickly/reliable is re-issue of an 802.1x certificate via SCEP if for any reason an MDM Profile has to get yanked?

If the MDM Profile is yanked, then so is the SCEP profile and the associated cert from the keychain. <- is that sort of what you are asking?

At our org we have a secure network and a, well, less secure network. The secure one requires SCEP cert auth and the less secure one only requires an AD username and password, so if a disconnect occurs, users can connect again themselves and then we can push MDM down again.

Pat

donmontalvo
Esteemed Contributor III

@PatrickD Yea, that thread is a real keeper. :) The reason I was curious about 802.1x certificates is that we currently don't have a SCEP server. The thought was: if for any reason the MDM Profile has to be removed, all the other profiles that were installed because of it get removed as well. If the computer was reliant on an 802.1x certificate that was part of that payload, how can it get it back if it can't get onto the network to get it from the JSS?(*)

(*)As much as I wanted to end that sentence in "..get it from the Jamf Pro"...

--
https://donmontalvo.com