Enable Certificate-based communication

oligiles
New Contributor

Hi Everyone
Does anyone have first-hand experience of running 10.6 Casper Macs bound to OD and adding 10.7 Macs with Computer level management driven by Casper?
I have an existing environment running 10.6 but it won't support 10.7 so I need to manage the 10.7 clients with Casper.
I'm keen to know if switching on APNs certificates and certificate-based comms is going to affect the 10.6 Macs?

Many thanks
Oli

8 REPLIES

tsd25108
New Contributor II

We run both 10.6 and 10.7, and having an APNS certificate and enabling certificate-based communication hasn't affected our 10.6 Macs. They pretty much ignore it all. I.e., if you have configuration profiles set up and scoped to all managed clients, your 10.6 machines won't be affected.

cbrewer
Valued Contributor II

I saw different. Many of my 10.6 machines were getting errors when submitting inventory after turning on certificate-based communication. I don't remember the exact error but it was something like: 401, could not reach jss.

mm2270
Legendary Contributor III

@cbrewer - are you sure you didn't enable the "This JSS has a valid certificate installed" option that caused that? Because my understanding is the top option to "Enable Certificate-Based Communication" should not affect 10.6 clients communicating with the JSS.
I'm curious to hear if that's different, since I've been considering making the suggestion to enable that for our Lion clients. We still have a bunch of Snow Leopard Macs as well.

cbrewer
Valued Contributor II

I'm positive it was only the "Enable Certificate-Based Communication" option. I did it to test pushing profiles to Lion machines (which worked fine). However, after having it on for a couple weeks we came across quite a few problems with 10.6.8 machines failing to submit inventory. It wasn't every 10.6 machine though. Turning the option off immediately got the troubled 10.6 machines working again.

bentoms
Esteemed Contributor

IIRC, the 8.51 release resolved the 401 error when enabling secure communication.

mm2270
Legendary Contributor III

Ah, Ben is right. It's right in the release notes for 8.51, defect 002556 on pg 17:

"Fixed an issue that caused the jamf binary to return a 401 Failure error when collecting inventory if certificate-based communication is enabled in the JSS."

That's good to know.

cbrewer
Valued Contributor II

I waited for 8.51 to see if the problem would be resolved, but it was not for us. That's when I decided to just turn it off for now. Probably should have looked into it more, but had enough other irons in the fire.

oligiles
New Contributor

Thanks for your responses guys.
I think the first thing I'm gonna do is update to 8.51.
Once that's done I'll enable it.
I spoke to the guys at Jamf and they also said that my 10.6 OD environment would be unaffected.