Force Trigger From Self Service

Beriuv
New Contributor

Hi all, 

I have a .pfx file with a password. It must be installed on all computers, but for the user account, not the system.

So I deploy it to private/var/tmp and execute a command.

cd /private/var/tmp && security import Deploy_User.pfx -k ~/Library/Keychains/login.keychain -P \password

It works on my computer when I try to run it in Terminal. But in Jamf it did not work. It also did not copy my .pfx file to var/tmp.

But when I deploy from Self Service, everything is fine. Users can install from Self Service, and I can also see that in the login keychain. But I cannot deploy silently. I have lots of users, so I cannot tell everyone to install from Self Service.

So I need to force installation from Self Service for all users. Does anyone know how to do that?

Does anyone have another solution?

5 REPLIES

sdagley
Esteemed Contributor II

@Beriuv Is this certificate common for all users, or unique for each? If it's common you could deploy a User Level Configuration Profile with a Certificate payload containing your certificate. You can set the Distribution Method to Install Automatically or Make Available in Self Service.

Beriuv
New Contributor

It is not unique. The certificate is the same for all users. I must see our certificate in Keychain with login status.

This is a .pfx file with a password. You can see my Config Profile. It didn't work. Nothing is distributed. So I changed my decision and I run the command as you see in the first message. In Self Service it is OK to install, and if I deploy this .pfx file to the user, the user must run sudo jamf policy. If not, the policy cannot apply.

You can also see my Config Profile.

 
 

 

General
Name: Certificate - CONNECT_SSLVPN_USER
Description:
Category:
Level: User Level
Distribution Method: Install Automatically

----------------------------------------------------------------------------------------

Certificate
Certificate Name: Connect_SSLVPN_User
Filename: Connect_SSLVPN_User.pfx
Password: ••••••••••••••••••••
Verify Password: ••••••••••••••••••••
Allow all apps access: Allow all apps to access the certificate in the keychain
Allow export from keychain: Allow computer's administrators to export private key from the keychain

 

sdagley
Esteemed Contributor II

@Beriuv Deploying a certificate to the user's login keychain should work. Does the management commands log show that there was an error deploying the profile? Does the .pfx you're deploying have the complete certificate trust chain for the final certificate (i.e. contains the root and any intermediate CAs if the issuing CA isn't one of Apple's pre-installed Global CAs)? And BTW, you probably shouldn't flag a certificate that's being used to authorize access to your VPN as exportable.
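
A check for the trust-chain question in the reply above, added here as an example and not part of the original thread: it lists the subject and issuer of every certificate inside the .pfx and reports any issuer that is not in the bundle. The function names and the PFX_PASS environment variable are assumptions of this example; a reported issuer only matters if it is not one of Apple's pre-installed CAs.

```shell
#!/bin/sh
# Added example (not from the thread): does a .pfx carry its full trust chain?
# Assumption: the .pfx password is supplied in the PFX_PASS environment
# variable so it never appears on the command line or in process listings.

# Print "subject=..." and "issuer=..." for every certificate in the .pfx.
pfx_cert_names() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin 2>/dev/null |
        openssl pkcs7 -print_certs -noout
}

# Read subject=/issuer= pairs on stdin and report every issuer that is
# neither self-signed nor present as a subject in the same bundle.
# Exit status: 0 = chain complete, 1 = issuer(s) missing, 2 = no certificates.
chain_gaps() {
    awk '
        /^subject=/ { sub(/^subject= */, ""); subj = $0; have[subj] = 1 }
        /^issuer=/  { sub(/^issuer= */, "");  issuer[subj] = $0; n++ }
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            for (s in issuer)
                if (issuer[s] != s && !(issuer[s] in have)) {
                    print "missing issuer: " issuer[s]
                    gaps = 1
                }
            exit (gaps ? 1 : 0)
        }'
}

# Full check for one file, e.g. Connect_SSLVPN_User.pfx.
check_pfx_chain() {
    pfx_cert_names "$1" | chain_gaps
}

# When run as a script with a file argument, check that file.
if [ "$#" -gt 0 ]; then
    check_pfx_chain "$1"
fi
```

A wrong password or an unreadable file shows up as "no certificates found" with exit status 2, which keeps that case separate from a genuinely incomplete chain.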

Beriuv
New Contributor

When a user downloads from Self Service, which I prepared with a policy, the certificate is correct and we can see it in Keychain Access with login. But if I deploy like this, as you can see, nothing changes and I also cannot see any log.

 

General
Name: Certificate - CONNECT_SSLVPN_USER
Description:
Category:
Level: User Level
Distribution Method: Install Automatically

----------------------------------------------------------------------------------------

Certificate
Certificate Name: Connect_SSLVPN_User
Filename: Connect_SSLVPN_User.pfx
Password: ••••••••••••••••••••
Verify Password: ••••••••••••••••••••
Allow all apps access: Allow all apps to access the certificate in the keychain
Allow export from keychain: Allow computer's administrators to export private key from the keychain

 

 

sdagley
Esteemed Contributor II

@Beriuv Have you checked System Preferences->Profiles on the target Mac to verify your Configuration Profile with the certificate actually installed? Unlike Computer Level profiles that install almost immediately, there can be a delay before a User Level profile installs. You can speed up the issue somewhat by restarting the target Mac.