Posted on 09-14-2023 05:48 PM
Hello Jamf experts,
We have a weird issue that just started occurring which we're not sure if it's because of a recent update to our Jamf Cloud instance because we hadn't added new Macs over the past few months.
Anyway, we have a Configuration Profile that generates and deploys a SCEP certificate along with the Wi-Fi profile that uses the certificate. All's been well until recently when we provisioned a new MacBook Pro and it just refuses to install any Configuration Profile at all (we check in the MacBook's History > Policy Logs page in Jamf).
After a lot of troubleshooting, which included a check on the firewall to see if anything is being blocked (there isn't), we stumbled upon the fact that when the SCEP is applied, the MacBook immediately switches to and connects to that Wi-Fi and then it fails to proceed. When I exclude the deployment of SCEP, everything works as before.
Now the question is, how can I make it so that the SCEP is deployed last? I know we can dictate the order of Policies but not sure about Configuration Profiles?
Posted on 09-14-2023 05:51 PM
I forgot to mention that when I say it switches Wi-Fi, it goes from our Onboarding SSID (which is very restricted to just access our Domain Controllers/DNS, MS/Intune IPs and Apple / Jamf IPs) to the Staff SSID which is pretty much wide open so it can't be the firewall blocking (besides, we've monitored it when it switched IPs and nothing comes up in the firewall logs).
Posted on 09-15-2023 09:05 AM
You could set up a smart group that is something like an "onboarding complete" situation. If you use Connect you can use something like this as an EA https://github.com/jamf/jamfconnect/blob/main/built_in_extension_attributes/Jamf_Connect_FirstRunDon...
which you can use to scope the profiles so it doesn't interfere.
Posted on 09-15-2023 12:07 PM
Thanks. I'll check it out although we use NoMAD and NoMAD Login.
Posted on 09-19-2023 06:06 PM
I can confirm that workaround fixes the problem. I created a Smart Group that had an app criteria (the last app we install which is NoMAD Login) and only then does it apply the SCEP.
Cheers!
Posted on 01-29-2024 08:54 AM
@myu could you hit me in macadmins? I had a couple other questions to ask.