Skip to main content

Hello Jamf experts,

 

We have a weird issue that just started occurring which we're not sure if it's because of a recent update to our Jamf Cloud instance because we hadn't added new Macs over the past few months.

 

Anyway, we have a Configuration Profile that generates and deploys a SCEP certificate along with the Wi-Fi profile that uses the certificate. All's been well until recently when we provisioned a new Macbook Pro and it just refuses to install any Configuration Profile at all (we check in the Macbook's History > Policy Logs page in Jamf).

 

After a lot of troubleshooting which included a check on the firewall to see if anything is being blocked (there isn't) we stumbled upon the fact that when the SCEP is applied, the Macbook immediately switches to and connects to that Wi-Fi and then it fails to proceed. When I exclude the deployment of SCEP, everything works as before.

 

Now the question is, how can I make it so that the SCEP is deployed last? I know we can dictate the order of Policies but not sure about Configuration Profiles?

I forgot to mention that when I say it switches Wi-Fi, it goes from our Onboarding SSID (which is very restricted to just access our Domain Controllers/DNS, MS/Intune IPs and Apple / Jamf IPs) to the Staff SSID which is pretty much wide open so it can't be the firewall blocking (besides, we've monitored it when it switched IPs and nothing comes up in the firewall logs).

You could setup a smart group that is something like an "onboarding complete" situation.  if you use connect you can use something like this as an EA https://github.com/jamf/jamfconnect/blob/main/built_in_extension_attributes/Jamf_Connect_FirstRunDone.sh


which you can use to scope the profiles so it doesn't interfere.

You could setup a smart group that is something like an "onboarding complete" situation.  if you use connect you can use something like this as an EA https://github.com/jamf/jamfconnect/blob/main/built_in_extension_attributes/Jamf_Connect_FirstRunDone.sh


which you can use to scope the profiles so it doesn't interfere.


Thanks. I'll check it out although we use NoMAD and NoMAD Login.

I can confirm that workaround fixes the problem. I created a Smart Group that had an app criteria (the last app we install which is NoMAD Login) and only then does it apply the SCEP.

 

Cheers!

@myu could you hit me in macadmins? I had a couple other questions to ask.

Reply


Terms & ConditionsCookie settings