Posted on 02-04-2021 01:33 PM
For the longest time, we used a pkg to install our network profile. I had a postinstall script that would make sure the domain controller was accessible first prior to installing to make sure there wouldn't be an issue with the AD cert payload. The benefit of this was that it would just "overwrite" the existing network profile on the device and everything would continue to work without issue.
Enter Big Sur, and the removal of the ability to use the "profiles" command to install a config profile... I was told a long time ago by our certificate team that whatever the functionality behind the scenes to be able to use the "renew" button in System Preferences to get a new machine certificate would break something on the Windows side of things.
With that said, my testing workflow has been to have an "a" and "b" version of the same profile. So when your "a" profile AD certificate is expiring, you go to Self Service and install the "b" profile which gets a new profile. The issue with this workflow, is when you go to remove the "a" profile (at "b" install time or down the road to reinstall "a" when "b" expires), is that it removes our WiFi configuration as well. So now the machine is knocked off the network, and the user has to know to select TLS-EAP and then the machine certificate to reconnect.
I've reached out to our certificate team to revisit the renewal process, but I was wondering if anyone else ran into a similar workflow and it's inherent problems.