JSS and Configuration Profiles not working

adroitboy
New Contributor III

Hello all. I haven't been using configuration profiles in the JSS for MacOS, but want to start - I think.

I just finished reading through the documentation. Perhaps I'm missing something, but I can't get them to push to the computers.

JSS: 8.73
APNs cert is installed
Certificate communications are enabled
Push notifications for 10.7+ is enabled
Test machine is running 10.8.5 and is JSS managed.
Test machine shows the JSS MDM enrollment profile

I created a computer-level profile and scoped it to 2 test machines. Neither got the config profile. Is there something that I can do to figure out why configuration profiles aren't being pushed? I know there's

The profile installs just fine if I install manually. If I can't figure this out I'll probably just scope a policy with a pkg and postflight to do it, but figured configuration profiles in the JSS would be the proper way. Perhaps not?

Thanks!
Aaron

4 REPLIES

CasperSally
Valued Contributor II

Try making it user level and logout/in. I've been struggling through this as well lately. Some settings that I think should definitely be user level work fine at computer, others not so much. Other settings I'm having trouble getting to work at all (some .globalpreferences I had working fine with MCX, and forcing Bluetooth off). Also, check out mcxtoprofile if you haven't already. For settings that don't work always, this gives you once/often options.

adroitboy
New Contributor III

I'll try something simple and make it user-level just to see if it pushes anything, although what I'm trying to do (getting an AD machine cert) should be machine level I would think.

This is one of those things that need to be dead-reliable. I don't really see much for reporting etc for config profiles. Perhaps installing a profile with a .mobileconfig and script would be a better method?

adroitboy
New Contributor III

I just enrolled and tested with an iOS device and it works fine, so I'm assuming that APNs is working. I'll move on to setting it to a user-profile and see if that works.

bentoms
Release Candidate Programs Tester

OSX also needs port 443 access to Apple to perform a handshake post enrolment. (I think it receives a device cert from Apple).

So, make sure 443 to (at least) 17.0.0.0/8 is unblocked. (Along with 2195, 2196 & 5223).

This is an OSX thing only & only post MDM enrolment, after the OSX client receives its cert (or whatever it is) from Apple. It'll use the same ports as iOS.
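
One way to check an egress firewall policy against the ports and address block listed in the reply above, as an added example that is not part of the original thread. The rule syntax (`allow|deny tcp <cidr> <port or range>`), first-match-wins evaluation with default deny, and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Requirements as stated in the thread: TCP 443, 2195, 2196 and 5223
# outbound to 17.0.0.0/8.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
REQUIRED_PORTS = (443, 2195, 2196, 5223)

def parse_rule(line):
    """Parse a hypothetical 'allow|deny tcp <cidr> <port|lo-hi>' rule (IPv4 only)."""
    action, proto, cidr, ports = line.split()
    if action not in ("allow", "deny") or proto != "tcp":
        raise ValueError(f"unsupported rule: {line!r}")
    lo, _, hi = ports.partition("-")
    return action, ipaddress.ip_network(cidr), int(lo), int(hi or lo)

def subtract(net, other):
    """Return the parts of net that other does not cover."""
    if not net.overlaps(other):
        return [net]
    if net.subnet_of(other):
        return []
    return list(net.address_exclude(other))  # other is strictly inside net

def blocked_ranges(rules, port, target=APPLE_NET):
    """Parts of target that first-match rules leave blocked for this port."""
    undecided, blocked = [target], []
    for action, net, lo, hi in rules:
        if not lo <= port <= hi:
            continue
        remaining = []
        for piece in undecided:
            if action == "deny" and piece.overlaps(net):
                # A narrow deny ahead of a broad allow still blocks its slice.
                blocked.append(piece if piece.subnet_of(net) else net)
            remaining.extend(subtract(piece, net))
        undecided = remaining
    return sorted(blocked + undecided)  # unmatched space falls to default deny

def audit(rule_lines):
    """Map each required port to the blocked parts of 17.0.0.0/8."""
    rules = [parse_rule(l) for l in rule_lines if l.strip()]
    return {port: blocked_ranges(rules, port) for port in REQUIRED_PORTS}

# Constructed sample policy: a partial deny shadows the later allow for 5223.
SAMPLE_RULES = """deny tcp 17.128.0.0/9 5223
allow tcp 0.0.0.0/0 443
allow tcp 17.0.0.0/8 2195-2196
allow tcp 17.0.0.0/8 5223""".splitlines()

if __name__ == "__main__":
    for port, gaps in audit(SAMPLE_RULES).items():
        print(port, "ok" if not gaps else "blocked: " + ", ".join(map(str, gaps)))
```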