Jamf Nation Community

Nick:

This is totally bogus. I am having an issue with my loginwindow profile disappearing, and while your post explains WHAT is happening, it doesn't explain WHY jamf (in all of their wisdom) decided that this would be a good plan.

Seriously. WTF.

I do not have any other profiles coming from the JSS, just the MDM profile that gets automatically added when you enable certificate based authentication. Also, I used the JSS to build the profile that is being auto-deleted! You would think that JAMF would sign the profile so that it would be recognized as originating from the JSS and not be deleted... and you would be wrong.

Sorry for the rant. I am contacting our JAMF support person. This is just so ridiculous that I had to vent.

--Andy

OK, so according to my support rep, this issue was fixed as of 8.52; manually installed profiles can coexist with those from the JSS, as long as the manually installed profiles were not created via the JSS, since the server would then see them as being installed onto the wrong systems (unless the profile was scoped to that machine, in which case the server would then install the profile a second time). Makes sense...? Um.

Nevertheless, we are still faced with a quandary:

How do you manually deploy a profile that was created by the JSS, to a machine that does not have that profile scoped to it in the JSS, without the JSS removing it (since it isn't scoped to the machine)? Wow, that was a mouthful :)

Apparently I could recreate the profile using Lion or Mountain Lion server and the JSS would then ignore it. This assumes that I have a production server running profile manager, which I don't. Might be time to get that enabled.

Or, I could just log into each computer, allow mdmclient to remove the profile, and then scope the profile to the computers via the JSS. However, I am unclear on how each computer will request the profile without being plugged into ethernet, since the wireless profile will no longer be present. Chicken. Egg. Ugh.

Hopefully support will get back to me with a viable workflow for correcting this catch 22. I will be sure to share what I find out.

--Andy

my solution has been to just not push profiles from the JSS. I create them in profile manager and install them using the profiles bash command.

OK, no word from JAMF on this yet, but I am going to try deleting the profile from the JSS. My hope is that if it is not present on the server, that mdmclient will not remove it (since it will not think that it is out of scope).

Gee, I sure hope this works.

FYI this appears to be working. The profile is not being removed. Note to self: if you plan to use the JSS to create profiles, be sure to remove the profiles from the server after creating them!

also, HI ANDY!! I didn't realize that was you!
:)
nick

LOL, hey Nick, long time no see :)

Use mcxToprofile

https://github.com/timsutton/mcxToProfile

Hi, any advice ?

I'm manually installing a VPN configuration profile that was originally created and downloaded from the JSS, is there any way to convert it so that the error below does not occur ? i had a look at mcxToProfile, if i could find a way to convert the profile to a plist then use mcxToProfile to convert it back ?

I also had a look to see if it was creating a plist in /Library/Managed Preferences but nothing in there.

i'm manually installing the profile rather than pushing it from the JSS as once the profile gets installed from the JSS it falls out of scope and gets removed, i couldn't find another way to approach it

Going to try this here
de-sign the downloaded JSS profile, create a plist, then use mcxtoprofile to create a new .mobileconfig
then see if the JSS still gives an error
thanks @bentoms !

Downloading from the JSS and de-signing or re-creating did not stop the error message, as the JSS
is looking at the profiles UUID and even if deleted the record still exists in the database.

The approach i got to stop the errors

• Create and download configuration profile from JSS
• Delete the Profile from the JSS
• Make a back up of the JSS database
• Delete the Profile (Identify by UUID or name) from the JSS database, easy with Sequel Pro

as the profile no longer exists the JSS doesn't try and remove it.