JSS configuration profiles and locally installed configuration profiles

nkalister
Valued Contributor

Hey JAMFnation, I'm beginning to explore using configuration profiles with my JSS, and I'm running into an issue with profiles I've created myself. Basically, I've been using a profile to configure VPN, and I install it either from a script, or by just double-clicking the mobileconfig file.
Now that I'm enrolling my machines with the JSS MDM profile, I'm seeing these errors in Console every few seconds:

4/19/12 12:01:46.579 PM mdmclient: [Agent:2136138485] Removing profile: HDS VPN (com.apple.mdm.virtualion.hds.com.cbbd9ca0-e1ab-012e-8e62-001c4227f7c4.alacarte) for: <User: 2136138485>
4/19/12 12:01:46.580 PM mdmclient: *** ERROR *** [Agent:2136138485] <MDMClientError:90> Cannot remove profile 'com.apple.mdm.virtualion.hds.com.cbbd9ca0-e1ab-012e-8e62-001c4227f7c4.alacarte' because it was not installed by the MDM server <MDMClientError:90>

It looks to me like the JSS is telling the MDM client to remove that profile, which I do not want. I've tried pushing that VPN profile from the JSS and it doesn't set up the proxy correctly, so I'd like to keep the local installation method if I can . . . anyone mixing non-JSS profiles with profiles coming from the JSS successfully?

1 ACCEPTED SOLUTION

nkalister
Valued Contributor

JAMF support confirms that this is expected behavior, so you'll have to choose either to install all profiles manually or all from the JSS . . . mixing 2 sources is not supported.
So that means I won't be able to use profiles from the JSS at all. Sadness.

12 REPLIES

andyinindy
Contributor II

Nick:

This is totally bogus. I am having an issue with my loginwindow profile disappearing, and while your post explains WHAT is happening, it doesn't explain WHY JAMF (in all of their wisdom) decided that this would be a good plan.

Seriously. WTF.

I do not have any other profiles coming from the JSS, just the MDM profile that gets automatically added when you enable certificate based authentication. Also, I used the JSS to build the profile that is being auto-deleted! You would think that JAMF would sign the profile so that it would be recognized as originating from the JSS and not be deleted... and you would be wrong.

Sorry for the rant. I am contacting our JAMF support person. This is just so ridiculous that I had to vent.

--Andy

andyinindy
Contributor II

OK, so according to my support rep, this issue was fixed as of 8.52; manually installed profiles can coexist with those from the JSS, as long as the manually installed profiles were not created via the JSS, since the server would then see them as being installed onto the wrong systems (unless the profile was scoped to that machine, in which case the server would then install the profile a second time). Makes sense...? Um.

Nevertheless, we are still faced with a quandary:

How do you manually deploy a profile that was created by the JSS, to a machine that does not have that profile scoped to it in the JSS, without the JSS removing it (since it isn't scoped to the machine)? Wow, that was a mouthful :)

Apparently I could recreate the profile using Lion or Mountain Lion server and the JSS would then ignore it. This assumes that I have a production server running profile manager, which I don't. Might be time to get that enabled.

Or, I could just log into each computer, allow mdmclient to remove the profile, and then scope the profile to the computers via the JSS. However, I am unclear on how each computer will request the profile without being plugged into ethernet, since the wireless profile will no longer be present. Chicken. Egg. Ugh.

Hopefully support will get back to me with a viable workflow for correcting this catch 22. I will be sure to share what I find out.

--Andy

nkalister
Valued Contributor

My solution has been to just not push profiles from the JSS. I create them in Profile Manager and install them using the profiles bash command.

andyinindy
Contributor II

OK, no word from JAMF on this yet, but I am going to try deleting the profile from the JSS. My hope is that if it is not present on the server, that mdmclient will not remove it (since it will not think that it is out of scope).

Gee, I sure hope this works.

andyinindy
Contributor II

FYI this appears to be working. The profile is not being removed. Note to self: if you plan to use the JSS to create profiles, be sure to remove the profiles from the server after creating them!

nkalister
Valued Contributor

Also, HI ANDY!! I didn't realize that was you!
:)
nick

andyinindy
Contributor II

LOL, hey Nick, long time no see :)

May
Contributor III

Hi, any advice?

I'm manually installing a VPN configuration profile that was originally created and downloaded from the JSS. Is there any way to convert it so that the error below does not occur? I had a look at mcxToProfile, if I could find a way to convert the profile to a plist then use mcxToProfile to convert it back?

I also had a look to see if it was creating a plist in /Library/Managed Preferences but nothing in there.

I'm manually installing the profile rather than pushing it from the JSS, as once the profile gets installed from the JSS it falls out of scope and gets removed. I couldn't find another way to approach it.

May
Contributor III

Going to try this here:
de-sign the downloaded JSS profile, create a plist, then use mcxToProfile to create a new .mobileconfig,
then see if the JSS still gives an error.
Thanks @bentoms!

May
Contributor III

Downloading from the JSS and de-signing or re-creating did not stop the error message, as the JSS is looking at the profile's UUID and even if deleted the record still exists in the database.

The approach I got to stop the errors:

• Create and download configuration profile from JSS
• Delete the Profile from the JSS
• Make a back up of the JSS database
• Delete the Profile (Identify by UUID or name) from the JSS database, easy with Sequel Pro

As the profile no longer exists, the JSS doesn't try and remove it.
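
An added example, not part of the thread and not JAMF's code: a Python check that reads a locally installed .mobileconfig, reports its PayloadIdentifier and PayloadUUID, and counts how often the mdmclient error quoted in the first post was logged for that identifier. The sample log lines and profile are constructed; slicing the plist out of a signed profile assumes the XML is stored contiguously in the file, and the signature is not verified.

```python
import plistlib
import re
from collections import Counter

# mdmclient error quoted in the first post: removal refused for a local profile.
ERR90 = re.compile(
    r"<MDMClientError:90> Cannot remove profile '([^']+)' "
    r"because it was not installed by the MDM server"
)

def refused_removals(log_text):
    """Map profile identifier -> number of refused removal attempts in the log."""
    return dict(Counter(ERR90.findall(log_text)))

def load_profile(data):
    """Parse a .mobileconfig; a signed one is sliced out of its CMS wrapper.

    Assumption: the XML plist sits contiguously inside the file. The signature
    is NOT verified, so use this for inspection only.
    """
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile data")
    return plistlib.loads(data[start:end + len(b"</plist>")])

def check_profile(log_text, data):
    """Report a profile's identity and how often the server tried to remove it."""
    top = load_profile(data)
    ident = top.get("PayloadIdentifier")
    return {"identifier": ident, "uuid": top.get("PayloadUUID"),
            "refused_removals": refused_removals(log_text).get(ident, 0)}

# Constructed sample data (identifier, UUID and log lines are made up).
IDENT = "com.example.vpn.11111111-2222-3333-4444-555555555555.alacarte"
UUID = "11111111-2222-3333-4444-555555555555"
ERR_LINE = ("4/19/12 12:01:46.580 PM mdmclient: *** ERROR *** [Agent:501] "
            "<MDMClientError:90> Cannot remove profile '" + IDENT + "' because "
            "it was not installed by the MDM server <MDMClientError:90>")
SAMPLE_LOG = "\n".join([
    "4/19/12 12:01:46.579 PM mdmclient: [Agent:501] Removing profile: VPN",
    ERR_LINE, ERR_LINE])
# Fake CMS wrapper bytes around an XML plist, standing in for a signed profile.
SAMPLE_SIGNED = b"\x30\x82\x0b\x00" + plistlib.dumps(
    {"PayloadIdentifier": IDENT, "PayloadUUID": UUID,
     "PayloadType": "Configuration"}) + b"\xa0\x82\x01"

if __name__ == "__main__":
    print(check_profile(SAMPLE_LOG, SAMPLE_SIGNED))
```

A non-zero `refused_removals` for a profile you installed by hand means the server still has a record that matches it, which is the situation the last post resolves by removing that record.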