Solved

JSS configuration profiles and locally installed configuration profiles



Hey JAMFnation, I'm beginning to explore using configuration profiles with my JSS, and I'm running into an issue with profiles I've created myself. Basically, I've been using a profile to configure VPN, and I install it either from a script, or by just double-clicking the mobileconfig file.
Now that I'm enrolling my machines with the JSS MDM profile, I'm seeing these errors in Console every few seconds:

4/19/12 12:01:46.579 PM mdmclient: [Agent:2136138485] Removing profile: HDS VPN (com.apple.mdm.virtualion.hds.com.cbbd9ca0-e1ab-012e-8e62-001c4227f7c4.alacarte) for: <User: 2136138485>
4/19/12 12:01:46.580 PM mdmclient: *** ERROR *** [Agent:2136138485] <MDMClientError:90> Cannot remove profile 'com.apple.mdm.virtualion.hds.com.cbbd9ca0-e1ab-012e-8e62-001c4227f7c4.alacarte' because it was not installed by the MDM server <MDMClientError:90>

It looks to me like the JSS is telling the MDM client to remove that profile, which I do not want. I've tried pushing that VPN profile from the JSS and it doesn't set up the proxy correctly, so I'd like to keep the local installation method if I can . . . anyone mixing non-jss profiles with profiles coming from the jss successfully?
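The Console lines quoted above can be triaged mechanically. The following is an added example, not part of the original post: it groups mdmclient removal attempts by profile identifier and reports those refused with MDMClientError:90. The sample log is constructed from the two quoted lines plus invented repeats and an invented `com.example.wifi` entry.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the ones quoted in the post,
# the rest are invented to show grouping and a removal that is not refused.
SAMPLE_LOG = """\
4/19/12 12:01:46.579 PM mdmclient: [Agent:2136138485] Removing profile: HDS VPN (com.apple.mdm.virtualion.hds.com.cbbd9ca0-e1ab-012e-8e62-001c4227f7c4.alacarte) for: <User: 2136138485>
4/19/12 12:01:46.580 PM mdmclient: *** ERROR *** [Agent:2136138485] <MDMClientError:90> Cannot remove profile 'com.apple.mdm.virtualion.hds.com.cbbd9ca0-e1ab-012e-8e62-001c4227f7c4.alacarte' because it was not installed by the MDM server <MDMClientError:90>
4/19/12 12:01:51.102 PM mdmclient: [Agent:2136138485] Removing profile: HDS VPN (com.apple.mdm.virtualion.hds.com.cbbd9ca0-e1ab-012e-8e62-001c4227f7c4.alacarte) for: <User: 2136138485>
4/19/12 12:01:51.103 PM mdmclient: *** ERROR *** [Agent:2136138485] <MDMClientError:90> Cannot remove profile 'com.apple.mdm.virtualion.hds.com.cbbd9ca0-e1ab-012e-8e62-001c4227f7c4.alacarte' because it was not installed by the MDM server <MDMClientError:90>
4/19/12 12:02:10.000 PM mdmclient: [Agent:2136138485] Removing profile: Test WiFi (com.example.wifi) for: <User: 2136138485>
"""

# "Removing profile: <display name> (<identifier>) for: ..."
REMOVING = re.compile(
    r"mdmclient: \[Agent:(\d+)\] Removing profile: (.+) \(([^()]+)\) for:")
# The refusal that follows when the profile did not come from the MDM server.
ERROR_90 = re.compile(
    r"<MDMClientError:90> Cannot remove profile '([^']+)' "
    r"because it was not installed by the MDM server")


def refused_removals(log: str) -> dict:
    """Map profile identifier -> display name, removal attempts, refusals."""
    names, attempts, refused = {}, Counter(), Counter()
    for line in log.splitlines():
        m = REMOVING.search(line)
        if m:
            _agent, name, ident = m.groups()
            names[ident] = name
            attempts[ident] += 1
            continue
        m = ERROR_90.search(line)
        if m:
            refused[m.group(1)] += 1
    # Only profiles with at least one refusal are locally installed ones
    # that the server is asking the client to remove.
    return {ident: {"name": names.get(ident, "?"),
                    "attempts": attempts[ident],
                    "refused": count}
            for ident, count in refused.items()}


if __name__ == "__main__":
    for ident, info in refused_removals(SAMPLE_LOG).items():
        print(f"{info['name']}: {info['refused']} refused removals ({ident})")
```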

Best answer by nkalister

JAMF support confirms that this is expected behavior, so you'll have to choose either to install all profiles manually or all from the JSS . . .mixing 2 sources is not supported.
So that means I won't be able to use profiles from the JSS at all. Sadness.


12 replies

  • Author
  • Contributor
  • 437 replies
  • Answer
  • April 23, 2012



  • Valued Contributor
  • 238 replies
  • August 28, 2012

Nick:

This is totally bogus. I am having an issue with my loginwindow profile disappearing, and while your post explains WHAT is happening, it doesn't explain WHY jamf (in all of their wisdom) decided that this would be a good plan.

Seriously. WTF.

I do not have any other profiles coming from the JSS, just the MDM profile that gets automatically added when you enable certificate based authentication. Also, I used the JSS to build the profile that is being auto-deleted! You would think that JAMF would sign the profile so that it would be recognized as originating from the JSS and not be deleted... and you would be wrong.

Sorry for the rant. I am contacting our JAMF support person. This is just so ridiculous that I had to vent.

--Andy


  • Valued Contributor
  • 238 replies
  • August 28, 2012

OK, so according to my support rep, this issue was fixed as of 8.52; manually installed profiles can coexist with those from the JSS, as long as the manually installed profiles were not created via the JSS, since the server would then see them as being installed onto the wrong systems (unless the profile was scoped to that machine, in which case the server would then install the profile a second time). Makes sense...? Um.

Nevertheless, we are still faced with a quandary:

How do you manually deploy a profile that was created by the JSS, to a machine that does not have that profile scoped to it in the JSS, without the JSS removing it (since it isn't scoped to the machine)? Wow, that was a mouthful :)

Apparently I could recreate the profile using Lion or Mountain Lion server and the JSS would then ignore it. This assumes that I have a production server running profile manager, which I don't. Might be time to get that enabled.

Or, I could just log into each computer, allow mdmclient to remove the profile, and then scope the profile to the computers via the JSS. However, I am unclear on how each computer will request the profile without being plugged into ethernet, since the wireless profile will no longer be present. Chicken. Egg. Ugh.

Hopefully support will get back to me with a viable workflow for correcting this catch 22. I will be sure to share what I find out.

--Andy


  • Author
  • Contributor
  • 437 replies
  • August 28, 2012

My solution has been to just not push profiles from the JSS. I create them in profile manager and install them using the profiles bash command.


  • Valued Contributor
  • 238 replies
  • August 29, 2012

OK, no word from JAMF on this yet, but I am going to try deleting the profile from the JSS. My hope is that if it is not present on the server, mdmclient will not remove it (since it will not think that it is out of scope).

Gee, I sure hope this works.


  • Valued Contributor
  • 238 replies
  • August 29, 2012

FYI this appears to be working. The profile is not being removed. Note to self: if you plan to use the JSS to create profiles, be sure to remove the profiles from the server after creating them!


  • Author
  • Contributor
  • 437 replies
  • August 29, 2012

also, HI ANDY!! I didn't realize that was you!
:)
nick


  • Valued Contributor
  • 238 replies
  • August 29, 2012

LOL, hey Nick, long time no see :)


  • Honored Contributor
  • 970 replies
  • September 27, 2012

  • Valued Contributor
  • 190 replies
  • September 13, 2016

Hi, any advice?

I'm manually installing a VPN configuration profile that was originally created and downloaded from the JSS. Is there any way to convert it so that the error below does not occur? I had a look at mcxToProfile; if I could find a way to convert the profile to a plist, then use mcxToProfile to convert it back?

I also had a look to see if it was creating a plist in /Library/Managed Preferences, but nothing in there.

I'm manually installing the profile rather than pushing it from the JSS, as once the profile gets installed from the JSS it falls out of scope and gets removed. I couldn't find another way to approach it.


  • Valued Contributor
  • 190 replies
  • September 13, 2016

Going to try this here:
de-sign the downloaded JSS profile, create a plist, then use mcxToProfile to create a new .mobileconfig,
then see if the JSS still gives an error.
Thanks @bentoms!


  • Valued Contributor
  • 190 replies
  • September 15, 2016

Downloading from the JSS and de-signing or re-creating did not stop the error message, as the JSS is looking at the profile's UUID, and even if deleted the record still exists in the database.

The approach I got to stop the errors:

• Create and download configuration profile from JSS
• Delete the Profile from the JSS
• Make a back up of the JSS database
• Delete the Profile (Identify by UUID or name) from the JSS database, easy with Sequel Pro

As the profile no longer exists, the JSS doesn't try and remove it.
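The identifiers discussed in this post live inside the profile's plist, not in its signature. The following is an added example, not part of the original thread: it reads `PayloadIdentifier` and `PayloadUUID` from a .mobileconfig and shows they are the same with or without a signature wrapper. The sample profile, its identifiers and the byte wrapper are constructed; the wrapper is a stand-in for a real CMS signature, and the byte scan assumes the XML is stored contiguously inside the signed file.

```python
import plistlib


def extract_plist(data: bytes) -> dict:
    """Parse a .mobileconfig whether or not bytes surround the XML plist."""
    start = data.find(b"<?xml")
    end = data.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile data")
    return plistlib.loads(data[start:end + len(b"</plist>")])


def profile_ids(data: bytes) -> dict:
    """Return the identifiers a management server can match a profile on."""
    profile = extract_plist(data)
    return {
        "identifier": profile.get("PayloadIdentifier"),
        "uuid": profile.get("PayloadUUID"),
        # Each inner payload carries its own type and UUID as well.
        "payloads": [(p.get("PayloadType"), p.get("PayloadUUID"))
                     for p in profile.get("PayloadContent", [])],
    }


# Constructed sample profile; every identifier below is a placeholder.
UNSIGNED = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadDisplayName": "Example VPN",
    "PayloadIdentifier": "com.example.vpn",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.payload",
        "PayloadUUID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    }],
})

# Constructed stand-in for a signed file: opaque bytes around the same XML.
SIGNED_LIKE = b"\x30\x82\x0b\x1f" + UNSIGNED + b"\x00\x01certs-and-signature"

if __name__ == "__main__":
    print(profile_ids(UNSIGNED))
    print(profile_ids(SIGNED_LIKE) == profile_ids(UNSIGNED))
```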

