Looking for advice while on a contract deployment, automatic certificate install

Stubakka
Contributor II

Hello guys and gals, im looking for suggestions on how to automate the install of keychain certificates , some end in .PEM and setting them to system keychain, always trust. its about 5 certificates in total. They have pretty much shot down my suggestions on using Deploystudio and they do not have JAMFPro. I think I may end up using a combination of AUTODMG , or using scripts and PKG files sent from ARD.... Its yet to be determined. Any suggestions are helpful. it would be ideal to build a PKG file that would install them and set them to always trust. Its for about 80 systems.

4 REPLIES 4

mm2270
Legendary Contributor III

Are they open to using Config Profiles? While I don't always recommend deploying certs in Config Profiles that come over OTA MDM, if installing the profile locally, it's a good option. The certs get installed to the System keychain and trusted in that manner. I'm installing a Decryption Authority cert this way and it works well.
Regarding my issue with MDM deployment for those, I found that due to various bugs, sometimes the profile ended up being removed or disappearing from the device and it would remove the cert in the process, so I switched to using a locally installed profile and haven't had any issues since.

If this is an option, you can "package" the profile in a pkg installer, have it drop the profile(s) to /tmp/ and then use the profiles command to install it/them.

mgshepherd
Contributor

@mm2270 : what is your preference for creating Config Profiles that will be installed locally? AC2?

Once the config profile gets installed on the remote system are the certs automatically trusted or do you script them to be trusted?

Pushing out wireless certs is on my list to accomplish this summer...

mm2270
Legendary Contributor III

@mgshepherd My experience is that the certs are automatically trusted when installed in a Config Profile, which is part of why I recommend doing that. No scripting required to trust them, unless you have a special trust setting you need to apply, but then, you might not be able to script that kind of trust setting anyway.

As for building the profiles themselves, I'm not sure on AC2 for that. I don't use it myself, but it's possible it's an option.
OTOH, you can actually build them in Jamf Pro, then download the profile, convert it to an xml file for reading into a plain text editor like TextWrangler/BBEdit, etc. then remove/change the UUID that Jamf adds to it to something more human readable and generic. I don't believe Jamf adds anything to the profile that specifically identifies it as coming from that MDM, but I'd need to check on that to be sure. I believe just the UUID is what comes from your Jamf Pro server and should probably be changed as a precaution.

Lastly, there is Apple's Profile Manager, but I keep moving away from Apple's server product since Apple seems intent on putting that product six feet under sooner rather than later. But it's still an option for now I think.

justin_smith
New Contributor III

I've had some success with a package and post flight script:

sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /private/tmp/CERT

Perhaps some variation thereof could be helpful for this.