Machine Certs Explosion

csanback
New Contributor III

So we use a machine cert here at my work for a lot of things. So when I push profiles out (VPN, Wi-Fi, etc.) I have to attach the AD Cert payload to each profile, even though each computer already has one in its Keychain. Then we end up having multiple machine certs in the keychain, not knowing which one goes to which profile (see image). So is there a better way to do this besides combining profiles?


AVmcclint
Honored Contributor

You should only need a single config profile that does computer certs. Once it's there, it should be visible to all other systems that look for it. Why are you attaching the cert payload to each profile? Maybe you can consolidate? We're using certs for 802.1x and VPN authentication. We don't do a profile for VPN since that is done via Pulse, but Pulse reads the cert in the system keychain (because the 802.1x profile put it there).

Profiles that require frequent changes should not include things that you don't want to be changed frequently. I only bundle multiple payloads into single profiles where absolutely necessary.

csanback
New Contributor III

We've tried not adding the machine cert to each profile, and the profile fails to install. Also, not all machines will need VPN and Wi-Fi, so I really don't want to combine if I don't have to. Just thought this looked weird; not sure if this will really cause any issues.

AVmcclint
Honored Contributor

That will cause problems as the older iterations of the cert start to expire before the others. Depending on your network and VPN and anything else that uses those certs, you may encounter a situation where the cert it WAS using has expired and you're prompted to pick another cert from the list of many... and they all have the exact same name... with no indication to the user of which is the newest. Are you able to share a rundown of the profiles you've had to attach the cert payload to?
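The ambiguity described here (several certs with the same name and nothing telling the user which is newest) can be audited with a small script. This is an added example, not code from the thread; it assumes the certs were exported as a PEM bundle with `security find-certificate -a -c "<computer label>" -p /Library/Keychains/System.keychain` (matching on the computer name as the label is an assumption), parses just enough DER to read each certificate's notAfter, and uses constructed, unsigned stand-ins as sample input rather than real certificates.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) of each element inside a constructed value."""
    while start < end:
        tlv = _tlv(buf, start)
        yield tlv
        start = tlv[2]

def cert_not_after(der):
    """notAfter of a DER certificate as an aware UTC datetime (UTCTime or GeneralizedTime)."""
    _, cs, ce = _tlv(der, 0)                            # Certificate ::= SEQUENCE
    _, ts, te = next(_children(der, cs, ce))            # tbsCertificate
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                            # skip optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3]                                # serial, sigAlg, issuer, validity, ...
    tag, vs, ve = list(_children(der, validity[1], validity[2]))[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[vs:ve].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def keychain_cert_expiries(pem_bundle):
    """Expiry of every certificate in a PEM bundle, oldest first."""
    ders = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_bundle)]
    return sorted(cert_not_after(d) for d in ders)

# Constructed sample input: stand-ins with a real certificate's field order but no signature.
def _der(tag, body):
    return bytes([tag, len(body)]) + body               # short-form length is enough here

def fake_cert_pem(not_after):
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

# Three "machine certs" sharing one label, pushed by different profiles, expiring at different times.
SAMPLE_BUNDLE = b"".join(fake_cert_pem(d) for d in ("260301000000Z", "250901000000Z", "251115000000Z"))
```

Running `keychain_cert_expiries` over a real export shows at a glance whether more than one cert with that label is installed and which of them is the one still worth keeping.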

csanback
New Contributor III

Gets one when we bind to AD automatically.

Then I have them in the profiles for VPN via NetMotion Mobility, Wi-Fi, and 802.1X.

AVmcclint
Honored Contributor

That's interesting. We don't automatically get computer certs when binding to AD (I'm not sure how I would even do that on purpose), but binding to AD is required (via smart group) to receive the 802.1X/Wi-Fi profile, which includes the AD computer certificate. I include the AD Certificate in this profile because you can't set it up properly without that payload being built in. Does your NetMotion Mobility require you to include the AD cert in the Config Profile? If not, then it may be like Pulse (which we use), where the app will see the already-installed certificate and run with it.

You say not every computer needs all those functions... what if you build a VPN-only profile, an 802.1X profile, a Wi-Fi bundle, and a profile that contains ALL of them? Then scope them out to the machines that only need those things. If someone needs to add VPN or Wi-Fi to their setup, then remove them from the old config and add them to the one that has all the connections they need. I'm trying to think of ways to mitigate the situation, but if not all your machines have the same needs, then things will get complicated one way or another. What would happen if someone doesn't need VPN but you put that profile on their Mac? Is that verboten in your organization, or can it be controlled by simply not giving that person an ID & PW?