We have a profile that pushes a network certificate for wireless. The profile policy has set limitations so it will only pull a certificate when it is on campus. Our certificate server is on-site so I didn't want the profile failing when they are off-site, hence the limitations. This part is working great.
The problem is that now when that computer is off-site and checks in with Jamf, Jamf is pulling the profile. So when they come back on campus they can not reconnect to the network because the profile is not there to verify the certificate. So they have to connect to the gated garden and re-pull the profile and end up pulling a new certificate. Each laptop is pulling its own certificate specific to it.
Does anyone have any ideas on how I can fix this?
For 802.3x authentication Apple interprets (correctly) the relevant standards as requiring the user to be prompted about the certificate regardless of its trust status, unless the entire login is automated with stored credentials. Thus you're out of luck avoiding the certificate prompt to get on Wi-Fi.
Ideas that come to mind: