Pushing to failed Configuration profiles.

danielgrm
New Contributor III

I am pushing a NAC profile to our machines here at our company. The problem is we are in the midst of a transition, so not all the machines have proper network access when I push the NAC configuration profile; some of them fail due to lack of network connectivity. With that being the case, does anyone have any good workarounds to automate the push of the failed ones? I was thinking of publishing it in Self Service, but wondered if we had any other ideas?


sshort
Valued Contributor

If your NAC policy is primarily focused on wifi, and there are no (or fewer) ethernet restrictions you can have your users plug into ethernet to receive the profile. But yeah, it's definitely a catch-22 situation. Aside from manually distributing a profile, you can also create an installer pkg that installs the profile to distribute outside of Jamf.

danielgrm
New Contributor III

@sshort I am attempting that now. I packaged the profile up and am deploying it to /private/tmp.

From there I am running this command:
profiles -i -F "/private/tmp/SettingsforADCertificateanddot1x Configuration.mobileconfig" -f

I am getting error one through Jamf. Locally I am getting no error, but I do not see the profile pop up. Is that command right? Should I be running something else?

Dan

danielgrm
New Contributor III

So I am getting the same error that I got when I was pushing the configuration profile.

Script result: profiles install for file:'/tmp/SettingsforADCertificateanddot1x Configuration.mobileconfig' and user:'root' returned -319 (The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed.

Is there any way to force this profile and ignore this error? I know the problem is I don't have a connection to the PKI server, but I was hoping to just push this profile and have it sit there for when the connectivity is active?

Thanks,

Dan

sshort
Valued Contributor

@danielgrm I'm not familiar with the lowercase -f flag, and I capitalize the -I. This is what I've used with success:

/usr/bin/profiles -I -F /path/to/profile.mobileconfig

patgmac
Contributor III
Script result: profiles install for file:'/tmp/SettingsforADCertificateanddot1x Configuration.mobileconfig' and user:'root' returned -319 (The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed.

Sounds like you're using the AD cert payload, which means the machine needs to be able to reach the CA server when it does the certificate request. So if you're plugged into ethernet, your firewall needs to allow traffic from that NAC subnet to AD and the CA servers. It also needs to have a good AD bind for the cert request to work.

So if you're installing via a script, check that you can reach AD before trying to install the profile. Also have it check the AD bind, and re-bind if needed.
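A scripted version of the pre-install check patgmac describes, as an added example that is not from this thread: it gates the profiles install on the CA and AD hosts being reachable and on the Mac reporting a bind to the expected domain. The host names, ports, profile path and the 443/389 port choices are assumptions; adjust them for your site.

```shell
#!/bin/bash
# Added example, not from the thread. Gate the profile install on reachability
# of the CA/AD hosts and on a healthy AD bind. Hosts/ports/path are assumptions.
set -u

CA_HOST="${CA_HOST:-ca.example.com}"      # assumed: your AD CS / PKI server
AD_DOMAIN="${AD_DOMAIN:-example.com}"     # assumed: your AD domain (resolves to DCs)
PROFILE="${PROFILE:-/private/tmp/SettingsforADCertificateanddot1x Configuration.mobileconfig}"

# TCP reachability check for one host/port (5 second timeout). 0 = reachable.
can_reach() {  # $1 host, $2 port
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Decide from `dsconfigad -show` output whether the Mac is bound to the expected
# domain. Takes the output as a string so the logic can be checked offline.
# 0 = bound to $2, 1 = not bound (dsconfigad prints nothing useful when unbound).
bound_to_domain() {  # $1 dsconfigad output, $2 expected domain
    printf '%s\n' "$1" | grep -qi "^Active Directory Domain *= *$2\$"
}

# Go/no-go decision from the three check results (0 = ok, 1 = failed each).
install_ok() {  # $1 CA reachable, $2 AD reachable, $3 bound
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

main() {
    ca_rc=1; ad_rc=1; bind_rc=1
    can_reach "$CA_HOST" 443 && ca_rc=0      # assumption: CA enrollment endpoint on 443
    can_reach "$AD_DOMAIN" 389 && ad_rc=0    # LDAP on a DC resolved from the domain name
    bound_to_domain "$(dsconfigad -show 2>/dev/null)" "$AD_DOMAIN" && bind_rc=0
    if [ "$bind_rc" -ne 0 ]; then
        # Re-binding needs site credentials (dsconfigad -add ...); do it in your own
        # bind policy rather than here, and leave the profile for a later run.
        echo "Not bound to $AD_DOMAIN; skipping profile install"; exit 2
    fi
    if install_ok "$ca_rc" "$ad_rc" "$bind_rc"; then
        /usr/bin/profiles -I -F "$PROFILE"
    else
        echo "CA or AD not reachable; leaving profile for a later retry"; exit 1
    fi
}

# Run the checks only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from a Jamf policy as `script.sh --run`; a non-zero exit leaves the policy failed so Jamf retries it on the next check-in instead of the -319 error surfacing on every push.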