Replace deployed network configuration profile without disconnect

Contributor II

We have a Network Configuration Profile with embedded certificate (for 802.1x WiFi authentication) on our Mac computers (Catalina/Big Sur/Monterey) deployed over the last 2 years.

Unfortunately, we now need to replace this Configuration Profile for 2 reasons:
- The embedded certificate is about to expire.
- We need to change a few settings in the profile (Proxy and Any Ethernet)

btw, the current and future Configuration Profile is set to "Make Available in Self Service".

What is the best way to implement this without a user losing their WiFi connection to our corporate network? (Unfortunately we have only one WiFi network!). It seems, this is not an easy task.

Would there also be an option to at least just replace the certificate via script without changing the Configuration Profile itself? e.g. deploy the new certificate via PKG and then install it into the system keychain using the security command.
Will this be automatically recognized by the existing WiFi settings (as long as the new certificate also has the same name, of course) or will the WiFi connection continue to use the old, expired certificate?

Another idea was to run a script, which would install the new Configuration Profile via the Self Service link (e.g. jamfselfservice://content?entity=configprofile&id=39&action=execute). This seems to work for INSTALLING a Configuration Profile, but not for REMOVING an existing one. Even if the button in Self Service shows "Remove", the same link will not remove it. If there would be a way to remove the old (existing) Configuration Profile by script, we maybe had a (not perfect) solution.



Esteemed Contributor II

@hansjoerg_watzl Do you use an AD CS Connector, or Jamf PKI Proxy, so that your 802.1x certificate can be proxied through Jamf Pro to devices not connected to your internal network? If so here's an option... 

For our 802.1x certs (which is proxied through Jamf Pro also used for other user authentication purposes) I've switched to a User Level pushed profile. There is a Smart Group used as an Exclusion for that Profile, and membership in that Smart Group is triggered by an EA which looks for the presence of a flag file used to indicate the profile should be removed from a machine. I have a script that can be run via Self Service that: creates that flag file, does a recon so the JSS knows to remove the profile, waits for the profile to be removed, removes the flag file, does a recon so the JSS will re-push the profile, and finally waits for the new profile to be installed which then displays a notification to the user.

If your users have access to a Wi-Fi hotspot you could use the same approach, or if not you could have a policy configured to run a similar script to replace the profile only when your Macs are not connected to your corporate network.