Signed profiles can not be added more than once and can not be cloned.

BCPeteo
Contributor II

Have issue with Sophos signed mobile config profile. Have uploaded the mobile config file provided by Sophos into Jamf and it works fine. I need to add the profile to another site but I can not clone the profile (which is fine) but when I try to upload the mobile config file to the other site it will not let me. I assume since it's signed and its name can not be changed this is why it would not let me upload it to another site?

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@BCPeteo The signed profile has a unique profile ID, and because it's signed Jamf Pro can't modify that ID. Jamf Pro would also not be happy to have >1 profile with the same ID installed which is why you can't clone it or upload a 2nd copy.

You could try un-signing the profile (using something like Hancock https://github.com/JeremyAgost/Hancock) and see if Jamf Pro will successfully import an unsigned version (since it can change the ID) without mangling it.

mm2270
Legendary Contributor III

If I had to guess, it's likely not because of the profile names. I think (not sure as I've never tried it) that you can have 2 profiles with the same display name. But what you can't do is have 2 profiles with the same identifier (UUID). That identifier is how the Mac sees the profile, not by its human-readable name, so you can't have an identifier conflict. I'm guessing Jamf Pro also can't have such a conflict.

Since the profile in question is locked, so is the UUID embedded in the profile, and the locked nature means Jamf Pro can't assign a new identifier to it when you try to upload it again.

I'm not sure if there's an easy solution to this, because I think the only way to assign a unique profile identifier to it would be to remove the signing, edit the actual XML contents of the mobileconfig to enter a new unique UUID, and then re-sign it. Removing the signature is easy, but re-signing it would require you to create your own signing profile/certificate, since you obviously can't use the one from Sophos. The below references may help with understanding how to do that, in case you decide to go down that path.

https://imazing.com/guides/how-to-sign-apple-configuration-profiles

https://amsys.co.uk/sign-configuration-profile

Another option would be to not assign the profile to a Site, and then scope appropriately to the needed devices, assuming that would work for you. I have many "global" profiles that need to be applied to all Macs in our Jamf Pro, regardless of what Site they are in, and then I have site specific profiles.
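
The middle step mm2270 describes (giving an already unsigned profile new identifiers before re-signing it with your own certificate), as an added example that is not part of the original thread. It assumes the conflict is on the standard `PayloadUUID` / `PayloadIdentifier` keys; the sample profile and the `site2` suffix are constructed, and `is_signed` and `reidentify` are hypothetical helper names.

```python
import plistlib
import uuid

# Constructed sample profile (not the Sophos one): the Wi-Fi payload
# references the certificate payload by its PayloadUUID.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile",
    "PayloadUUID": "11111111-1111-1111-1111-111111111111",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadIdentifier": "com.example.profile.cert",
         "PayloadUUID": "22222222-2222-2222-2222-222222222222"},
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "com.example.profile.wifi",
         "PayloadUUID": "33333333-3333-3333-3333-333333333333",
         "PayloadCertificateUUID": "22222222-2222-2222-2222-222222222222"},
    ],
})

def is_signed(raw: bytes) -> bool:
    # A signed .mobileconfig is a DER-encoded CMS blob (first byte 0x30,
    # an ASN.1 SEQUENCE); an unsigned one is an XML or binary plist.
    head = raw.lstrip()[:9]
    if head.startswith((b"<?xml", b"<!DOCTYPE", b"<plist", b"bplist00")):
        return False
    return head[:1] == b"\x30"

def reidentify(raw: bytes, suffix: str) -> bytes:
    if is_signed(raw):
        raise ValueError("profile is still signed; remove the signature first")
    profile = plistlib.loads(raw)
    payloads = [profile] + [p for p in profile.get("PayloadContent", [])
                            if isinstance(p, dict)]
    # Map every existing PayloadUUID (profile and nested payloads) to a new one.
    remap = {p["PayloadUUID"]: str(uuid.uuid4()).upper()
             for p in payloads if "PayloadUUID" in p}

    def rewrite(node):  # swap old UUIDs anywhere, keeping cross-references intact
        if isinstance(node, dict):
            return {k: rewrite(v) for k, v in node.items()}
        if isinstance(node, list):
            return [rewrite(v) for v in node]
        return remap.get(node, node) if isinstance(node, str) else node

    out = rewrite(profile)
    # Only the top-level identifier is suffixed; nested identifiers are left as is.
    out["PayloadIdentifier"] = out["PayloadIdentifier"] + "." + suffix
    return plistlib.dumps(out, fmt=plistlib.FMT_XML)
```

The output is an unsigned XML profile; it carries no vendor signature, so it still has to be signed with your own certificate if you need it locked.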

Tribruin
Valued Contributor II

This is on my list of annoyances of Jamf Pro. I wish there was an ability to directly replace a signed configuration profile, and better yet, keep the same scoping. Until the Restrictions payload gains the ability to choose individual settings, it is a pain.