Viewing/Editing Casper .mobileconfig files

fsteele
New Contributor II

I'm working on a new .mobileconfig file to distribute 802.1x settings.

I can make this work in a file built by ProfileManager, but when I build what appears to be the same thing on my JSS and load it on a test box, I'm getting "Acquired: cannot prompt for missing user name" from eapolclient in console.app.

I want to compare the two mobileconfig files, so I converted the PM file with plutil:

>>plutil -convert xml1 PMFile.mobileconfig

When I try to convert the JSS-generated file:

>>plutil -convert xml1 JSSFile.mobileconfig 
JSSFile.mobileconfig: Property List error: Unexpected character 0 at line 1 / JSON error: JSON text did not start with array or object and option to allow fragments not set.

Is there a way to get a standard Property List file from the JSS? (I can't convert to JSON either).

1 ACCEPTED SOLUTION

matt4836
Contributor II

Configurator. IPCU is no longer supported.

Drag the mobile config to Profiles Pane in the screen shot. Then highlight it and click right button (Arrow coming out of a square). If it is still there uncheck "Sign Configuration Profile".


11 REPLIES

rderewianko
Valued Contributor II

When you import it into Casper, are you passing the username as $USERNAME? I don't believe it'll pass happily through a blank username field.

fsteele
New Contributor II

That's a good thought, but in this case, we have "Use Directory Authentication" checked, so we have only the "Outer Identity" field, where I'm using %AD_ComputerID%, which we've used on our previous configuration profiles successfully -- we usually see something like "eapolclient: System Mode using OD account 'CONTOSOMacADName$'."

fsteele
New Contributor II

JAMF Support was able to explain this -- the configuration profile is signed with the JSS profile, which is why it won't convert and can't be directly read.

You can import the profile into iPhone Configuration Utility, remove the code signing, and export to view all or most of the settings. I say "all or most" because some properties aren't supported by iPCU, which tells me it's going to remove them. I haven't confirmed that it does this yet.

matt4836
Contributor II

You can import and export from configurator. This will strip the code signing.

fsteele
New Contributor II

Configurator or the iPhone Configuration Utility? I've heard Configurator from two sources now, but I don't see a way to import/export when I'm in there. Note also this is an OS X configuration profile, so iPhone Configuration Utility, at least, strips non-iOS content.

matt4836
Contributor II

Configurator. IPCU is no longer supported.

Drag the mobile config to Profiles Pane in the screen shot. Then highlight it and click right button (Arrow coming out of a square). If it is still there uncheck "Sign Configuration Profile".


fsteele
New Contributor II

Thanks!

The piece I was missing is that Supervision has to be "On" for that pane to show, so the screenshot really helped.

denmoff
Contributor III

In case anyone is interested in a way to simply convert the mobileconfig file to XML, I've been using the following command thanks to @timsutton:

security cms -D -i name_of_config_file.mobileconfig

dpratl
Contributor II

I found this on macmule: the same as the one above but including the output file for noobs like me ;)

/usr/bin/security cmd -D -i signed_profile_path -o unsigned_profile_path

bradtchapman
Valued Contributor II

This is a minor update to an old topic, addressing a typo in @dpratl's command and piping the output through xmllint to "prettify" it for easier human readability. This dumps an .xml file in the same path as the original .mobileconfig:

security cms -D -i MyProfile.mobileconfig | xmllint --pretty 1 - > MyProfile.xml

Thank you for this!
I recently found that an older configuration profile retained some unwanted login window keys that shouldn't have been there, completely breaking our existing Jamf Connect configuration after Jamf Connect received an updated config profile.

This code allows me to inspect existing config profiles from Jamf Pro to rule out those artifact keys. The more you know!
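
An added example, not posted by anyone in this thread: a signed profile is a DER-encoded CMS container whose first byte is 0x30 (ASCII "0", the character plutil complains about above), so a script can check the leading bytes and choose between the `security cms -D` and `plutil -convert xml1` commands quoted in the thread. The function names `profile_format` and `profile_to_xml` are hypothetical, and the "0x30 followed by a long-form length byte" test is a heuristic assumption, not a full CMS parse.

```shell
#!/bin/sh
# Classify a .mobileconfig by its leading bytes.
# Prints one of: signed-cms, binary-plist, xml-plist, unknown
profile_format() {
    # First 8 bytes as a lowercase hex string, e.g. "3c3f786d6c207665"
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        62706c6973743030) echo binary-plist ;;  # "bplist00"
        3c*|efbbbf3c*)    echo xml-plist ;;     # "<", optionally after a UTF-8 BOM
        308[0-4]*)        echo signed-cms ;;    # DER SEQUENCE + long/indefinite length
        *)                echo unknown ;;
    esac
}

# Write a readable XML property list for any of the three formats.
# Usage: profile_to_xml input.mobileconfig output.xml
profile_to_xml() {
    src=$1
    dst=$2
    case "$(profile_format "$src")" in
        signed-cms)
            # macOS only: unwrap the CMS envelope to get the plist payload
            security cms -D -i "$src" -o "$dst" ;;
        binary-plist)
            # macOS only: convert binary plist to XML without touching the input
            plutil -convert xml1 -o "$dst" "$src" ;;
        xml-plist)
            cp "$src" "$dst" ;;
        *)
            echo "unrecognised profile format: $src" >&2
            return 1 ;;
    esac
}

# Run as a script: ./profile_to_xml.sh JSSFile.mobileconfig JSSFile.xml
if [ "$#" -eq 2 ]; then
    profile_to_xml "$1" "$2"
fi
```

The resulting XML can then be diffed against the Profile Manager export to spot keys that differ between the two profiles.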