Help

Configuration Profile for CA Cert Distribution is Not Working during or after Pre-Stage Process

gustavo-suarez
New Contributor II

Posted on ‎01-12-2023 01:38 PM

I hope anyone in Jamf Support or in the community can provide some guidance since Jamf Support takes forever to respond...

Objective:

Install CA certificate to Mac's processed Pre-Stage enrollment.

 

Problem:

The configuration profile used to install the CA to enrolled Mac's works great for "User-Enrolled" Mac's. For some reason it is not working with Pre-Stage enrollments. The configuration profile should be available for distribution from the profile settings section but it is not available for Pre-Stage.

 

Troubleshooting:

- After Pre-Stage enrollment I signed in and out of the Mac computer to see if that would trigger the config profile to run on the computer, but no success there.

- For testing, I changed the distribution method from install automatically to Self Service and that did not worked as well.

 

Config Profile Details:

- Profile is configured with a Level of "User Level".

- Distribution Method is "Install Automatically".

- AD CS Server Integration configured and working successfully (No issues with User-Enrolled Mac's).

- PKI certificates setting configured correctly with server and client certificates not expiring for the next several years.

- Again, CA cert distribution works as expected for User-Enrolled Mac's, but not working for Pre-Stage Mac's.

- I have a ticket opened with Jamf Support and at least all day today I have not received any response.

0 Kudos
2 REPLIES 2

Tribruin
Valued Contributor II

Posted on ‎01-12-2023 02:35 PM

How are you creating your user with ADE? Are you manually creating the user in Setup (like you would in a User Enrollment) or are creating the user through Jamf Connect or another tool. 

My one thought is that, if you are using a user level profile, the user needs to be MDM capable. However, unless you are creating the user in macOS System Setup, the user is typically not MDM capable, so User Level profiles won't install. 

Also, does the profile need to be User Level? My limited understanding of ADCS is that it uses the user assigned to the computer in Jamf to request the certificate from AD. They certificate itself should be good at the Comptuer level. (And I could be wrong here as well.) 

 

 

0 Kudos

gustavo-suarez
New Contributor II

Posted on ‎01-13-2023 07:35 AM

Hello @Tribruin 

User is created with Jamf Connect. Due to our security requirements, all computers must have both a computer and a user CA. That is why the profile must be User Level because the certificate must be applied in the "Login > My Certificates" keychain. My understanding is if I change it to Computer Level then the certificate is applied under "System > My Certificates" keychain. Also, you hit it right in the nose. We are requesting and pushing the ADCS generated certificates through Jamf Pro with the support of Jamf Connect.

Any recommendations are greatly appreciated my friend! 

0 Kudos