Deploying 802.1x Profiles

pbrooks
New Contributor

Hi,

We’re having a lot of trouble trying to deploy a Configuration Profile for machine based wired 802.1x configuration settings using Casper.

Sending the profile out as a Configuration Profile isn’t the preferred option for this as we would have to open our restricted 802.1x guest/fail VLANs to communicate with Apple’s APN servers. That means they can’t pick up the 802.1x profile until they have already authenticated via 802.1x – so a catch 22 situation!

I’ve therefore been trying to deploy the exported .mobileconfig file as a PKG with a postinstall script to install it using the OSX profiles command. This is possible as clients can communicate with our Casper server from the 802.1x guest VLANs.

What I’m finding is:

The PKG installs the profile fine regardless of how it is installed.

If the PKG was installed manually the 802.1x authentication works fine.

If installed via Self Service the 802.1x authentication works fine.

If set to install on check-in, and I manually tell the client to check in (sudo jamf policy) the authentication works fine.

However:

If the PKG is installed by an on enrolment policy, the package installs but the authentication doesn’t work.

If the PKG is installed by an automatic check-in with an ongoing policy, the package installs but the authentication doesn’t work. Even if the authentication was working OK before (i.e. installed manually/Self Service/manual policy check in), when it re-runs on the next check in it causes it to stop working.

If installed during a Configuration (with the package marked as ‘install after reboot’), the package installs but the authentication doesn’t work.

If the .mobileconfig profile is installed in the image, the related certificate in the System keychain is preserved when captured by Composer and the image is deployed, the authentication doesn’t work.

What I mean by “doesn’t work” above is that the IP address remains as the guest VLAN address and the Network preference pane says it is constantly ‘authenticating’. If I stop that process and click Connect, it prompts for a username and password (which we don’t want as authentication should be machine based). If I then delete the profile and manually reinstall, it then works!

Given that we are using this in computer labs we need this to work automatically – it’s not practical for us to install it manually on several hundred Macs after they are installed.

I know our 802.1x profile works because a) it works when manually installed and b) I’ve tried importing the profile we used last year (created on our old Profile Manager server).

We are running v9.32 of the Suite. In v9.31 we had to bypass the JSS because of the known issue with network profiles, so we used our old (unsigned) .mobileconfig file directly. I’ve tried both this file and the one created in the JSS since we moved to v9.32.

Any idea why this isn’t working for us when installed automatically?

6 REPLIES

thoule
Valued Contributor II

What is the command you are using to install the profile in the package? Could it be you are installing to a user profile and not the computer profile? -i vs -I

pbrooks
New Contributor

It's -I, is that the right one for a computer profile? In full it's

profiles -I -F /private/tmp/Wired802-1xSettings.mobileconfig -f

Where the package is obviously copying the Wired802-1xSettings.mobileconfig to /private/tmp.

thoule
Valued Contributor II

-I Install a configuration profile for a particular user from a profile file.

-i Install a provisioning profile from a profile file.

Capital I is for a user, lowercase i is a computer one... Not sure if it'll help, but I recommend trying to switch it and rebuild your package...
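
The user-versus-computer question raised above can also be checked in the .mobileconfig file itself. The following is an added example, not code from anyone in this thread: it reads an unsigned profile with Python's plistlib and reports the top-level PayloadScope, the wired 802.1X payload's SetupModes, and whether each referenced trust anchor is present in the profile. The function names and the sample profile are constructed for illustration, and treating "System" as the expected value for machine-based authentication is an assumption.

```python
import plistlib

def audit_profile(data: bytes) -> dict:
    """Check an unsigned .mobileconfig for machine-based wired 802.1X settings."""
    try:
        profile = plistlib.loads(data)
    except Exception:
        # A signed profile is CMS-wrapped, so it does not parse as a bare plist.
        return {"parsed": False, "findings": ["not a plain plist (signed or corrupt)"]}
    findings = []
    payloads = profile.get("PayloadContent", [])
    uuids = {p.get("PayloadUUID") for p in payloads}
    scope = profile.get("PayloadScope")
    if scope != "System":  # assumption: machine-based auth wants System scope
        findings.append(f"PayloadScope is {scope!r}, not 'System'")
    # Wired 802.1X payload types end in "ethernet.managed".
    wired = [p for p in payloads
             if str(p.get("PayloadType", "")).endswith("ethernet.managed")]
    if not wired:
        findings.append("no wired 802.1X payload found")
    for p in wired:
        modes = p.get("SetupModes", [])
        if "System" not in modes:
            findings.append(f"SetupModes {modes} does not include 'System'")
        eap = p.get("EAPClientConfiguration", {})
        for ref in eap.get("PayloadCertificateAnchorUUID", []):
            if ref not in uuids:
                findings.append(f"trust anchor {ref} is not in this profile")
    return {"parsed": True, "findings": findings}

def sample_profile(scope="System", modes=("System",)) -> bytes:
    """Constructed sample profile; values are illustrative, not from the thread."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadScope": scope,
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root",
             "PayloadUUID": "CA-UUID-EXAMPLE"},
            {"PayloadType": "com.apple.firstactiveethernet.managed",
             "PayloadUUID": "ETH-UUID-EXAMPLE",
             "SetupModes": list(modes),
             "EAPClientConfiguration": {
                 "AcceptEAPTypes": [13],  # 13 = EAP-TLS
                 "PayloadCertificateAnchorUUID": ["CA-UUID-EXAMPLE"]}},
        ],
    })

if __name__ == "__main__":
    print(audit_profile(sample_profile()))
    print(audit_profile(sample_profile(scope="User", modes=("Loginwindow",))))
```

A profile signed by the JSS has to be unwrapped before this check can read it; the script reports that case rather than guessing at the contents.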

pbrooks
New Contributor

Thank you Thoule

I will try this then let you know the outcome

Thanks

Pete

jhbush
Valued Contributor II

@pbrooks I had some of the same issues with 802.1x profiles using the JSS to distribute them. I was using a login window profile. The profile would work alongside FV2 and prompt for credentials as they aren't passed at the FV2 login window due to the bypass of FV2. Anyway using the JSS for the profile would always result in users being unable to connect, etc. Packaging the profile and running the standard Profiles commands worked fine every time. It's been that way since they brought profiles into the JSS and AFAIK is still not working as expected in 9.31.

pbrooks
New Contributor

@jhbush1973 are you running the profiles command manually or via a Casper Policy/Casper deployed script?