Help a Windows admin

Taboc741
New Contributor III

Hello folks,

My company is turning off an old wifi profile in favor of a new one that is certificate based. I deployed a configuration profile and am enjoying a high failure rate due to users who simply aren't on the network to fetch their AD cert when the profile is applied. While retries when the user is on the network work fine, we can't seem to get our deployment over about 70%.

I've decided to push the mobile config via a Policy scoped to Macs that are on the network and that need the wireless profile. It's that second part I am having trouble with. I suck at bash, and scripting out an extension attribute is beyond me at this time. (I'm in the "I see shiny stuff and can sometimes understand it" phase of learning bash; one day I hope to graduate to "I see shiny stuff and understand it".)

Anyone want to help out with what they'd do to get the extension attribute created?

3 REPLIES

koalatee
Contributor II

So what you could do is check by the profile's ID:

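#!/bin/bash
# Jamf extension attribute: reports whether a configuration profile is installed.
# [[ ... =~ ... ]] is a bash construct, so the script runs under bash.

# Replace UNIQUEIDSTRINGHERE with the profile's ID as shown by `profiles -C`.
profileID="UNIQUEIDSTRINGHERE"

# List the installed configuration profiles.
profileInstalled=$(profiles -C)

# A quoted right-hand side makes =~ a literal substring match.
if [[ ! $profileInstalled =~ "$profileID" ]]; then
    result="Not Installed"
else
    result="Installed"
fi

# Jamf reads the value between the <result> tags.
echo "<result>$result</result>"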

As far as I know, the easiest way to get the profile ID would be to run profiles -C before and after installing the profile and see what's different...

Then to actually create the extension attribute: settings > computer management > extension attributes > new > make the data type a string and the input type a script. Paste the above script into the EA. It should then be available as a criteria in a smart group.

Also, just note that EAs only happen on inventory (jamf recon) so you may not see an immediate jump, but profiles should be pushed near instantaneous.
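
As an added example (not part of the reply above and not Jamf's own code): an exact-match variant of the same check, because a substring test reports "Installed" when a different profile's ID merely contains the one you are looking for, which matters when an old and a new wifi profile have similar IDs. The identifiers, the sample listing, the function names and the assumed `profiles -C` line format are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-match check for a profile identifier.
# TARGET_ID is a constructed placeholder; replace it with the real identifier.
TARGET_ID="com.example.wifi.cert"

# profile_state ID: reads a `profiles -C` listing on stdin and prints
# "Installed" only if a line's profileIdentifier equals ID exactly.
# Assumed line format: "_computerlevel[N] attribute: profileIdentifier: <id>"
profile_state() {
    awk -v id="$1" '
        /profileIdentifier:/ {
            # The identifier is the last whitespace-separated field.
            if ($NF == id) found = 1
        }
        END { print (found ? "Installed" : "Not Installed") }
    '
}

# Constructed sample listing: only the old profile is present, and its
# identifier contains the new profile's identifier as a prefix.
sample_listing() {
    cat <<'EOF'
There are 2 configuration profiles installed

_computerlevel[1] attribute: profileIdentifier: com.example.wifi.cert.legacy
_computerlevel[2] attribute: profileIdentifier: com.example.vpn
EOF
}

# On a Mac (where the profiles command exists), emit the EA result.
if command -v profiles >/dev/null 2>&1; then
    echo "<result>$(profiles -C | profile_state "$TARGET_ID")</result>"
fi
```

Against the sample listing, a substring match on `com.example.wifi.cert` would succeed because of the legacy profile, while `profile_state` reports "Not Installed", so the Mac stays in scope for the new profile.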

alv2015591
New Contributor III

I think you are making this too hard. Have you tried using a smart group instead? You have a general idea of what makes these Mac computers unique, correct? Using a smart group in Casper is going to be much easier than sending a policy to all your Macs hoping to weed out the ones that need it. If it's all your Mac laptops then make that your smart group; if it's much harder than that, use the additional attributes to trim down your smart group.

donmontalvo
Esteemed Contributor III

802.1x? If so wouldn't the computer only be able to get the cert if it is on the company network? I suppose this is a good argument to get your JSS onto the DMZ, and allow AD traffic, to allow these kinds of certs to be pushed via MDM.

--
https://donmontalvo.com