Changing Config Profile scope from individual Macs to smart group

AVmcclint
Honored Contributor

When 10.12.5 was discovered to break 802.1x, I had to scramble to build a completely new 802.1x profile, and I had to add computers to its scope one at a time because if I did a massive pull of the old profile then push of the new one, it would break networking and the new one would never make it to the target computers. Well, now that I have completed that project and 100% of our Macs are now scoped to the new 802.1x profile and the old profile is no more, I'd like to change the scoping from a bunch of individual machines to just a smart group for Macs bound to AD. That way there's less work for me in the future and machines will automatically get the profile after they join AD post-imaging.

My question is this: The way I envision doing this is to add the "AD bound" smart group to the scope, but when I click on Save, I am presented with the choices of distributing to all machines or distributing to only recently added. All existing machines ARE already part of the "AD bound" smart group, so if I choose to distribute to the recently added, what will happen? Will it push to all the Macs AGAIN on top of the existing profile? Will it remove the existing profile and push it again? OR (what I hope) will it see that the computers in the "AD bound" group aren't actually recently added and just not push anything since the sum total of recently added will be zero?

Then the question is: If I do add the "AD bound" smart group successfully without mucking anything up, what will happen when I delete the individual entries from the scope?

I don't want to set the scope to All Computers because after imaging, computers join AD within different timeframes. If I try to push the 802.1x profile to a machine that hasn't joined AD yet, it will cause errors, and as we know, getting profiles to push correctly after a failure is usually hit or miss.

1 REPLY

Rajeev
New Contributor

When a computer is already in scope and the profile is already installed on it, if you add the same computer in the form of a smart group and choose "Distribute to Newly assigned devices only", then the profile will not be redeployed to that computer.
Later, if you remove the individual computer and choose "Distribute to Newly assigned devices only", since the computer is also part of the smart group, it is still technically in scope for the policy. So, there won't be any effect.