Confusion about certificate distribution growing bigger and bigger...

mucgyver-old
New Contributor III

Hello all.

As there are different ways of deploying device certificates, I wonder what would be the Jamf-recommended workflow of certificate deployment.

My predecessor built a configuration profile with all the certificates in the payload (some are already outdated, but yeah...), but as I am not aware of any way to imply an auto-always-trust for them via this approach, he also built an additional policy which imports the security settings for these certificates via "security trust-settings-import -d .../trust_settings.plist". Now, I had to add new certificates to that, which I did. I exported the trust settings to a new trust_settings.plist, and last Wednesday reapplied the updated config profile for the certificates payload and the updated policy for the trust-settings-import, and somehow ended up with dozens of clients suddenly losing their Wifi connection and therefore being left completely unmanageable. :-( Okay, I simply cannot understand why this simple trust-settings-import obviously seems to have wiped or at least trust-altered some necessary certificate for Wifi connectivity (okay, that is my bit that I did not know anything about this crucial dependency between certificate and Wifi here), but I am left totally unconfident in regard to how to effectively deploy certificates without running into such a mess again in the future.

How can I actually manage certificates in a way of a check "is that certificate already present and valid for a certain minimum amount of time?", avoiding duplicates? Why does there seem to be no built-in way of auto-trusting critical certificates via configuration profiles? As I am working in a highly-regulated business, we have to rely heavily on certificates for good reasons, and I feel completely lost with that, as this topic is also not really touched by Jamf training classes (at least not up to 300). Has anyone ever found a reliable workflow for certificate distribution? The bits and pieces I found about that in the discussion forum and Jamf Pro documentation did not help me much and in some way led me to the "tiny" WiFi disaster last Wednesday. Thanks.

Best regards
Chris
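The "is that certificate already present and valid for a minimum amount of time?" check from the question above can be scripted on the client itself. The script below is an added example, not code from the original post or from Jamf: it assumes the certificates are staged as PEM files in a directory (the /Library/Management/certs path is a placeholder), that the target is the System keychain, and that it runs as root from a Jamf policy. It compares SHA-1 fingerprints against `security find-certificate -a -Z` output to avoid duplicates, lets `openssl x509 -checkend` do the expiry math, and trusts each certificate individually with `security add-trusted-cert` rather than importing a whole trust_settings.plist, which overwrites whatever admin trust settings were already on the machine.

```shell
#!/bin/sh
# Added example (assumptions: PEM files in CERT_DIR, System keychain, runs as root).

KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"
MIN_DAYS="${MIN_DAYS:-30}"   # do not install a cert that expires within this window

# SHA-1 fingerprint of a PEM certificate as uppercase hex without colons,
# the same form `security find-certificate -Z` prints after "SHA-1 hash:".
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | cut -d= -f2 | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Exit 0 if the certificate is still valid $2 days from now, 1 if it expires
# sooner or is already expired. openssl does the date math, so no date parsing.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 if fingerprint $1 appears in a `security find-certificate -a -Z`
# listing passed as text in $2 (kept separate so it can be tested without a keychain).
fingerprint_in_listing() {
  printf '%s\n' "$2" | grep -q "^SHA-1 hash: $1\$"
}

# Exit 0 if the fingerprint is already in the target keychain.
cert_in_keychain() {
  cert_in_keychain_listing="$(security find-certificate -a -Z "$KEYCHAIN" 2>/dev/null)"
  fingerprint_in_listing "$1" "$cert_in_keychain_listing"
}

# Decide what to do with one PEM file; prints install, skip-present or skip-expiring.
cert_action() {
  cert_action_fp="$(cert_fingerprint "$1")" || return 1
  [ -n "$cert_action_fp" ] || return 1
  if ! cert_valid_for_days "$1" "$MIN_DAYS"; then
    echo "skip-expiring"
  elif cert_in_keychain "$cert_action_fp"; then
    echo "skip-present"
  else
    echo "install"
  fi
}

# Install and trust one certificate. This writes a trust record for this one
# certificate only instead of replacing the whole admin trust-settings set.
install_cert() {
  security add-trusted-cert -d -r trustRoot -k "$KEYCHAIN" "$1"
}

main() {
  dir="${1:-/Library/Management/certs}"   # placeholder staging path
  for pem in "$dir"/*.pem; do
    [ -e "$pem" ] || continue
    case "$(cert_action "$pem")" in
      install)       echo "installing $pem"; install_cert "$pem" ;;
      skip-present)  echo "already present, skipping: $pem" ;;
      skip-expiring) echo "expires within ${MIN_DAYS}d, not installing: $pem" ;;
      *)             echo "could not read $pem" >&2 ;;
    esac
  done
}

# Run the loop only when a staging directory is given, e.g. `sh certs.sh /Library/Management/certs`.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Running it as a Jamf policy (or as an Extension Attribute that prints the per-certificate decisions) gives a visible record of what was installed, what was already there and what was refused for being close to expiry, which is the kind of audit trail a regulated environment usually needs anyway.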


jameson
Contributor II

Take a look at Jamf AD CS, which can provide certificates.