Configuration Profiles - How does this work?

stevewood
Honored Contributor II

I've read through the 8.3 manual and made sure I have all of the prerequisites met that are listed. Yet when I create a config profile, or import one from the iPhone utility, I cannot see any of my 10.7 machines in the scope.

What am I doing wrong?


23 REPLIES

nortonpc
Contributor

Steve, we are seeing this issue as well. I am trying to get 802.1x to work with the iPhone config profile. I can only map it to a static or smart group because it does not see any of the machines in the JSS.

I think I am going to have to open a ticket to see if there are some bugs or issues. Please let us know if you get any further because we are stuck at the moment without being able to deploy 802.1x connection settings.

nortonpc
Contributor

Steve, I did open a ticket and our account rep said that there are a bunch of known issues with the configuration profiles. I only asked about the certificate issue we were having in particular, but the bugs could explain your issue as well.

The next release is scheduled to be out in a month or so, they also said.

jason_vanzanten
New Contributor III

Hi Guys,

The issue we are seeing here is probably not a bug. Computers will not show up in the scope of a computer configuration profile in the JSS web application until they are fully enrolled with certificate-based communication enabled (JSS web application > Settings > Computer Management Framework Settings > Security).

Enrollment occurs when a managed 10.7 client applies the updated management framework with certificate-based communication enabled. This should happen automatically in Casper Suite version 8.31 but can be manually triggered through a jamf binary command (sudo jamf manage).

Part of the enrollment process creates a certificate for the device that: 1) gets assigned to the computer inventory record in the database; and 2) gets added to the following file on the client:

/Library/Application Support/JAMF/JAMF.keychain

Managed 10.7 clients should also receive an 'MDM Enrollment' profile in System Preferences > Profiles (this tab will not exist until the client receives a profile).

Computers should start showing up in the scope of a computer configuration profile once they have been enrolled by applying the management framework and have received a device certificate in the database.

stevewood
Honored Contributor II

Jason that is excellent information! Now if you guys can just update the manual to include that information, or put out a white paper with it. :-)

So once the machine is enrolled, and shows up in the scope of a profile, how does the profile get pushed down to the machine? Is this something where we need to run a "jamf manage" or "jamf recon" to install the profile?

I'm thinking about times where I might be testing a profile, how do I re-apply that profile? Just like MCX settings I can use the jamf binary to re-apply.

Thanks again for this insightful information.

jason_vanzanten
New Contributor III

Hi Steve,

Computer-level configuration profiles should automatically apply almost instantaneously, depending on network conditions and the availability of the client computer.

User-level configuration profiles, on the other hand, require a user login with login hooks enabled in the JSS web application (Settings > Computer Management Framework Settings > Login/Logout Hooks). We need to check the box to 'Create login and logout hooks' along with the options to 'Log username at login and logout' and 'Check for Policies with login and logout' for user-level configuration profiles to be applied.

There is also a new verb in the jamf binary, similar to the existing 'jamf mcx' verb, that applies computer configuration profiles:

jamf configurationProfile -username <username>

where the -username flag is optional and <username> is the actual name of the user. Omitting the -username flag will apply computer-level configuration profiles. As with all jamf binary commands, we can also add the -verbose flag for additional logging.

stevewood
Honored Contributor II

Okay, so that makes sense and I can see the new verb, but it doesn't appear to do anything. I have a very simple profile set in the JSS to install a certificate and configure 802.1x settings for our internal wi-fi network. I scope it to my machine and save the profile.

Nothing ever comes down. I run the jamf binary with the configurationProfile and get the following:

Checking for Device Level Configuration Profiles from https://jss.integerdallas.com:8443//...
There are no configuration profiles to apply at the device level.
There are no configuration profiles to remove at the device level.

So what am I doing wrong? Or what am I missing?

PlacoLL
New Contributor

I have the same problem

peterfisher
New Contributor

Having the same issues: the machine shows up in the JSS and is in the configuration profile scope, but the configuration profile never gets pushed down to the machine.

What are we doing wrong?

glutz
New Contributor III

I just tried to run jamf configurationProfile and it is coming up as an unknown syntax. So I ran jamf help and I do not see configurationProfile listed. I ran jamf version and I am on version 8.43.

lsivier
New Contributor II

I am also having this issue.

Matt
Valued Contributor

I've been playing with this as well. Seems like a cool idea in theory, but so far it's not ready for primetime. I also wish there was a way I could block asking the client if they want to enable or disable the profile when they log in.

TimT
Contributor

Have been trialling profiles and have all the necessary pieces in place cert wise but cannot bring individual computers into scope. I can apply to buildings but that's not useful for most situations.

The one machine that I have managed to scope I have applied varying payloads but with very mixed results.

Just curious to know if there are many of you out there that have had success with config profiles and 10.7?

Running 8.52 and a combination of 10.7.3 / 10.7.4.

Cheers

zmbarker
Contributor

Tim - I have also had problems with configuration profiles. See my post https://jamfnation.jamfsoftware.com/discussion.html?id=4685

Any info would be good.

johankjellman
New Contributor II

Same problem here... :(

There are no configuration profiles to apply at the device level.
There are no configuration profiles to remove at the device level.

talkingmoose
Moderator

After speaking with JAMF and consulting the Twittersphere (thank you, @hammen), I've determined that my problem with this is more than likely due to the fact that neither our JSS nor our client workstations are able to freely access the Internet. We use an authenticated proxy.

Both client and server need unfettered communication with Apple for push notifications. Apparently, the JSS doesn't support just downloading the .mobileconfig files without the clients receiving the push notifications from Apple. JAMF says this is restricted by Apple and is out of their control.

Putting our JSS in a DMZ is possible. I still need to do some testing to see if simply removing authentication for any communications to 17.0.0.0/8 (Apple) will still allow us to work through our proxy.

FYI, Apple seems to use the term "firewall" interchangeably with "proxy". If you're looking for proxy information then search for "firewall".

This white paper explains using Configuration Profiles with Lion server but the networking requirements should be the same for the JSS:
Managing OS X with Configuration Profiles

Also see the Other Tips and Tricks section at the bottom of this page on Apple's site:
https://developer.apple.com/library/mac/#technotes/tn2265/_index.html

nkalister
Valued Contributor

My solution for this has been to use profiles, but take the JSS push mechanism out of the loop: I get the profiles onto the client machines by triggering a package via policy. The package puts the configuration profile into a temporary folder, and a postflight script installs them, then removes the temp location. Works flawlessly, doesn't require push notifications.

Kumarasinghe
Valued Contributor

@talkingmoose

We have gone through the diagnostics with APNs and firewall/proxy setup, and the findings are described in this post:
https://jamfnation.jamfsoftware.com/discussion.html?id=4650#responseChild22897

talkingmoose
Moderator

@Kumarasinghe

Very helpful! Thank you.

michaelhusar
Contributor II

It would be great to have your thoughts on this: so far we did the build of the profiles with OS X Server Profile Manager and distributed them with a Casper policy and bash, like nkalister. Worked great so far.
We wanted to enable WiFi at the login window, as done on AFP548: http://www.afp548.com/2013/03/07/another-way-to-enable-wi-fi-at-login-window-with-profiles/#comment-40671
But to edit the profiles they are now unsigned and not encrypted, which I do not like.
Does anyone have an idea how to sign or encrypt the XML-edited profiles with bash or any other tool?
Thank you!

Tennant
New Contributor

One thing that I've seen when trying to use the configurationProfile command is that sometimes, you need to delete your MDM Enrollment profile before applying the configurations. Also, make sure you are running your jamf commands with root privileges.

  1. Delete MDM enrollment profile
  2. Open Terminal and run sudo jamf configurationProfile

This has solved almost all of my config profile issues.

michaelhusar
Contributor II

@Tennant
Thank you for your quick response. I have seen that too; you are right: when using the Terminal I also had trouble when an enrollment profile was present.

My issue is a different one:
I tried IPCU and Profile Manager (OS X Server), but of course these "point and click" tools only have a limited range of commands, keys, etc.
There are more "functions", as you can see e.g. in the Configuration Key Reference http://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/iPhoneConfigurationProfileRef.pdf, but to use those I understand you have to use a text editor or Xcode to put those commands in the XML "template" you made with the point-and-click tools.
In order to change the XML file you have to turn off "signing" and "encrypting" in the tools, otherwise... you know.
So what I did:
1. Use IPCU or Profile Manager to set as many payloads as possible.
2. Download the profile unsigned.
3. Change/add "missing" keys from the reference, like "activate WiFi at loginwindow".
4. Deploy with Casper and a bash script.
5. Works wonderfully.

But :-) now I have the profiles on the client machines in plain XML. (Of course I delete them after installation, but anyway.)
I would like it more if I could sign or encrypt the "hand-changed" profiles (passwords are plain text, ...).
...this would also give the possibility to make them available in Self Service.

So far I did not find a way to sign/encrypt "handmade" profiles. Help is very appreciated.
Thanks!
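The two practical pieces discussed in this thread, signing a hand-edited profile so a client can tell it has not been altered (the question just above) and installing profiles from a staging folder dropped by a package with a postflight script (nkalister's approach earlier in the thread), can be shown in one small POSIX shell script. This is an added example, not code from the thread, from JAMF or from Apple. It assumes `openssl` is on the PATH, that the signing certificate and private key are available in PEM form (the demo generates a throwaway self-signed pair), and the 10.7-era `profiles -I -F` install syntax (newer macOS releases use `profiles install -path`). The function names `sign_profile`, `verify_profile`, `install_staged_profiles` and `demo_roundtrip`, the `PROFILES_CMD` override and the sample WiFi profile are all constructed for illustration. Note that this signs the profile, it does not encrypt it: any password inside the plist is still readable in the signed blob, so signing answers the tampering concern but not the plaintext concern.

```shell
#!/bin/sh
# Added example (not from the thread): sign a .mobileconfig with openssl,
# verify it, and install staged profiles the way a postflight script would.
# Assumes: openssl on PATH; PEM signer cert/key; 10.7-era `profiles -I -F`.

# sign_profile <unsigned.mobileconfig> <signed.mobileconfig> <signer.pem> <key.pem> [chain.pem]
# Wraps the plist in a DER-encoded PKCS#7 signature with the content attached
# (-nodetach) and without CRLF rewriting (-binary), which is the form macOS
# expects for a signed profile. The optional chain file carries intermediates
# so the client can build a path to a trusted root. Signing only: the plist
# stays readable inside the blob.
sign_profile() {
  in="$1"; out="$2"; signer="$3"; key="$4"; chain="$5"
  if [ -n "$chain" ]; then
    openssl smime -sign -binary -nodetach -outform der \
      -signer "$signer" -inkey "$key" -certfile "$chain" -in "$in" -out "$out"
  else
    openssl smime -sign -binary -nodetach -outform der \
      -signer "$signer" -inkey "$key" -in "$in" -out "$out"
  fi
}

# verify_profile <signed.mobileconfig> <ca.pem> <recovered.plist>
# Checks the signature against the given trust anchor and extracts the plist.
# Non-zero exit means the signature, the content or the chain did not verify.
verify_profile() {
  openssl smime -verify -inform der -in "$1" -CAfile "$2" -out "$3" >/dev/null 2>&1
}

# install_staged_profiles <staging_dir>
# Installs every profile the package dropped in the staging folder, then
# removes the folder (the postflight pattern). PROFILES_CMD can be pointed at
# a stub for a dry run; it defaults to the real binary.
PROFILES_CMD="${PROFILES_CMD:-/usr/bin/profiles}"
install_staged_profiles() {
  dir="$1"; rc=0
  for f in "$dir"/*.mobileconfig; do
    [ -f "$f" ] || continue
    "$PROFILES_CMD" -I -F "$f" || rc=1
  done
  rm -rf "$dir"
  return $rc
}

# demo_roundtrip: generate a throwaway self-signed signing cert, sign a
# constructed sample profile, verify it, confirm the recovered plist is
# byte-identical, and confirm a tampered copy is rejected. Prints "ok".
demo_roundtrip() {
  work=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Profile Signing Test" \
    -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1 || return 1
  # Constructed minimal profile skeleton (no real payloads).
  cat > "$work/wifi.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.wifi</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array/>
</dict>
</plist>
EOF
  sign_profile "$work/wifi.mobileconfig" "$work/wifi.signed.mobileconfig" \
    "$work/cert.pem" "$work/key.pem" || return 1
  verify_profile "$work/wifi.signed.mobileconfig" "$work/cert.pem" \
    "$work/recovered.plist" || return 1
  [ "$(cat "$work/wifi.mobileconfig")" = "$(cat "$work/recovered.plist")" ] || return 1
  # Flip bytes inside the signed blob (the attached plist contains 'w');
  # any change to the content must make verification fail.
  LC_ALL=C tr 'w' 'W' < "$work/wifi.signed.mobileconfig" > "$work/tampered.mobileconfig"
  if verify_profile "$work/tampered.mobileconfig" "$work/cert.pem" "$work/ignored.plist"; then
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"
  echo ok
}

if [ "${1:-}" = "--demo" ]; then demo_roundtrip; fi
```

Run it with `sh sign_profiles.sh --demo` to see the round trip. For a real deployment, sign with a certificate the client already trusts (or whose intermediate you pass as the chain file); a profile signed by an unknown certificate still installs but is shown as unverified in the Profiles pane, which defeats the purpose of signing it.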

cfranc5
New Contributor

Mr Stevewood,
I have been following your work for some time. I am a long time caller but first time listener :-) Policy is really my strong suit, for multi-tenant multi-forest environments. I built some of the largest client management systems for Avery Dennison, Hyatt Global, Celestic, St Jude Medical, Stanford Hospital, Starbucks, and now I'm with a global financial company doing the migration from On-Prem to Jamf Cloud and I'm impressed with the newest version of JSS.

My point here is I would like to talk with you about a deep dive into Policy, Config Profile and DEP Staged Enrollment theory.

Bundling categories of Policy, Extension Attributes, Config Profiles based on scoping for core security tools and certs etc., and then core applications like MSO365, Edge, Teams, and patching.

Should I start a thread or ask for a time to talk, or how do I grab your interest in this way?

Thanks much and kind regards... Looking forward, @Stevewood

stevewood
Honored Contributor II

@cfranc5

You can reach me on Twitter and we can start there: @stevewood_tx