Jamf Nation Community

chrisw · ‎05-02-2013

We have a laptop cart and configuration profiles created in JSS that tell which WIFI network the laptop should connect to. The config profile are scoped out correctly in JSS. But for some reason the config profiles are being removedor are not applying thus causing the laptop to have no wifi connection. The students connect to a guestpublic wifi but they cannot print ...thus the helpdesk getting calls about no printing for the cart. I doubt the students are navigating to Syst PreferencesProfiles and deleting the profile. My questions is - is there a systematic way that the profiles are being deleted or are just not applying? I can create a config profile in 10.8.x server Profile manager to never remove the profile without authorization. So this profile is locked down I guess. That tested good. But the JSS created profiles are not applying on random computers and at one point in time they were applying.

mscottblake · ‎05-02-2013

I had the same issue and worked extensively with JAMF to find that it's a bug in the OS that causes the client to remove the profile without the JSS's knowledge, so it doesn't know to push it back.

I still push most profiles through MDM, but I take my Wiki profile and install it locally at imaging time. Doing it this way prevents the OS from removing it.

You can download the profile from https://jss.url:8443/exportOSXConfigurationProfile.html and then add the .mobileconfig file into Casper Admin and deploy as just another package. The catch is that you need to run ```
/usr/bin/profiles -I -F "/path/to/<configName>.mobileconfig"
``` to actually perform the profile installation.

View solution in original post

barnesaw · ‎05-02-2013

This bit us on our Mac cart. Plugging in to ethernet and logging in as ANY user would push the profiles back out, but loginwindow wifi profiles would fail after sleep. If the laptops were properly shut down, things were good. When the lids got shut down and opened back up the next day....shaky box time.

View solution in original post

mscottblake · ‎05-02-2013

I had the same issue and worked extensively with JAMF to find that it's a bug in the OS that causes the client to remove the profile without the JSS's knowledge, so it doesn't know to push it back.

I still push most profiles through MDM, but I take my Wiki profile and install it locally at imaging time. Doing it this way prevents the OS from removing it.

You can download the profile from https://jss.url:8443/exportOSXConfigurationProfile.html and then add the .mobileconfig file into Casper Admin and deploy as just another package. The catch is that you need to run ```
/usr/bin/profiles -I -F "/path/to/<configName>.mobileconfig"
``` to actually perform the profile installation.

barnesaw · ‎05-02-2013

This bit us on our Mac cart. Plugging in to ethernet and logging in as ANY user would push the profiles back out, but loginwindow wifi profiles would fail after sleep. If the laptops were properly shut down, things were good. When the lids got shut down and opened back up the next day....shaky box time.

chrisw · ‎05-02-2013

Thank you very much for response. I also asked JAMF Support the same question. I await their response.

barnesaw - yes that is what we basically did as well. Just re-establish some network connectivity and the profiles get pushed back on.

This summer, I will most likely create the config profile using Profile Manager on our 10.8.x server. At least you can lock down the profile. This tested successfully on my 10.7.x client with manually installing the profile. I did upload that profile to JSS but its not scoped to anything yet.

Thank you again for your responses

alexjdale · ‎05-02-2013

Yup, we install the profiles manually via script (rolled into a package) and Casper monitors installed profiles via an extension attribute that is the list output of the profiles command. I set up Smart Groups for systems that do not have a specific profile and scope a policy against the group to install the profile.

This way, if a user removes the profile (which can be done by sudoing the profiles command to remove all profiles, ignoring any password protection on them), it gets reinstalled automatically.

bentoms · ‎05-02-2013

We had a similar issue too.

Turns out it was network related.

The office affected by the issue was recently added to our network, the DHCP scope was specifying their old router & not the one on our MPLS.

Correcting this has resolved things for us.

gachowski · ‎07-02-2013

Alex, Can you share your extension attribute, I need to do the same and your AE would be a great place to start.

Thanks

C

mscottblake · ‎07-02-2013

This Extension Attribute will display an alphabetically sorted list of Configuration Profiles that are applied. I've submitted it to JAMF and I will update this post once it is approved.

#!/bin/sh

profiles=`profiles -C -v | awk -F: '/attribute: name/{print $NF}' | sort`
echo "<result> $profiles </result>"

exit 0

Edit: This configuration profile is downloadable from https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=654. It is quite handy to see which profiles are actually installed on the machine.

Jamf Nation Community

Configuration Profiles being removed by user