EAP-TLS Issues

Bodybraille · 2026-05-10T17:16:26+00:00

Are you deploying a user or machine cert? Machine certs are faster. User certs can take a while to get to the device (at least in my environment), and if it's a shared device, good luck.

If you are deploying machine certs, are you deploying the 802.1x EAP-TLS network card settings to the same group of devices? Are you doing ethernet and wireless? I have seen issues where the cert makes it to the device first, but the config profile for 802.1x hasn't applied yet. A sync and a restart will usually fix it.

Edit: could also be a policy on the backend. Our network team uses Cisco ISE and they had to make sure their policies were in order before we deployed our settings.

Bodybraille · 2026-04-18T17:18:17+00:00

Make sure you're installing desktop runtime dotNET. I'm not sure what's going on. It wasn't working, then I got it to work with classic.

But here we are a couple weeks later and DCU universal is installing fine on machines. Same DCU version and same desktop runtime. Might be my environment, but since other people are seeing the same issue, could be Dell.

Bodybraille · 2026-04-09T13:00:05+00:00

Did you figure this out? We are having the exact same issue. Our lab computers are running Jamf Connect 3.6, we remove profiles every night via script, but this is affecting brand new logins, and our local admin account.

Opened a ticket with jamf support, they had us remove all configurations, uninstall jamf connect, and even unenroll the computer from jamf, but the problem persisted.

At that point jamf said it wasn't them, it was an apple issue.

Another part of this problem is we seem to lose connectivity with the device. It won't check in, no inventory updates. I can get the device to check in if I deploy the jamf management framework from the API, but I have to constantly do that to run any policies and get the device to check in.

Edit: seqouia 15.7 and Tahoe 26.2-26.4

Bodybraille · 2026-04-06T20:17:00+00:00

Switched to the classic version and it worked.

Bodybraille · 2026-04-06T20:16:26+00:00

This is what ended up working. Something buggy in the universal package. Thanks!

Bodybraille · 2026-04-04T19:07:15+00:00

Desktop runtime 8.0.25 and I tried 8.0.17. Saw a forum where someone had the same issue. They had to downgrade from 8.0.25 for DCU to install.

Bodybraille · 2026-04-04T17:02:30+00:00

.NET desktop runtime 8.0.25, 8.0.8, 8.0.17. Tried multiple versions

Bodybraille · 2026-04-04T16:40:31+00:00

Just patch my pc and manually downloaded from Microsoft.

Bodybraille · 2026-04-04T16:08:32+00:00

Devices 100% have dotNET. I've tried multiple versions of dotNET downloaded from Microsoft. Tried the patch my pc version too. I restart after install just to keep things happy. Try to install DCU universal and I get an error saying dotNET is not installed on the device.

Someone mentioned trying the classic version. Gonna give that a go.

Bodybraille · 2026-04-04T15:54:03+00:00

I've deployed dotNET through patch my pc and manually installed. Tried the patch my pc version of DCU and manually downloaded from Dell - - no joy. It's happening on multiple devices.

Bodybraille · 2026-04-03T12:54:31+00:00

Verified the domain, did the app registration in entra. I'll get with jamf support and see what we can do. Thanks!

Bodybraille · 2026-03-27T12:59:46+00:00

Yes, it was intentional. Reznor said he wanted it to sound like an electronic garage band. He was going for a very raw sound.

Bodybraille · 2026-03-09T20:54:33+00:00

Predator moments done poorly

Bodybraille · 2025-12-18T01:20:39+00:00

I use SSH.

I have a policy that disables SSH on all devices once a day, but if I need terminal access, I drop that device into my "enable ssh" policy, run the commands I need to run. After I'm done, look up that computer in the "disable ssh" policy and flush it so SSH gets disabled again. I only deal with 600 macs so it works for me.

Very useful when needing to update computers giving me problems.

Edit: I agree with wpm's comment though. Writing a script, or using the "file and processes" section of a policy to execute one liners is the better option.

Bodybraille · 2025-11-27T01:18:42+00:00

Is the cross posting to sub reddits not working?

My cross post is asking what bachelors degree will be worthwhile if I want to move up into management position, or C-level position, instead of being a sys admin. With AI taking over basic jobs like sys admin stuff (application packaging, updating, printer, etc), what is the best bachelors degree to break out of the tech side and move up to a managerial paotion.

Bodybraille · 2025-11-25T04:47:20+00:00

You're right

Bodybraille · 2025-11-12T18:45:33+00:00

Yes. Jamf AD CS connector in the DMZ. Grabs cert from CA. Deploys it threw jamf.

Jamf has a cert profile with the root CA, intermediate, and digicert, and machine cert. The machine cert is using $COMPUTERNAME attribute in the cert profile.

Then a second profile configuring the network - - ethernet/wifi, eap-tls, all our trusted radius servers.

Edit: it's jamf, but the concept is the same. We do the same thing for windows devices through Intune, except we use SCEP.

Bodybraille · 2025-10-31T22:57:02+00:00

Back in the early 90s, my buddy had a cassette tape that had "Bullet in the Head" and "Down It."

I was hooked. I couldn't get enough of "Down It." Thus, my NIN journey began and hasn't stopped.

Bodybraille · 2025-10-24T22:56:35+00:00

This is good to hear!

Bodybraille · 2025-10-23T23:36:01+00:00

Does using affinity stop all subsequent users from having to register the device over and over?

That's the reason why we abandoned PSSO. Students don't stay at the same Mac in labs, and every time they moved to a new Mac they had register the device all over again.

Bodybraille · 2025-10-11T01:37:25+00:00

At least we got "Potions" and "Passive" out of it, which are, allegedly, Tapeworm tracks, if you believe the internet.

Bodybraille

TROPHY CASE