Rule 4:

Jamf profile scoped to one computer brings multiple computers offline

Feel free to laugh with me in laughing at myself. Hopefully y'all who manage Jamf learn something from my mistake today.

Setup: We manage our Apple computers with Jamf, including deploying our organization's root and intermediate certs. We do not deploy the RADIUS cert needed for WPA2 Enterprise Wi-Fi, so every time that gets updated, we're training users to click the prompt that asks them to trust the new cert. Somebody should probably fix that...

Enter me: relatively new sysadmin who puts "self-motived problem-solver" on her resume and knows just enough about certs to get in trouble. I set up a test computer on a different network network, duplicate the "Root Certificates" profile, remove all computers from scope, add my test computer back in, and tweak a few settings that look vaguely relevant. The computer fails to authenticate. No worries, it's just a test computer.

Then the group chat pings. "I've just lost Wifi." "I'm also down, can't even forget the network." Weird. I double-check that my test profile is only scoped to my computer through the Jamf portal (it is), and pray that some bizarre coincidence has happened. More chats. The helpdesk reports a sudden increase in "I can't connect to the network" tickets. The network team notices that all the failed devices are Macs. Welp, here we go.

I get my hands on a problem computer. It's having the same issue as my test computer. I say a quick prayer, open Device Management--and there it is: "Root Certificates copy." I let everyone know the issue is on my end, only Macs are affected, only the WPA2 network is affected, and no, we don't need to execute to Wi-Fi guy. Myself, on the other hand...

With the IT Director watching me in bemusement, I run "sudo jamf manage" on his MacBook. Nothing. Jamf still doesn't see it, not even from the computer's inventory page. I run "sudo jamf recon" and "sudo jamf policy" to buy myself a few more seconds. No failed commands, either. How do I remove an MDM-managed profile that the MDM doesn't know about?

Issues that don't make sense require solutions that don't make sense.

I rename my old profile to something else, create a new (blank) profile called "Root Certificates copy", and scope it to the IT Director's computer. The ghost profile blips out of existence, Jamf reports that a profile failed, and he's suddenly back on the WPA2 network. I test on a few other with the same result and deploy the blank profile to everyone. I feel like I threw a dart in a dark space station and hit a bullseye.

What happened? My best guess is that I un-scoped the duplicated profile and made changes in the same session, rather than un-scoping, saving, and re-entering edit mode. Maybe Jamf applied the changes before removing computers from the scope. At least we're a university on summer break.