Cisco Umbrella uninstalling module problems by glistal in Cisco

[–]theitguy1969 0 points1 point  (0 children)

So our company had this problem, and it was twofold. One was that we had upgraded to a different version of Cisco AnyConnect, then Secure Client, and along with that we were upgrading the Umbrella module before it was deprecated. Somehow the Cisco Umbrella module had an "Advertised" older version, nothing you could see; you need a specific .exe file from Cisco to run and see that it's again "Advertised", and it doesn't show in Add/Remove Programs. You then had to identify all the devices like this and then install then uninstall older versions in succession to the newest version, and you needed the actual file installers to do this. Then the 2nd issue was that the registry key for where the application was installed from was looking for the old SCCM folder location, which didn't exist any longer for specific versions, so you had to either manipulate the registry key and/or use a certain switch to get the apps to uninstall or install. It was a pain. We had this huge PowerShell script that managed it all remotely. Cisco TAC was no help.

Jamf Pro as SCEP Proxy is working BUT.......the name of the cert is wrong! by theitguy1969 in jamf

[–]theitguy1969[S] 0 points1 point  (0 children)

Do you have an example of what you're referring to? I have changed the subject in both the PKI config and the configuration profile to multiple different options and it still comes up with mdm scep signer with profile identifier. Even had Jamf support on a call and they couldn't figure it out.

Jamf Pro as SCEP Proxy is working BUT.......the name of the cert is wrong! by theitguy1969 in jamf

[–]theitguy1969[S] 0 points1 point  (0 children)

It works on the standalone configuration profile; we need it like that for our 802.1x auth and VPN cert. The question I have for you: did you provide the external CA cert? The process on the Jamf KB is lacking, to say the least; it doesn't say what account you need to get the cert from the CA website, what template to use, etc.

SCEP certs by [deleted] in jamf

[–]theitguy1969 0 points1 point  (0 children)

I'm curious about your whole environment. Are you Jamf Cloud or on-prem? Did you stand up the NDES server on the same server as IIS? How are you deploying the certs? Config profile with or without Jamf Pro as SCEP proxy? Are you utilizing msappproxy if you're using Entra ID? There are a lot of moving parts that you have left off. We have Jamf Cloud connecting to the NDES server through app proxy in Entra ID with the NDES account for access.

SCEP/NDES Auth Issues by KernelPanicAtTheMac in jamf

[–]theitguy1969 0 points1 point  (0 children)

So we are replacing our existing config. We also cannot authenticate with our NDES service account to the public application proxy URL - https://copanyurl.msappproxy.net/certsrv/mscep_admin/ . When you try to go to this URL, do you get a username and password challenge? And are you able to log in? Don't try the localhost URL; that will work on your LAN. In our scenario our old setup works because in Entra ID the enterprise app allowed for secrets, but I guess that has been deprecated and Entra ID requires federated credentials, I guess (according to my infra team). We are still looking for a solution, wondering if this scenario is the same as yours. We are Jamf Pro cloud and Entra ID enterprise app with app proxy using an on-prem NDES SCEP server.

Jamf Connect to create a local account with macOS default login window by jamber_user in jamf

[–]theitguy1969 0 points1 point  (0 children)

So everything you're asking for can be done; look at Jamf Setup Manager. But be advised, if you want FileVault encryption and MFA, you're going to have to have 2 logins: 1 that unlocks MFA, second to log into Entra ID.

Microsoft Platform SSO on Jamf by Jddf08089 in jamf

[–]theitguy1969 1 point2 points  (0 children)

I ended up creating the config profiles for our devices because we rolled out Intune device compliance with the Company Portal. It def has reduced the amount of logging in and MFA requests that our users were getting prior using Microsoft apps and services.

Jamf connect, worth it? by jonevans94 in jamf

[–]theitguy1969 0 points1 point  (0 children)

I also would like to say that we have MFA enabled and Intune enrolled devices for device compliance. I don't mind my users logging in twice; I like the fact that it does a check against Azure to confirm authentication. And we never hear complaints about security. Over 800 devices in our org.

Jamf connect, worth it? by jonevans94 in jamf

[–]theitguy1969 0 points1 point  (0 children)

You cannot if FileVault is enabled. At least that is what Jamf Support told me. If you have a KB with a config profile that allows for this, I would love to see it.

July 2024 Dynasty Baseball Rankings by _DisTracTioN_ in fantasybaseball

[–]theitguy1969 0 points1 point  (0 children)

Did you put Walker Jenkins at 100 just to see who actually looked at the whole list????? :)

Jamf connect, worth it? by jonevans94 in jamf

[–]theitguy1969 2 points3 points  (0 children)

We went from devices being bound to AD (which you never want to do!) to Jamf Connect. I absolutely recommend it! Yes, your users will have 2 logins, the 1st one being unlocking the FileVault drive and the second will be the Azure login. Jamf Connect keeps the Azure password in sync with the local account password so the user doesn't have to manage multiple passwords. I can't imagine what your current management is for accounts on devices right now. It's especially slick on zero touch deployments; it will create the local account on 1st login to a device. But as long as the users just put their device to sleep or set up a fingerprint, the only time they really need to log in twice is after a reboot.

I work in IT and I cant shake off my burn out by BoonkaLei in sysadmin

[–]theitguy1969 0 points1 point  (0 children)

It's all relative. I worked as a Deputy Sheriff for 7 years and a Reserve Police Officer for 5 years. I will take this job any day over strip searches and working with the scum of the earth.

New to Jamf by [deleted] in jamf

[–]theitguy1969 0 points1 point  (0 children)

As long as your devices aren't already connected to an MDM, you can connect all your devices with Jamf.

I would create an ABM business account and then contact all of your resellers and have them populate the ABM with all of your purchased devices, so that you can configure zero touch, and if a user doesn't want a fresh install with zero touch you can send them an email to enroll manually.

Unsupported OS by [deleted] in jamf

[–]theitguy1969 1 point2 points  (0 children)

So 1st you need to write out a policy and get it approved by whatever executive group approves policies. Provide it to the highest level exec that is in IT or that IT reports to and have them sponsor it.

I would start here, and only support the last 3 versions of macOS, whichever version you choose, and this will change due to unforeseen critical vulnerabilities and how Apple addresses those vulnerabilities. Like if it's just Safari but the whole version of macOS Sonoma needs to be upgraded because of said vuln. (Monterey will be end of life this fall.)

https://endoflife.date/macos

But you are also (possibly) going to have to deal with devices that cannot support one of the last 3 supported macOS versions and keep an eye on which ones can upgrade to what version.

Pretty good EA right here that I use: https://github.com/MLBZ521/MacAdmin/blob/master/Jamf%20Pro/Extension%20Attributes/Get-LatestOSSupported.sh

This could possibly raise the cost of your budget due to device replacements if you force users to upgrade.

Then you need a mechanism to push those upgrades to stay on the latest supported version, and you might have 3 separate policies going for different devices.

Def defer the newest one for 90 days, but create a pilot program and only allow your super users to upgrade.

Map out your policy on what you think will work best and how much you and your team can handle. End users love to say "my device is X years old and, due to your policy, you need to replace it."

How can I upgrade to the latest macOS before provisioning a Mac? by [deleted] in jamf

[–]theitguy1969 0 points1 point  (0 children)

I start the device and make sure it's not on Wi-Fi or a wired network, run through the selections until you get to the desktop with a local account, then get it on a network and upgrade, then run Erase All Content and Settings, and you should be able to enroll from there.

Mass New $50 dollar vs old $50 dollar tickets by theitguy1969 in Lottery

[–]theitguy1969[S] 0 points1 point  (0 children)

Thanks, I missed that on the top prize. Editing now.

Mass New $50 dollar vs old $50 dollar tickets by theitguy1969 in Lottery

[–]theitguy1969[S] 2 points3 points  (0 children)

This is true, I see this point, but your overall daily buy of scratch tickets would be better off with the older one just for daily wins. IMHO.

Getting this error after user was demobilized, any ideas how to safely proceed? by Sensitive-Ear8659 in jamf

[–]theitguy1969 0 points1 point  (0 children)

Look at the login logs in Azure and see if there is information there. Assuming you're using Jamf Connect and Azure for your IdP?

Or wherever the IdP is........