Matt_nz_Karamu wrote:
Hi, I imported using the command line. I certainly want a SystemConfiguration payload.
I was logged on as a local administrator (the machine is already bound to AD, but I didn't think this would matter).
The Kerberos ticket is valid, as I can see an entry using klist -l.
Maybe I have something wrong in the mobileconfig file, but it's pretty basic so I can't see what could be wrong. I assume I can name the PayloadDescription, PayloadDisplayName, PayloadIdentifier, PayloadOrganization, anything I like?
Does the profile import without error using the profiles command? It might help to check the console for any output related to the import. I don't think that the tool would fail silently. You can enable verbose logging by passing the "-v" flag along with the other program arguments to obtain additional info.
You do not need to be logged in as a network administrator - a local administrator account should work fine. I'm pretty sure you need to be bound to AD for the domain controller to be able to manage your computer via machine records (and subsequently issue a certificate that allows it to authenticate itself)...
If you're getting a Kerberos ticket, the ADCertificatePayloadPlugin should be able to use that to authenticate against the certificate services web service, and generate a machine certificate when the profile is imported - are you able to locate a certificate or keypair with this machine's name in the keychain?
The mobileconfig names that you mention above are customizable... Some of the others (like the "PayloadType") should not be changed.
If your signing CA is using an untrusted certificate, you may need to set trust of that certificate first (the logs would probably mention this) in Keychain Access or by using the 'security' command line tool.
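An added example, not part of either post above: a small pre-import check of an unsigned .mobileconfig that leaves the free-form labels alone and verifies only the structural keys, including the "PayloadType" values that should not be changed. It assumes the AD certificate payload type string is `com.apple.ADCertificate.managed`; the function names, identifiers and UUIDs are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Assumption: Apple's documented type string for the AD certificate payload.
AD_CERT_TYPE = "com.apple.ADCertificate.managed"
# Structural keys every profile and payload carries; not free-form labels.
REQUIRED = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def lint_profile(raw: bytes) -> list:
    """Return the problems found in an unsigned .mobileconfig."""
    try:
        profile = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError):
        return ["not a readable plist (unwrap signed profiles first)"]
    if not isinstance(profile, dict):
        return ["top-level object is not a dictionary"]
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("profile: PayloadType must be 'Configuration'")
    payloads = [p for p in profile.get("PayloadContent", []) if isinstance(p, dict)]
    seen = set()
    for label, item in [("profile", profile)] + [
            (f"payload {i}", p) for i, p in enumerate(payloads)]:
        problems += [f"{label}: missing {k}" for k in REQUIRED if k not in item]
        uuid = item.get("PayloadUUID")
        if uuid is not None and uuid in seen:
            problems.append(f"{label}: PayloadUUID is not unique")
        seen.add(uuid)
    if not any(p.get("PayloadType") == AD_CERT_TYPE for p in payloads):
        problems.append(f"no payload of type {AD_CERT_TYPE}")
    return problems


def sample_profile(payload_type: str) -> bytes:
    # Constructed sample; identifiers and UUIDs are placeholders.
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Any label",
        "PayloadIdentifier": "com.example.adcert",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": payload_type,
            "PayloadIdentifier": "com.example.adcert.machine",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
        }],
    })
```

An empty list means the structure is sound, so a failed import is more likely an authentication or trust problem than a malformed profile.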