dayglojesus / managedmac

Comprehensive Puppet module for OS X.
http://dayglojesus.github.io/managedmac/
Apache License 2.0

creating a 'com.apple.wifi.managed' profile causes the installer to loop. #10

Closed groob closed 10 years ago

groob commented 10 years ago

I've had success using the mobileconfigs for creating various profiles, but when I try to create one to manage the wifi credentials, the profile gets installed each time, causing the wifi to reconnect.

```
Debug: Executing '/usr/bin/profiles -P -o /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/d20140717-85034-7ojbsq/profiles76fd2869aa620eab79aa344a43a7b4cc.plist'
Notice: /Stage[main]/Managedmac::Mobileconfigs/Mobileconfig[com.apple.wifi.managed]/content: content changed '-234184370357129213' to '-4492789466839370892'
Debug: Executing '/usr/bin/profiles -I -F /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/d20140717-85034-ofne00/c02a34201439162b0968b37b33b6eed5.mobileconfig'
Debug: Executing '/usr/bin/profiles -P -o /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/d20140717-85034-16i9hm/profiles5120282a46a0f365dcc0995f3c0e5661.plist'
Debug: /Stage[main]/Managedmac::Mobileconfigs/Mobileconfig[com.apple.wifi.managed]: The container Class[Managedmac::Mobileconfigs] will propagate my refresh event
```

Here's the relevant subset from hiera:


```yaml
---
classes:
  - managedmac
managedmac::organization: "MyOrg"
managedmac::mobileconfigs::defaults:
  description:  'Installed by Puppet.'
  organization: 'MyOrg'
managedmac::mobileconfigs::payloads:
  'com.apple.wifi.managed':
    content:
      PayloadType: 'com.apple.wifi.managed'
      AutoJoin: true
      EncryptionType: 'WPA'
      HIDDEN_NETWORK: true
      Interface: 'BuiltInWireless'
      Password: 'MyOrgPassword!'
      SSID_STR: 'MyOrg'
      ProxyType: 'None'
    displayname: 'Managed Mac: WiFi'
```

dayglojesus commented 10 years ago

Does the profile contain certificates?

groob commented 10 years ago

No. It uses a password only. I was able to successfully implement the WiFi profile using a template previously.

https://github.com/whitby/puppet-module-profile/commit/e76f902ce67fedfdf8c1dca04ae2c59d572c2065

dayglojesus commented 10 years ago

Ah-ha. Okay, this looks like another edge case. Please read the section labeled "Important" to get an idea about what is happening.

http://dayglojesus.github.io/managedmac/types/#Mobileconfig

I am almost positive the cause of this is that the password is being scrubbed from the output of /usr/bin/profiles. If that's the case, then using a template is your best choice at present. Still, that doesn't mean it cannot be addressed. I fixed this problem for the com.apple.DirectoryService.managed Payload Types, so I can probably address this as well.

To check, run `sudo puppet resource mobileconfig com.apple.wifi.managed`

Review the output of this command -- does the Password key appear as a series of asterisks?

Thanks!

groob commented 10 years ago

Thanks for the explanation. That's likely what it is. I will use the template method in this case.

```puppet
mobileconfig { 'com.apple.wifi.managed':
  ensure            => 'present',
  content           => [{'AutoJoin' => 'true', 'EncryptionType' => 'WPA', 'HIDDEN_NETWORK' => 'true', 'Interface' => 'BuiltInWireless', 'Password' => '********', 'PayloadType' => 'com.apple.wifi.managed', 'SSID_STR' => 'WhitbySchool'}],
  description       => 'Installed by Puppet.',
  displayname       => 'Managed Mac: WiFi',
  organization      => 'Whitby School',
  removaldisallowed => 'false',
}
```

dayglojesus commented 10 years ago

Okay. I will see what I can do about this. Thanks for the report!!!

dayglojesus commented 10 years ago

@groob I've implemented some large changes to the Mobileconfig type that should address this issue. Can you please test branch 0.4.2 and let me know if this gets the job done?

Thanks!

groob commented 10 years ago

Looks like the issue was resolved. The profile is being created and is only re-applied when I change the password in my hiera file!

dayglojesus commented 10 years ago

Huzzah! That's what it should do. I have reimplemented how the Mobileconfig performs checking on values in the :content property. I am hoping this will fix this issue and more that creep in -- with the exception of embedded certificates, of course. Thanks for your report!
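
The diagnosis in this thread, as an added Ruby example that is not managedmac's code: a plain equality check never converges once the OS reports `Password` as asterisks, while a redaction-aware check compares visible keys directly and secret keys through a keyed digest recorded at install time. The digest record, `KEY`, the function names and the sample values are assumptions constructed for illustration; the thread does not say how branch 0.4.2 implements its check.

```ruby
require 'openssl'

# Assumption: a redacted value is a string made up only of asterisks,
# as in the `puppet resource` output quoted in the thread.
REDACTED = /\A\*+\z/

# Naive check: desired content must equal what the OS reports.
# With a scrubbed secret this is never true, so the profile reinstalls every run.
def naive_in_sync?(desired, observed)
  desired == observed
end

# Keyed digest over the secret values only, so the state record holds no
# plaintext. HMAC rather than a bare hash: a Wi-Fi passphrase is low entropy,
# and the key is assumed to live in a root-only file on the managed host.
def secret_digest(desired, secret_keys, key)
  material = secret_keys.sort.map { |k| "#{k}=#{desired[k]}" }.join("\n")
  OpenSSL::HMAC.hexdigest('SHA256', key, material)
end

# Hypothetical redaction-aware check: visible keys are compared directly,
# redacted keys through the digest recorded at the last install.
def redaction_aware_in_sync?(desired, observed, recorded_digest, key)
  return false unless desired.keys.sort == observed.keys.sort
  redacted = observed.select { |_, v| v.is_a?(String) && v.match?(REDACTED) }.keys
  return false unless (desired.keys - redacted).all? { |k| desired[k] == observed[k] }
  return true if redacted.empty?
  # No record means the secret cannot be verified: treat as out of sync.
  !recorded_digest.nil? && secret_digest(desired, redacted, key) == recorded_digest
end

# Constructed sample data (not taken from any real host).
KEY      = 'constructed-local-key'
DESIRED  = { 'PayloadType' => 'com.apple.wifi.managed', 'SSID_STR' => 'MyOrg',
             'EncryptionType' => 'WPA', 'Password' => 'constructed-passphrase' }
OBSERVED = DESIRED.merge('Password' => '********')
RECORDED = secret_digest(DESIRED, ['Password'], KEY)

if __FILE__ == $PROGRAM_NAME
  puts "naive check in sync:           #{naive_in_sync?(DESIRED, OBSERVED)}"
  puts "redaction-aware check in sync: #{redaction_aware_in_sync?(DESIRED, OBSERVED, RECORDED, KEY)}"
  rotated = DESIRED.merge('Password' => 'constructed-rotated')
  puts "after password change in sync: #{redaction_aware_in_sync?(rotated, OBSERVED, RECORDED, KEY)}"
end
```
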