Config Profiles corrupt when migrating

[joseracosta]

When migrating profiles from one JSS to another the config profile signature is not getting removed so the JSS will fail to properly send and receive feedback with migrated profiles. Current fix is to download profile from JSS1 and upload to JSS2 and recreate. This seems to fix all the errors in logs and weird problems with macOS devices properly applying config profiles.

[BIG-RAT]

Interesting. Is there a particular type of payload included in the configuration profiles you're seeing fail. The app downloads the profiles as text, note the payload will be xml encoded. If you could provide more details about the errors in the logs that might help. Or, if it contains no sensitive information, the raw xml of a profile that is not migrating properly.

[joseracosta]

Nothing sensitive I’ll see if I can get one but any migrated profiles will look like they are working and won’t show any errors till you start to get errors in the logs. They will appear to be working and show feedback errors in the logs. The one that is most obvious is the KEXT config profile. The profile will appear to be pushed normally till it actually has to allow the configured KEXTS then it will act as if the profile isn’t even installed on the system. Once you remove the bad profiles and re-upload them and remove the signature it seems to fix the issue. No more errors in the logs and profiles seem to activate normally.

[BIG-RAT]

Wonder if you're still having issues with profile corruption still, or haven't needed/used the app. There are limitations around migrating profiles with a KEXT payload, most significant being: Approved Kernel Extension payloads that contain bundle IDs will be dropped from the Configuration Profile. The other, as you may be aware, being the display names being dropped.

[BIG-RAT]

seems to be resolved.