for profiles can be enabled with the following commands:
sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1
After logging out and logging back in, very verbose logging is written to /Library/Logs/ManagedClient/ManagedClient.log. To disable debug logging, delete the /Library/Preferences/com.apple.MCXDebug.plist file and log out and log back in once more.
Read .mobileconfig profile in plaintext:
security cms -D -i /Path/To/profile.mobileconfig | xmllint --format - > /Path/To/profile.txt.mobileconfig
Credit: Multiple authors.
See what’s installed: /usr/bin/profiles -I -F /path/to/mobileconfig
List Kerberos tickets: klist -l
Obtain a Kerberos ticket: sudo kinit -k <computername>
- “Enroll subject without requiring any user input” is enabled.
- Subject name format: Common name
- Subject Alternative Name: User principal name (UPN)
- Domain computers have Read and Enroll permissions enabled.
- Make sure the “Certificate Template Name” in your AD Certificate payload matches the “Template name” (not the “Template display name”) of the target certificate template.
- Make sure your profile includes the intermediate and root CAs for the certificate you are requesting, and also the entire chain of trust (root + intermediate CA certs if they are different from the client certificate CAs, and the server certificate) for the CA server.
- Machine must be bound to AD.
- Ensure the machine has a Kerberos ticket (<machineName>$.<DOMAIN>).”
Also, check that the Domain Computers group is in the ADCS template ACL.
Spaces in template name will break the request on some versions of OS X. <- Details needed.
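A small checker for the payload-related items in the checklist above (template name present and free of spaces, CA chain payloads included), added here as an example and not taken from the slides or any quoted source. It assumes the AD Certificate payload uses the keys `CertServer`, `CertificateAuthority` and `CertTemplate`, and that the profile has already been decoded to a plaintext plist with the `security cms -D` command shown earlier; the embedded profile is constructed sample data.

```python
import plistlib

# Constructed sample profile (not a real deployment): one AD Certificate payload
# plus one root CA payload, as exported with `security cms -D`.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.example.adcert</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.ADCertificate</string>
      <key>CertServer</key><string>ca.example.local</string>
      <key>CertificateAuthority</key><string>EXAMPLE-CA</string>
      <key>CertTemplate</key><string>Machine</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
  </array>
</dict></plist>"""

# Keys assumed to be required in the AD Certificate payload (assumption, see lead-in).
REQUIRED_AD_KEYS = ("CertServer", "CertificateAuthority", "CertTemplate")
# Payload types that carry CA certificates for the chain of trust.
CA_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}


def lint_ad_certificate_profile(profile_bytes):
    """Return a list of findings; an empty list means every check passed."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    findings = []
    ad_payloads = [p for p in payloads
                   if p.get("PayloadType") == "com.apple.ADCertificate"]
    if not ad_payloads:
        findings.append("no com.apple.ADCertificate payload found")
    for p in ad_payloads:
        for key in REQUIRED_AD_KEYS:
            if not p.get(key):
                findings.append("AD Certificate payload is missing %s" % key)
        template = p.get("CertTemplate", "")
        # Spaces usually mean the display name was used instead of the template name.
        if " " in template:
            findings.append("CertTemplate %r contains spaces; use the template "
                            "name, not the display name" % template)
    if not any(p.get("PayloadType") in CA_PAYLOAD_TYPES for p in payloads):
        findings.append("no CA certificate payload: include the issuing chain "
                        "and the CA server's chain of trust")
    return findings
```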
PSU Mac Admins – Slides