MacOS 11 "Big Sur" prevents automatic installation of profiles using the command line "profiles" command. This was introduced for security reasons (to prevent malware from installing silently profiles which could damage the device installation), this has an impact on how profiles must be installed with FileWave.
Currently, FileWave manages profiles:
- using FileWave agent (fwcld), which in turns uses profiles command line tool:
- profiles are installed using profiles -I
- profiles are removed using profiles -R
- profiles are updated using profiles -R followed by profiles -I as there is no "update" option
- using FileWave MDM, which uses InstallProfile, ProfileList and RemoveProfile commands if your device is MDM enrolled
In addition, FileWave keeps track if a profile has been installed via command line tool before it has been MDM enrolled. The reasons are:
- the MDM protocol does not allow to "take ownership" of a profile ; in other words, there is no way to manage, via MDM, a profile already installed via profiles command line
- managing such a profile from MDM requires the removal of the profile using command line before installing it via MDM
- removing Network, Certificate or any profile required to setup communication with FileWave server may break MDM management and require manual interaction to fix the issue
Therefore, FileWave keeps track of the method of installation and keeps managing via the profiles command line a profile which has been installed that way initially.
But, MacOS Big Sur now makes profiles -I command ineffective ; as FileWave removes and then reinstalls profiles when upgrading them, this can lead to profile removal.
Starting with FileWave 14.0.2, upgrading (command line) profiles on macOS Big Sur using the fwcld agent will be disabled, so profiles will not be removed accidentally. The next steps will be:
- ensure your device is MDM enrolled (DEP or User Approved)
- for any profile installed via command line, you need to remove the association so FileWave removes the profile via command line
- re-associate the profile, so FileWave now installs the profile via MDM
Removing profile(s) may disconnect your device from your network ; proceed carefully. It may be required to deploy another profile which will allow the device to stay connected during the process.