QUANTUM LEAP: Using Smart Groups to Migrate Wi-Fi and Certificate Settings on 10,000 Macs | JNUC 23

The books had barely closed on JNUC 2022 when our team was asked to do something crazy: migrate 10,000 Macs from one Wi-Fi configuration to another and replace the identity certificates — without any user impact.

Our existing certificate management solution was sorely outdated, difficult for users to use and understand, and generated a lot of support calls to the Help Desk. The goal was to replace the existing Wi-Fi profile and manually-issued user certificates with a new solution that could be deployed during brand new enrollments as well as migrated from existing enrollments; required no action from the end user; and allowed the certificates to automatically renew. We were also asked to implement this with an integration we'd never tried before: Active Directory Certificate Services (ADCS).

We called this project "Quantum Leap" after the beloved 1980s NBC TV show about interdimensional, intercorporeal travel.

One major wrinkle in our Quantum Leap was that the new Wi-Fi configuration needed to use the same SSID as the previous one. On a Mac, if you install a profile with a duplicate Wi-Fi configuration and then remove the older profile, the saved Wi-Fi network is removed and forgotten, and the user is disconnected. We concluded that a second, alternate network would be required to complete the migration.

After many meetings with the Wi-Fi, VPN, PKI and cybersecurity teams, and more than 100 hours of testing and re-testing, we had a solid plan that would harness the power of Jamf smart groups, configuration profiles and an alternate Wi-Fi network to systematically swap the Wi-Fi profiles and install a new certificate without any interaction from the end user.

At NBCUniversal, our large fleet of 13,000 Macs (and growing!) serves everything from engineers and creative artists to near-line editing stations and live on-air presentation systems. Our client platform engineering team is always looking for ways to automate deployment and configuration tasks, with the twin goals of standardizing and enhancing the end user experience and reducing the support landscape for our help desk.

A good solution strikes a balance between simplicity and security; the best solutions require a lot of hard work by the engineers to make them look like magic.

Session 1173
