@astrugatch Good to hear! Thanks.

@Sebastian-Roth

I can safely assume my devices are all running the latest version so I created a group policy to replace the settings.json with a fixed copy on a network share. Which is fine for what I need and I will just update my base images to reflect the correct setting.

Thanks for the help

@Sebastian-Roth

Full rebuild on dev-branch works.

Thanks for looking into this so deeply!

I am making this a normal thread as this is not a real FOG problem that can be just solved. Please follow up in the feature request topic here: https://forums.fogproject.org/topic/12506/client-inventory-option

@george1421

My MySQL knowledge is pretty shallow. For this situation I’ve got enough data, but I’ll read up and maybe change things then.

@astrugatch Thanks for pointing us to JAMF as example for CA/cert management with clients. It’s been a while but I had this on my list of things to do/check and now I got to it.

JAMF can be setup to use different CAs/certs: https://docs.jamf.com/10.0.0/jamf-pro/administrator-guide/PKI_Certificates.html

That page led me to the so called Simple Certificate Enrollment Protocol (SCEP) which does handle some of the things that come with certificates. But the initial problem of establishing a CA trust is still the same - described in section 5.5:

Before any transaction begins, end entities have to get the CA (and possibly RA) certificate(s) first. Since the requester may have no CA certificates or CA public keys at all, this message can not be encrypted and the response must be authenticated by out-of-band means.
[…]
If the requester does not have a certificate path to a trusted CA certificate, this fingerprint may be used to verify the certificate, by some positive out-of-band means, such as a phone call.

Let’s assume the situation where the clients already trust the built-in self-signed FOG server certificate. We could use that to establish a trusted communication channel and send the new CA certificate to the clients and tell them to install and trust it. Definitely a possible route. But what about clients that are switched off at that moment? We would need allow clients to use both CA trusts over a period of time till all of them have moved to the new one. This is definitely possible but complex to implement and I wouldn’t find the time although I find it interesting and challenging.

Trying to digg a little deeper if and how JAMF has solved the above mentioned trust problem when moving from one CA to another I found those notes in the manual:

Note: By default, Jamf Pro uses the signing and CA certificates for the Jamf Pro built-in CA. You must replace these certificates with the ones for the external CA when you initially set up the integration.

and

Note: If you need to make changes to your organizational or third-party CA in Jamf Pro, it is recommended that you contact your Jamf account representative. Changes to the PKI could lead to re-enrolling the mobile devices in your environment.

Now let’s look at the other situation where no clients have been pinned to the FOG server yet. If you re-compile the client to check on a different name in the CA cert you can happily use external CA certs without an issue.

Nevermind. Found it (in my own post history no less…)

https://wiki.fogproject.org/wiki/index.php?title=BIOS_and_UEFI_Co-Existence#Using_Windows_Server_2012_.28R1_and_later.29_DHCP_Policy

Cross linking this: https://forums.fogproject.org/topic/12506/client-inventory-option

@astrugatch We are booting and imaging over the internet.

@wayne-workman

Perfect. I already made the script, just didn’t know if it would add the machines to my list or just install the software and then not communicate with the server. Thanks!

@tom-elliott Is this rolled into the master branch now or should i move over to the working branch?

I’ve just updated to RC12 (didn’t know it was out when I posted) and that is working correctly. So, I guess, Solved?

Just realized I don’t have any spare machines that use the USB adapter on hand to test. Guess I’m gonna put a pause on this until the next batch of machines come in.

@tom-elliott This is the part I didn’t know when I restarted. Im back on 1.5 and good now.

Then you may need to reset the state of your environment.

git reset --hard
git checkout dev-branch
git pull
…

@astrugatch You’ve probably read through this?! Fairly easy to setup. Though if you really only need UEFI then you can go ipxe.efi “single handed” and you should be all fine.

Got it working. This can be marked as solved.