
Bug Report: Associated Domains payload missing after update

Open poundbangbash opened this issue 1 month ago • 3 comments

Description

I'm seeing an issue where part of a mobileconfig payload goes missing in Jamf after applying changes via Terraform.

If I terraform destroy the target object from Jamf and let Terraform build the whole Configuration Profile policy from the same mobileconfig file, the policy is configured properly in Jamf.

This issue is only seen when the mobileconfig (see below) is re-uploaded to an existing Jamf policy.

Steps to Reproduce

  1. I created the Configuration Profile policy in Jamf GUI,
  2. validated the payload worked as expected on an endpoint,
  3. downloaded the .mobileconfig from Jamf to use in Terraform,
  4. removed the Jamf signature from the mobileconfig with security cms -D -i '/path/to/CP.mobileconfig' | plutil -convert xml1 -o '/path/to/CP-Unsigned.mobileconfig' -,
  5. created the TF resource,
  6. imported the TF resource, and
  7. verified there were no changes detected when running terraform plan

The TF and Jamf environments are synced. When I run terraform plan there are no changes detected. To test, if I make an edit to the Jamf configuration profile policy and run terraform plan the changes are detected.

Expected Behavior

When a change is detected in the resource, applying the change plan would result in a complete Jamf Configuration Profile policy with all data in both the Single Sign-On Extensions and Associated Domains Jamf objects.

Actual Behavior

If terraform plan detects a change and I then terraform apply the plan, the result in Jamf is that the Associated Domain entries are removed from the Jamf Configuration Profile object. Only the domain entries for the Associated Domains object are missing; the object itself is still listed in the Jamf Configuration Profile policy UI. This is also confirmed by the Associated Domain payload contents not being delivered to the scoped machine. In this TF state, every time I issue a terraform plan it still detects changes are needed, but when terraform apply runs the changes are not made and the cycle continues.

Environment

  • OS: macOS
  • Terraform Version: Terraform v1.13.3
  • Provider Version: registry.terraform.io/deploymenttheory/jamfpro v0.28.0

Additional Context

Enabling logging with TF_LOG=debug TF_LOG_PATH="terraform-debug.log" terraform plan shows some WARN references around unexpected data on a couple of mobileconfig files, one being the Single Sign-on Extension payload. I'm new to TF and am not sure what those warnings mean. Two other TF-managed payloads show the same warning-type messages and are functioning fine in Jamf.

Screenshots or Videos

Jamf Configuration prior to Terraform update: Image

Terraform detecting plan changes, including the Associated Domain data: Image

Jamf Configuration after the Terraform update: Image

Redacted Jamf Configuration Profile mobileconfig:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>Configuration</key>
			<array>
				<dict>
					<key>ApplicationIdentifier</key>
					<string>B7F62B65BN.com.okta.mobile</string>
					<key>AssociatedDomains</key>
					<array>
						<string>authsrv:okta.domain.com</string>
					</array>
				</dict>
				<dict>
					<key>ApplicationIdentifier</key>
					<string>B7F62B65BN.com.okta.mobile.auth-service-extension</string>
					<key>AssociatedDomains</key>
					<array>
						<string>authsrv:okta.domain.com</string>
					</array>
				</dict>
			</array>
			<key>PayloadDescription</key>
			<string>Only for 10.15 MacOS</string>
			<key>PayloadDisplayName</key>
			<string>ASSOCIATED_DOMAINS</string>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>4D9D779D-DE41-4D91-8633-0354245ACFD8</string>
			<key>PayloadOrganization</key>
			<string>Company Name</string>
			<key>PayloadType</key>
			<string>com.apple.associated-domains</string>
			<key>PayloadUUID</key>
			<string>4D9D779D-DE41-4D91-8633-0354245ACFD8</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>AuthenticationMethod</key>
			<string>Password</string>
			<key>ExtensionIdentifier</key>
			<string>com.okta.mobile.auth-service-extension</string>
			<key>Hosts</key>
			<array/>
			<key>PayloadDisplayName</key>
			<string>Single Sign-On Extensions Payload</string>
			<key>PayloadIdentifier</key>
			<string>A0FEEC08-68E7-4187-A1FB-3663BDCA7D3F</string>
			<key>PayloadOrganization</key>
			<string>JAMF Software</string>
			<key>PayloadType</key>
			<string>com.apple.extensiblesso</string>
			<key>PayloadUUID</key>
			<string>A0FEEC08-68E7-4187-A1FB-3663BDCA7D3F</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PlatformSSO</key>
			<dict>
				<key>AccountDisplayName</key>
				<string>Company Name</string>
				<key>AllowDeviceIdentifiersInAttestation</key>
				<true/>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>EnableAuthorization</key>
				<true/>
				<key>EnableCreateFirstUserDuringSetup</key>
				<true/>
				<key>EnableCreateUserAtLogin</key>
				<true/>
				<key>EnableRegistrationDuringSetup</key>
				<true/>
				<key>LoginPolicy</key>
				<array>
					<string>AttemptAuthentication</string>
				</array>
				<key>NewUserAuthenticationMethods</key>
				<array>
					<string>Password</string>
				</array>
				<key>NewUserAuthorizationMode</key>
				<string>Standard</string>
				<key>NonPlatformSSOAccounts</key>
				<array>
					<string>account1</string>
					<string>account2</string>
				</array>
				<key>SynchronizeProfilePicture</key>
				<true/>
				<key>TokenToUserMapping</key>
				<dict>
					<key>AccountName</key>
					<string>macOSAccountUsername</string>
					<key>FullName</key>
					<string>macOSAccountFullName</string>
				</dict>
				<key>UseSharedDeviceKeys</key>
				<true/>
				<key>UserAuthorizationMode</key>
				<string>Standard</string>
			</dict>
			<key>RegistrationToken</key>
			<string>54321</string>
			<key>TeamIdentifier</key>
			<string>B7F62B65B</string>
			<key>Type</key>
			<string>Redirect</string>
			<key>URLs</key>
			<array>
				<string>https://okta.domain.com/device-access/api/v1/nonce</string>
				<string>https://okta.domain.com/oauth2/v1/token</string>
			</array>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string></string>
	<key>PayloadDisplayName</key>
	<string>[Config] Platform SSO Extensions</string>
	<key>PayloadEnabled</key>
	<true/>
	<key>PayloadIdentifier</key>
	<string>AC905D64-5F0E-4260-A15E-997ABF531258</string>
	<key>PayloadOrganization</key>
	<string>Company Name</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>AC905D64-5F0E-4260-A15E-997ABF531258</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Logs & Console Output

I'm not sure what is relevant but I can gather whatever logging or information may be beneficial with some instruction of how to gather it.

Priority

How critical is this issue? Choose one of the following:

  • High (Causes significant problems, needs prompt attention)

I would say this is a High criticality issue, as the Terraform apply event happens successfully and there is no indication that anything is wrong in the payload. I only happened to notice the missing data because the PSSO Setup Assistant process was failing to connect due to missing Associated Domains.

poundbangbash avatar Nov 18 '25 22:11 poundbangbash

I am seeing the same behaviour when uploading your test profile above via the Jamf Pro UI.

I can reproduce it if the file is using spaces for indentation. If I switch to tabs and re-save, the domains appear...

Can you try changing indents in your source file to tabs, saving and then applying again?

Assuming VSCode it's https://code.visualstudio.com/docs/editing/codebasics#_autodetection

Click the part in the status bar (bottom right) that says Spaces: 4, choose Indent Using Tabs then 4. Then save the file and try again.

Not sure about other editors ;)

neilmartin83 avatar Nov 19 '25 20:11 neilmartin83
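A pre-apply check for the space-versus-tab indentation problem described in the comment above, written as an added example that is not part of this issue or the provider's own code: it reports the indentation style of a mobileconfig, re-serializes it through Python's plistlib (which writes tab-indented XML) and refuses to hand back output in which any AssociatedDomains entry was lost. The sample profile, its team identifier and its domain are constructed.

```python
import plistlib
import re

# Constructed sample: a minimal mobileconfig indented with four spaces,
# mirroring the com.apple.associated-domains payload structure in the issue.
SPACE_INDENTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>Configuration</key>
            <array>
                <dict>
                    <key>ApplicationIdentifier</key>
                    <string>TEAMID.com.example.app</string>
                    <key>AssociatedDomains</key>
                    <array>
                        <string>authsrv:sso.example.com</string>
                    </array>
                </dict>
            </array>
            <key>PayloadType</key>
            <string>com.apple.associated-domains</string>
        </dict>
    </array>
</dict>
</plist>
"""

def indentation_style(data: bytes) -> str:
    """Report whether indented lines use spaces, tabs, both, or none."""
    leading = re.findall(rb"^([ \t]+)\S", data, re.M)
    has_space = any(b" " in l for l in leading)
    has_tab = any(b"\t" in l for l in leading)
    return {(True, True): "mixed", (True, False): "spaces",
            (False, True): "tabs"}.get((has_space, has_tab), "none")

def associated_domains(data: bytes) -> dict:
    """Map ApplicationIdentifier -> AssociatedDomains across every
    com.apple.associated-domains payload in the profile."""
    found = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.associated-domains":
            for entry in payload.get("Configuration", []):
                found[entry["ApplicationIdentifier"]] = list(entry.get("AssociatedDomains", []))
    return found

def normalize_to_tabs(data: bytes) -> bytes:
    """Round-trip through plistlib (tab-indented output) and verify that
    the set of associated-domain entries is unchanged before returning."""
    before = associated_domains(data)
    out = plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML)
    if associated_domains(out) != before:
        raise ValueError("associated domains changed during normalization")
    return out
```

Run it over the unsigned mobileconfig from step 4 of the report before pointing the Terraform resource at the file; the returned bytes are what to commit.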

@poundbangbash If you're able to compile a version of the provider from #935 and test updating that profile, it should work properly. It's consistently updating for me correctly now, preserving the Associated Domain entries when the provider isn't applying space indentation during updates.

neilmartin83 avatar Nov 19 '25 21:11 neilmartin83

I've compiled and tested the updated code and can confirm the issue is resolved. Using the same mobileconfig when replicating the issue:

  1. Used Terraform to create a new Configuration Profile policy in Jamf; Associated Domains and Single Sign-On payloads are created properly.
  2. Modified the Jamf policy in the Jamf UI to remove one Associated Domains domain entry. terraform plan saw the change and re-applied the mobileconfig back to the original state; both Associated Domains were present in Jamf.
  3. Edited the local mobileconfig resource file to remove an Associated Domain domain entry. terraform plan saw the change and applied the edited mobileconfig to Jamf properly.

All scenarios ended up in the proper, expected results in the Jamf UI and Jamf deployed payload.

poundbangbash avatar Nov 21 '25 15:11 poundbangbash