Exclude SSID in .mobileconfig file for Apple profiles doesn't work anymore

Frederik_Rooms
1 yr ago
14replies
Fixed

I used to rely on excluding SSID's when devices are on the local LAN. By doing that I could manage the DNS routing of my clients on the DNS server at home via DHCP. I opted for the Apple Profile option because that is an app less, and it does the job very well (nice walktrough by NextDNS by the way). But since a couple of months it doesn't seem to work anymore, although I've looked on the Apple Developer site and found out the SSIDmatch is still a valid value. So it's not that apple has changed the rules, or is it a bug?

I read a lot of help center tickets but they all seem to rely on the NextDNS app. I downloaded the app but I cannot find the option to exclude SSID either. Is something changed, did I miss something?

Next to iOS profiles, MacOS is not working either. All clients are on the latest OS.

- Mike_Pike
- 1 yr ago
- Reported - view
Having the same issue. Hopefully it gets fixed soon.
- Shubs
- 1 yr ago
- Reported - view
I believe exclude SSIDs AND DOMAINS aren't working anymore.

macOS Ventura 13.5.1
- spydrphi
- 1 yr ago
- Reported - view
I did some research and found a couple of different things that I think are driving this ... firstly, on demand rules process first in order, so the odd default orange.fr and t-mobile.com domains at the top of the list seem to be preventing it from getting to the SSIDMatch section. Additionally it appears to be missing the InterfaceTypeMatch key as well as the OnDemandEnabled Key. I was able to get it working correctly by downloading an unsigned report and updating the file. Removing everything after the </dict> relating to <Key>DNSSettings</key> up until the </array> right before <key>Payload Type</key> and replacing it with this:

   <key>OnDemandEnabled</key>

<integer>1</integer>

<key>OnDemandRules</key>

<array>

<dict>

<key>InterfaceTypeMatch</key>

<string>WiFi</string>

<key>SSIDMatch</key>

<array>

<string>SSID_1</string> 

<string>SSID_2</string> 



</array>

<key>Action</key>

<string>Disconnect</string>

</dict>



   <dict>

   <key>Action</key>

   <string>Connect</string>

   <key>InterfaceTypeMatch</key>

   <string>WiFi</string>

   </dict>



<dict>

<key>Action</key>

<string>Connect</string>

<key>InterfaceTypeMatch</key>

<string>Cellular</string>

</dict>



<dict>

<key>Action</key>

<string>Disconnect</string>

<key>InterfaceTypeMatch</key>

<string>Ethernet</string>

</dict>

Hope this helps.
- Michael_Bierman
- 1 yr ago
- Reported - view
How do you edit the profile? I tried the Apple tool and that didn't seem to work.
- Michael_Bierman
- 1 yr ago
- Reported - view
I'm rather surprised nextdns is not only not fixing this, but not commenting on this (at least that I can find.) I don't doubt the problem might have been introduced by Apple or someone else, but at least acknowledging the issue and putting out a plan (or a plan for a plan) by now is really essential.
- spydrphi
- 1 yr ago
- Reported - view
I just used TextEdit on the Mac to do it. As long as unsigned version it will be readable and easy to do. I can’t get Apple Configurator to work.
- Michael_Bierman
  
  1 yr ago
  
  Reported - view
  Ah! I hadn't tried the unsigned version. I still hope nextdns will fix this properly, but I'll give this a go. Thanks.
- NextDNs
  
  1 yr ago
  
  Reported - view
  it is already fixed. Did you try to recreate the profile again recently?
- Michael_Bierman
  
  1 yr ago
  
  Reported - view
  fantastic! thank you.
- spydrphi
  
  1 yr ago
  
  Reported - view
  thanks for the update on this, any chance you’d consider adding the option to set the “Disable on Ethernet” key to the profile builder? This is important to me as the only place I plug in my Laptop or iPadPro is at home where I am already using NextDNS Cli on the router and have a specific profile for that, but I want the Laptop/iPad Profile to kick in when I leave the house and am on other Wifi Networks. Thanks.
- Michael_Bierman
  
  1 yr ago
  
  Reported - view
  spydrphi maybe I'm not following your use case. Currently it will work on all networks except the one(s) you specify. So in your case, ignore at home... on everywhere else. Isn't that what you want?
  
  That said, I think it could be handy to have the ability to say, "use this profile on network A or B" and "use this other profile for network C" Maybe a bit of an edge case?
- spydrphi
  
  1 yr ago
  
  Reported - view
  Michael Bierman - the current profile allows you to ignore specific WiFi networks. I am looking to also be able to excluded a wired Ethernet connection. If you see the profile I pasted above I care for wireless, cellular and wired. The generator only manages WiFi though, others have to be added by hand.
- Michael_Bierman
  
  1 yr ago
  
  Reported - view
  I see. How do you specify a wired network? CIDR?
- spydrphi
  
  1 yr ago
  
  Reported - view
  It’s this piece of the code snippet:
  
  
  
  <dict>
  
  <key>Action</key>
  
  <string>Disconnect</string>
  
  <key>InterfaceTypeMatch</key>
  
  <string>Ethernet</string>
  
  </dict>
  
  If you look at the other keys there you will also see option for Cellular. I can’t think of a reason to not have that on, but figured I’d drop the option in the code just in case.

Content aside

Status Fixed
3 Likes
1 yr agoLast active
14Replies
726Views
7 Following

Exclude SSID in .mobileconfig file for Apple profiles doesn't work anymore

14 replies

Content aside

Home

Tags