Macos bootstrap vs chef-client role

I am looking at using Chef to help manage end user devices (primarily macos), some of which are remote and on different networks.

I can't ssh to bootstrap devices, but I can use another tool to run arbitrary scripts to get chef installed. So far I've been using a slightly mod'd version of this script to get chef initially installed.

Mods being:

• Remove the org_cert bit
• Added 10.14 to the script
• Ignore admin check for now

I've tested by the running the chef-client command with daemonise and pointing to the runlist that's inserted etc, which seems to mostly have worked.

Part of the tutorials point to the chef-client cookbook which I am keen to use, but is it wise to use it in this scenario?
eg.
If a client picks up the chef-client cookbook and runs it, is it going to potentially wipe out the bootstrap install I've just ran?
Or if configured correctly will it ensure the chef client is installed correctly on every run?

Im conscious that I don't want to get it working, and then make a device uncontactable again because the config passed wasn't correct in the role. On the other hand, I want to ensure the client is always correctly configured as per the config from the server.

So far I've been testing using a Mac VM and have the client reporting back in the UI and run history. However under nodes the Mac host does seem to be missing some information:

(vagrant just my learning vm on ubuntu)
ARANDOMSERIAL being the macos VM in virtualbox. Is the result typical when running on Macos?

I'm not doing anything fancy currently, just running a role that places some files whilst I figure out what config I'd need to pass to the chef-client cookbook.

From a lot of reading, there seems to be suggestion that you need to get a certificate from the Chef Server (CA Cert?) to the host as well as the client certificate that get generated during the initial run? Any idea how / where you can get that from hosted chef.

Appreciate any help or guidance around these issues, or if anyone is doing similar.

Just replying here incase anyone else follows a similar track to me.

I worked out what the ORG_CRTshould have been in the script I was using and got the certs by combining the output of knife ssl fetch.

The reason I was getting run information but nothing showing up in the nodes dashboard was due to some settings in the script, eg. I commented out the whitelist parameters:

# whitelist = [
# ]
# automatic_attribute_whitelist whitelist
# default_attribute_whitelist []
# normal_attribute_whitelist []
# override_attribute_whitelist []

I also set:

no_lazy_load           true

Which I think was false previously.

I've now written a role which includes:

    "recipe[chef-client::default@11.1.1]",
    "recipe[chef-client::delete_validation]",

This has worked really well as the first run just ensures the chef-client is as configured in the role and after a bit of fiddling and tweaking, ensuring it runs periodically on Mac.
There are two ways to run chef periodically on mac. Default is launchd which doesn't show up in ps output, and the second is to run chef-client -d ... which confused me as I didn't know about mac's lacund. This was in the docs but it took me a long while to stumble across it whilst debugging.

Thanks to the people @ Chef Support for helping me with SSL options and an x509 issue I was seeing.