I just recently started doing it myself because I was having problems with the machines encountering an obscure error and removing the WiFi profile by themselves.
By adding it at imaging time, the MDM Framework does not control it so the profile does not get removed. It allows the machines to remain in contact with the network and allows me to fix the rest of the profiles without any machine downtime.
I don't do this for all the profiles, just the WiFi one, since the machines are essentially offline when they have problems. Not a huge fan of this method because I lose the power from utilizing MDM, but in this situation it's a fair trade for me.
Have you got 802.1x machine authentication working?
@kumarasinghe, we have 802.1x machine auth working on a test domain, but not in production. It makes it a little hard to test right now with our imaging flow as the test domain is totally separate from our production (and even our test) JSS. In the test environment, we are installing the profile with the profiles command in terminal.
I'm trying to think through how we'll best deploy it when we do move it to production.
We use the following scheme when packaging our 802.1x wireless profile for OS 10.7 and 10.8:
- Build the 802.1x profile with Lion or MtnLion server. (Example: 196-Wireless.mobileconfig)
- Create a deploy package (.pkg) with Composer containing our 802.1x .mobileconfig profile. In our case we place the .mobileconfig profile in a temporary folder in the System Library.
- Add a postinstall script to install the profile and then delete the temporary folder containing the .mobileconfig.
example:
------------------------------------------------------------------------------
#!/bin/sh
## postinstall
# Install the staged 802.1x profile at the system (computer) level.
profiles -I -F /Library/TempFolder/196-Wireless.mobileconfig || exit 1
# Remove the staging folder so the .mobileconfig does not stay on disk.
rm -r /Library/TempFolder
------------------------------------------------------------------------------
We set the .pkg to install to the boot volume at imaging time. This has served us well on both OS 10.7 and 10.8. I hope this helps...
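As an added example (not the poster's script), here is a variant of that postinstall which checks the `profiles -P` listing for the payload identifier before deleting the staging folder, so a failed install does not also throw away the only copy of the profile. The identifier com.example.196-wireless and the sample listing are assumed/constructed values, not from the thread.

```sh
#!/bin/sh
# Added example: install the staged .mobileconfig, confirm it is listed by
# `profiles -P`, and only then remove the staging folder.
# STAGE_DIR, PROFILE and IDENT are assumed values for illustration.
STAGE_DIR="/Library/TempFolder"
PROFILE="$STAGE_DIR/196-Wireless.mobileconfig"
IDENT="com.example.196-wireless"   # assumed PayloadIdentifier of the profile

# Constructed sample of a `profiles -P` listing, used to exercise the
# checks below offline (not captured from a real machine).
SAMPLE_LISTING='_computerlevel[1] attribute: profileIdentifier: com.example.196-wireless
_computerlevel[2] attribute: profileIdentifier: com.example.mdm-enrollment
There are 2 system configuration profiles installed'

# Succeed (0) if the `profiles -P` listing in $1 contains identifier $2.
# The trailing anchor prevents a prefix such as com.example.196 matching.
profile_installed() {
    printf '%s\n' "$1" | grep -q "profileIdentifier: $2\$"
}

# Count the system-level profiles reported in a `profiles -P` listing ($1).
profile_count() {
    printf '%s\n' "$1" | grep -c '^_computerlevel\['
}

# Install, verify, and only then delete the staged file. A non-zero exit
# makes the package install report the problem instead of silently leaving
# the machine without its wireless profile.
install_and_verify() {
    profiles -I -F "$PROFILE" || { echo "profiles -I failed" >&2; return 1; }
    listing=$(profiles -P 2>/dev/null)
    if profile_installed "$listing" "$IDENT"; then
        rm -rf "$STAGE_DIR"
        return 0
    fi
    echo "$IDENT not listed after install; keeping $PROFILE" >&2
    return 2
}

# Run the real install only where the macOS `profiles` tool exists.
if command -v profiles >/dev/null 2>&1; then
    install_and_verify
fi
```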
We install all through config profiles from the JSS.
Internal CA cert, machine auth 802.1x etc.
No issues for us using the built-in method.
Got it working. The missing step was to create a Machine Template with the alternative subject name setting set to “User Principal Name (UPN)” for the "AD Certificate" payload.
Read this for more info:
http://tinyurl.com/bljyoha
Thanks everyone for the feedback.