
We just got the Jamf AD CS Connector set up for our environment. It's awesome considering we were using an ancient, user-initiated script through Self Service for a long time to accomplish the same thing.



However, I am wondering what the best practice is for pushing the wireless config during or after enrollment. As part of our zero touch efforts, we have the user enroll using our guest wifi network when on site. I'd like to get the wifi profile installed as close to enrollment time as possible so when it does its post-enrollment tasks (installing security software, settings, etc.) it will pull from on-site distribution points rather than our Internet-facing distribution point.



Has anyone had success with this? I seem to find myself getting railroaded installing this profile, as it interrupts either the enrollment or post-enrollment when it automatically switches from our guest network to the corporate network.



Thanks in advance for any thoughts.

I am also looking for the best practice method of deploying our 802.1x WiFi. I am at the beginning stages of the testing process of the PreStage. The advice would be much appreciated.


After going through several iterations of this, I would recommend running an NDES server and setting up Jamf as a SCEP proxy. This will allow you to deploy certificates over less secure networks to allow them to jump onto the private network.


I have tried convincing my team to do a SCEP Proxy but no one wants to do it. In order to provision our devices they need to be wired and configured prior to giving them to the user. At this time I am adding the wireless configuration profile in the PreStage. This wireless profile is a device-authenticated profile; the device is then named, then added to the domain, and when the user logs on with their user account it gives them access to resources. Any better suggestions to step through this process smoothly? Order/Sequence...


@a.stonham Could you give more detail on how you configured the WiFi profile? I have SCEP proxy and NDES set up and it is working. I am running into issues trying to get the WiFi profile to trust the certificate that it pushes out. Everything that I try and configure still prompts for username and password. Any help is appreciated!



Thanks.


@UbiquitousChris did you ever find a solution to this? We are running into the same issue with enrollment triggers failing to kick in when our wireless 802.1x profile is deployed in the PreStage or scoped to all computers at provisioning time.


I’m curious as well on this. Our desktop team has one open port that they use to enroll our Macs. It would be nice to use our guest network to enroll, so they can enroll Macs at their desk if needed. We can’t have any open ports except in a locked room.


Why not scope the profile to a smart group that is dependent upon a receipt or EA that can be populated after enrolment is complete?


We leverage SCEP with a system configuration profile at enrollment that works most of the time. However, if that method fails, you could, if you want, just write a script that leverages the Jamf API to put computers into a group during your setup process. I just put a long sleep to give it time to connect. We do this for a subset of devices that don’t get the normal network profile.
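
The approach in the last reply (a script that uses the Jamf API to put the computer into a group during setup, so that a Wi-Fi profile scoped to that group installs late) could look like the following. This is an added example, not code from any poster in this thread; the server URL, group ID, account variables, `--run` switch and the position of the delay are assumptions.

```shell
#!/bin/bash
# Added example: add this Mac to a static group via the Jamf Pro Classic API at
# the end of provisioning. Placeholders (assumptions, not from the thread):
# JAMF_URL, GROUP_ID, API_USER, API_PASS, SETTLE_SECONDS.
# Use an API account that can only update static computer groups, since its
# credentials are present on the client while the script runs.

JAMF_URL="${JAMF_URL:-https://jamf.example.com:8443}"   # placeholder server
GROUP_ID="${GROUP_ID:-0}"                               # placeholder static group id
SETTLE_SECONDS="${SETTLE_SECONDS:-300}"                 # the "long sleep"

# Escape the characters that are special in XML text.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Classic API body that appends one computer, by serial number, to a static group.
build_group_addition_xml() {
  printf '<computer_group><computer_additions><computer><serial_number>%s</serial_number></computer></computer_additions></computer_group>' "$(xml_escape "$1")"
}

# Exchange the API account credentials for a short-lived bearer token.
get_token() {
  curl -sf -u "${API_USER}:${API_PASS}" -X POST "${JAMF_URL}/api/v1/auth/token" |
    sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p'
}

add_self_to_group() {
  local serial token
  serial=$(ioreg -c IOPlatformExpertDevice -d 2 |
    awk -F'"' '/IOPlatformSerialNumber/ {print $4}')
  [ -n "$serial" ] || { echo "could not read serial number" >&2; return 1; }
  token=$(get_token)
  [ -n "$token" ] || { echo "no API token" >&2; return 1; }
  curl -sf -X PUT -H "Authorization: Bearer ${token}" \
    -H "Content-Type: application/xml" \
    -d "$(build_group_addition_xml "$serial")" \
    "${JAMF_URL}/JSSResource/computergroups/id/${GROUP_ID}" >/dev/null || return 1
  # One reading of the post's "long sleep": wait for the profile to install
  # and the Mac to join the corporate network before later steps continue.
  sleep "$SETTLE_SECONDS"
}

# Only touch the network when asked to, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
  add_self_to_group
fi
```

Run it as the last provisioning step with `--run`, after the tasks that should still use the enrollment network.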