Skip to main content

Afternoon, all!

My organisation is managing the majority of it's mac estate via Jamf, which is of course, wonderful. We have a few that aren't under management currently, and i've been asked the following question:

'We need to get a certificate from our enterprise CA onto (the aforementioned unmanaged) macs to allow them to continue using VPN. Without the cert, the VPN will cease to function. Is there a command we can use for this?'

I'm now scouring the web searching for the commands to accomplish this and suspected the fine folk here might be able to point me in the right direction. Many thanks for any and all advice!!

Note: Yes i have suggested that they enrol the macs in Jamf and use this to push the certs, it doesn't seem to be a path they want to go down.

You could create a configuration profile with the cert, export it as a .mobileconfig file, then package it up and copy this to a location on the devices via Apple Remote Desktop or suchlike.

Then the following script to install the C/P (This can be added as a post install script in the .mobileconfig package

#!/bin/sh
/usr/bin/profiles -I -F "/path to your .mobileconfig file location"

If you want to delete the .mobileconfig file after installation, just add the line : rm "/path to your .mobileconfig file location"

That'll do it...

G'LUCK!

Is it the same cert for all Macs, or does each Mac get its own certificate?

In case it is the same cert for all Macs you can download that cert using curl and use "security add-certificates ..." to add the cert to the keychain.

So, macOS uses the Keychain as its built in trust store. You really just want to deploy certs over MDM config profiles to be honest. Otherwise laying a cert down via PKG and scripting installing it via the security command is not only crunchy, it doesn't scale.

Terms & ConditionsCookie settingsAccessibility statement