Question

How to protect 802.1x certificates from being exported and used on another device?

  • May 19, 2017
  • 3 replies
  • 63 views


Hi,

We use 802.1x certificates to connect our Macs (10.12) to our WiFi network. Although there is no user information in the certificate (just the workstation name), we store them in the user's login keychain. It works well so far; however, we want to protect the certificates from being exported and used on another (not entitled) device.

We tried to store the certificate in the system keychain instead of the user's login keychain. But it turned out that the user is asked for admin credentials whenever he tries to connect to the WiFi network, so that is not a usable solution.

Is there any best practice for handling 802.1x WiFi certificates?

Thanks
bye
Marcus.

3 replies

  • Contributor
  • May 19, 2017

If you're using the AD cert template in the JSS there's a tick box to allow/not allow exporting from the keychain.

If it's not ticked then you can't export.

Al


  • Author
  • New Contributor
  • May 19, 2017

Hi,

We don't plan to bind the Macs to AD, so we have an independent CA issuing the certificates. Can I use the AD cert template for any certificate?

Marcus.


Forum|alt.badge.img+7

+1 on Marcus' question