We are in the process of setting up 802.1x, using EAP-TLS wifi authentication.
We deploy a configuration profile with SCEP/Network/Certificate payloads at the computer level, since we use Jamf Connect and recently found out that we cannot push configuration profiles at the user level as we were initially planning (the solution of re-enrolling all devices is a no-go).
Everything seems to be working, but our cyber security team challenged this configuration because Macs use that certificate to authenticate to the wifi regardless of the user logged in (for example, a user could create a local account and authenticate to the wifi, which apparently is not something they like).
My question is: is there any way to manage which user accounts are allowed to use that certificate? Example: only specific users, or only domain accounts?
One thing we have been discussing is utilizing the SSO plugin for JAMF Self-Service to allow for "self-enrollment" of device authentication certificates via a SCEP challenge/response, which you can do via a device-level SCEP configuration, but you would have to utilize the $USER variable (or create individuals, which, from experience, is not the way to go for scaling).
Otherwise, the solution is a captive portal after connecting to the wireless network which utilizes a distinct User Certificate.