802.1x using System Mode

dlondon
Valued Contributor

Hi,

Just wondering if there is a way to do 802.1x to Wifi using Jamf in System Mode

System Mode: Used for computer authentication and occurs even when a user isn’t logged in to the Mac

See https://support.apple.com/en-au/guide/deployment-reference-macos/apd7b6d34790/web

I have it configured currently to a different mode to those listed – we have a machine cert provided by Active Directory, A CA cert for the directory and a ICA cert for the directory. In addition I have a Wifi Config profile that forces the machine to use WPA 2 Enterprise as the security and EAP-TLS as the protocol for a particular SSID that the 802.1x is enabled on. With the way I have it set up, the connection works but only when the user logs in. The Network Team is asking if I can make it connect before logon so that new users can use the machine (they are all AD connected)

13 REPLIES 13

bishopz
New Contributor III

In the general tab on your Wifi configuration profile, is at set at computer level?

dlondon
Valued Contributor

Thanks @bishopz Yes - set to Computer level. Here are some screen shots

a8054f41396b402e86c30bcd5873ac63

701713fcc2df47b786140f6c8fb55cae

bwoods
Valued Contributor

You most likely need to configure the ADCS Connector so that Jamf can distribute a certificate on behalf of your Root CA.

dlondon
Valued Contributor

Thanks @bwoods - yes we have a certificate from AD with the machine name that is used. Also the root and ICA cert for AD.

bwoods
Valued Contributor

@dlondon are you using ADCS or a SCEP Configuration Profile though?

snowfox
Contributor III
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<!-- Root Payload -->
<dict>
<key>PayloadUUID</key><string>ignored.A4209626-CB70-4F38-B204-2C426A1A6B04</string>
<key>PayloadType</key><string>SystemConfiguration</string>
<key>PayloadOrganization</key><string>YOURCOMPANY</string>
<key>PayloadIdentifier</key><string>ignored.A4209626-CB70-4F38-B204-2C426A1A6B04</string>
<key>PayloadDisplayName</key><string>802.1x Wi-Fi</string>
<key>PayloadDescription</key><string>802.1x Wi-Fi</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PayloadEnabled</key><true/>
<key>PayloadRemovalDisallowed</key><true/>
<key>PayloadScope</key><string>System</string>
<key>PayloadContent</key>
    <array>
        <!-- Certificate Payload -->

        <!-- Ethernet or Wi-Fi Payload -->
        <dict>
            <key>PayloadUUID</key><string>EB130048-4296-449F-B364-F61AE96B60B8</string>
            <key>PayloadType</key><string>com.apple.wifi.managed</string>
            <key>PayloadOrganization</key><string>YOURCOMPANY</string>
            <key>PayloadIdentifier</key><string>com.apple.wifi.managed.EB130048-4296-449F-B364-F61AE96B60B8</string>
            <key>PayloadDisplayName</key><string>802.1x Wi-Fi</string>
            <key>PayloadDescription</key><string/>
            <key>PayloadVersion</key><integer>1</integer>
            <key>PayloadEnabled</key><true/>
            <key>PayloadScope</key><string>System</string>
            <key>HIDDEN_NETWORK</key><false/>
            <key>EncryptionType</key><string>Any</string>
            <key>AutoJoin</key><true/>
            <key>CaptiveBypass</key><false/>
            <key>ProxyType</key><string>None</string>
            <key>SSID_STR</key><string>NETWORK_SSID_GOES_HERE</string>
            <key>SetupModes</key>
                <array>
                    <string>Loginwindow</string>
                    <string>System</string>
                </array>
            <key>AuthenticationMethod</key><string>directory</string>
            <key>Interface</key><string>BuiltInWireless</string>

            <!-- Enterprise Profile -->
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key><array><integer>25</integer></array>
                <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
                <key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>
                <!-- <key>OneTimePassword</key><true/> -->
                <!-- <key>OneTimeUser</key><true/> -->
                <!-- <key>TLSAllowTrustExceptions</key><true/> -->
                <key>UserName</key><string></string>
                <key>UserPassword</key><string></string>

                <key>TLSTrustedServerNames</key>
                <array>
                    <string>*.YOUR.DOMAIN</string>
                </array>

                <key>PayloadCertificateAnchorUUID</key>
                <array>
                    <string>CERTIFICATE ID GOES HERE</string><!-- Certificate Payload To Trust -->
                    <string>CERTIFICATE ID GOES HERE</string><!-- Certificate Payload To Trust -->
                </array>
            </dict>           
        </dict>
    </array>
</dict>
</plist>

snowfox
Contributor III

This is one I created manually. It's not exactly the same as what you are doing as it uses PEAP and MSCHAPv2 but it works at the login screen (i.e. wi-fi icon top right is enabled and user will authenticate to the pre-chosen SSID network when they enter their username and password.). I had to enable this for a lab of iMacs that didn't have ethernet wall ports, wif-fi only. The main difference between one that works when the user is logged in and one that works at the login screen is:

<key>PayloadType</key><string>SystemConfiguration</string>

I don't think Jamf Pro can do this natively. If you upload a manually created one without signing it, it will work but if you try to edit any settings there after, jamf will eat it for breakfast and it will stop working.

You should be able to find the parts you need in this config file to get your own working at the login screen.
But as I said above, you may have to create it manually and possibly sign it with a certificate if you want it to remain read-only from Jamf Pro.

(Jamf Pro's 802.1x options are 'not fully featured' in what it can do natively and it may have some bugs here and there regarding 'directory authentication' - according to my past experience with it.)

dlondon
Valued Contributor

Thanks @snowfox - much appreciated.

@bwoods we are using ADCS and created a custom template in the Issuing Certificate Authority server. Cisco ISE (which controls access) is happy with the cert when the machine is configured. I have another post regarding the fact that the user is having to choose the cert but I think that may have been answered. See https://www.jamf.com/jamf-nation/discussions/38549/802-1x-wifi-using-machine-certificates

teodle
Contributor II

@snowfox  we are struggling with getting a wifi config profile for our wifi computer labs that won't drop the connection at the login window (after a student logs off) and thus prevent the Macs from communicating with the MDM. I was hoping to simply copy your xml into a text file, name it with .mobileconfig and then use imazing profile editor to edit it with the stuff we need to make it work in our environment, since apparently the built-in JAMF Config Profile editor has a lot of limitations. However, no GUI profile editor will open the file. I just pasted the code into a plaintext editor and saved the file as .mobileconfig. But every app I try to use (iMazing; Configurator2) crashes or errors on trying to open the file. It's just xml. Is there something I'm missing? 

 

 

snowfox
Contributor III

They wont because those programs don't support the SystemConfiguration string in the payload type.

All programs that I've used to generate a Wi-Fi payload (Jamf, iMazing, Configurator 2) whether its a simple one to connect to a WPA2 network or a more complicated one to connect to an 802.1x network, they all create payloads using:

 

<key>PayloadType</key><string>System</string>

 

This will only turn on the Wi-Fi adapter once the user logs into macOS (and turns it off when they log out).

You have to customise it after file creation in a text editor such as BBEdit or SublimeText and change it to:

 

<key>PayloadType</key><string>SystemConfiguration</string>

 

Then the wi-Fi adapter will auto power on at the login screen when the machine boots and the Wi-Fi icon will turn white.

Likewise when a user logs out, you need the above in your configuration profile so the wi-fi adapter stays powered on when no user is logged in.

This is a non-standard undocumented setting (but it works).  I tore my hair out trying to get Wi-Fi working at the login screen for ages and had to compare other peoples example files to my own to spot what the difference was.

What I normally do if I'm starting from scratch is, I will create the payload the way I want it configured first in Jamf or iMazing etc.  Then I will download it (sanitise it if its Jamf) and open it in BBEdit or SublimeText (to look at the code).  Change the payload type to SystemConfiguration and then manually install it on a test machine to see if it works correctly.  If it works I upload it to Jamf and test deploy it to a machine.

Also be careful copying and pasting code off websites.  Sometimes quote marks are substituted for another character that looks like a quote mark but leans to the right instead of vertical.  Replacing the fake quote marks with actual quote marks can solve the problem.

Its also possible the above xml example has settings in it, that the GUI wizards don't support by default.

Also, make sure your document is saved with UTF-8 encoding and hasn't been substituted with another character encoding automatically by your text editor.

Screenshot 2023-02-24 at 19.25.18.png

<?xml version="1.0" encoding="UTF-8"?>

Thanks.  It's crazy that there are all these undocumented keys that one just has to somehow figure out. I just have one question. What's the recommended method to "sanitize" a config profile that has been downloaded from JAMF for manual editing? 

I do understand the need to sign custom mobileconfig files FIRST before uploading to jamf. (not let JAMF sign them because they won't work. I would rather have them work and be read-only in JAMF than have them not work and be editable in JAMF.

 

 

snowfox
Contributor III

I just do it by hand using BBedit as I rarely have to do it.  (any code in red with strange non english characters gets deleted and anything after the last 'plist' bracket.  Don't delete the DOCTYPE line, its also in red) I'm sure there's a better way.  Rich Trouton may have had a blog post about it too as I recall.  I never delved deep into it. 

Any Jamf experts out there know the best way to remove the encryption code from a downloaded Jamf Configuration Profile?

Hi, what is the purpose of sanitizing a profile downloaded from Jamf?