AD Certificate - Computer level certs for WiFi

We have yet to integrate cert based Wifi access, but as part of that process I've gotten the machine certs working on the Macs.
Computer level profile
Certificate payload - Has root cert
AD Cert payload - Has certificate server (http://YOURSERVERNAME/certsrv), Certificate Authority name, and a Certificate Template.

Most of these settings would come from your AD server guys.

Thanks. I'm also the AD server guy in my company. All the settings are correct and I am able to generate computer certificates through Casper. I'm more concerned if I'm following best practices. As mentioned in the original post, we've had some issue with user based wifi certificates managed through Jamf Configuration Profiles with user's being randomly dropped off wifi, and I'm afraid we're going to run into similar issues.

While I can't confirm if that is considered best practice, it is exactly what we are doing for our machine issued AD certificates. With that said, we also still have occasional issues with machines randomly no longer connecting to wifi (which we can't seem to really pinpoint the root cause). We have created a self service item to repush the wifi profile and the certificate, and also an automated task to clean up any old certificates that may still be in the keychain.

@jzeles Thanks. Would you be able to share the process of creating the self service repush and the automated task to cleanup?

So you have 1 policy that is set to automatically install, then another policy that's identical set to "available for self service"?

.

.

@jzeles On the configuration profile that you use to push the wifi settings, do you include all the necessary certs in the same profile? I've found that including the certificates in the profile while over wifi causes the wifi to drop off.

If I deploy the certs in a separate profile, then deploy the AD certificate request / wifi settings, it works 100%.

@bbot

We use 2 separate config profiles:
One for the ROOT CA's and another for Computer Cert and Wifi Config.

Our CA Cert profile is scoped to all machines.
The combined AD Cert and Wifi Profile is scoped to machines with the correct CAs installed and that were imaged more than 30 mins ago.

We have a rather large AD environment and computer object propagation can take up to 30 minutes. So I also have an additional extension attribute that checks to see if the machine was imaged more than 30 minutes ago. (Checks the mtime of .AppleSetupDone).

Machines that were imaged less than 30 minutes ago are reconed every 15 minutes ongoing.

Ash

Ash, you're a genius. I'll look into using a smart group to determine machines with the proper certs, then use it as a scope for the wifi config profile.

I'll have to test my computer object propagation, but our environment is not that large, so my assumption is the computer object will show up shortly after imaging. If it doesn't, i may come bugging you for that ea.

Thanks!

@bbot
Here is the EA for Config Profiles. I think this is not necessary if you are 9.98 but we have not updated yet.

EA for Configuration Profiles Installed:

#!/bin/sh



PROFILES=`profiles -C -v | grep attribute | awk '/name/{$1=$2=$3=""; print $0}'`

if [[  -n "$PROFILES" ]]; then

    echo "<result>$PROFILES</result>"

else

    echo "<result>Not Installed</result>"

fi





exit 0

Here is the extension attribute for setup 30 mins ago:

#!/bin/bash

TESTFILE="/var/db/.AppleSetupDone"



if [ ! -f "$TESTFILE" ]; then

        echo "<result>No File Found</result>";

        exit 0;

fi



if test `find "$TESTFILE" -mmin +30`

then

    echo "<result>Yes</result>"

else

    echo "<result>No</result>"

fi



exit 0;