AD Certificate - Computer level certs for WiFi

bbot
Contributor

We're in the process of creating a new CA server and making new certs. A part of this change includes moving away from AD user based certificates to AD computer level certificate authentication. Can someone review my configuration profile before I implement this change to all of our Macs to ensure I'm following best practices?

We have the following:
1 configuration profile that includes the Root and Sub certificates
1 configuration profile that has the AD certificate settings and configurable wifi settings

Am I correct in thinking that both of these configuration profiles need to be combined into one?

In the past with user-based certificates, we found that machines were randomly requesting new user certificates every so often, and sometimes would fail, causing their machines to lose wifi. Has anyone had experience with the computer certificate configuration above and had similar issues?


seann
Contributor

We have yet to integrate cert based Wifi access, but as part of that process I've gotten the machine certs working on the Macs.
Computer level profile
Certificate payload - Has root cert
AD Cert payload - Has certificate server (http://YOURSERVERNAME/certsrv), Certificate Authority name, and a Certificate Template.

Most of these settings would come from your AD server guys.

bbot
Contributor

Thanks. I'm also the AD server guy in my company. All the settings are correct and I am able to generate computer certificates through Casper. I'm more concerned about whether I'm following best practices. As mentioned in the original post, we've had some issues with user-based wifi certificates managed through Jamf Configuration Profiles, with users being randomly dropped off wifi, and I'm afraid we're going to run into similar issues.

jzeles
New Contributor II

While I can't confirm if that is considered best practice, it is exactly what we are doing for our machine issued AD certificates. With that said, we also still have occasional issues with machines randomly no longer connecting to wifi (which we can't seem to really pinpoint the root cause). We have created a self service item to repush the wifi profile and the certificate, and also an automated task to clean up any old certificates that may still be in the keychain.

bbot
Contributor

@jzeles Thanks. Would you be able to share the process of creating the self service repush and the automated task to cleanup?

So you have 1 policy that is set to automatically install, then another policy that's identical set to "available for self service"?

bbot
Contributor

@jzeles On the configuration profile that you use to push the wifi settings, do you include all the necessary certs in the same profile? I've found that including the certificates in the profile while over wifi causes the wifi to drop off.

If I deploy the certs in a separate profile, then deploy the AD certificate request / wifi settings, it works 100%.

a_stonham
Contributor II

@bbot

We use 2 separate config profiles:
One for the Root CAs and another for the Computer Cert and Wifi Config.

Our CA Cert profile is scoped to all machines. The combined AD Cert and Wifi Profile is scoped to machines with the correct CAs installed and that were imaged more than 30 mins ago.

We have a rather large AD environment and computer object propagation can take up to 30 minutes. So I also have an additional extension attribute that checks to see if the machine was imaged more than 30 minutes ago (it checks the mtime of .AppleSetupDone).

Machines that were imaged less than 30 minutes ago are recon'd every 15 minutes, ongoing.

Ash

bbot
Contributor

Ash, you're a genius. I'll look into using a smart group to determine machines with the proper certs, then use it as the scope for the wifi config profile.

I'll have to test my computer object propagation, but our environment is not that large, so my assumption is the computer object will show up shortly after imaging. If it doesn't, I may come bugging you for that EA. :)

Thanks!

a_stonham
Contributor II

@bbot Here is the EA for Config Profiles. I think this is not necessary if you are on 9.98, but we have not updated yet.

EA for Configuration Profiles Installed:

#!/bin/bash

# Lists the names of the computer-level configuration profiles installed on this Mac.
# `profiles -C -v` prints one line per profile containing "attribute: name: <profile name>";
# awk blanks the first three fields (the level, "attribute:" and "name:") so only the name remains.
PROFILES=$(profiles -C -v | grep attribute | awk '/name/{$1=$2=$3=""; print $0}')

if [ -n "$PROFILES" ]; then
    echo "<result>$PROFILES</result>"
else
    echo "<result>Not Installed</result>"
fi

exit 0

Here is the extension attribute for setup 30 mins ago:

#!/bin/bash

# Reports whether Setup Assistant completed more than 30 minutes ago, using the
# mtime of /var/db/.AppleSetupDone as a proxy for when the Mac was imaged.
TESTFILE="/var/db/.AppleSetupDone"

if [ ! -f "$TESTFILE" ]; then
    echo "<result>No File Found</result>"
    exit 0
fi

# find prints the path only if the file was last modified more than 30 minutes ago.
if [ -n "$(find "$TESTFILE" -mmin +30)" ]; then
    echo "<result>Yes</result>"
else
    echo "<result>No</result>"
fi

exit 0
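A companion extension attribute for the scoping approach Ash describes (Wi-Fi/AD cert profile scoped only to machines that already have the CAs). This is an added example, not code from the thread or from any of its posters: instead of keying on the name of the installed profile, it checks the System keychain for the Root CA itself, matched by SHA-1 fingerprint, so the smart group only admits machines whose trust anchor is actually present. The fingerprint in EXPECTED_SHA1 is a placeholder and an assumption; replace it with the value `security find-certificate -Z` prints for your real Root CA.

```bash
#!/bin/bash
# Added example (not from the thread): a Jamf extension attribute that reports
# whether a specific Root CA is present in the System keychain, matched by its
# SHA-1 fingerprint rather than by the name of the profile that delivered it.
# EXPECTED_SHA1 is a placeholder fingerprint (assumption); replace it with the
# one `security find-certificate -Z` prints for your real Root CA.
EXPECTED_SHA1="0123456789ABCDEF0123456789ABCDEF01234567"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Normalise a fingerprint for comparison: drop colons and spaces, upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Read `security find-certificate -a -Z` output on stdin and return 0 if any
# "SHA-1 hash:" line matches the wanted fingerprint, 1 otherwise.
fingerprint_in_dump() {
    want=$(normalize_fp "$1")
    while IFS= read -r line; do
        case "$line" in
            "SHA-1 hash:"*)
                # Keep everything after the first colon; normalize_fp strips the space.
                hash=$(normalize_fp "${line#*:}")
                if [ "$hash" = "$want" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Query the System keychain (macOS only) and reduce the answer to Yes/No so a
# smart group can key on it. Anything other than a verified match is "No",
# including a missing or failing `security` binary, so the gate fails closed.
ca_present_result() {
    if security find-certificate -a -Z "$SYSTEM_KEYCHAIN" 2>/dev/null \
        | fingerprint_in_dump "$EXPECTED_SHA1"; then
        echo "Yes"
    else
        echo "No"
    fi
}

# Extension attribute output in the <result> format Jamf expects.
echo "<result>$(ca_present_result)</result>"
```

Scope the combined AD cert + Wi-Fi profile to a smart group where this EA is "Yes" and the 30-minute EA above is also "Yes". Matching on the fingerprint rather than the profile name means a renamed or re-issued CA profile cannot satisfy the group until the new Root CA is really in the keychain, and a second fingerprint can be added the same way if you also want to require the Sub CA.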