AD computer certificates via configuration profile...

AARP
New Contributor III

I created a configuration profile to install an Active Directory computer certificate on users' workstations. The profile works. But when the certificate is installed, it is placed in the System keychain. So upon first launch of the app using the certificate (Cisco AnyConnect VPN), the user is prompted to provide credentials for an admin account so the app can check the certificate. Since we don't give users admin accounts, I have to change this behavior.

I have found that if I go into Keychain Access after the config profile has run, two items have been added to the System keychain: the machine cert and a private key from the certificate server. If I manually change the access to that private key to "Allow all applications to access this item," then the AnyConnect client will run without prompting for admin credentials.

Changing access to the private key is easy in the GUI, but I have not found a way to do it in Terminal. There seems to be a way to do it when you import the cert, but not after the fact. And since the config profile is importing the cert, I have no way to tell it to allow access to all apps. Has anyone run into this issue? And did you find a solution?

Bob Reed

3 REPLIES

AVmcclint
Honored Contributor

bump

I'd like a solution to this as well. Our AD certs are required for Pulse VPN and for 802.1x authentication for Ethernet and WiFi. I just witnessed a cert nudge a user that it was about to expire, so they clicked the Update button in Sys Prefs > Profiles. When the new cert was installed, it needed me to manually check the box to "allow all applications..." The option in JSS 9.81 to pull AD certs in Config Profiles has an option to "Allow access to all applications," but when I choose that option, 802.1x authentication fails for Ethernet connections.

mm2270
Legendary Contributor III

As far as I know from doing similar research, it's not possible to add ACLs or change the access to a certificate after it's imported, in a script or from command line tools. It can be done for regular saved passwords in the keychain, but the security command has no functionality to do the same thing for certificates. I imagine the reason is to maintain security, since certs are arguably more security-related items in the keychain, so being able to inject access control items into them with a script without user interaction and approval could be an issue.

Taking a step back, is it possible to install the config profile as a user-level profile and not a system one? Will that even work? Because it will go into the System.keychain if the profile installing the certificate is set to system level, I believe.

AVmcclint
Honored Contributor

It needs to be a computer-level profile because it's an AD computer certificate used for getting on the network. It needs to get on the network even when there is no user logged in.