ADCS Connector issues when clients update to 12.4/12.5

jguz
New Contributor III

Seeing an issue when clients with ADCS generated certs update to 12.4 or 12.5, their wifi connection breaks, prompting them to select a certificate. Even if they select the correct cert it doesn't connect to the wireless. The only fix is to unscope and rescope them into the configuration policy. Anyone out there running into this?


jguz
New Contributor III

FYI, in case anyone else runs into this, I believe it might be an issue with the client trying to connect in user mode after an update. The following script creates a user level identity/wipes out any existing user level identity which will hopefully fix this issue, though I'm still in the process of testing.

#!/bin/bash
#
# Prerequisites
#

# SSID of the 802.1X wireless network - change accordingly
wifi="Name"

# Machine certificate common name - change accordingly
cert="$(hostname).domain.com"

# Grab hash - macOS 10.14 and earlier use SHA-1 hashes, 10.15 and later use SHA-256.
# Compare major/minor numerically so 12.x (and later) is handled, not only 10.15 and 11.
osVersion=$(sw_vers -productVersion)
osMajor=${osVersion%%.*}
osMinor=${osVersion#*.}; osMinor=${osMinor%%.*}
if [[ "$osMajor" -ge 11 ]] || [[ "$osMajor" -eq 10 && "$osMinor" -ge 15 ]]; then
	# Use SHA-256 (first matching certificate only)
	hash=$(security find-certificate -a -c "$cert" -Z "/Library/Keychains/System.keychain" | awk '/^SHA-256 hash:/{print $NF; exit}')
else
	# Use SHA-1 (first matching certificate only)
	hash=$(security find-certificate -a -c "$cert" -Z "/Library/Keychains/System.keychain" | awk '/^SHA-1 hash:/{print $NF; exit}')
fi
# Exit if no hash is found
if [[ -z "$hash" ]]; then
	echo "No certificate found matching computer name. Exiting..."
	exit 1
fi
#
# Action
#
# com.apple.network.eap.user.identity.wlan.ssid.$wifi must exist in the System keychain
# Use root and default-keychain to access the System keychain
su root -c "security default-keychain -d user -s /Library/Keychains/System.keychain"
# Clear existing identity preference and the stored 802.1X item (ignore errors if absent)
su root -c "security set-identity-preference -n -s 'com.apple.network.eap.user.identity.wlan.ssid.$wifi'" 2>/dev/null
su root -c "security delete-generic-password -s 'com.apple.network.eap.user.item.wlan.ssid.$wifi'" 2>/dev/null

# Set identity preference to the machine certificate and recreate the 802.1X item
su root -c "security set-identity-preference -c '$cert' -Z '$hash' -s 'com.apple.network.eap.user.identity.wlan.ssid.$wifi'"
su root -c "security add-generic-password -A -a 'host/$cert' -D '802.1X Password' -l '$wifi' -s 'com.apple.network.eap.user.item.wlan.ssid.$wifi'"

exit 0
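To check the hash-selection logic above on a workstation without touching a keychain, here is an added helper (my own example, not jguz's script) that takes the `sw_vers` version string and the text of `security find-certificate -Z` output as plain inputs; the sample output embedded below is constructed, and the digest values in it are made up.

```bash
#!/bin/bash
# Added example (not from the original post): offline checks for the hash logic.
# Inputs are the sw_vers version string and the text of
# `security find-certificate -a -c "$cert" -Z /Library/Keychains/System.keychain`.

# Which digest the identity preference should carry: macOS 10.15 and later use
# SHA-256, 10.14 and earlier SHA-1 (the rule the remediation script relies on).
hash_algo_for_os() {
    local major minor
    major=${1%%.*}
    minor=${1#*.}; minor=${minor%%.*}
    if [ "$major" -ge 11 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 15 ]; }; then
        echo SHA-256
    else
        echo SHA-1
    fi
}

# Pull the first hash of the requested algorithm out of find-certificate output
# read from stdin. Prints nothing if no such line exists.
extract_hash() {
    awk -v algo="$1" '$1 == algo && $2 == "hash:" { print $NF; exit }'
}

# Sanity-check that the hash has the length the algorithm implies
# (64 hex chars for SHA-256, 40 for SHA-1); returns 1 otherwise.
hash_is_well_formed() {
    local algo=$1 hash=$2 want
    case "$algo" in
        SHA-256) want=64 ;;
        SHA-1)   want=40 ;;
        *) return 1 ;;
    esac
    [ ${#hash} -eq "$want" ] && printf '%s' "$hash" | grep -Eq '^[0-9A-Fa-f]+$'
}

# Constructed sample of what find-certificate -Z prints (values are made up).
SAMPLE_OUTPUT='SHA-256 hash: 9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
SHA-1 hash: A94A8FE5CCB19BA61C4C0873D391E987982FBBD3
keychain: "/Library/Keychains/System.keychain"
    "labl"<blob>="host.domain.com"'

# Make the same decision the remediation script makes, for a given OS version.
choose_hash() {
    local algo
    algo=$(hash_algo_for_os "$1")
    printf '%s\n' "$SAMPLE_OUTPUT" | extract_hash "$algo"
}
```

On a real Mac, pipe the live `security find-certificate -Z` output into `extract_hash "$(hash_algo_for_os "$(sw_vers -productVersion)")"` and run `hash_is_well_formed` on the result before passing it to `set-identity-preference -Z`.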