Jamf Nation Community

Any suggestions on how to do this with out putting my wifi passkey in a script?

does it even matter at that point?

if you're injecting it in the user's keychain, presumably that user can unlock the keychain and see it anyway.

otherwise, you could jump through another hoop and either weakly encrypt it in the script or use curl to read it from a remote server or something.

weigh the overall security requirement of this exercise before you make it harder for yourself.

Well, needless to say I am slightly confused on how this works. The wifi passkey is added post image to the system keychain via post image script. However, I guess in 10.6 (we just upgraded to 10.6 over the summer, older machines only had 1gig of RAM so we kept 10.5) now anytime the user interacts with anything that involves saved passwords it uses their login.keychain. You are totally right they can unmask the password if they can access their keychain, which as of right now that app is restricted (keychain access.app). I requested documentation on this from Apple direct, our enterprise support, and they cannot give me any. The developer page has a really nice and methodical keychain access page, but it is for xcode and objC. I am not even attempting to write an app to control this, so that is useful but overall not really. So I have spent basically the last 3 to 5 days trying different methods of doing this. Where as before I could just set the system keychain and all was good.

I was trying to export the keychain from the system keychain to the user's login.keychain and also make it so there is zero user interaction, so I ended up with the solution I posted. I am just trying to get feedback from anyone who is using this to deploy login.keychains, or a different method is welcome. I also want to be as secure as possible.

I am not sure if my method I came up with is the best method. Looking for feedback, suggestions, or someone to say that is how they do it too, hahaha

Thanks in advance as always.

-Tom

Hi Tom,

Certificate method is the one Apple recommends. Using EAP-TTLS or PEAP
with RADIUS.
All you have to do then import your certs into key chain. Ie package them
in /tmp script to import then delete the certs from /tmp.

sudo security add-trusted-cert -d -p basic -k
/Library/Keychains/System.keychain /private/tmp/rootCA.cer
sudo rm /private/tmp/rootCA.cer

Surely no need sudo if its used with Casper Suite

OR

Apple recommends;

Lion client also supports both EAP-TTLS and PEAP.

--missing content--

configuration profiles in a manner similar to iOS. This gives a lot of
flexibility in deploying .1x config among other things, and offers new
client certificate enrolment possibilities compared to 10.6. Have a look
at the Profile Manager docs for more details:

http://www.apple.com/support/lionserver/profilemanager/

I hope this helps

Cem

On 28/09/2011 14:58, "casper-request at list.jamfsoftware.com" <casper-request at list.jamfsoftware.com> wrote:

Date: Tue, 27 Sep 2011 15:39:41 -0500 From: "Thomas Larkin" <tlarki at kckps.org> Subject: Re: [Casper] add login keychain item to user To: "Nate St. Germain" <nate at techsuperpowers.com> Cc: William Smith <William.Smith at merrillcorp.com>, Casper Mailing list <casper at list.jamfsoftware.com> Message-ID: <4E81EE3D0200003900031F37 at pop.kckps.k12.ks.us> Content-Type: text/plain; charset"us-ascii" Well, needless to say I am slightly confused on how this works. The wifi passkey is added post image to the system keychain via post image script. However, I guess in 10.6 (we just upgraded to 10.6 over the summer, older machines only had 1gig of RAM so we kept 10.5) now anytime the user interacts with anything that involves saved passwords it uses their login.keychain. You are totally right they can unmask the password if they can access their keychain, which as of right now that app is restricted (keychain access.app). I requested documentation on this from Apple direct, our enterprise support, and they cannot give me any. The developer page has a really nice and methodical keychain access page, but it is for xcode and objC. I am not even attempting to write an app to control this, so that is useful but overall not really. So I have spent basically the last 3 to 5 days trying different methods of doing this. Where as before I could just set the system keychain and all was good. I was trying to export the keychain from the system keychain to the user's login.keychain and also make it so there is zero user interaction, so I ended up with the solution I posted. I am just trying to get feedback from anyone who is using this to deploy login.keychains, or a different method is welcome. I also want to be as secure as possible.

I am not sure if my method I came up with is the best method. Looking for feedback, suggestions, or someone to say that is how they do it too, hahaha Thanks in advance as always. -Tom

Well,

Working on getting either RADIUS or some form of 802.1x set up, but for the mean time this is how I am deploying login keychians

here goes my script

#!/bin/bash

/usr/bin/security find-generic-password -a usd500_wpa

if [[ $? -eq 0 ]]; then # Found it - Update passkey without authorizing more apps /usr/bin/security add-generic-password -a usd500_wpa -s AirPort -D "AirPort network password" -l usd500_wpa -w mypasskey -U
else # Not found - Create passkey from scratch /usr/bin/security add-generic-password -a usd500_wpa -s AirPort -D "AirPort network password" -l usd500_wpa -w mypasskey -U -T /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -T /usr/libexec/airportd -T /usr/bin/security
fi

# script is now done, exiting

exit 0

Here goes my launch agent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.kckps.wireless</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Scripts/add_wifi.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Then I packaged it up and deployed in in Casper, tossed the scripts in a folder in /Library/Application Support/Scripts so for future reference I will put my third party scripts in there that need to be kicked off at various times for various reasons.

-Tom

--missing content--

configuration profiles in a manner similar to iOS. This gives a lot of
flexibility in deploying .1x config among other things, and offers new
client certificate enrolment possibilities compared to 10.6. Have a look
at the Profile Manager docs for more details:

http://www.apple.com/support/lionserver/profilemanager/

I hope this helps

Cem

On 28/09/2011 14:58, "casper-request at list.jamfsoftware.com" <casper-request at list.jamfsoftware.com> wrote:

Date: Tue, 27 Sep 2011 15:39:41 -0500 From: "Thomas Larkin" <tlarki at kckps.org> Subject: Re: [Casper] add login keychain item to user To: "Nate St. Germain" <nate at techsuperpowers.com> Cc: William Smith <William.Smith at merrillcorp.com>,Casper Mailing list <casper at list.jamfsoftware.com> Message-ID: <4E81EE3D0200003900031F37 at pop.kckps.k12.ks.us> Content-Type: text/plain; charset"us-ascii" Well, needless to say I am slightly confused on how this works. The wifi passkey is added post image to the system keychain via post image script. However, I guess in 10.6 (we just upgraded to 10.6 over the summer, older machines only had 1gig of RAM so we kept 10.5) now anytime the user interacts with anything that involves saved passwords it uses their login.keychain. You are totally right they can unmask the password if they can access their keychain, which as of right now that app is restricted (keychain access.app). I requested documentation on this from Apple direct, our enterprise support, and they cannot give me any. The developer page has a really nice and methodical keychain access page, but it is for xcode and objC. I am not even attempting to write an app to control this, so that is useful but overall not really. So I have spent basically the last 3 to 5 days trying different methods of doing this. Where as before I could just set the system keychain and all was good. I was trying to export the keychain from the system keychain to the user's login.keychain and also make it so there is zero user interaction, so I ended up with the solution I posted. I am just trying to get feedback from anyone who is using this to deploy login.keychains, or a different method is welcome. I also want to be as secure as possible. I am not sure if my method I came up with is the best method. Looking for feedback, suggestions, or someone to say that is how they do it too, hahaha Thanks in advance as always. -Tom

Wow, sorry for that crappy formatting, I copy/pasted the scripts from a web template and I guess the formatting wasn't right...

Lesson learned there

-Tom

--missing content--

configuration profiles in a manner similar to iOS. This gives a lot of
flexibility in deploying .1x config among other things, and offers new
client certificate enrolment possibilities compared to 10.6. Have a look
at the Profile Manager docs for more details:

http://www.apple.com/support/lionserver/profilemanager/

I hope this helps

Cem

On 28/09/2011 14:58, "casper-request at list.jamfsoftware.com" <casper-request at list.jamfsoftware.com> wrote:

Date: Tue, 27 Sep 2011 15:39:41 -0500 From: "Thomas Larkin" <tlarki at kckps.org> Subject: Re: [Casper] add login keychain item to user To: "Nate St. Germain" <nate at techsuperpowers.com> Cc: William Smith <William.Smith at merrillcorp.com>,Casper Mailing list <casper at list.jamfsoftware.com> Message-ID: <4E81EE3D0200003900031F37 at pop.kckps.k12.ks.us> Content-Type: text/plain; charset"us-ascii" Well, needless to say I am slightly confused on how this works. The wifi passkey is added post image to the system keychain via post image script. However, I guess in 10.6 (we just upgraded to 10.6 over the summer, older machines only had 1gig of RAM so we kept 10.5) now anytime the user interacts with anything that involves saved passwords it uses their login.keychain. You are totally right they can unmask the password if they can access their keychain, which as of right now that app is restricted (keychain access.app). I requested documentation on this from Apple direct, our enterprise support, and they cannot give me any. The developer page has a really nice and methodical keychain access page, but it is for xcode and objC. I am not even attempting to write an app to control this, so that is useful but overall not really. So I have spent basically the last 3 to 5 days trying different methods of doing this. Where as before I could just set the system keychain and all was good. I was trying to export the keychain from the system keychain to the user's login.keychain and also make it so there is zero user interaction, so I ended up with the solution I posted. I am just trying to get feedback from anyone who is using this to deploy login.keychains, or a different method is welcome. I also want to be as secure as possible. I am not sure if my method I came up with is the best method. Looking for feedback, suggestions, or someone to say that is how they do it too, hahaha Thanks in advance as always. -Tom