AppleTV 6.0 has anyone managed to manage (802.1x)

Chris_Hafner
Valued Contributor II

I am hoping that my brain has just run away from me on this, but I am trying to get some brand new AppleTVs up and running, enrolled in the JSS with 802.1x auth and I am just having the damnedest time (mostly with Apple Configurator). Has anyone else gotten this to work? Here's my basic process.

1) Get AppleTV turned on and updated (6.0)
2) Plug AppleTV into ethernet (as 802.1x cannot be set up without a proper date and time, which the AppleTV can only get from the web)
3) Connect to computer with Apple Configurator via USB
(My most successful settings are as follows)
"Under Settings"
- Set name to "Building. Rm. ### AppleTV"
- Supervise "off"
- Update iOS "Never update device"
- erase before installing "grey" and unchecked
- Restore "Don't restore backup"

"Under Setup" (once again, most successful configuration so far)
-Skip Language (checked)
-Skip Diagnostics (checked)
-1 WiFi Payload as described below
-3 Certificates described below
-I've tried device enrollment in a variety of fashions but I have to have it OFF to get anywhere really
(This results in non-functional profiles as well as Apple Configurator becoming completely stuck "Configuring the AppleTV", which is second to last in the chain)

-Testing has caused the following to vary wildly- but is referenced above

In Apple Configurator I can load a wireless profile created either by the JSS or Apple Configurator that simply doesn't seem to work. I use PEAP with a preset username and password. I've used the three certificate method (we're on GoDaddy so we need the added trust chain). I cannot load the MDM profile no matter how I try loading it. Since it's associated with a test server I used the built-in CA, not a verified SSL on that server. I'm wondering if this is giving me issues as I get a rejection every time I try loading it (DNS is fully qualified and runs everything else just fine for our testing purposes including other managed iOS devices). In the end, I end up playing with profiles so much that Apple Configurator will no longer recognize the AppleTV and I have to reset all settings.

For the most part I'm lucky to get the profiles loaded onto the unit (though the name becomes the unit's "Organization" name and the AppleTV itself remains named 'Apple TV'). The wireless profile will load and attempt to connect to the network but will not pass authentication. And under NO circumstance can I get the unit to enroll (even over ethernet). I'm sure there are a great many things I'm leaving out as I've slowly bashed my head on this for three days amongst other far more important projects.

I'm hoping that someone has already had success here and can give me a couple of basic pointers. I'm also hoping that I am a complete idiot and have missed something super basic.

P.S. I know I can't "supervise" the AppleTVs AND I have tried this on three separate brand new Apple TVs as well as one that's a year old and in good working order.

1 ACCEPTED SOLUTION

clthomp
New Contributor

The trick to get this working with our 802.1x was to export the keychain from the MacBook we were using to configure the ATVs. Connect to the wireless SSID in question, authenticate to it, then export the keychain and import that into the ATV Apple Configurator. Trust the certificate in Trusts, and that's it. The ATV must be at the home screen and activated.

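An added example, not from any poster in this thread: a lint for an exported .mobileconfig that checks what the thread keeps running into, namely whether the PEAP Wi-Fi payload references certificate payloads that are actually in the same profile. The payload keys are Apple's configuration-profile keys; the function names, SSID, UUIDs and user name are constructed for illustration.

```python
import plistlib

PEAP = 25  # EAP type number for PEAP in AcceptEAPTypes
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def lint_8021x_profile(profile_bytes):
    """Return findings about each Wi-Fi payload's 802.1X trust settings."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            findings.append(f"{ssid}: no EAPClientConfiguration, not 802.1X")
            continue
        if PEAP not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{ssid}: PEAP (25) not in AcceptEAPTypes")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors and not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no trust anchor or trusted server name")
        for uuid in anchors:  # every anchor must ship in the same profile
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: anchor {uuid} has no certificate payload")
    return findings

def sample_profile(anchor_uuids):
    """Constructed sample: one root-certificate payload and one PEAP Wi-Fi payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root",
             "PayloadUUID": "ROOT-UUID-EXAMPLE",
             "PayloadContent": b"placeholder bytes, not a real certificate"},
            {"PayloadType": "com.apple.wifi.managed",
             "SSID_STR": "ExampleSSID",
             "EncryptionType": "WPA",
             "EAPClientConfiguration": {
                 "AcceptEAPTypes": [PEAP],
                 "UserName": "appletv-example",
                 "PayloadCertificateAnchorUUID": anchor_uuids}}]})

if __name__ == "__main__":
    for anchors in (["ROOT-UUID-EXAMPLE"], ["MISSING-UUID"], []):
        print(anchors, "->", lint_8021x_profile(sample_profile(anchors)) or "ok")
```

To check a real profile, pass the bytes of the unsigned .mobileconfig file to `lint_8021x_profile`; a signed profile has to be unwrapped to its plist first.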

16 REPLIES

gachowski
Valued Contributor II

Well,

Good to know it's not just me!!! I was able to get one enrolled in the JSS and send it a wifi profile, but it was just name and password of the wifi network, not 802.1x. Sounds like you are doing exactly what I had to do!!

It took all day and a phone call to Jamf about the "trust profile" in the directions (it's built in to the enrollment profile)

However I was not able to set the airplay password, and that stopped my testing as we have to be able to control that to get security approval : )

On the second Apple TV I was not able to do anything, 5 restores and 7 or 8 failed to load profile from Apple Configurator or the enrollment profile. I gave up on that Apple TV assuming it's bad.

Both ATVs were new out of box, all I did was restore 6.0 in turn.

Sorry, not a lot of help, but at least you are not alone. (We kinda said OK, it's possible, doable, but we are not putting any more time in it)

C

jbmiller
New Contributor III

Same here in regards to successfully enrolling an APTV into Casper. It took me all day and 7 or 8 tries to successfully enroll a 3rd gen. I did not try out the 802.1x configuration yet but hope to try that in a few days. I was able however to use iOS7 and Casper 9 to scope access to the AirPlay function of the Apple TV using a set password by silently installing config profiles with the AirPlay payloads. It works well and hints at future support opportunities for our college deployments. I too encountered the enrollment problems with the second Apple TV I attempted to enroll. If it matters, the model I had success enrolling was a 3rd gen while the one that after 6 or 7 attempts would not enroll was a 2nd gen Apple TV. It almost seemed from the number of failed attempts when I tried to enroll that something was causing issues with the devices activating after being updated to the newest iOS version.

apple4ever
New Contributor

I'm having similar problems. I can't even get it supervised. Keeps telling me it can't check supervision.

Chris_Hafner
Valued Contributor II

Yep, from what I've read you cannot supervise AppleTVs

kevin_ramos
New Contributor

@apple4ever, AppleTVs cannot be supervised.
I have managed to enroll 30 Apple TVs 3rd gen with the latest 6.0 software with a wireless profile.

bentoms
Release Candidate Programs Tester

Me 2.

But I had it on an open wireless, then disconnected it from that, restarted & it connected to our 802.1x SSID

Chris_Hafner
Valued Contributor II

Great! Personally I had mine connected via ethernet. What was your workflow? I'm obviously missing something. I'm not passing auth one way or another (802.1x) so perhaps I need some certificate work or need to verify the PEAP settings with my NE. However, I still haven't even gotten mine to enroll even over ethernet.

apple4ever
New Contributor

Oh okay! Well that's good to know. Strange because Configurator seems to allow it. I skipped that but still can't get it to enroll.

Chris_Hafner
Valued Contributor II

I figured that I would jump back in here now. I've finally sorted out (OK, a week ago) the best 'dance' with Apple Configurator to get the profiles loaded. If only we could send info to these things and fully manage them (I'm looking at you, Apple!).

Andrew_wright
New Contributor

Has anyone had better luck with installation of profiles over ethernet? I've had minimal success with AppleTV Gen 2's, and so far no success at all for AppleTV Gen 3's with the exact same method, profiles, and settings on both. Every time it loads the most recent iOS, I restart it, and it works until the loading of the profiles. It hangs at the profiles giving the error that the "Server certificate for (my company address) is invalid".

robii
New Contributor III

Chris,

What is that "best dance" you speak of? We still can't get ours working. Any process you can share would be greatly appreciated.

bentoms
Release Candidate Programs Tester

Something I've found is;

The AppleTV resets its time on a power off & then needs to update its time with Apple's NTP servers to update.

Else your cert will not be trusted as the AppleTV's time will be reset to 1970.

Try connecting to another SSID or cabled network that has access to Apple's NTP before configuring it.

Chris_Hafner
Valued Contributor II

Ahh... now-a-days the process is boiled down to the following. Now, I generally use a freshly imaged loaner laptop to install the profiles onto the AppleTVs just in case.

Pre-P.S.: I DO NOT connect these devices to my 802.1x network. We've established a completely separate devices SSID that only allows specific MAC addresses. Yes, I know this will not work for most, but it's A-OK for us given the highly restricted nature of said SSID.

Here are two items to prep on your JSS:

1) I prep and update the AppleTV. I do this physically and keep a small HDTV on my bench for the purpose. This includes connecting it to our network, giving it a name, a time zone and whatever basic security settings I wish it to have. I've been doing this manually as opposed to using Configurator for it, but I've seen that work.

2) Create your enrollment profile (mine has nothing but a name really "Apple TV Enrollment Profile") and download your profiles
-The one from the "Trust profile" (named "Trust Profile.mobileconfig") and "download" (named "Apple TV Enrollment Profile.mobileconfig" in my case)

Now to the process.

- On the computer, open Apple Configurator.
- Go to your JSS from said computer and download the two items I've mentioned in JSS setup step 2
- You will be prompted to install these on the computer you downloaded them with. This is NOT necessary.
- On the AppleTV make sure you are on the main screen. The one with all the pretty icons (Unless you've removed them)
- Disconnect the AppleTV from HDMI (BUT NOT POWER) and connect it to the computer with Apple Configurator via USB
- Launch Apple Configurator
- Click "Prepare" at the top of the Apple Configurator window
- Ignoring any other settings or fields, select "Install Profiles"
- The wizard will see the Apple TV and ask you if you want to enroll the device or continue. I select "Cancel"
- Behind that window is the profile install wizard. Click "Next"
- You will need to import those two profiles that you've saved from the JSS.
- Once you've imported those into Configurator, select them (check boxes) and click next.

That should be it. Again, this is my process for this location. Using 802.1x or managed profiles are a bit different. I ONLY use Configurator to install these profiles.

Andrew_wright
New Contributor

@bentoms: Thank you for the advice, we didn't know that the device reset its time when turned off, but we had it connected through ethernet on the outside of our firewall so SSL wasn't an issue.

@Chris_Hafner: Thank you for the workflow. Following your steps our process now works flawlessly every time, though we use ethernet instead of an SSID. I was going through the AppleTV Install Wizard every time, but after trying your way of canceling out of that and going through the main Apple Configurator, as well as turning Supervision off, I was able to successfully install the profiles and replicate that success across multiple devices and multiple generations of AppleTV's. Again, thank you for that help and for laying out your workflow for all of us.

Chris_Hafner
Valued Contributor II

Good to hear! I was half wondering if a new complication was going to arise that I haven't seen yet. Regardless these things keep getting more and more manageable. One day, Apple might even let us enroll them remotely!