Best practices for deploying 802.1x WiFi profile at enrollment


We just got the Jamf AD CS Connector set up for our environment. It's awesome considering we were using an ancient, user-initiated script through Self Service for a long time to accomplish the same thing.

However, I am wondering what the best practice is for pushing the wireless config during or after enrollment is. As part of our zero touch efforts, we have the user enroll using our guest wifi network when on site. I'd like to get the wifi profile installed as close to enrollment time as possible so when it does its post-enrollment tasks (installing security software, settings, etc) it will pull from on-site distribution points rather than our Internet facing distribution point.

Has anyone had success with this? I seem to find myself getting railroaded installing this profile as it either interrupts the enrollment or post enrollment when it automatically switches from our guest network to the corporate network.

Thanks in advance for any thoughts.


New Contributor III

I am also looking for the Best Practice method of of deploying our 802.1x WiFi. I am at the beginning stages of the testing process of the PreStage. The advice would be much appreciated.

Contributor II

After going through several iterations of this I would recommend running an NDES server and setting up jamf as a SCEP proxy. This will allow you to deploy certificates over less secure networks to allow them to jump onto the private network,

New Contributor III

I have tried convincing my team to do a SCEP Proxy but no one wants to do it. In order to provision our devices they need to wired and configured prior to giving them to the user. At this time I am adding the wireless configuration profile in the PreStage. This wireless profile is a device authenticated profile, the device then is named then added to the domain and when the user logs on with their user account it gives them access to resources. Any better suggestions to step through this process smoothly? Order/Sequence...

New Contributor III

@a.stonham Could you give more detail on how you configured the Wifi Profile. I have SCEP proxy and NDES setup and it is working. I am running into issues trying to get the WiFi profile to trust the certificate the it pushes out. Everything that I try and configure still prompts for username and password. Any help is appreciated!