Certificate Based WI-FI Configuration Profile Troubles :-(

Mhomar
Contributor

Hi JAMF Nation! I am developing my first Configuration Profile outside of the JSS (as my infrastructure is not ready to support this YET) and ran into some issues. So using Apple Configurator I was able to configure and export a .mobileconfig file.

1) When I went to install the configuration profile (CP) on a test computer I did not have a Profile pane in the System preferences. I double clicked on the file /System/Library/PreferencePanes/Profiles.prefPane and it loaded. This Profile pane will not stay in the System preferences after a reboot. Any ideas why it was not there in the first place or what needs to be done to get it to stay?

I then installed the CP (double clicked the file and authenticated). This is when things really got messed up

2) All my network service icons (Wi-Fi, FireWire, Bluetooth etc.) changed to Ethernet icons and each service's window looked like/contained the Ethernet window settings. Plus, even though this was a Wi-Fi setting, it added the 802.1X Wi-Fi connect button to the Ethernet service and consequently to all the other services? I had to blow all those services away and rebuild them. Hmmm.....

3) Even though I believe I added a correctly configured Certificate payload to the CP, which is using the EAP-TLS protocol, I believe I have an error in the "Identity Certificate", as the configuration says "No applicable Certificate payload is configured" and does not allow me to choose anything else.

Dang, not a good start to Configuration Profiles, hey! On the bright side, this appears to be an excellent and in-depth learning opportunity! Thanks all in advance.......


davidacland
Honored Contributor II

Hi @Mhomar, for the first issue, if you don't have any profiles installed, the Profiles System Preferences pane isn't visible. If it's disappearing when there are profiles installed, it might be a restriction set somewhere else.

For point 2, that's definitely a broken profile :) My guess would be something wrong with the network interface it is targeting.

For point 3, I've had this work ok in the past with a .p12 certificate file. You need to add the .p12 file to the Certificate payload so it can be selected when configuring the network payload.

Hope this helps.

Mhomar
Contributor

@davidacland Thank you for your response.

Your comment on issue 1 leads me to believe this is my doing, as I removed the bad profile after it blew up the Network services. I fixed them and rebooted, so that explains why the Profiles pane was gone. I will be able to confirm once I have a Configuration Profile that I want to keep. (I might consider creating one that is not quite so complicated to test this.) A few minutes later..... after selecting the appropriate cert in the Keychain I went to export it and the .p12 format was greyed out. All I have to choose from is .cer, .pem, and .p7b formats. Are .pem and .p7b reasonable alternatives? Else, any ideas why .p12 would not be available to export?

Issue 3) That seems like a good answer as well, because I exported a .cer file, and exporting and replacing the Certificate payload should be an easy test.

On Issue 2) This one still has me baffled. I will work to get redacted screenshots of the CP soon and post back.

davidacland
Honored Contributor II

Hi, I'm not entirely sure everything in a .p12 is actually needed. It's an archive format that can contain everything related to that certificate, including keys and intermediate certs.

.pem is a form of encoding for certificates in general, but when used as a file extension (AFAIK) it is referring to a .cer, so it is just the certificate on its own.

.p7b is similar to .p12 but can't contain any private keys.

It might be that just the cert on its own is needed, in which case a .pem or .cer should be OK, but I guess the best way is to test.
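Added example (not from this thread, Apple or JAMF): a stdlib-only Python check that tells apart the export formats discussed above by container type and whether the file can carry the private key an EAP-TLS identity needs; a bare .cer/.pem/.p7b without a key can only serve the Trust side of the payload, not the Identity Certificate. The sample DER and PEM blobs are constructed stubs with just enough structure to classify, not real certificates.

```python
import base64
import re

# DER-encoded OIDs: PKCS#7 signedData (what a .p7b holds) and PKCS#7 data (PKCS#12's authSafe).
OID_PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
OID_PKCS7_DATA = bytes.fromhex("06092a864886f70d010701")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_der(der):
    """Name the container by the first element inside the outer SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return "unknown"
    _, pos = _der_length(der, 1)
    if der[pos] == 0x30:                 # tbsCertificate -> bare X.509 certificate (.cer)
        return "x509-cert"
    if der[pos] == 0x06:                 # contentType OID -> PKCS#7 / CMS (.p7b)
        return "pkcs7" if der.startswith(OID_PKCS7_SIGNED_DATA, pos) else "cms"
    if der[pos] == 0x02:                 # version INTEGER 3, then authSafe -> PKCS#12 (.p12)
        ilen, ipos = _der_length(der, pos + 1)
        nxt = ipos + ilen
        if der[ipos:nxt] == b"\x03" and der[nxt:nxt + 1] == b"\x30":
            _, opos = _der_length(der, nxt + 1)
            if der.startswith(OID_PKCS7_DATA, opos):
                return "pkcs12"
    return "unknown"

def classify_export(data):
    """Return (container, carries_private_key). For PKCS#12 the key bag is encrypted,
    so the second value is None: it cannot be inspected without the export password."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(data.decode("ascii", "replace"))]
    if labels:                           # PEM-armored export (.pem, or a .p7b saved as PEM)
        has_key = any("PRIVATE KEY" in label for label in labels)
        return ("pkcs7" if any(label.endswith("PKCS7") for label in labels) else "pem"), has_key
    kind = classify_der(data)
    return kind, (None if kind == "pkcs12" else False)

def eap_tls_identity_ok(data):
    """An EAP-TLS identity needs the private key: only a .p12 or a PEM with a key qualifies."""
    kind, has_key = classify_export(data)
    return kind == "pkcs12" or has_key is True

# Constructed sample files (not real certificates): just enough structure to classify.
def _der(tag, body):
    n = len(body)
    return bytes([tag, n]) + body if n < 0x80 else bytes([tag, 0x82]) + n.to_bytes(2, "big") + body

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n".encode()

SAMPLE_CERT_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02"))))
SAMPLE_P7B_DER = _der(0x30, OID_PKCS7_SIGNED_DATA + _der(0xA0, _der(0x30, b"")))
SAMPLE_P12_DER = _der(0x30, _der(0x02, b"\x03") + _der(0x30, OID_PKCS7_DATA + _der(0xA0, _der(0x04, b"\x00" * 200))))
SAMPLE_PEM_CERT = _pem("CERTIFICATE", SAMPLE_CERT_DER)
SAMPLE_PEM_IDENTITY = SAMPLE_PEM_CERT + _pem("PRIVATE KEY", _der(0x30, b""))
```

Run it over the bytes of a real Keychain export (for example `classify_export(open("identity.p12", "rb").read())`) to see which payload slot the file can fill.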

bcchrimit
New Contributor

Found this post when I was having issues trusting a certificate while creating a Configuration Policy and configuring the Network options. Specifically, I went to "Network->Network Security Settings->Changed Protocols to Trust tab->Trusted Certificates" and didn't see a p12 certificate bundle (cert, private key, intermediate/root CA) I'd uploaded via the "Certificate" options pane. I figured out that in order to be able to explicitly trust a certificate, I had to upload the certificate again as a separate DER-encoded .cer file payload. This meant having both the p12 certificate bundle and the DER-encoded .cer as Certificate payloads within the Configuration Policy. Not sure if this would work for your situation as well.