Skip to main content
Question

Deploy Certificate to OSX with full permissions

  • April 5, 2016
  • 3 replies
  • 6 views
M
Forum|alt.badge.img+13

I am trying to reply a certificate for WPA2 enterprise PEAP Wifi Authentication with forced login to wifi window, so that it connects to wifi before the user logs in.

Through profile manager and through jamf I have always had a mixed result with its implementation
basically the certificate wouldn't get the permissions needed for authentication, and as a result reject the connection upon login.

Has anyone else had this problem, and resolved it? in the past I have had to manually fix the permissions, cause I'm still new and haven't picked up some of the basic scripting knowledge, but seeing its keychain I figure there probably isn't much that can be scripted with keychain.

    3 replies

    M
    Forum|alt.badge.img+9
    • merps
    • Contributor
    • April 8, 2016

    @Malcolm Can't necessarily help with the PEAP issue, but is EAP-TLS an option for you?
    If you have an internal CA it might be worth a look.

    We're using a config profile with an AD Certificate payload "Machine" certificate template and the Network payload is referencing the AD Cert being obtained with the same config profile. Haven't had any issues yet, and the machine connects at the login window as soon as Wi-Fi is powered on.

    N
    Forum|alt.badge.img+13
    • Nix4Life
    • Honored Contributor
    • April 9, 2016

    @Malcolm I just did this. what I ended up doing was to manually connect a machine, then go to the keychain and get those certs. since I'm still on 9.65 I had to change the extension from .cer to .der ( known bug but was fixed in later releases). I then uploaded them to the profile in the JSS and pushed it out. @merps I envy you, I have been trying for the past few months to get machine authentication to work

    Larry

    dan-snelson
    Forum|alt.badge.img+30
    • dan-snelson
    • Honored Contributor
    • April 9, 2016

    After having copied our certificates to a local temporary directory, we've had success using the following to establish trust for our root certificate:

    /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /local/path/to/rootCertificate.cer

    For our internal non-root certificates, we use the following:

    /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /local/path/to/nonRootCertificate.cer
    Terms & ConditionsCookie settingsAccessibility statement