Disable Ethernet 802.1X

rcoleman
New Contributor II

Hi folks,

Some parts of our network have recently been upgraded, and we've noticed with our Lab Macs that are on the upgraded network, when logging in, every user is met with the prompt below:

Screenshot 2022-09-07 at 14.01.55.png

To clarify, authentication isn't required to have a working network connection - devices are already connected and able to access the network / internet. 

Each user can go into System Preferences and disable this, however this isn't viable with a Lab setup as multiple different users will use multiple different devices each day, with any accounts created on the devices cleared overnight.

I've had a look online at some resources to see if there is a way to disable this. There are some proposed scripted solutions:

https://community.jamf.com/t5/jamf-pro/get-802-1x-authentication-status-for-ethernet-via-script/m-p/...

However, unfortunately the prompt appears immediately after logging in, before any login scripts can start. I have also attempted to see what process is kicking off this prompt to see if it can be halted / stopped in anyway but not had any luck.

I also found the following proposed profile solution:

https://github.com/vmiller/profiles/blob/master/8021xDisable.mobileconfig

For some reason, this profile seems to work when manually installing, but when attempting to distribute through Jamf Pro it just will not disable the setting - even though I can see that the profile is installed. I've tried scoping to computer level and user level but no difference. The preference domain I have attempted to use is "com.apple.network.eapolcontrol.ByHost".

Apple disabled the option to script profile installations when Big Sur was released, and the thought of having to manually login to hundreds of devices and manually install this profile is slowly chipping away at my soul....

I have contacted our network team and they cannot switch it off at their end.

Does anyone have any idea why a configuration profile will work when manually installed, but not when deployed through Jamf Pro? Alternatively, does anyone else have any ideas on how to disable this setting?

Any help would be greatly appreciated!

 

 

1 ACCEPTED SOLUTION

dkucmierz
Contributor

You probably need to sign the profile and upload it so that jamf doesn't strip out content that it doesn't recognize internally when it is deployed via mdm

View solution in original post

8 REPLIES 8

sdagley
Honored Contributor III

@rcoleman It might be easier to have your network team disable 802.1x on the switch ports for your lab

rcoleman
New Contributor II

Unfortunately we have already been in touch with our network team and they cannot (or won't) disable it switch side.

Just don't understand why a config profile would work when manually installed but not when deployed through Jamf Pro. :(

AJPinto
Valued Contributor

The best path would be to have JAMF bless the 802.1x network. That way it just connects without any popups to the users. Getting this configured can be tricky with a configuration profile though, and you will need a lot of information from your network team.

 

Honestly, escalate. There is always someone above whoever told you "no" that does not want to hear from you or your users, and they will force adjustments to the change or backing out the change all together. This was probably because of a security need, which is well and good. Now they need to adjust the changes so macOS functions with them, or assist in adjusting the Mac environment so they function with the changes that were made.

 

Your network team implemented a change without validating against your Mac environment. Said change is adversely impacting your Mac environment. Call a bridge line, and make them assist with creating the configuration profile to bless this. Be very clear, and vocal that they should have contact you BEFORE implementing these changes to get the configuration setup. IF you are unable to get the Configuration Profile working correctly, escalate and being very loud is how you start to twist their arm at backing out their authentication changes or providing a separate solution for Macs.

rcoleman
New Contributor II

Many thanks @AJPinto - although I won't hold my breath I'll try and push it up the chain again. I think because not all networks within the institution have been upgraded yet they are probably not receiving as much flak as they should - if this was happening to more departments there would probably be more pressure on them - but if I emphasise what is likely to occur once the upgrade is complete then it might shake more trees.

dkucmierz
Contributor

You probably need to sign the profile and upload it so that jamf doesn't strip out content that it doesn't recognize internally when it is deployed via mdm

rcoleman
New Contributor II

Just getting around to this just now and this actually seemed to resolve the issue! Many thanks @dkucmierz! Although probably not the ideal solution it certainly provides a temporary workaround at the moment. I'll certainly get onto our network team for a more long-term viable solution though. Many thanks to everyone

for all the suggestions.

SCCM
Contributor II

@rcoleman have your network team given you information about the accepted eap type for 802.1x? if no creds are needed, what happens if you create a network config profile "network interface: Any Ethernet" select the correct EAP type and just type in a random username and password? try it on a test machine to see it it just authenticates, or comes back witha failed message. Normally you would need a cert or creds for 802.1x they wouldnt enable it, and not have it block devices. Ask your network team if they can whitelist your devices (mac addresses) in order to not get prompts (that should be possible)

rcoleman
New Contributor II

Thanks for the recommendations folks. I'll certainly give them a try and let you know where we get to with this.