I am currently trying to get EAP-TLS working on our non-bound Macbooks.
I have setup the JAMF ADCS Connector and am able to push certificates to each Mac. I have a certificate template for Jamf that pushes a certificate with the CN being the username. I created the 802.1x profile, just listing TLS as the Accepted EAP Type. I select the JAMF ADCS generated certificate as the "Identity Certificate" and Username as $USERNAME.
What ends up happening is that the profile and the certificate get pushed to the machine; however, I cannot guarantee that only that $USERNAME will be used for connection. If someone removes the wireless network and then tries to reauthenticate a pop-up will allow them to choose EAP-TLS, the Identity certificate, and put in a username (which at this point will authorize them based on that username in AD to various vlans based on permission).
Is there a way to force the user to always have to use the $USERNAME when connecting via EAP-TLS when the Macs aren't bound to AD?
Where did you make the profile, in Jamf Pro? If so, I would try making it in profile manager, making sure system mode is checked off, sign it which makes it read-only and then upload to Jamf. Once uploaded, scope it and push it to a Mac for testing.