Question

Enroll macOS and iOS user with Active Directory CS user certificate

We have been using EAP-TLS Wi-Fi with our iOS and macOS devices for some time. I use a Jamf Pro configuration profile with 3 parts:

1) install the wi-fi profile

2) install the root and intermediate certificate for our internal AD CA

3) use SCEP to request a machine certificate

But I'm looking to expand this so the Wi-Fi user also gets a user certificate. I can utilize more Wi-Fi roles and place users into different VLANs and ACLs, etc.

So my question is: is anyone installing AD CS user certificates on your macOS and iOS devices? Are you doing it in an automated way using SCEP? Or are the users going to a web site and enrolling themselves?

If you can help, please provide as much detail as possible.

2 replies

danlaw777
  • Valued Contributor
  • May 17, 2023

When you integrated with SCEP, how did you go about hitting your CA server? Do you use a NetScaler at all? Trying to figure that part out....


  • Author
  • Contributor
  • May 17, 2023
danlaw777 wrote:

When you integrated with SCEP, how did you go about hitting your CA server? Do you use a NetScaler at all? Trying to figure that part out....


I'm using a Jamf Pro Configuration profile with three payloads:

1. Certificate payload: you should be installing all the root and intermediate certificates the client will need to connect to your Wi-Fi NAS and certificate server and trust the connections.

2. SCEP payload: where you put in the instance of your SCEP server. For me it's https://server name/certsrv/mscep/mscep.dll. Also include your SCEP server instance name and what the certificate common name will be, e.g. CN=$COMPUTERNAME. You may also need to put in credentials for your server or

3. Network payload: to give the client the Wi-Fi profile. There are sections where you have to set up the security (WPA2 Enterprise), the EAP type (TLS), and, in the trust section, link to your SCEP and certificates so the client will trust them.

So no integration or NetScaler. For a Microsoft CA using SCEP it's just a URL. I have a wildcard certificate installed on the CA, so the client doesn't have any issues hitting it. This took me about a week or two to get right. Lots of trial and error. Let me know if you want some screenshots of the settings I use. But then you will also need a CA with certificate templates available, which is a whole new can of worms.
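The three-payload wiring described in this reply (certificate anchors, SCEP payload, Wi-Fi payload pointing at both) is easy to get subtly wrong, and a broken trust link is what causes the "a week or two of trial and error". The following is an added example, not code from either poster or from Jamf: a small Python checker that parses an unsigned .mobileconfig with plistlib and verifies that the Wi-Fi payload actually references the SCEP identity and the certificate payloads. Payload type names and keys (com.apple.security.scep, com.apple.wifi.managed, PayloadCertificateUUID, PayloadCertificateAnchorUUID, TLSTrustedServerNames, AcceptEAPTypes) are from Apple's Configuration Profile Reference; the UUIDs, hostnames, SSID and DER placeholders in the embedded sample profile are constructed values.

```python
"""Sanity-check a .mobileconfig for EAP-TLS Wi-Fi enrolled via SCEP.

Hypothetical checker, not from the original thread. Payload keys follow
Apple's Configuration Profile Reference; all UUIDs, hostnames, SSIDs and
certificate bytes below are constructed sample values.
"""
import plistlib
from typing import Any, Dict, List

CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
                      "com.apple.security.pkcs12"}
EAP_TLS = 13  # EAP method number for EAP-TLS in AcceptEAPTypes

# Constructed UUIDs for the sample profile
ROOT_UUID = "11111111-1111-1111-1111-111111111111"
INTER_UUID = "22222222-2222-2222-2222-222222222222"
SCEP_UUID = "33333333-3333-3333-3333-333333333333"
WIFI_UUID = "44444444-4444-4444-4444-444444444444"

SAMPLE_PROFILE: Dict[str, Any] = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.eaptls.wifi",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadVersion": 1,
    "PayloadContent": [
        # 1) trust anchors for the RADIUS server and the AD CS chain
        {"PayloadType": "com.apple.security.root", "PayloadUUID": ROOT_UUID,
         "PayloadIdentifier": "example.root", "PayloadVersion": 1,
         "PayloadContent": b"DER-ROOT-PLACEHOLDER"},
        {"PayloadType": "com.apple.security.pkcs1", "PayloadUUID": INTER_UUID,
         "PayloadIdentifier": "example.intermediate", "PayloadVersion": 1,
         "PayloadContent": b"DER-INTERMEDIATE-PLACEHOLDER"},
        # 2) SCEP enrollment against the AD CS NDES endpoint (hostname constructed)
        {"PayloadType": "com.apple.security.scep", "PayloadUUID": SCEP_UUID,
         "PayloadIdentifier": "example.scep", "PayloadVersion": 1,
         "PayloadContent": {
             "URL": "https://scep.example.internal/certsrv/mscep/mscep.dll",
             "Name": "ExampleIssuingCA",
             "Subject": [[["CN", "$COMPUTERNAME"]]],
             "Keysize": 2048, "Key Type": "RSA", "Key Usage": 5}},
        # 3) Wi-Fi payload tied to the SCEP identity and the trust anchors
        {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": WIFI_UUID,
         "PayloadIdentifier": "example.wifi", "PayloadVersion": 1,
         "SSID_STR": "CorpWiFi", "EncryptionType": "WPA2", "AutoJoin": True,
         "PayloadCertificateUUID": SCEP_UUID,
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [EAP_TLS],
             "PayloadCertificateAnchorUUID": [ROOT_UUID, INTER_UUID],
             "TLSTrustedServerNames": ["radius.example.internal"]}},
    ],
}


def check_profile(profile: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the payloads are wired up."""
    findings: List[str] = []
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    scep = [p for p in payloads if p.get("PayloadType") == "com.apple.security.scep"]
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]

    if len(scep) != 1:
        findings.append(f"expected exactly one SCEP payload, found {len(scep)}")
    for p in scep:
        content = p.get("PayloadContent", {})
        url = content.get("URL", "")
        if not url.startswith("https://"):
            findings.append(f"SCEP URL is not HTTPS: {url!r}")
        if not content.get("Subject"):
            findings.append("SCEP payload has no Subject")
        if int(content.get("Keysize", 0)) < 2048:
            findings.append("SCEP key size below 2048 bits")
        if content.get("Challenge"):
            # A static challenge is readable by anyone who obtains the profile
            findings.append("SCEP payload embeds a static challenge password")

    if not wifi:
        findings.append("no Wi-Fi payload")
    for p in wifi:
        if p.get("EncryptionType") not in ("WPA2", "WPA3"):
            findings.append(f"Wi-Fi EncryptionType is {p.get('EncryptionType')!r}, not WPA2/WPA3")
        eap = p.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            findings.append("Wi-Fi payload does not accept EAP-TLS (type 13)")
        ident = by_uuid.get(p.get("PayloadCertificateUUID"))
        if not ident or ident.get("PayloadType") != "com.apple.security.scep":
            findings.append("Wi-Fi PayloadCertificateUUID does not point at the SCEP payload")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append("Wi-Fi payload pins no trust anchors (PayloadCertificateAnchorUUID)")
        for uuid in anchors:
            target = by_uuid.get(uuid)
            if not target or target.get("PayloadType") not in CERT_PAYLOAD_TYPES:
                findings.append(f"trust anchor {uuid} is not a certificate payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("Wi-Fi payload has no TLSTrustedServerNames; RADIUS server name is unpinned")
    return findings


def check_mobileconfig(data: bytes) -> List[str]:
    """Parse an unsigned .mobileconfig (XML or binary plist) and check it."""
    return check_profile(plistlib.loads(data))


def sample_profile_bytes() -> bytes:
    """Serialize the constructed sample profile the way a .mobileconfig is stored."""
    return plistlib.dumps(SAMPLE_PROFILE)


if __name__ == "__main__":
    for line in check_mobileconfig(sample_profile_bytes()) or ["OK: payloads are consistent"]:
        print(line)
```

Run it against a profile exported from Jamf Pro (unsigned, or after stripping the CMS signature) and every finding corresponds to one of the links the reply describes: the identity the Wi-Fi payload presents, the anchors it trusts, and the server name it will accept. The TLSTrustedServerNames check matters most from a security standpoint: without it the client will accept any RADIUS certificate chaining to the pinned anchors, which with an internal AD CS root includes every certificate that CA has ever issued.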

