Help with script that configures 802.1x wifi

bbot
Contributor

Hi, I'm looking to build a Self Service wifi fix. There have been times where keychains get corrupted and it requires generating new certificates.

The current fix has been to use the .mobileconfig and install the profile using the /usr/bin/profiles command and authenticating with our local admin.

In our environment, users do not have local admin access. What's the best way of creating a self service option that will execute the profiles command without requiring admin access?


mm2270
Legendary Contributor III

Self Service policies should not require admin credentials. That's actually the primary point of Self Service. It allows non admin users to run policies that have commands, installers and such that would normally require them to type in an admin password.
So in your case, you could deploy the profile into a location like /private/tmp/ in a package, then have a script run set to "After" that would install it with the profiles command.

But backing up a moment, I have a feeling there's a better way to address your primary issue without needing to always re-install a profile. Can you provide any more details on the issue?
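A concrete version of the package-plus-script approach mm2270 describes, as an added example that is not from the thread, from Jamf or from the original poster. Assumptions, none of which the thread states: the package stages the profile at /private/tmp/wifi-8021x.mobileconfig (or the path is passed as Jamf script parameter $4), the policy runs as root, and running `profiles -I -F` in the console user's context installs a user-level profile so a user certificate ends up in that user's login keychain rather than the System keychain. Because /private/tmp is world-writable, the script refuses to install a file it does not own or that others can write, and it deletes the profile afterwards since it carries a private key. Caveat: on macOS 11 and later, `profiles` can no longer install configuration profiles from the command line, so there the profile has to be pushed by the MDM itself.

```shell
#!/bin/bash
# Added example (not from the thread): Jamf Self Service policy script, set to run
# "After" a package in the same policy has dropped the Wi-Fi profile into /private/tmp.
# Assumed: the profile path arrives as Jamf script parameter $4, the policy runs as
# root, and `profiles -I -F` run in the console user's context installs a *user*
# profile, so the user certificate it carries lands in that user's login keychain.

PROFILE="${4:-/private/tmp/wifi-8021x.mobileconfig}"   # assumed staging path
PROFILES_BIN="${PROFILES_BIN:-/usr/bin/profiles}"      # overridable so the logic can be exercised off-Mac

log() { printf '%s\n' "$*" >&2; }

# Print "uid mode" for a file; stat flags differ between macOS and GNU coreutils.
owner_and_mode() {
  case "$(uname -s)" in
    Darwin) /usr/bin/stat -f '%u %Lp' "$1" ;;
    *)      stat -c '%u %a' "$1" ;;
  esac
}

# Short name of the user at the console ("loginwindow" or empty at the login screen). macOS only.
console_user() {
  /usr/bin/stat -f '%Su' /dev/console 2>/dev/null
}

# Refuse to install anything we did not stage ourselves. /private/tmp is world-writable,
# so between the package dropping the file and this script running another local user
# could swap it; require our own uid as owner and no write bit for "other".
validate_profile() {
  local profile="$1" owner mode
  [ -f "$profile" ] || { log "profile not found: $profile"; return 1; }
  set -- $(owner_and_mode "$profile")
  owner=$1; mode=$2
  [ "$owner" = "$(id -u)" ] || { log "refusing $profile: owned by uid $owner, not $(id -u)"; return 1; }
  case "$mode" in *[2367]) log "refusing $profile: writable by others (mode $mode)"; return 1 ;; esac
  grep -q '<key>PayloadContent</key>' "$profile" || { log "$profile is not a configuration profile"; return 1; }
  grep -q 'com.apple.wifi.managed' "$profile"    || { log "$profile has no Wi-Fi payload"; return 1; }
}

# Install the profile for user $1 and remove the staged file afterwards: it contains
# the user's certificate and private key and must not linger in /private/tmp.
install_profile() {
  local user="$1" profile="$2" rc
  validate_profile "$profile" || return 1
  if [ "$(id -un)" = "$user" ]; then
    "$PROFILES_BIN" -I -F "$profile"
  else
    # Running as root (normal for a Jamf policy): switch into the user's session so
    # the profile is installed at the user level rather than the device level.
    /bin/launchctl asuser "$(id -u "$user")" /usr/bin/sudo -u "$user" "$PROFILES_BIN" -I -F "$profile"
  fi
  rc=$?
  rm -f "$profile"
  return $rc
}

main() {
  local user
  user=$(console_user)
  case "$user" in
    ""|root|loginwindow) log "no user logged in at the console; nothing to install into"; return 1 ;;
  esac
  install_profile "$user" "$PROFILE"
}

# Jamf runs this on the Mac as root and takes the exit status as the policy result.
# Anywhere else (e.g. exercising the functions on a Linux box) only the definitions load.
if [ "$(uname -s)" = Darwin ]; then
  main
  exit $?
fi
```

In the Jamf policy, add the package that stages the .mobileconfig, attach this script with priority "After", and scope it to Self Service; the non-admin user then runs it with no password prompt because the policy itself runs as root and drops into the user's session only for the `profiles` call.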

bbot
Contributor

Hi @mm2270 The primary issue we've been seeing is users changing their passwords, and their keychain gets corrupted or passwords not updating to the newly changed password. (It happens a few times a month.) We wipe their keychain, which also wipes the certificates needed to connect to our wifi. I've been able to quickly re-add it by using the profiles command, but I want to make a simpler solution for our junior desktop techs.

Would making a script that has "/usr/bin/profiles -I -F /path/to/mobileconfig" bypass the admin prompt and re-add the certificates?

alexjdale
Valued Contributor III

I'm confused, why are the certificates on the user's keychain? Shouldn't you be storing them on the System keychain? Are they computer or user certificates?

Our (computer) certificates and wifi configuration are installed at the system level, so the system authenticates with 802.1x independently of any user account.

bbot
Contributor

@alexjdale Ours are being stored under the login keychain as user certificates. Every user has a different wifi certificate generated, we don't have a generic one for every machine.