We use 802.1x certificates to connect our Macs (10.12) to our WiFi network. Although there is no user information in the certificate (just the workstation name), we store them in the user's login keychain. This works well so far; however, we want to protect the certificates from being exported and used on another (not entitled) device.
We tried to store the certificate in the system keychain instead of the user's login keychain. But it turned out that the user is asked for admin credentials whenever he tries to connect to the WiFi network, so that is not a usable solution.
Is there any best practice for handling 802.1x WiFi certificates?