Install Configuration Profile (.mobileconfig) WITHOUT Admin Rights

haircut
Contributor

My institution is getting ready to deploy XpressConnect for configuration of our Wi-Fi network. XpressConnect for Macs requires installation of a Configuration Profile, which requires local admin rights. We don't provide local admin to most of our users.

I can't deploy the profile at imaging or via policy because our setup is using XpressConnect's "full enrollment" feature which generates a per-user X.509 certificate, so each user/computer would require a completely different payload.

I already monkey around with /etc/authorization to grant elevated privileges to a custom "Power Users" group, but can't find a way to allow Configuration Profile installation.

Is this possible or am I just hosed?

3 REPLIES

mscottblake
Valued Contributor

Disclaimer: I don't know anything about XpressConnect, so I'm just shooting blind here.

This sounds like a great place to use Self Service. The program will elevate its privileges to root in order to perform the installation. The catch is that I don't know any specifics about how to do it in your case. How are the certificates generated? If the certificate is generated on the client machine and you know where to look for it, a simple script could pull in the file since it's being triggered on that same machine. If it's done on a server, I would place it into /private/tmp/ and then trigger your installation.

If Self Service is not an option, the same options are likely still available, but you would need to set up some Extension Attributes looking for the existence of the certificate on the machine before it tries to run the policy that performs the Config Profile installation.

I hope this helps, or at least guides you in the right direction.

luke_j_nelson
New Contributor II

Is the certificate per-user or per-computer? Could you have a script that looks for the specific variable, inserts that into the payload, and deploys from there?

Another thing you can try is this:

sudo -u "$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')" profiles -I -F /path/to/file.configprofile

This would install the profile as the current logged in user. Is this what you're asking for? I don't know if this will work, since even though it will be from a policy or Self Service it will be sudo-ing as the current user, and profiles require admin privileges to install. Though, you could grant admin privileges before that line and revoke them, like this:

#!/bin/bash

# Console (GUI) user: the owner of /dev/console
cur_user=$(/usr/bin/stat -f '%Su' /dev/console)
profile="/path/to/file.configprofile"

# Grant admin only if the user doesn't already have it, so a real admin isn't demoted below
if /usr/sbin/dseditgroup -o checkmember -m "$cur_user" admin >/dev/null 2>&1; then
    added=0
else
    /usr/sbin/dseditgroup -o edit -a "$cur_user" -t user admin; added=1
fi

/usr/bin/sudo -u "$cur_user" /usr/bin/profiles -I -F "$profile"; rc=$?

# Revoke admin again even if the install failed, so the user isn't left elevated
[ "$added" -eq 1 ] && /usr/sbin/dseditgroup -o edit -d "$cur_user" -t user admin
exit $rc

Without more details on XpressConnect and the "full enrollment", I'm afraid this is all I can help with.
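The two suggestions above (a Self Service or policy script that already runs as root and can pick up a certificate the enrollment tool left on the client, and templating the per-user value into the payload) can be combined so that nobody has to be made an admin, even temporarily: root builds a per-user profile around the user's PKCS#12 identity and installs it itself. The script below is an added example written for this thread; it is not code from XpressConnect, Jamf or any poster. The .p12 location under the user's home, the SSID, the password protecting the .p12 and the com.example.* payload identifiers are all assumptions.

```bash
#!/bin/bash
# Added example, not code from the thread or from XpressConnect/Jamf: a policy or
# Self Service script (runs as root) that builds a per-user Wi-Fi profile around the
# user's enrollment-issued PKCS#12 identity and installs it with `profiles -I -F`,
# so the user never needs admin rights. Assumed/hypothetical: the .p12 location,
# the SSID, the password protecting the .p12, and the com.example.* identifiers.
set -u

# Owner of /dev/console is the logged-in GUI user (macOS only).
console_user() { /usr/bin/stat -f '%Su' /dev/console; }

# Random 128-bit value laid out like a UUID, using only POSIX tools.
gen_uuid() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F' |
    sed -E 's/^(.{8})(.{4})(.{4})(.{4})(.{12})$/\1-\2-\3-\4-\5/'
}

# Escape the characters that would break (or inject into) the plist XML.
xml_escape() { printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'; }

# build_profile USER P12_PATH OUT_PATH SSID P12_PASSWORD
# Writes a Configuration profile containing a PKCS#12 payload plus a Wi-Fi payload
# that selects that identity for EAP-TLS (EAP type 13).
build_profile() {
  local user="$1" p12="$2" out="$3" ssid p12pw cert_b64 cert_uuid wifi_uuid prof_uuid
  case "$user" in
    ''|*[!A-Za-z0-9._-]*) echo "refusing unsafe user name: $user" >&2; return 1 ;;
  esac
  [ -r "$p12" ] || { echo "identity not found: $p12" >&2; return 1; }
  ssid=$(xml_escape "$4"); p12pw=$(xml_escape "$5")
  cert_b64=$(base64 < "$p12" | tr -d '\n')   # <data> accepts unwrapped base64
  cert_uuid=$(gen_uuid); wifi_uuid=$(gen_uuid); prof_uuid=$(gen_uuid)
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadIdentifier</key><string>com.example.wifi.identity.$user</string>
      <key>PayloadUUID</key><string>$cert_uuid</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>802.1X identity for $user</string>
      <key>Password</key><string>$p12pw</string>
      <key>PayloadContent</key><data>$cert_b64</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.wifi.network.$user</string>
      <key>PayloadUUID</key><string>$wifi_uuid</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>$ssid</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>PayloadCertificateUUID</key><string>$cert_uuid</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
        <key>UserName</key><string>$user</string>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.wifi.profile.$user</string>
  <key>PayloadUUID</key><string>$prof_uuid</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Campus Wi-Fi ($user)</string>
</dict>
</plist>
EOF
}

# Install as root; the management agent, not the user, holds the privilege.
install_profile() {
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  /usr/bin/profiles -I -F "$1"
}

main() {
  local user p12 tmpdir out rc
  user=$(console_user)
  p12="/Users/$user/Library/Application Support/XpressConnect/$user.p12"  # hypothetical
  umask 077                                      # the profile embeds the .p12 and its password
  tmpdir=$(mktemp -d /private/tmp/wifi.XXXXXX)   # root-only scratch dir
  out="$tmpdir/wifi-$user.mobileconfig"
  build_profile "$user" "$p12" "$out" "CampusWiFi" "p12-password-here" && install_profile "$out"
  rc=$?
  rm -rf "$tmpdir"                               # never leave the identity + password on disk
  return $rc
}

# Only perform the install when executed directly with --run (e.g. from a policy).
if [ "${1:-}" = "--run" ]; then main; exit $?; fi
```

Two things to keep in mind if you go this way. The generated file contains the user's private key and the password that unlocks it, which is why it is written under a 0700 scratch directory and deleted right after the install attempt rather than dropped in /private/tmp for anyone to read. And `profiles -I -F` only works non-interactively on the macOS versions this thread is about; from macOS 11 on, the `profiles` tool can no longer install configuration profiles at all, so on current systems the script could only stage the file for the user to approve in System Preferences, or the profile has to come down through MDM.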

JPDyson
Valued Contributor

My guess is that this app is actually using SCEP to get a user cert from the server and use it for auth (802.1X) in the WiFi payload. Can you use the SCEP payload to pull the user cert?