Install User Certificates

New Contributor

Hi all,

I ahve been asked to deploy user certificates to all the mac users and i have no idea how to achive this. I tried creating a configuration profile with AD playload and it wont get installed at all. If i download and installs that manually it works fine. I tried creating a PKG but that won't install the configuration profile, assuming it is getting installed with local account and not user accout.

Any help would be greatly appreciated.



New Contributor III

Configuration Profiles > Your Cert Profile > General > Level .. Is that set to user level?

Also the user may need a Domain Kerberos ticket to authenticate against the domain CA.

Hope that helps.

Contributor III

Hi @sumit.batra

A user level configuration profile as @Key1 said will work,
one downside of that approach is that the user needs to login before it will to happen,
please correct me if i'm wrong, i may be !

I opted to package the certificate then install it using a script at the user level as it can be deployed quicker.

username=$( stat -f%Su /dev/console )

if [ $username == "root" ]; then

echo "Non AD user - $username - stopping script"


echo "attempting to install certificate to $username keychain"

security add-trusted-cert -d -r trustAsRoot -k "/Users/$username/Library/Keychains/login.keychain" "/private/var/tmp/"

#Check cert is installed


if [[ `security find-certificate -c "$cert_name" $desired_keychain 2>/dev/null` ]]; then

echo "installed $cert_name to $username keychain"


echo "certificate not installed"

    exit 1


New Contributor


We are trying to deploy user certificate. Which means each and every user would have its own certificate not just installing a common caertificate in user profile. Hope this makes this clear.


New Contributor III

@May Yup i made mine local as well but as i need a enrolment per user i used a standalone mobileconfig profile which has a bunch of benefits, not tied to a MDM profile, checking for expiry by script, checking for profile by script, checking for pre-req by script (CA contactable etc.).

Also installing it as a launchagent runs it as the logged in user and you can install .mobileconfig using the Profiles binary (i.e. Profiles -I -F <path to file>.

New Contributor


As i am a newbie, need some more guidance. I am able to manualy run the downloaded .mobileconfig but when i try to deploy thru casper it fails. You wrote : "Also installing it as a launchagent runs it as the logged in user and you can install .mobileconfig using the Profiles binary (i.e. Profiles -I -F <path to file>."

Would appreciate if you can guide me thru how to deploy .mobileconfig file with logged in user.

Thanks in Anticipation.

Contributor III

Thanks @Key1, yours sounds like a good approach,
is it the profiles -I -F command that installs the cert into the users keychain or is it something set in the .mobileconfig that makes it user level ?

Contributor III


The approach i use to install .mobileconfig profiles is:

• Create the .mobileconfig See what @Key1 response is, i'm assuming that you set it to install at the user level when creating the mobileconfig, not with the profiles command
(if you create it on the JSS from a downloaded configuration profile you will get errors in the JSS inventory logs to do with the configuration not being recognized, this does not stop it working, it's just extra noise on the JSS)
If you do take this approach you can stop the error logs by deleting the record from the JSS database See the steps at the bottom of this page

• Put the .mobileconfig in a location to package it from, i use /private/var/tmp and change the permissions to match, then drag it to Composer
• Add a postinstall script in Composer, this will use the profile command to instal the .mobileconfig (you could also include a check before to exit if the .mobileconfig is already installed)
• Create the pkg and upload to the JSS
• Create your policy to install the pkg on your machines

Here's my postinstall script for a vpn settings mobileconfig, it has a check to see if the network connection already exists before the install.

## postinstall


#Check if VPN connection already exists, delete config and exit if it does
vpn=$( system_profiler SPNetworkLocationDataType | grep RemoteAddress: )

if [[ $vpn == *""* ]]; then

echo "connection already exists"

rm /private/var/tmp/VPN_Connection.mobileconfig

exit 0


#install then delete config from /tmp
echo "no VPN connection - installing connection profile"

/usr/bin/profiles -I -F /private/var/tmp/VPN_Connection.mobileconfig

rm /private/var/tmp/SonicWALL_VPN_Connection.mobileconfig


exit 0      ## Success
exit 1      ## Failure

Or you can use the script approach instead of mobileconfigs, the first script i posted has the command for installing a certificate at the user level, you could combine this with an EA to make sure all users have the cert installed.

Release Candidate Programs Tester

@sumit.batra You should be able to do this via a user profile, if the certs are being requested from something like a windows CA.

You can then use variables in the profile payload to get a profile unique to that user.

New Contributor III

Hi guys,

I was also trying to install profile manually and using the terminal command.
I exported the conf. profile from Casper, packaged it and the used the command "/usr/bin/profiles -I -F /private/var/tmp/profile.mobileconfig"

When checking the error logs the script always tries to gather AD certificate from PKI server with root user and fails. If I use command like "sudo su - $3 -c "profiles -I -F /private/var/tmp/profile.mobileconfig" " then Configuration Manager Tool will prompt the user for the password. Even if I put the policy to run at Log-in it is always the same.

Is it possible to install the Profile in user context without the prompt for user's password? I am not much in launch agents so i would not know how to even start with configuring that out.


New Contributor II

Hi everyone,

I'm tasked with something similar. This is related to VPN. Ideally what's requested is that a user certificate be pulled/fetched and stored in keychain.

The end goal is that when a user VPNs to the network, the network recognizes the user cert and populates the user's network ID in the username field.

Here's my ask. What script would I use to pull this off. Second, how would I set up a user profile to confirm or verify each user against the user certificate, pending it can be pulled from the AD and stored in keychain.

Any help that anyone can provide would be a huge help.

Thanks all. WMJ