I have been asked to deploy user certificates to all the Mac users and I have no idea how to achieve this. I tried creating a configuration profile with an AD payload and it won't get installed at all. If I download and install that manually it works fine. I tried creating a PKG but that won't install the configuration profile, assuming it is getting installed with the local account and not the user account.
Any help would be greatly appreciated.
Configuration Profiles > Your Cert Profile > General > Level .. Is that set to user level?
Also the user may need a Domain Kerberos ticket to authenticate against the domain CA.
Hope that helps.
A user level configuration profile, as @Key1 said, will work;
one downside of that approach is that the user needs to log in before it will happen.
Please correct me if I'm wrong, I may be!
I opted to package the certificate then install it using a script at the user level as it can be deployed quicker.
```sh
#!/bin/sh
# Install a certificate into the console user's login keychain and verify it landed.
username=$( stat -f%Su /dev/console )
if [ "$username" = "root" ]; then
    echo "Non AD user - $username - stopping script"
    exit 0
else
    echo "attempting to install certificate to $username keychain"
    security add-trusted-cert -d -r trustAsRoot -k "/Users/$username/Library/Keychains/login.keychain" "/private/var/tmp/YOURSERVER.domain.com.cer"
    # Check cert is installed
    cert_name="YOURSERVER.domain.com"
    desired_keychain="/Users/$username/Library/Keychains/login.keychain"
    if security find-certificate -c "$cert_name" "$desired_keychain" >/dev/null 2>&1; then
        echo "installed $cert_name to $username keychain"
    else
        echo "certificate not installed"
        exit 1
    fi
fi
```
@May Yup, I made mine local as well, but as I need an enrolment per user I used a standalone mobileconfig profile, which has a bunch of benefits: not tied to an MDM profile, checking for expiry by script, checking for the profile by script, checking for pre-reqs by script (CA contactable etc.).
Also, installing it as a LaunchAgent runs it as the logged-in user, and you can install a .mobileconfig using the profiles binary (i.e. profiles -I -F <path to file>).
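Following up on the LaunchAgent remark, here is an added example (not the poster's code) of a per-user LaunchAgent whose script checks the `profiles -L` listing for the profile identifier and installs the .mobileconfig only when it is missing, so the install happens in the user's session rather than as root. The identifier, profile path and agent label are placeholders.

```shell
#!/bin/sh
# Added example: LaunchAgent-driven per-user install of a .mobileconfig.
# PROFILE_ID, PROFILE_PATH and AGENT_LABEL are placeholders, not values from the thread.
PROFILE_ID="com.example.vpn.placeholder"
PROFILE_PATH="/private/var/tmp/VPN_Connection.mobileconfig"
AGENT_LABEL="com.example.installprofile"

# Returns 0 when identifier $1 appears in a `profiles -L` listing read from stdin.
# Each listing line looks like: <user>[n] attribute: profileIdentifier: <id>
# Anchoring on end-of-line stops com.example.vpn matching com.example.vpn.placeholder.
profile_in_listing() {
    grep -q "profileIdentifier: $1\$"
}

# Emit a LaunchAgent plist ($1 = label, $2 = script path). launchd runs the script
# at each login as the logging-in user, so no root-to-user switch or prompt is needed.
launch_agent_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>$1</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>$2</string><string>agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

# What the agent runs inside the user's session: skip if already present, else install.
install_if_missing() {
    if /usr/bin/profiles -L | profile_in_listing "$PROFILE_ID"; then
        echo "$PROFILE_ID already installed for $(id -un)"
        return 0
    fi
    [ -r "$PROFILE_PATH" ] || { echo "missing $PROFILE_PATH"; return 1; }
    /usr/bin/profiles -I -F "$PROFILE_PATH"
}

case "${1:-}" in
    agent) install_if_missing ;;
    plist) launch_agent_plist "$AGENT_LABEL" "$0" ;;
esac
```

Run the script with `plist` to emit the agent for ~/Library/LaunchAgents, which then calls the same script in `agent` mode at login. On macOS 11 and later the profiles tool can no longer install configuration profiles at all, so this only applies to the older releases this thread is about.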
As I am a newbie, I need some more guidance. I am able to manually run the downloaded .mobileconfig, but when I try to deploy through Casper it fails. You wrote: "Also installing it as a launchagent runs it as the logged in user and you can install .mobileconfig using the Profiles binary (i.e. Profiles -I -F <path to file>)."
I would appreciate it if you could guide me through how to deploy a .mobileconfig file as the logged-in user.
Thanks in anticipation.
The approach I use to install .mobileconfig profiles is:
• Create the .mobileconfig
See what @Key1's response is; I'm assuming that you set it to install at the user level when creating the mobileconfig, not with the profiles command
(if you create it on the JSS from a downloaded configuration profile you will get errors in the JSS inventory logs to do with the configuration not being recognised; this does not stop it working, it's just extra noise on the JSS).
If you do take this approach you can stop the error logs by deleting the record from the JSS database. See the steps at the bottom of this page.
• Put the .mobileconfig in a location to package it from; I use /private/var/tmp and change the permissions to match, then drag it to Composer.
• Add a postinstall script in Composer; this will use the profiles command to install the .mobileconfig (you could also include a check before to exit if the .mobileconfig is already installed).
• Create the pkg and upload to the JSS
• Create your policy to install the pkg on your machines
Here's my postinstall script for a VPN settings mobileconfig; it has a check to see if the network connection already exists before the install.
```sh
#!/bin/sh
## postinstall
# Composer passes these four arguments to every postinstall script.
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
# One path for both the install and the cleanup so the removed file always matches the installed one.
config="/private/var/tmp/VPN_Connection.mobileconfig"

# Check if VPN connection already exists, delete config and exit if it does
vpn=$( system_profiler SPNetworkLocationDataType | grep RemoteAddress: )
case "$vpn" in
    *"vpn.ourcompany.com"*)
        echo "connection already exists"
        rm -f "$config"
        exit 0  ## Success
        ;;
esac

# Install, then delete config from /tmp
echo "no VPN connection - installing connection profile"
if /usr/bin/profiles -I -F "$config"; then
    rm -f "$config"
    exit 0  ## Success
else
    rm -f "$config"
    exit 1  ## Failure
fi
```
Or you can use the script approach instead of mobileconfigs; the first script I posted has the command for installing a certificate at the user level, and you could combine this with an EA to make sure all users have the cert installed.
I was also trying to install the profile manually and using the terminal command.
I exported the conf. profile from Casper, packaged it and then used the command "/usr/bin/profiles -I -F /private/var/tmp/profile.mobileconfig".
When checking the error logs, the script always tries to gather the AD certificate from the PKI server as the root user and fails. If I use a command like "sudo su - $3 -c "profiles -I -F /private/var/tmp/profile.mobileconfig" " then the Configuration Manager Tool will prompt the user for the password. Even if I set the policy to run at login it is always the same.
Is it possible to install the profile in user context without the prompt for the user's password? I am not much into launch agents, so I would not know how to even start with configuring that.
I'm tasked with something similar. This is related to VPN. Ideally what's requested is that a user certificate be pulled/fetched and stored in keychain.
The end goal is that when a user VPNs to the network, the network recognizes the user cert and populates the user's network ID in the username field.
Here's my ask. What script would I use to pull this off? Second, how would I set up a user profile to confirm or verify each user against the user certificate, pending it can be pulled from AD and stored in the keychain.
Any help that anyone can provide would be a huge help.
Thanks all. WMJ