Posted on 01-17-2019 03:21 PM
All,
I'd like to install our wireless certificate on a group of managed MacBooks. The certificate is a valid third-party certificate and is required to connect to our 802.1x Wi-Fi. I'd also like to set the trust settings so the user doesn't get prompted. (The users will not be admins on the machine, so they can't trust the cert.)
I tried using Configuration Profiles in Jamf to deliver the certificate, the intermediate, and the root. That works, but the user gets prompted each time they connect, as the trust settings are default.
I found some articles on this site suggesting to do this task with a Composer package instead and using the 'add-trusted-cert' command.
My question is:
1. Is using a package still the best way to install a certificate with trust? Or is there a better way? I've never used Composer, so I'll have to gain some skills.
2. Is this normal behavior for a Mac to not trust a trusted third-party certificate? I've always thought this was odd as we are already using this certificate for our BYOD Wi-Fi and users (who own their device and have admin rights) get prompted to change the trust setting when they first connect.
Thanks.
Posted on 01-17-2019 08:44 PM
Make sure in your network payload - Trust - under trusted certificates - tick your intermediate, root etc.
Obviously, before you do this, you need to also have the certificate payload with your certificate chain.
Posted on 01-18-2019 02:31 AM
We download the certificate with 'curl ...', and then install it with '/usr/bin/security add-trusted-cert ...'.
Posted on 01-18-2019 05:03 AM
Is the root cert part of the default trust store (is there a copy of it in the System keychain folder)? If so, all you should need to deploy via a config profile is the cert...the rest should take care of itself.
Posted on 01-18-2019 10:09 AM
Make sure in your network payload - Trust - under trusted certificates - tick your intermediate, root etc. Obviously, before you do this, you need to also have the certificate payload with your certificate chain.
Thanks for all the replies. I tried this and it's working, but the problem I'm having is the Wi-Fi Network name gets put on the bottom of the Wi-Fi list on the computer. That won't work in my environment because I want these users to use the Wi-Fi I'm adding by default.
Posted on 01-18-2019 10:22 AM
Is the root cert part of the default trust store (is there a copy of it in the System keychain folder)? If so, all you should need to deploy via a config profile is the cert...the rest should take care of itself.
I noticed that the certificates I'm installing (cert, int, and root) via Configuration Profiles are all going into the system container. It's a DigiCert RapidSSL and it's not in the root by default. I tried to manually add it and got a message that you can't add root certs, you can only change trust levels.
Posted on 01-18-2019 10:41 AM
We download the certificate with 'curl ...', and then install it with '/usr/bin/security add-trusted-cert ...'.
I tried this manually. I logged in to the MacBook as an admin, added the certificate, and trusted it. I logged back in as a standard user and was able to connect to the Wi-Fi perfectly.
I'm just going to have to get some more skills, as I've never made a package.
Posted on 01-18-2019 02:15 PM
So I ended up using a script with cURL and applied it in policy. Works great.
Posted on 01-18-2019 06:28 PM
I would rather download the certificate and upload it to Jamf as part of the certificate payload than use curl.
Posted on 08-10-2019 01:33 PM
I'm working with this and wondering why I can't set trust settings right in the Certificate Payload section? That seems like the best place for it.
Posted on 08-21-2019 08:18 PM
Is this the only way to trust the certificate on macOS (using a script), other than actually pushing out a Wireless Payload (which I don't want to do)?
Posted on 04-08-2021 10:27 PM
Can anyone share the script to do this? I'm having some trouble with Composer.