We are looking into securing our wifi access with certificates (802.1x). From my reading I believe I am prepared for this on the Mac side, but am trying to figure out how I am going to do the iOS side of things.
Today on our Macs each one has the root CA installed on it to recognize our Windows Enterprise CA. I then use NoMAD with the AD username and password to request a certificate from the CA. This seems to work fine and we are using it today for VPN access. From what I have read on the subject this should work for WiFi as well as long as the user is logged in, which the user has to be to decrypt the drive anyways. We are not using any of the Jamf config profiles/policies to do any of this besides push the root CA since our Macs are not domain bound.
I am a little confused on iOS on how to do this. I have read various things about setting up a SCEP proxy, SCEP configuration profile, wifi certificates, etc. within Jamf, but really was unable to find a best practices document on how to best accomplish this. I did read some things about using Jamf as a SCEP proxy, which might be fine, but we have the Jamf cloud so there is no access into our network to the Windows CA server. My plan is to get all of our corporate devices(iOS) in a supervised state and enrolled in Jamf so we are able to push any type of config profile needed. Does anyone have experience with this on the iOS side and how to best do this?
I would look into embedding all three certificates into the WiFi configuration profile. CA, Trust, and 802.1x. Then on the WiFi payload you need to check the boxes to Trust these three certs. That is how the network person has it set up here for our iOS devices. We do not have a SCEP server. Users are prompted for their AD logins when they choose the WiFi profile.