Posted on 02-23-2022 06:54 AM
Our SOP dictates that we need to have DUO running on all of our client machines. This is no problem for our iMacs that are connected via ethernet, but I have not figured out how to do this on MacBooks that only connect to WIFI. We are using Nomad to authenticate to mobile accounts on our domain. Is anyone aware of a way to set WIFI up to be available before login? If possible, I would like for it to use the primary user's WIFI credentials to connect, but I understand that this is more than likely not possible as they have not authenticated yet. If we need to use a special account to store the credentials, I believe we could make that work in our environment.
Posted on 02-23-2022 07:40 AM
A service account or using certificate services for wifi authentication are pretty much your options. Since the SIP implementation, it does not seem like any of our wifi certs are applying system wide, meaning they seem to be in the user space that would not be active at the login screen. This could be something in our certs specifically, so maybe your mileage will vary.
Posted on 02-23-2022 07:59 AM
To expand on @jpeters21's comment, you'll need a System Mode profile (Jamf calls this "Computer Level") using a supported credential for WiFi.
https://support.apple.com/guide/deployment/wi-fi-settings-dep168e876c9/1/web/1.0
It is not uncommon for orgs to use user certificates for authentication but you'll need a System Mode profile to be active at Login Window.
There is a Login Window Mode that can be used in this scenario, but it requires AD binding, and as of right now that is, hard stop, going to break this summer.
Posted on 02-23-2022 12:55 PM
@Kaltsas, if Jamf with Azure and AD CS, I think it could be accomplished without binding... well, I should say I hope so, as that is the road I am currently traveling down right now.
Posted on 02-23-2022 01:38 PM
Yeah, you can build a system mode network profile to use a certificate obtained via the ADCS connector. That would be my recommendation. Plus then you've got a cert in the system keychain you could leverage for other services if required (VPN perhaps).