Preparing for JAMF and radius clients with 90 day (then 10 day) certificates coming

chlaird
Contributor

Hello, I'm hoping someone else can guide me towards a better workflow for wireless radius certificates and JAMF. Our current process is that once a year, we renew our radius certificate (publicly signed) and add it to a certificate payload configuration profile a week before the old one expires. We email all our employees and students to let them know that at some point, their phones and some Macs will prompt with a popup to trust the new certificate.

But, with it being a near certainty that Google will soon require 90 day max certificates, followed by probably 10 day certificates, we'll need to find a way to fully automate the process so that wireless continues to work. We should be able to ACME to renew the radius certificate itself, and then presumably use the JAMF API to move the certificate to JAMF and configure anything that needs it.

Does anyone already have this running in a non-painful way? If so, will your process work for 90 day certs, and are you willing to share it? Or, does it sound like I'm doing something wrong already, and are you willing to share what I'm doing wrong? I'm still trying to wrap my head around how this will impact wireless for both managed and unmanaged Apple devices in a BYOD environment.


bwoods
Valued Contributor

We put the root of the radius server in our network payload so that we don't have to do this every year. It gives us a nice 12 years. Our root is a DigiCert though.

Take a look at the issuer of your radius cert to find this information.
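Added example, not written by either poster: a local openssl sketch of why anchoring trust on the issuing root survives short-lived renewals while a pinned server certificate does not. The CA, the `radius.example.test` subject, the lifetimes and all file names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: every subject name, lifetime and path here is made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# Long-lived root: stands in for the CA certificate placed in the profile.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 4380 -config "$WORK/ca.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# issue_leaf NAME DAYS: a short-lived RADIUS server cert signed by that root.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=radius.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days "$2" -extfile "$WORK/leaf.ext" -out "$WORK/$1.pem" 2>/dev/null
}

issuer_of()      { openssl x509 -in "$1" -noout -issuer; }
fingerprint()    { openssl x509 -in "$1" -noout -fingerprint -sha256; }
chains_to_root() { openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1; }

issue_leaf old 90   # certificate in service today
issue_leaf new 90   # its automated renewal

# Fingerprints differ (a pinned leaf breaks); issuer and chain check do not.
for c in old new; do
  issuer_of "$WORK/$c.pem"
  fingerprint "$WORK/$c.pem"
  chains_to_root "$WORK/$c.pem" && echo "$c: chains to the trusted root"
done
```

Running `issuer_of` against the certificate your RADIUS server actually presents shows which CA would need to be in the profile.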