Pushing 802.1x profiles at imaging

rlandgraf
Contributor

This summer we are switching our wireless network over to 802.1x that requires a certificate to connect. I am wondering if anyone out there has a way that I can push out a wireless profile to these machines at imaging time. We have a bunch of MacBook Airs that we are imaging using Thunderbolt and need them to just be able to connect to the wireless when rebooted after imaging, without connecting them to a wired network first. I have created a Configuration Profile that works fine, but only if they are on the network already to see this.

Any suggestions would be greatly appreciated. Thanks for your help.
Rob

8 REPLIES

mm2270
Legendary Contributor III

I can't give you the specifics, but you can script it to install the profiles after initial imaging.
Two options you should look at are the 'profiles' command (man profiles in Terminal) or 'networksetup' (networksetup -import8021xProfiles).

One of those should allow you to install your profile. Just have the config profile dropped to the Mac to a specific location at imaging, then on reboot run a script to install it. No need for a network connection to be active to do that.
We do something similar to this with our systems and our 802.1x Wi-Fi profile.

Does that help?

cbrewer
Valued Contributor II

I'm doing this for both 10.6 and 10.7. For Lion, I have a package that drops the mobileconfig profile file into /var/tmp. After that, I run the following script...

#!/bin/sh

# Find the Wi-Fi device name and remember its current power state
wifiport=$(/usr/sbin/networksetup -listallhardwareports | grep -A 1 Wi-Fi | grep Device | awk '{print $2}')
powerstatus=$(/usr/sbin/networksetup -getairportpower "$wifiport" | awk '{print $4}')

# Turn Wi-Fi off, import the profile, then restore the previous power state
/usr/sbin/networksetup -setairportpower "$wifiport" off
/usr/bin/profiles -I -F /var/tmp/802.1x_Profile.mobileconfig
/usr/sbin/networksetup -setairportpower "$wifiport" "$powerstatus"

As you can see, profiles -I does the importing of the profile. The rest is just for turning wireless off and back on.

GabeShack
Valued Contributor III

Why not just use a Configuration Profile for the Lion clients? You can attach the certificate to the profile, set the 802.11x settings and then you can scope the Configuration Profile to the desired machines. However, this only works on Lion clients.

In 10.6 we made an Automator app that installs a saved (exported) profile config for our 802.11x network and then clicks on the OK buttons (system buttons) after selecting Wi-Fi (AirPort) and then throws itself out and deletes the trash when complete.

Gabe Shackney
Princeton Public Schools

rlandgraf
Contributor

@cbrewer that works for the most part, but what did you use to create the .mobileconfig file? I need it to be a system setting, not a user setting, and Configurator and IPCU will only let you set it as a user setting. Thanks again.

@gshackney I can't do it as a configuration profile because in order to get that setting you must already be on the network.

cbrewer
Valued Contributor II

Taken from a previous post...

If you want system or login mode profiles, you must create them with Profile Manager from 10.7 Server or manually hack up an IPCU mobileconfig file.

To get system to work with an IPCU mobileconfig, create a working “user” profile and add the following items:

Starting with the line immediately below the SSID_STR key’s "<string>" value, add this:

<key>SetupModes</key>
<array>
<string>System</string>
</array>

Insert these lines immediately above the bottom-most "<key>PayloadType</key>" line:

<key>PayloadScope</key>
<string>System</string>
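
The hand edit described in the post above, done programmatically so it is repeatable across profile revisions. This is an added example, not code from the thread; the sample profile and its identifiers are constructed, and locating the Wi-Fi payload by the presence of SSID_STR is an assumption.

```python
import plistlib

# Constructed sample: a minimal user-mode profile with one Wi-Fi payload.
# It omits the UUIDs and EAP settings a real export would carry.
SAMPLE = plistlib.dumps({
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "com.example.wifi",
        "SSID_STR": "Example-8021X",
        "EncryptionType": "WPA",
    }],
    "PayloadDisplayName": "802.1x Profile (constructed sample)",
    "PayloadIdentifier": "com.example.profile",
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
}, sort_keys=False)


def make_system_profile(data: bytes) -> bytes:
    """Return the profile with SetupModes and PayloadScope set to System."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:
        # A signed or encrypted export is not a plain plist and cannot be
        # edited this way.
        raise ValueError("not a plain XML/binary plist") from exc

    wifi_payloads = [p for p in profile.get("PayloadContent", [])
                     if isinstance(p, dict) and "SSID_STR" in p]
    if not wifi_payloads:
        raise ValueError("no payload containing SSID_STR")

    for payload in wifi_payloads:
        modes = payload.setdefault("SetupModes", [])
        if "System" not in modes:      # idempotent on repeated runs
            modes.append("System")

    profile["PayloadScope"] = "System"  # top-level key, beside PayloadType
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)


if __name__ == "__main__":
    print(make_system_profile(SAMPLE).decode())
```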

rlandgraf
Contributor

@cbrewer Thank you for the help, it works great now!

bentoms
Release Candidate Programs Tester

GabeShack
Valued Contributor III

Sorry, we had a way to do this with physical connections for those machines by setting up a specific internal network, then plugging in and then waiting for the profile to push. Might work with Thunderbolt to Gigabit adapters or the Thunderbolt Display also connected, since then the profile pushes and then joins the 802.11x network automatically based on the profile that pushed through the wired connection.

Gabe Shackney
Princeton Public Schools