Pushing Profiles to Macintosh to do AD computer authentication

aravikumar
New Contributor

Hi All,

Can we use Jamf Pro to do computer authentication (PEAP) with ISE using Active Directory for Macintosh Endpoints? Is there any KB or article to perform this?

Thanks,

Aravind.

5 REPLIES

cnorrisAdmin
New Contributor III

Hi Aravind,
These might be helpful:
OS X Mavericks: Using advanced Active Directory options in a configuration profile
https://support.apple.com/en-us/HT202834

Working for Apples: A Windows Administrator's Guide to Serving Macs
http://www.peachpit.com/articles/article.aspx?p=430214&seqNum=2

Best Practices for Integrating OS X with Active Directory
http://www.enpointe.com/images/pdf/Integrating-OS-X-with-Active-Directory.pdf

Chris

aravikumar
New Contributor

Hi Chris,

Thank you for your response. Can you please provide an article on pushing a network config profile to Macs to do PEAP computer authentication using JAMF? I could not find any articles. This PDF, http://www.enpointe.com/images/pdf/Integrating-OS-X-with-Active-Directory.pdf, says that there is a way to do this using JAMF software.

Thanks and Regards,

Aravind Ravikumar.

KSchroeder
Contributor

Yes, this can be done. Where it can get complicated is if you need to use per-computer certificates (complicated), or a single certificate (easier). If you have a .PFX file, you can upload it into a "Certificate" payload in a Configuration Profile (set to Computer scoping), then configure the Network payload with the TLS Protocol, and select the Certificate uploaded in the Identity Certificate selection.

If you need per-computer certificates, it is a bit more complicated as you need to configure the AD Certificate payload, and set the Username to $COMPUTERNAME (err, something like that).

Please use the search here in JN; there are other posts about how to do this that explain it in more of a step-by-step process.

KSchroeder
Contributor

https://www.jamf.com/jamf-nation/discussions/27058/eap-tls-certificate-based-wifi-authentication#responseChild160581 for one example.

cleverleys
Contributor

Hi, I agree with @KSchroeder; this is exactly what we have done, with a single certificate.
Mac devices are bound to AD and the AD object is added to a Wireless security group that is part of our RADIUS setup.

Then in Jamf, create a wireless profile, specify the SSID and use computer-based authentication, specifying PEAP / TLS etc., making sure that WPA2 Enterprise, or Enterprise ANY, is used. Then specify your uploaded certificate, scope it out and you should be good to go.
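The single-certificate setup described in the replies above (a Certificate payload holding the .PFX, plus a Network payload set to WPA2 Enterprise and TLS that points at it as the identity), sketched as an added example that is not from the thread or from Jamf. The SSID, the `com.example` identifiers, the RADIUS server name, the password and the PFX bytes are constructed placeholders, and the `TLSTrustedServerNames` entry is an addition the posts do not mention.

```python
import plistlib
import uuid

EAP_TLS = 13  # EAP method number for EAP-TLS (PEAP would be 25)


def _payload(ptype, ident, name, **keys):
    """Common keys every payload carries, plus the type-specific ones."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": ident, "PayloadDisplayName": name,
            "PayloadUUID": str(uuid.uuid4()).upper(), **keys}


def build_wifi_profile(ssid, pfx_bytes, pfx_password, radius_names,
                       org_id="com.example"):  # org_id: placeholder prefix
    """Return plist bytes for a computer-level EAP-TLS Wi-Fi profile."""
    # Certificate payload: the uploaded .PFX (PKCS#12) identity.
    cert = _payload("com.apple.security.pkcs12", f"{org_id}.wifi.identity",
                    "Wi-Fi identity certificate",
                    PayloadContent=pfx_bytes, Password=pfx_password)
    # Network payload: WPA2 Enterprise, TLS, identity = the certificate above.
    wifi = _payload("com.apple.wifi.managed", f"{org_id}.wifi.network",
                    f"Wi-Fi ({ssid})",
                    SSID_STR=ssid, AutoJoin=True, EncryptionType="WPA2",
                    SetupModes=["System"],  # authenticate as the computer
                    PayloadCertificateUUID=cert["PayloadUUID"],
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],
                        # Only accept these RADIUS server certificate names.
                        "TLSTrustedServerNames": list(radius_names)})
    profile = _payload("Configuration", f"{org_id}.wifi", "Corporate Wi-Fi",
                       PayloadScope="System", PayloadContent=[cert, wifi])
    return plistlib.dumps(profile)


def identity_is_linked(profile_bytes):
    """True if the Wi-Fi payload's identity UUID names a PKCS#12 payload."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    certs = {p["PayloadUUID"] for p in payloads
             if p["PayloadType"] == "com.apple.security.pkcs12"}
    return all(p.get("PayloadCertificateUUID") in certs for p in payloads
               if p["PayloadType"] == "com.apple.wifi.managed")


if __name__ == "__main__":
    # Constructed sample input: placeholder bytes, not a real PKCS#12 file.
    data = build_wifi_profile("CorpWiFi", b"\x30\x82placeholder", "changeit",
                              ["radius.example.com"])
    print(identity_is_linked(data), len(data))
```

The output is a `.mobileconfig`-style property list; `identity_is_linked` is a quick check that the Network payload's identity reference resolves to the certificate payload in the same profile.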