Posted on 04-14-2023 09:45 AM
We are retooling our 802.1x and Network profiles in response to some forthcoming network changes in ISE/RADIUS. We are reevaluating all our payloads and settings.
When configuring SCEP payloads, one of the options for both iOS and Mac is the Subject Alternative Name.
Jamf recommends the RFC 822 type on Mac (not the DNS type), and they recommend leaving the RFC 822 Subject Alt Name BLANK on iOS. See links below.
However, we have been using DNS type on both platforms for a couple of years - per a Jamf tech’s recommendation when we first set up 802.1x. We dont recall why. Examples: $COMPUTERNAME.my.domain and $DEVICENAME.my.domain.
Any ideas on why Jamf recommends RFC 822 type?
Thus far, using DNS type doesn’t seem to affect us in production, How do you all have your SCEP Subject Alt Name set?
Any ideas on why the Subject Alt Name should be blank on iOS?
Background: We are using our on-prem JSS as a SCEP proxy to our MS Windows NDES server. We use Cisco ISE for RADIUS.
For Reference, Jamf says “Important: Do not configure the iOS Subject Name Alternative Value field.” here: https://docs.jamf.com/technical-papers/jamf-pro/8021x/10.0.0/Distributing_802.1X_Settings_to_Mobile_...
And Jamf recommends 822 type on Macs here:
https://docs.jamf.com/technical-papers/jamf-pro/8021x/10.0.0/Distributing_802.1X_Settings_to_Compute...