Posted on 04-07-2016 09:15 AM
Hello!
I'm still a beginner at bash and have been struggling to find the commands I need to write a script.
The script needs to add an SSID to the Preferred Networks list using WPA2 Enterprise with Mode: EAP-TLS and Identity: User Name.
I can get the SSID on the list with WPA2 Enterprise using
networksetup -addpreferredwirelessnetworkatindex <device name> <network> <index> <security type>
What do I need to get Mode: EAP-TLS and select a certificate previously loaded in the Keychain with a standard format of "User Name"?
Posted on 04-07-2016 12:32 PM
Hi @cassielevett You need to use the security set-identity-preference function for this. It's not the easiest thing to do. I only know because we also use a separate Identity (cert + private key) deployed down from a CMS server and needed to find a way to associate the SSID to that identity, that way when Wi-Fi was turned on and the SSID was selected by the end user they didn't need to go through the steps to get the cert and SSID associated. It would just connect (mostly). We also aren't using a Config Profile for this, so it made things a little more complicated.
Here's a snippet of the code we use.
security set-identity-preference -n -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>"
security set-identity-preference -c "$loggedInUser" -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>" /Users/$loggedInUser/Library/Keychains/login.keychain
The above is only a small portion of the script. You need to replace the <ssid_name> with the name of your SSID, and $loggedInUser is also captured separately in the script and is, of course, the currently logged-in username.
Hopefully that helps get you on the right track.
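Putting the two halves of this thread together, here is an added example script (not code from the thread or from Apple) that adds the SSID to the preferred list with networksetup, as in the question, and then binds the keychain identity to the SSID with the two security set-identity-preference calls from the answer above. Assumptions: the Wi-Fi interface defaults to en0, the login keychain lives at /Users/<user>/Library/Keychains/login.keychain as in the answer, the identity was already imported into that keychain with a common name equal to the user's short name, and the console user is read from /dev/console. The pure helper functions run anywhere; the configure_ssid step only runs on macOS and only when an SSID is passed on the command line.

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumes: Wi-Fi interface en0,
# login keychain at /Users/<user>/Library/Keychains/login.keychain, and an
# identity already imported there whose common name is the user's short name.
set -eu

# Service name the EAP client looks up for a given SSID (pattern from the answer).
eap_service_name() {
    printf 'com.apple.network.eap.user.identity.wlan.ssid.%s\n' "$1"
}

# Path of the login keychain for a given short username (path from the answer).
login_keychain_path() {
    printf '/Users/%s/Library/Keychains/login.keychain\n' "$1"
}

# Reject empty SSIDs and SSIDs containing a newline, which would corrupt the
# service string passed to security(1).
valid_ssid() {
    nl='
'
    [ -n "$1" ] || return 1
    case "$1" in *"$nl"*) return 1 ;; esac
    return 0
}

# Short name of the user currently at the console (macOS only).
console_user() {
    stat -f '%Su' /dev/console
}

# Add the SSID as WPA2 Enterprise at the top of the preferred list, then bind
# the user's identity to it in the login keychain and read the binding back.
configure_ssid() {
    ssid=$1
    iface=${2:-en0}
    valid_ssid "$ssid" || { echo "invalid SSID" >&2; return 1; }

    user=$(console_user)
    svc=$(eap_service_name "$ssid")
    kc=$(login_keychain_path "$user")

    networksetup -addpreferredwirelessnetworkatindex "$iface" "$ssid" 0 WPA2E

    # Clear any stale preference for this SSID, then bind the identity by common name.
    security set-identity-preference -n -s "$svc"
    security set-identity-preference -c "$user" -s "$svc" "$kc"

    # Verify: prints the bound certificate's name, or fails if nothing is bound.
    security get-identity-preference -s "$svc" -c
}

# Only act when an SSID is given, e.g.:  sudo sh add_eap_ssid.sh "CorpWiFi" en0
if [ $# -ge 1 ]; then
    configure_ssid "$@"
fi
```

The -n call first clears any existing preference for the service name so a re-run replaces rather than stacks bindings, and the final get-identity-preference acts as the check that the binding landed. When this is run as root from a management framework rather than in the user's session, the later follow-up in this thread reports that writes to the login keychain stopped working on 10.13 and later; the example does not work around that.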
Posted on 04-07-2016 11:10 AM
We are using a config profile with a network payload. It specifies the SSID, EAP/TLS, and to use the AD certificate. In the username field I am using $Username
Posted on 04-07-2016 12:12 PM
Appreciate the reply. Are you using machine certs instead of user certs?
You can only pick the AD option in the Network area if you have the AD Certificate option on. The AD Certificate for user certs has to have a user name and password, but this option isn't viable for us as we have hundreds of users. We prompt the person for credentials. When you prompt the user for credentials it can't be pushed but has to be downloaded. Built-in JAMF options do not appear to be an option for user certs.
Posted on 04-07-2016 01:04 PM
That worked perfectly for what I was trying to do! I'm super excited to go flesh out the script now. Thanks mm2270!
Posted on 04-12-2017 01:44 PM
@cassielevett
I am looking into doing something very similar to what you did. Could you share what you got working?
Posted on 12-19-2018 04:29 PM
@mm2270 Have you had to update your script to allow the security preference to be written to the login keychain in 10.13.x or greater? Regardless of using sudo -iu or launchctl asuser, there has been little success in writing to the login keychain. Writing to the system keychain is not a problem and works, but it bugs me since that preference should be in the login keychain.