Trusting WiFi certs for iPhones



I'm being asked by my networking team to push a cert to our iPhones so our end users don't have to select allow/etc. when joining the network. I have never done this before, but I'm willing to learn, so I asked him to send me the cert, which I uploaded to a config profile in Jamf and pushed to my iPhone, and my phone still asks me to trust the cert.

I don't know anything about certificates and my networking guy isn't much help here - so bear with me. How are you all accomplishing this? Is there more than one cert that needs to get pushed? 

And setting this SSID to auto-join is a whole other obstacle. As best as he could describe our environment, he thinks we're WPA/WPA2 enterprise, he can't tell me what authentication protocol we use, and otherwise had no insight into any of the settings available in Jamf Pro. I'm basically down to clicking and testing at this point.


Honored Contributor

In the spirit of clicking and testing, here's what I'd try. Create a single config profile that contains both the Certificate and WiFi payloads. First upload the cert to the profile, then when you configure WiFi, click on Security Type and choose WPA/WPA2 Enterprise (or whichever type you're using); then you should see the Protocols/Trust tabs. Click on Trust and you should see the cert you uploaded. That's where you can establish the trust. As for the Protocol, you may just have to start with TLS and experiment from there if your network guy isn't helpful.
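
What the single Certificate + WiFi profile from the answer above looks like underneath, as an added example (not part of the original post and not Jamf's own code). It builds the profile and checks that the Wi-Fi payload's trust anchor actually points at a certificate carried in the same profile. The SSID, server name, identifier prefix and certificate bytes are constructed placeholders.

```python
import plistlib
import uuid

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
CA_DER = b"constructed placeholder, not a real DER certificate"

def _payload(ptype, name, **keys):
    pid = str(uuid.uuid4()).upper()
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": pid,
            "PayloadIdentifier": f"com.example.wifi.{pid}",  # hypothetical identifier
            "PayloadDisplayName": name, **keys}

def build_profile(ssid, server_names, ca_der, eap_types):
    """One profile: the CA certificate plus a Wi-Fi payload that anchors trust on it."""
    ca = _payload("com.apple.security.root", "RADIUS CA", PayloadContent=ca_der)
    wifi = _payload(
        "com.apple.wifi.managed", f"Wi-Fi {ssid}",
        SSID_STR=ssid, AutoJoin=True, HIDDEN_NETWORK=False,
        EncryptionType="WPA",  # assumption, from "WPA/WPA2 Enterprise" in the thread
        EAPClientConfiguration={
            # 13 = EAP-TLS (also needs a client identity payload, not shown), 25 = PEAP
            "AcceptEAPTypes": list(eap_types),
            "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # the "Trust" tab choice
            "TLSTrustedServerNames": list(server_names),
        })
    return _payload("Configuration", f"{ssid} Wi-Fi trust", PayloadContent=[ca, wifi])

def trust_findings(profile):
    """Return (ssid, issue) pairs for enterprise Wi-Fi payloads with incomplete trust."""
    payloads = profile["PayloadContent"]
    certs = {p["PayloadUUID"] for p in payloads if p["PayloadType"] in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p["PayloadType"] != "com.apple.wifi.managed" or eap is None:
            continue
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append((p["SSID_STR"], "no trust anchor selected"))
        elif not set(anchors) <= certs:
            findings.append((p["SSID_STR"], "anchor UUID not in this profile"))
        if not eap.get("TLSTrustedServerNames"):
            findings.append((p["SSID_STR"], "no trusted server names"))
    return findings

def demo():
    profile = build_profile("CorpWiFi", ["radius.example.com"], CA_DER, [13])
    return plistlib.loads(plistlib.dumps(profile))  # same XML a .mobileconfig carries
```

A profile that carries the certificate but leaves the anchor list empty is reported as "no trust anchor selected", which corresponds to uploading the cert without selecting it on the Trust tab.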

Valued Contributor

@MikaelDez I didn't know much about certificates either about a year ago until I was tasked with configuring the ADCS connector for 802.1x wireless. I'm going to assume that you all are using 802.1x wireless, so I strongly suggest configuring this. Look at all of the guides online and it will all come together. It will be a project that you have to lead though.

Valued Contributor

1. Request a server to host the ADCS Connector.

2. Make a firewall request for bidirectional communication between your ADCS Server, your CA (internal certificate server) and your Jamf Pro instance.

3. Install the ADCS connector software on your host server.

4. Import the ADCS connector CA as a trusted PKI cert in your Jamf Pro instance.

5. Deploy certs to your machines with a Network+Certificate configuration profile.

I'm not going to lie. This is a very difficult project, but it is the best decision I've made for easy network access. Read every blog post and every bit of Jamf documentation until you understand enough to run this project.

New Contributor III

I'd consider using SCEP as an enrollment alternative instead, as it's probably used by other device types as well, unless you're strictly using fruit hardware managed by JAMF. Even Chromebooks can now use SCEP to request certificates!