Posted on 06-28-2023 11:42 AM
Is there an application out there that lets you connect to WiFi before logging in? We have Jamf Connect, but I'm looking for a standalone app to use until it's rolled out completely. We would like to mimic our Windows environment where you connect to WiFi then VPN and can log in with AD creds so our techs don't need to reset a user's password when building a new device.
Posted on 06-28-2023 12:34 PM
@PhillyPhoto Are you enforcing FileVault on your Macs? If so, there is no network functionality until a user enters their FileVault-enabled login to unlock the drive.
Posted on 06-28-2023 02:00 PM
Yes, so the workflow would be:
06-28-2023 02:06 PM - edited 06-28-2023 02:11 PM
@PhillyPhoto It sounds like you're not utilizing Automated Device Enrollment to set up your Macs. Any particular reason for that? It really makes the deployment process easier.
Our deployment process using ADE is like this:
Posted on 06-28-2023 02:25 PM
One word: security. As in our security team micromanages everything. We've been trying to get to the point where we can deliver machine certificates to our devices while off network and now they're reviewing Azure App Proxy. And even if we get that, our security team still requires us to join the devices to AD (I know, I know...). I've been screaming the ADE/DEP method for years and finally got the Jamf Connect buy-in at least. Even with that, we have conditional access which would block users from being able to auth for the first time since the device isn't in a state where it could even be registered with Intune to pass compliance. That's why we're still building 100% of devices on-prem and shipping to end users.
Posted on 06-29-2023 08:12 AM
@PhillyPhoto Sadly it sounds like your "Security" team is one that operates under the principle "This is how we've always done things, and we don't care what modern best practices are for Mac deployments".
There's no technical reason you can't enroll a device in Jamf Pro via ADE and then configure it per your organizational requirements. I would categorize my org's Security teams as very conservative (once breached, twice shy) but the process I described above is one that is acceptable to them after working with them to identify and address concerns. We're in the process of integrating with Intune to provide Device Compliance based access to M365 services so users will no longer require VPN connectivity for those services, but that will have no impact on the initial enrollment process.
If your org is large enough to have a support contract with Apple you probably have an assigned Systems Engineer. I'd recommend you contact them and see if it's possible to arrange a meeting between your security team and Apple's Mac Solutions Architects to see if they can help you get to an ADE/DEP world.
Posted on 06-28-2023 02:38 PM
Giving this a Kudo solely for the U*******r Gnomes reference.
Posted on 06-28-2023 02:06 PM
The frustrating part is that there is an option to have a WiFi dropdown if you configure an enterprise network config profile:
Posted on 06-28-2023 06:15 PM
@PhillyPhoto You may refer to this post on JamfNation; see if this helps: https://community.jamf.com/t5/jamf-pro/802-1x-not-authenticating-machine-based-to-freeradius-but-win...
Posted on 06-29-2023 07:21 AM
I'm looking to let users connect to their personal WiFi networks at home, not 802.1x networks. I was just showing that there is precedent for connecting to WiFi at the login screen.
Posted on 06-29-2023 01:22 PM
May not be a good solution for your environment as it seems like you are AD binding. However, JAMF Connect provides this as it puts an icon in the upper right of the screen to pick a WiFi network.