Wired 802.1X Authentication Configuration Profiles Fails

mks007
New Contributor II

The JSS is sending the configuration profile to the Mac, but no Identity preference or 802.1x Password is being generated in the keychain.

We have the same configuration for Wi-Fi and this is working fine. We are running 9.61 in our live environment, but I have upgraded the test pallor to 9.65 and 9.7 without success.

Our config is using TLS and a machine certificate generated dynamically by our MS SCEP server so adding this manually makes this a little difficult.

davidacland
Honored Contributor II

Hi, does the machine cert get created ok and added to the keychain? Could you add a screenshot of your profile, perhaps with sensitive info removed?

mks007
New Contributor II

Hi @davidacland

Cert is created fine, just missing the Identity preference and 802.1x Password in the system keychain.

Jedberg
New Contributor III

To get around the JSS issues we were having with 802.1x Ethernet Profiles, we just make our Profiles in the Server app and import them into the JSS. Make sure to sign them so they are read-only before importing into the JSS. For some reason, when we did not sign them they would get modified by the JSS and not work anymore.

I hope this helps.

Josh_S
Contributor III

Configuration profiles are just XML documents that specify preferences. I found, when creating them on the JSS, that many more preferences were specified than I actually wanted to control. Basically, if you want to set one preference contained on a "page" of preferences, all of them get set. That is true if you create them in the JSS or upload them unless, as @Jedberg points out, they are signed before uploading.

If you don't need to use payload variables within your configuration profiles, which I believe are parsed, signed and delivered per device, I would suggest creating custom configuration profiles using Apple's Server application or hand-modifying them using a text editor. Sign them, and then upload them into your JSS infrastructure for delivering. This ensures that you won't start accidentally delivering configuration settings to your fleet that you weren't intending to. On the other hand, you are taking a degree of control over from the Casper Suite so you might not get added benefits as things change "automatically".
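An added example, not from any poster in this thread or from the Casper Suite: a Python check to run on an unsigned profile before signing and uploading it, listing every preference key each payload sets and flagging a wired 802.1X payload whose EAP-TLS identity reference does not resolve to a certificate payload in the same profile. The sample profile, its UUIDs and the function name `audit_profile` are constructed for illustration; the payload keys are Apple's configuration profile keys, and the missing reference is an assumed fault, not a diagnosis of the original poster's profile.

```python
import plistlib

# Constructed sample profile (not from the thread): a SCEP payload plus a wired
# 802.1X payload whose PayloadCertificateUUID points at a UUID that is absent.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadUUID</key><string>AAAA-1111</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.firstactiveethernet.managed</string>
      <key>PayloadUUID</key><string>BBBB-2222</string>
      <key>Interface</key><string>FirstActiveEthernet</string>
      <key>PayloadCertificateUUID</key><string>CCCC-3333</string>
      <key>EAPClientConfiguration</key><dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
      </dict>
    </dict>
  </array>
</dict></plist>"""

# Payload types that can supply the machine identity for EAP-TLS.
IDENTITY_TYPES = {"com.apple.security.scep", "com.apple.security.pkcs12"}

def audit_profile(data):
    """Return (keys set per payload, findings) for an unsigned profile."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    identities = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in IDENTITY_TYPES}
    keys_set, findings = {}, []
    for p in payloads:
        uuid = p.get("PayloadUUID")
        # Every non-metadata key here is a preference the profile will enforce.
        keys_set[uuid] = sorted(k for k in p if not k.startswith("Payload"))
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            continue  # not an 802.1X payload
        ref = p.get("PayloadCertificateUUID")
        # EAP type 13 is EAP-TLS, which needs a client identity.
        if 13 in eap.get("AcceptEAPTypes", []) and ref not in identities:
            findings.append(f"{uuid}: EAP-TLS identity reference {ref!r} "
                            "matches no certificate payload in this profile")
    return keys_set, findings
```

Comparing the `keys_set` output of a hand-built profile against one exported from the JSS shows which extra preferences the JSS added.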