Skip to main content

We have been pushing out wifi certificates to a small group of machines using the Guest account. It works as expected (not prompting the user to accept the certs) in El Cap but in Sierra, users are still getting prompted. All of the certificates in the chain are being issued in the same configuration profile.

Normally this wouldn't be an issue but with the Guest account not having a password, they are not allowed to accept the cert.

Did something change in Sierra (or in some recent .x release or security update) that no longer allows certs installed at the System level to be trusted?

We are issuing them through Configuration Profiles.

We are having the same issue. Any fix for this?

You might be seeing this: SHA-1 Certificate Warning

We install our root/chain certs with JSS scripts instead of profiles. Echo the cert to a temp folder then use the "security" command to install them to the system keychain with explicit trust for EAP.

Something happened in I think 10.12.5 that interfered with trust settings for certs installed by config profiles.

UPDATE:

I was able to get them working but had to also create a wifi payload in the same config profile with the certs being installed for a specific SSID (no credentials specified since we have users authenticate) and then selected certs and trusted them. This, however, only works for ONE SSID. If you create another SSID with those same trusted certs, it de-trusts (or something) then for the first SSID.

-Dan

Terms & ConditionsCookie settingsAccessibility statement