security command to set up Identity

sgoetz
Contributor

So I've been working on this script for a little over a year lol. I can't get it to work quite right and was hoping someone might have more experience. The script will take the user cert that was deployed to the machine via config profile SCEP and assign it to the identity for our Wireless. The part that doesn't work when run from JAMF is the following:

echo "Setting Identity to user $currentUser cert"
sudo -u "$currentUser" -i /usr/bin/security set-identity-preference -s com.apple.network.eap.user.identity.wlan.ssid.Earth -c "$currentUser" /Library/Keychains/System.keychain

also tried as this:

su -l "$currentUser" -c '/usr/bin/security set-identity-preference -v -s com.apple.network.eap.user.identity.wlan.ssid.Earth -c "'"$currentUser"'" /Library/Keychains/System.keychain'

This script works great when run locally, both as myself and when I run it as root, i.e. sudo -s.

Why doesn't it work the same when run as a script from JAMF, or as a script that is copied to the machine and then run using the process option?

When JAMF logs in as root is it restricted to what it can do?


joshuasee
Contributor III

If it works in Terminal locally, but not over SSH or Casper, one problem that comes to mind is that it is running into some of the increased OS X restrictions on running processes in different contexts. To test, you could see if the command works on 10.7.x as is, or on newer OS versions try more thoroughly emulating a launch by the user:

launchctl bsexec `who -u | sed -n 's/.*.console.*.[ 	]//p'` security set-identity-preference yada yada yada

The who line gets the PID of the WindowServer instance of the GUI user. launchctl bsexec has functionality overlapping the su username command, but does a much more thorough job running the process under conditions the user would have, while doing a less thorough job of setting environment variables, so it will need more testing.

jarednichols
Honored Contributor

try

sudo -u $currentUser

instead

Try reading the OP's post, Jared.

sgoetz
Contributor

@joshuasee Okay so I tried what you said with the launchctl and I'm getting a little closer I think. It still fails when run through JAMF, but works when run via Terminal as the root user. The exit status from when JAMF runs it is 154 and I get a keychain pop-up saying no keychain item found to insert "sgoetz" into, and it asks me to reset my keychain.

Also to note, if com.apple.network.eap.user.identity.ssid.Earth already exists then su -l works just fine. However if the keychain item does NOT exist then all the commands I've tried fail with a different exit code for each. lol.

Basically when we first set up wireless we used PEAP for the same SSID. We have since switched over to use EAP-TLS. I'm trying to script out removing the PEAP keychain item (already done and works great) and then set up the EAP-TLS identity (this is the part that only works if the keychain item is already there). And we are trying to do this in an automated fashion because our company is HUGE on automation (no user interaction).

Thanks for the help so far!

joshuasee
Contributor III

Unfortunately, my experience with the security command is quite limited and likely inferior to yours. Is there any chance to create the identity with a config profile, even with invalid credentials, and then update it with security?

sgoetz
Contributor

I'm not sure how to do that via config profile

defiler
New Contributor III

We were able to import x509 certificates and set EAP identities for our users' login keychains using the technique described below, hope this helps:

0) make a script/app that does the security command stuff and drop it somewhere on the user's Mac;
1) make a launch agent that runs this script/app and drop it into ~/Library/LaunchAgents/ (don't forget to mkdir it if it does not exist), something like this

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ru.whatever.certget_user_agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/open</string>
        <string>/var/tmp/crtgt/bin/CertGet.app</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

2) load launch agent in user's context using this hack:

FINDER_PID=`ps aux | grep "/System/Library/CoreServices/Finder.app/" | grep -v grep | grep $LOGGED_IN_USER | awk '{print $2}'`

launchctl bsexec "${FINDER_PID}" osascript -e '
tell app "Finder"
    do shell script "
    launchctl unload -S Aqua -w '$AGENTSDIR'/ru.whatever.certget_user_agent.plist
    launchctl load -S Aqua -w '$AGENTSDIR'/ru.whatever.certget_user_agent.plist
    "
end tell
'

we did it in a single package with post/preinstall scripts and our app as payload.

joshuasee
Contributor III

Shorter and hopefully faster way to get the Finder process ID:

FINDER_PID=`ps -aU $LOGGED_IN_USER -o pid,comm | sed -n s/.System.*.Finder$//p`

You could add more of the path to the Finder back depending on how exact a match you are comfortable with.

sgoetz
Contributor

Thank you guys for all your input and ideas! I have found a way to get the security command to work by using the Files and Processes portion of a policy!

joshuasee
Contributor III

If feasible, please post the successful command as a reference for others facing this predicament.

sgoetz
Contributor

Hey guys,

It's basically the same command; the only difference is that instead of running it from the script portion of a policy I put it in the "Files and Processes" portion of the policy as follows:

currentUser=$(stat -f%Su /dev/console) && security set-identity-preference -s com.apple.network.eap.user.identity.wlan.ssid.Earth -c "$currentUser" /Library/Keychains/System.keychain
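Pulling the thread's pieces together as an added example (not any poster's code): find the console user, refuse to act at the login window, and run security set-identity-preference inside that user's GUI session rather than under plain sudo, then read the preference back to confirm it was stored. It assumes macOS 10.10 or later for launchctl asuser, root privileges as a Jamf policy would have, and the service name and System keychain path used in the thread; the who -u parsing and user check can be exercised on any system.

```shell
#!/bin/bash
# Added example, not any poster's code. Assumes macOS 10.10+ (launchctl asuser),
# root privileges (as in a Jamf policy), and that the SCEP user cert is in the
# keychain named by KEYCHAIN. Service name and keychain default come from the thread.
set -u

SERVICE="com.apple.network.eap.user.identity.wlan.ssid.Earth"
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"

# Console user from `who -u` output on stdin; prints nothing when nobody is at the GUI.
console_user_from_who() {
    awk '$2 == "console" { print $1; exit }'
}

# Reject the accounts that stat -f%Su /dev/console can return at the login window,
# so security is never asked to insert a preference for them (the
# "no keychain item found to insert" dialog from the thread).
is_real_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Plain sudo -u from a policy does not attach to the user's keychain session,
# so the preference never reaches their login keychain. launchctl asuser enters
# the user's session first, which a Terminal run as that user gets for free.
set_identity_for_console_user() {
    user=$(who -u | console_user_from_who)
    is_real_user "$user" || { echo "no GUI user logged in" >&2; return 2; }
    uid=$(id -u "$user")
    launchctl asuser "$uid" sudo -u "$user" /usr/bin/security \
        set-identity-preference -s "$SERVICE" -c "$user" "$KEYCHAIN" || return $?
    # Read the preference back; get-identity-preference fails if nothing was set.
    launchctl asuser "$uid" sudo -u "$user" /usr/bin/security \
        get-identity-preference -s "$SERVICE" >/dev/null
}

# Only act on macOS as root; the helpers above can be exercised anywhere.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    set_identity_for_console_user
fi
```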

aemregursu
New Contributor

Hello,
Has anyone been able to find a resolution for the problem? We have the exact same problem as Shawn: we want to be able to use computer certificate authentication on the Wi-Fi when the user is logged off and switch to user certificate authentication when the user is logged in. That being said, there are two problems with this approach:
1) The user certificate is not being deployed via JAMF because the jamf management user is not seeing the logged-in user's Kerberos certificate, so the user has to install it via Self Service.
2) We cannot make the necessary Wi-Fi configuration and identity preference changes to the login keychain remotely, as Shawn stated. @sgoetz

So any ideas and thoughts are welcome to solve these problems.
Thanks a lot in advance,
Regards,

abrahamT
New Contributor III

@aemregursu For issue 1), you could set up a Policy that runs a recon at login and populates an Extension Attribute that your SCEP cert profile would be scoped to depending on the result.

2) you CAN make the changes to the identity preference remotely, but it all depends on how you will identify the certificate you want to set to. For example, are you setting to a cert with a specific common name or SAN name?

aemregursu
New Contributor

Thanks a lot for the reply @abrahamT. I did not explain clearly: we are deploying the user certificates with a mobileconfig profile and running a script locally that specifies a user for the profile commandlet. But the root user has no permission to access the client's login keychain, so the script fails. That's why we put the script in Self Service, where it prompts the user for the password of the keychain. To be exact, the script we use is:
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + " ");')
/usr/bin/sudo -u "$loggedInUser" /usr/bin/profiles -I -F /Private/tmp/UserCert.mobileconfig

I understand you are offering us to use SCEP for the solution.