Jamf Nation Community

Initially Apple’s suggestion to use PEAP or TTLS protocols to connect Macs to corporate WIFI. Unfortunately we have a Cisco ACS server doesn’t handle TTLS and PEAP option is not on the cards due to computer cert method has been chosen for the entire site.

We wanted to implement EAP-TLS 802.1x for Mac OS 10.6.8 clients with Corporate Build (AD bound Macs) with zero user interaction. So we have automated the below actions:

On Windows Server;

Create cert request Issue cert
Export cert
Place on ftp server

On Mac Client;

Install CA Root cert
Install CA chain certs
Install machine cert
Set trust level on certs
Create 802.1x system profile
Set trusted certs for 802.1x
Set machine cert for 802.1x
Set username for 802.1x

Broken command line (confirmed by Apple this command doesn't work after 10.6.4)
"networksetup -settlsidentityonsystemprofile" (sample as below) was a show stopper.

networksetup -settlsidentityonsystemprofile AirPort /$computername.yourcompany.com.pfx somepassword

“BTW I have managed to automate in user level 802.1x User Profile and all seems to work rather smooth. But we have experienced unstable connection and required users to click connect every now and then (not ideal user experience). So we went back to drawing board again to use system level (802.1x System Profile).”

I want to automate pfx (same as p.12) formatted computer cert to be assigned to 802.1x system profile. It only works in GUI. Here are the buttons I have to click to get this to work:
Open Network Preferences => Airport => Advanced => 802.1x => Select System Profile => Select TLS => click to "Configure..." radio button
After clicking "Configure..." radio button it prompts for admin username and password. Then all works.

I had to use Apple Script UI function as in CorpWifiConnect.scpt to over come this issue. I had to create a temporary admin account for this too. Surely temp account will be deleted after the process.

Here are the steps to get Mac clients to be automated with using Casper login policy with “Once Per Computer” flag. Scoped to smart group “Mac Laptops – AD bound”.

Step1: Create 802.1x System Profile then export it as CorporateWIFI.networkConnect
Export the 802.1x system profile
in Configure Trust… select + button and choose Select Certificate From System.keychain

Step2: Package the 802.1x System Profile (CorporateWIFI.networkConnect XML file) to be imported in to Network Preferences – Airport. Then add the username with host/fqdn.company.com to authenticate to AD through ACS.
Add XML File on the package (I have positioned in /private/tmp). Named the pavkage CorporateWIFI.networkConnect.pkg

Postflight script within package

#!/bin/sh
## postflight

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

##Set some variables
computername=`networksetup -getcomputername`
EAPSystemProfiles=/Library/Preferences/SystemConfiguration/preferences.plist
setuuid=`cat /Library/Preferences/SystemConfiguration/preferences.plist | grep /Sets/ | cut -c 16-51`

##Delete any previous TLS 802.1x entry to SystemConfiguration/preferences.plist
/usr/libexec/PlistBuddy -c "Delete :Sets:$setuuid:Network:Interface:en1:EAPOL:UserName" $EAPSystemProfiles

##Import 802.1x System Profile
networksetup -import8021xProfiles AirPort /private/tmp/CorporateWIFI.networkConnect
/bin/sleep 3 #allow some time

##Do a backup copy of the preferences.plist with the date stamp
cp /Library/Preferences/SystemConfiguration/preferences.plist /Library/Preferences/SystemConfiguration/preferences.plist_original_`date +%M-%H-%m-%d-%y`

##Edit preferences.plist file to add the host/fqdn to allow ACS / AD comms for authentication 
/usr/libexec/PlistBuddy -c "Add :Sets:$setuuid:Network:Interface:en1:EAPOL:UserName string host/$computername.company.com" $EAPSystemProfiles

##Enable 802.1x System Profile
networksetup -enablesystemprofile AirPort CorporateWIFI
/bin/sleep 5 #allow some time

networksetup -setairportpower airport on
/bin/sleep 5 #allow some time

exit 0      ## Success
exit 1      ## Failure

Postinstall script within package

#!/bin/sh
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3


sudo rm -R /private/tmp/CorporateWIFI.networkConnect

computername=`networksetup -getcomputername`
sudo rm /$computername.company.com.pfx

exit 0      ## Success
exit 1      ## Failure

**
Step3: Set up a Casper Smart Group with AD Macs

Step4: Set up a Casper Policy at login – Once per computer

Scope it to Casper Smart Group “Laptops with New Build AD bound”

Add Package CorporateWIFI.networkConnect.pkg to the policy

Add Scripts to the policy
**

Run below script Priority Before (this will get the computer cert from FTP and set the Mac for Apple Script, also will lock the screen to prevent user interaction)

#!/bin/bash

/bin/sleep 30 #allow some time for login properly

# Set some variables
#
# Grab hostname
computername=`networksetup -getcomputername`
# check for jamf binary
jamfbinary="/usr/sbin/jamf"
#
# jamf binary required to run this script
#
# check if jamf exists

if [[ -e $jamfbinary ]]

    then /bin/echo "Jamf binary present, continue”

    else /bin/echo "Jamf binary is not present, stop"

    exit 55

fi  

##Grab the unique computer cert from FTP
/usr/bin/ftp -i ftp://username:password@serverurl <<ENDOFCOMMANDS
get ${computername}.company.com.pfx
quit
ENDOFCOMMANDS

##Airport off
networksetup -setairportpower airport off

##Import the Cert to login keychain
security import /$computername.company.com.pfx -k /Library/Keychains/System.keychain -f pkcs12 -P mypassword
/bin/sleep 3 #allow some time

##MUST Turn on Assistive Devices for AppleScript to run properly
sudo touch /private/var/db/.AccessibilityAPIEnabled

##Create local temporary admin account to assign cert to Airport 802.1x System Profile trust

/usr/sbin/jamf createAccount -username tempadmin -realname TempAdmin -password temppassword –home /Users/tempadmin –shell “/bin/bash” -admin

/bin/sleep 15 #allow some time between accounts to ensure they create properly

/bin/echo "done creating local TemAdmin account"

# 
# Lets lock the screen while the process is taking place to prevent user interruption.
#

/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -heading " Corporate WIFI configuration!" -description "***IMPORTANT*** Configuration action MUST NOT BE INTERRUPTED! Please leave your MAC ON with POWER SOURCE and NETWORK CABLE attached. Process will take a MINUTE TO COMPLETE. Your Mac will RESTART" -icon /System/Library/CoreServices/Network Setup Assistant.app/Contents/Resources/Assistant.icns &

exit 0

Run CorpWifiConnect.scpt script Priority After (this will use UI with Apple Script to get around the broken Apple command line to assign the computer cert to 802.1x system profile)

tell application "System Preferences"
    activate
    set the current pane to pane id "com.apple.preference.network"
    get the name of every anchor of pane id "com.apple.preference.network"
    reveal anchor "Advanced Airport" of pane id "com.apple.preference.network"
    tell application "System Events"
        tell application process "System Preferences"
            delay 1
            click radio button 5 of tab group 1 of sheet 1 of window "Network"
            select row 2 of outline 1 of scroll area 1 of tab group 1 of sheet 1 of window "Network"
            select row 1 of table 1 of scroll area 1 of group 1 of tab group 1 of sheet 1 of window "Network"
            click button "Configure…" of group 1 of tab group 1 of sheet 1 of window "Network"
            click button "Continue" of group 2 of window "Choose An Identity"
        end tell

        tell application "System Events"
            delay 5.0
            set value of text field 1 of window 1 of application process "SecurityAgent" to "tempadmin"
            delay 5.0

            set value of text field 2 of window 1 of application process "SecurityAgent" to "temppassword"
            delay 5.0

            click button 2 of group 1 of window 1 of application process "SecurityAgent"

        end tell
        tell application "System Preferences"
            activate
            set the current pane to pane id "com.apple.preference.network"
            get the name of every anchor of pane id "com.apple.preference.network"
            reveal anchor "Advanced Airport" of pane id "com.apple.preference.network"
            tell application "System Events"
                tell application process "System Preferences"
                    delay 1
                    click button "OK" of sheet 1 of window "Network"
                    click button "Apply" of window "Network"
                    delay 2
                    click menu item "Quit System Preferences" of menu 1 of menu bar item "System Preferences" of menu bar 1
                end tell
            end tell
        end tell
    end tell
end tell
do shell script "networksetup -setairportpower airport off"
do shell script "networksetup -setairportpower airport on"

Set Mac to reboot to avoid keyboard and mouse malfunction created by jamf screen lock (this happens some times, so we don’t want to take a chance)

Type the following in Run Command section in Advance section of the policy to delete the temp account and kill the screen lock
/usr/sbin/jamf deleteAccount -username tempadmin -deleteHomeDirectory && killall jamfHelper