Wireless Access

Hi! I'm working with my Active Directory team to try and push a computer certificate to an OSX machine along with a system (not user) profile. With such a configuration, the laptop should be able to authenticate upon booting up before a user logs into the machine.

 

Has anyone successfully done this? If so, can you be specific and explain how you did this and what tools were required to make it happen?

 

Much appreciated!

You can do this with Apple Configurator or Profile Manager.

Profile Manager can't distribute the computer certificates though, right?

I'm also looking for folks that have not only built this but have also sustained operations of it successfully and happily, fwiw.

Profile Manager pushes the profiledown(s) to the client or user profile. The profile can have a certificate enrollment configuration.

I believe that is based on a user enrollment, no? We need to have no tie-in with the user account.

Are the machines joined to the domain?

Take a look at this:

http://kevinbecker.org/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

Closing the loop, we ended up using Centrify to manage group policy on our OSX machines. The mobileconfig profile sent to the device was set for EAP-TLS and also included *all* the certificates, including the root (marked as trusted). Doing it this way auto-associated the device's certificate (also received via Centrify) with the mobileconfig profile.