Hi All,

I've been spending the last few days testing how to connect my users to the Wi-Fi in a more efficient way. My goal is to get a large group of people connected with the fewest SSIDs. Like many organizations we have different people who will fall under different roles. The biggest roles are MDM-managed employees, MDM-managed students, unmanaged BYOD users, and guests. Our managed devices are mostly macOS and iOS devices, but we also have some Windows and Chrome devices. Users have Google Workspace and Active Directory accounts. For infrastructure we use ClearPass, Aruba wireless, Active Directory and AD CS.

I'd also like to point out that the roles users will receive are mostly VLAN-based, for web content filtering for students vs. employees. We are really just providing Internet access, as most of our services are cloud-based. We will use some ACLs in the Aruba wireless, but we are not protecting much intranet data.

I know how to enroll macOS and iOS devices with 'computer' certificates. I can do this in the MDM using SCEP. The certificate the device receives really only has the CN, which we assign the computer name or serial number. Windows devices, on the other hand, can easily get computer and user certificates via Active Directory.

So with just a machine certificate I'm having a hard time differentiating between a student MDM-managed MacBook and an employee MDM-managed MacBook, since the only attribute I get back in ClearPass is the Common Name.

How would you handle this? I've been working on making one SSID for MDM-managed employee and student devices. I was thinking the service could have a default role of "Student" when the device is machine-authenticated only. That way students wouldn't have to worry about Wi-Fi at all. Employees might have to do some kind of additional authentication to get other roles.
Do you have the MDM integrated with ClearPass? This should be able to pass a group attribute into ClearPass you can use.
I'm reading about this now: https://support.hpe.com/hpesc/public/docDisplay?docId=a00126745en_us. This looks promising, as I can download Jamf Pro MDM attributes into the ClearPass Endpoint database. Then I can do role mapping. Then I could connect both the employees and students to one SSID.
Hey, that ClearPass Jamf Pro Extension works great. I've got all sorts of attributes in my endpoints now. I've got it working with Employee and Student TIPS roles now. Could easily add more with Jamf groups or departments. Problem solved!
Rats, I have to disable Private MAC Address in iOS if I want to be able to use the endpoint attributes. It still works, but there is a privacy warning on the iPad.
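As an added illustration (not code from this thread, from ClearPass or from Jamf), the following Python sketch models the role-mapping logic the thread converges on: the EAP-TLS machine certificate only proves "this is one of our MDM-enrolled devices" via its CN, so the student/employee split has to come from MDM endpoint attributes keyed by the client MAC, with "Student" as the least-privileged default whenever that lookup cannot be made. It also covers the randomized (private) MAC caveat from the post above, since a locally administered MAC will never match the MDM record, and it cross-checks the certificate CN against the MDM serial so a device cannot inherit another device's role just by presenting that device's MAC. The endpoint attribute names, the sample MACs and serials, the department set, and the assumption that the CN is the serial number are all constructed for the example.

```python
"""Role mapping for machine-cert Wi-Fi auth plus MDM endpoint attributes.

Added example; models the decision logic, not any vendor API.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    cert_cn: str   # CN from the EAP-TLS machine certificate (assumed: device serial)
    mac: str       # client MAC (Calling-Station-Id) as the controller sends it


@dataclass(frozen=True)
class Decision:
    role: str
    reason: str


# Constructed sample of an endpoint database populated from the MDM,
# keyed by normalized MAC. Attribute names are assumptions for illustration.
ENDPOINT_DB = {
    "a483e7000001": {"serial": "C02EMP00001", "department": "Faculty"},
    "a483e7000002": {"serial": "C02STU00002", "department": "Students"},
}

# Departments that map to the Employee role (assumed for the example).
EMPLOYEE_DEPARTMENTS = {"Faculty", "Staff", "IT"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Strip separators and lowercase so 'A4:83:E7-00.00.01' and 'a483e7000001' match."""
    m = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(m):
        raise ValueError(f"bad MAC: {mac!r}")
    return m


def is_locally_administered(mac):
    """Randomized/private Wi-Fi addresses set the locally-administered bit (0x02) in the first octet."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def assign_role(req, db=ENDPOINT_DB):
    """Return the role and the reason it was chosen. Unknown -> least privilege ('Student')."""
    if not req.cert_cn:
        return Decision("Reject", "no machine certificate presented")
    try:
        mac = normalize_mac(req.mac)
    except ValueError as e:
        return Decision("Student", f"{e}; default role")
    if is_locally_administered(mac):
        # MDM attributes are keyed by the hardware MAC, so a private address cannot be correlated.
        return Decision("Student", "randomized (private) MAC; MDM attributes cannot be correlated")
    attrs = db.get(mac)
    if attrs is None:
        return Decision("Student", "MAC not in endpoint database; default role")
    if attrs.get("serial") != req.cert_cn:
        # Bind the MAC-keyed record to the authenticated identity in the certificate.
        return Decision("Student", "certificate CN does not match MDM serial for this MAC")
    dept = attrs.get("department")
    if dept in EMPLOYEE_DEPARTMENTS:
        return Decision("Employee", f"MDM department {dept!r}")
    return Decision("Student", f"MDM department {dept!r}")


if __name__ == "__main__":
    samples = [
        AuthRequest("C02EMP00001", "A4:83:E7:00:00:01"),   # employee MacBook, hardware MAC
        AuthRequest("C02STU00002", "a4-83-e7-00-00-02"),   # student MacBook
        AuthRequest("C02EMP00001", "da:12:34:56:78:9a"),   # employee iPad with a private address
        AuthRequest("C02STU00002", "a4:83:e7:00:00:01"),   # CN/MAC mismatch
    ]
    for s in samples:
        d = assign_role(s)
        print(f"{s.cert_cn:12} {s.mac:18} -> {d.role:8} ({d.reason})")
```

The design point is that every failure of the attribute lookup, whether a missing record, a private MAC or a CN/serial mismatch, lands in the same default role rather than in a permissive one, which matches the "default Student, employees get more" plan from the first post. The `reason` field is there so the decision can be logged alongside the RADIUS accounting data when someone asks why a device landed in the wrong VLAN.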
Thanks, I hadn't heard of that. I'll take a look.