We have a hybrid environment of Windows and Mac devices. For the Windows devices, we set up a GPO, push it out to the machines and everything is great. They’re domain members, they talk to the certificate server and generate their client certificates, the profile enables wired and wireless dot1x, sets them to use their certificate, trusts the certificates presented by ClearPass, etc. So far, the Windows side is great. But Mac…
We’ve tried “Profile Configurator 2” and Ivanti (LanDesk) to mimic the settings the Windows machines use onto the Macs, but have had no luck. I set up OnBoard in ClearPass, with an intermediary CA, and set up the profiles through OnBoard, and it seems to work almost perfectly. It authenticates using EAP-TLS for wired and wireless, and it connects before the user logs in so they can log in to the domain properly. The oddness, though, is that on reboot, before the user logs in, it appears to be logging in as the user that enrolled the certificate, not as the machine. After the user logs in, it authenticates again, but this time as the computer.
Our key concern is to keep unauthorized (non-company) devices off of the network, so the only thing I really want to authenticate and authorize is the device, ideally using the computer account against AD.
Is there a way to have the certificate request be for the computer account rather than a user? If not, is there a way to configure things so that the certificate/profile only presents the computer rather than the user that enrolled it?
Alternatively, is anyone familiar with all the changes in Profile Configurator 2/Ivanti and Mac OS X 10.14.6 (Mojave) to help create a profile that would allow the computer to authenticate with the computer account in AD on startup for both wired and wireless, preferably using a certificate issued from an AD CA without activating SCEP?