Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac OS X, Active Directory and 802.1x (Wired and wireless)

  • 1.  Mac OS X, Active Directory and 802.1x (Wired and wireless)

    Posted Aug 29, 2019 03:46 PM

    We have a hybrid environment of Windows and Mac devices. For the Windows devices, we set up a GPO, push it out to the machines and everything is great. They’re domain members, they talk to the certificate server and generate their client certificates, the profile enables wired and wireless dot1x, sets them to use their certificate, trust the certificates presented by ClearPass, etc. So far, the Windows side is great. But Mac…

    We’ve tried “Profile Configurator 2” and Ivanti (LanDesk) to mimic the settings the Windows machines use onto the Macs but have had no luck. I set up OnBoard in ClearPass, with an intermediary CA, and set up the profiles through OnBoard, and it seems to work almost perfectly. It authenticates using EAP-TLS for wired and wireless, and it connects before the user logs in so they can log in to the domain properly. The oddness, though, is that on reboot, before the user logs in, it appears to be logging in as the user that enrolled the certificate, not as the machine. After the user logs in, it authenticates again, but this time as the computer.

    Our key concern is to keep unauthorized (non-company) devices off of the network, so the only thing I really want to authenticate and authorize is the device, ideally using the computer account against AD.

    Is there a way to have the certificate request be for the computer account rather than a user? Is there a way to configure things so that the certificate/profile is only presenting the computer rather than the user that enrolled it if not?

    Alternatively, is anyone familiar with all the changes in Profile Configurator 2/Ivanti and Mac OS X 10.14.6 (Mojave) to help create a profile that would allow the computer to authenticate with the computer account in AD on startup for both wired and wireless, preferably using a certificate issued from an AD CA without activating SCEP?



  • 2.  RE: Mac OS X, Active Directory and 802.1x (Wired and wireless)

    EMPLOYEE
    Posted Aug 29, 2019 04:14 PM

    Which EMM solution are you using to manage the Macs? 

    You would normally just add an AD Certificate payload to your management profile and it will automatically request a cert.



  • 3.  RE: Mac OS X, Active Directory and 802.1x (Wired and wireless)

    Posted Aug 29, 2019 04:21 PM

    For the domain devices we use Ivanti (formerly LanDesk). It has the functionality from Apple's Profile Configurator 2 and a similar layout, but it looks like some of the functions may have simply been removed in the newer versions of Mac OS (or at least no longer appear in PC2, they still show in LanDesk).

    For example, I've found write-ups of how to set up the profile to do RPC-based certificate requests, but that seems to be missing now, and only lists SCEP certificate request options. Also, the newer version of Profile Configurator doesn't appear to have anything for wired 802.1x. Ivanti still shows it, but as far as we can tell the Mac doesn't seem to respect the settings.



  • 4.  RE: Mac OS X, Active Directory and 802.1x (Wired and wireless)

    EMPLOYEE
    Posted Aug 30, 2019 11:49 AM

    The AD Certificate and Wired 802.1X payloads are still completely valid. They were removed from Configurator as that tool is designed for iOS, iPadOS and tvOS.

    You can still configure these profiles from Profile Manager, an EMM solution or you can use this open source tool > https://github.com/ProfileCreator/ProfileCreator



  • 5.  RE: Mac OS X, Active Directory and 802.1x (Wired and wireless)

    Posted Aug 30, 2019 12:10 PM

    I'll try that tool and see if it will do what we need, thank you!