We are using Cloud Extender to push Symantec PKI user certificates to Windows and macOS devices for 802.1x authentication on a wireless network (RADIUS checks user certificate for validity). A Windows MDM Policy performs the necessary configuration to successfully allow a Windows device to connect to the wireless network, but we are struggling with macOS.
- macOS device is added to an IBM MaaS360 Device Group that has a policy attached including an EAP-TLS certificate-based WiFi profile
- The profile is delivered to the macOS device along with a certificate created by Symantec Managed PKI, requested through the IBM MaaS360 Cloud Extender. The relevant SSID is added to the Preferred Networks on the macOS device, at the bottom of the list (not ideal).
- The SSID is displayed as an 802.1x profile in the Network settings, which won't connect automatically or even manually until the SSID is removed from Preferred Networks
- To successfully connect using the new user certificate, the relevant SSID must be manually selected from the list of available WiFi networks, which generates an applet requesting the mode. Once the mode is changed from Automatic to EAP-TLS, the option to add an Identity is displayed from which the new certificate may be selected and EAP-TLS WiFi connectivity is established.
- Adding the Managed PKI root certificate as a "Trusted Certificate" causes even manual connection attempts to fail.
Here are some of the fields that are configured in the MDM policy: Configuration > WiFi
- Service Set Identifier (SSID): Test
- Auto Join: Yes
- Hidden Network: No
- Network Type: Standard
- Encryption Type: WPA
- Accepted EAP types: TLS
- Inner Authentication Protocol (for TTLS): {blank}
- Always Prompt User for Password: No
- Authentication Username: {blank}
- Use Per Connection Password: No
- Outer Identity Username: {blank}
- Trusted Certificates: {blank}
- Trusted Certificate Name: {blank}
- Allow Trust Exceptions: No
- Identity Certificate: DigiCert Managed PKI - User Certificate
- Proxy Type: None
- Disable Captive Network Detection: No
- Enable QoS Marking for Apps: No
Does anyone have any ideas on how to get 802.1x authentication working through pushing a macOS MDM policy? Adding an Authentication Username causes problems when using either %username% or %user_name%. I have even tried matching the username on the macOS device to the certificate Common Name to no avail.
------------------------------
Scott Shackleton, CISSP
Security Architect
Unison
San Francisco, CA
------------------------------
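The Wi-Fi fields listed in the post map onto the keys of Apple's `com.apple.wifi.managed` payload that an MDM emits in the .mobileconfig. The script below is an added example, not code from the post or from MaaS360: it builds a constructed profile in that format and checks it for the settings that leave the client in "Automatic" mode (no EAP-TLS type, no identity reference) or make RADIUS server-certificate trust fail without a prompt; the SSID, UUIDs and RADIUS hostname are made up, and the certificate payloads are stubs carrying only the keys the check reads.

```python
import plistlib
import uuid

EAP_TLS = 13  # IANA EAP method type for EAP-TLS, the value used in AcceptEAPTypes
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}  # client identity payloads
CA_TYPES = {"com.apple.security.root", "com.apple.security.pem", "com.apple.security.pkcs1"}  # CA payloads
IDENTITY_UUID, ANCHOR_UUID = str(uuid.UUID(int=1)), str(uuid.UUID(int=2))  # constructed UUIDs

def build_profile(wifi_overrides=None, cert_payloads=None):
    """Build a constructed .mobileconfig (plist bytes) holding one EAP-TLS Wi-Fi payload."""
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadUUID": str(uuid.UUID(int=3)),
        "SSID_STR": "Test",  # constructed SSID
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": IDENTITY_UUID,  # client identity the device presents
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            # Anchors validate the RADIUS server certificate: use that server's issuing CA.
            "PayloadCertificateAnchorUUID": [ANCHOR_UUID],
            "TLSTrustedServerNames": ["radius.example.test"],  # constructed server name
            "TLSAllowTrustExceptions": False,
        },
    }
    wifi.update(wifi_overrides or {})
    if cert_payloads is None:  # stub identity and CA payloads referenced above
        cert_payloads = [{"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": IDENTITY_UUID},
                         {"PayloadType": "com.apple.security.root", "PayloadUUID": ANCHOR_UUID}]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [wifi] + cert_payloads})

def check_eap_tls(profile_bytes):
    """Return findings for each Wi-Fi payload that would keep EAP-TLS from auto-connecting."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    findings = []
    for p in (q for q in payloads if q.get("PayloadType") == "com.apple.wifi.managed"):
        eap = p.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            findings.append("AcceptEAPTypes lacks 13: client is left in 'Automatic' mode")
        ident = by_uuid.get(p.get("PayloadCertificateUUID"))
        if ident is None or ident.get("PayloadType") not in IDENTITY_TYPES:
            findings.append("PayloadCertificateUUID does not name an identity payload in this profile")
        for a in eap.get("PayloadCertificateAnchorUUID", []):
            if by_uuid.get(a, {}).get("PayloadType") not in CA_TYPES:
                findings.append(f"anchor {a} is not a CA certificate payload in this profile")
        if not eap.get("PayloadCertificateAnchorUUID") and not eap.get("TLSAllowTrustExceptions", True):
            findings.append("no anchors and no trust exceptions: a private RADIUS CA fails without a prompt")
    return findings
```

Run `check_eap_tls` over a profile exported from the MDM console to see which of these conditions it trips before pushing it to a device group.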