How to create a system-based 802.1x compliant Wi-Fi profile for macOS

Creating an 802.1x-enabled wireless network provides additional security for organizations by protecting against unauthorized access.

Prior to OS X 10.11, admins could deploy wireless network configurations to Macs with 802.1x compliance, yet still allow end users to modify the Wi-Fi networks they could connect to directly from the login screen on-the-fly. This allowed mobile devices to remain connected to enterprise network resources while still permitting the devices to be used by multiple users without ever disconnecting them. This was especially beneficial for lab environments, where a set of devices may be accessed by hundreds of users weekly, each with their own unique domain accounts.

Since El Capitan, however, Apple has stored the credentials of manually created 802.1x-based connections as a per-user setting, meaning the wireless network is accessible only to the user account that made the initial connection; all other sessions are effectively disconnected until that user account creates its own unique connection.

This shift left many admins and end users scratching their heads as the network seemingly worked intermittently for some users but not others. Adding to the frustration, because these credentials were moved to the user's individual keychain, changing networks from the login window (something users had previously been able to do) was disabled as well, forcing IT to rethink their wireless network deployments.

Though this feature was removed from manually created wireless network profiles by default, it is alive and well, and can be configured by IT with some minor tweaks to bring back this functionality. Before getting to the steps, however, there are a few requirements to get this to work properly:

  • Apple computer running OS X 10.11 (or newer)
  • OS X Server with Profile Manager configured
  • Administrative privileges
  • Method to deploy .mobileconfig files (Network, USB, manual installation)
  • Wireless network configuration details

Creating a system-based wireless profile

Visit the Profile Manager (PM) URL and log in with admin credentials. Once authenticated, create a new device profile or select an existing one to modify. Click the Edit button to access the payloads. The General payload must be included by default, so enter the organization name and security details for the setting (Figure A).

Figure A

Next, select the Network payload and click the Configure button to begin adding the wireless network settings (Figure B).

Figure B

Enter the key details of the wireless network, such as the SSID, Security Type, and the EAP Types that will be used with 802.1x authentication (Figure C).

Figure C

Depending on your organization's setup, the network configuration information will vary. Two settings, however, are what allow the profile to be applied at the system level and let end users change wireless networks as necessary: the checkboxes next to Use as a Login Window configuration and Use Per-Connection Password.

Respectively, these settings allow the wireless network to be changed from the login window and allow end users to authenticate with their domain accounts before wireless access is granted (Figure D).

Figure D

Once the payload has been configured and the settings are verified to be correct, click the OK button to close the payload editor. Remember that the settings are not saved yet; to save them, click the Save button. This triggers Profile Manager to deploy the changes to all devices to which the profile is attached.

If you wish to deploy these settings manually, click the Download button instead to save the payload as a .mobileconfig file. Open this file on each machine you wish to configure, and the settings will be imported to that device (Figure E).

Figure E
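For the manual-deployment path, it helps to see what the downloaded .mobileconfig actually contains, so that the two checkboxes above can be verified in the file rather than only in the Profile Manager UI. The script below is an added example, not code from the article or from Apple's Profile Manager: it builds an equivalent system-scoped 802.1X Wi-Fi profile with Python's standard `plistlib`, using the payload keys documented in Apple's Configuration Profile Reference (`com.apple.wifi.managed`, `SetupModes`, `EAPClientConfiguration`, `OneTimeUserPassword`, `TLSTrustedServerNames`, `TLSAllowTrusted`), and then reads the file back to check it. The organization name, SSID, identifiers and the RADIUS server name are constructed placeholders, and it goes one step beyond the article by also pinning the expected RADIUS certificate name, which is what keeps an 802.1X client from being handed to a rogue access point.

```python
import plistlib
import uuid

# Constructed sample values (not from the article); replace with your own.
ORG = "Example Org"
SSID = "CorpWiFi"
RADIUS_SERVER_NAMES = ["radius.example.com"]  # placeholder RADIUS certificate name(s)
EAP_PEAP = 25  # IANA EAP method numbers: 13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP


def build_wifi_profile(ssid=SSID, trusted_server_names=RADIUS_SERVER_NAMES,
                       org=ORG, per_connection_password=True):
    """Return a .mobileconfig (XML plist) as bytes for a system-scoped 802.1X Wi-Fi network.

    per_connection_password=True mirrors the "Use Per-Connection Password" checkbox:
    no credential is stored in the profile and each user is prompted when connecting.
    False embeds a static placeholder credential, which is the weak form to avoid on
    a shared lab Mac.
    """
    eap = {
        "AcceptEAPTypes": [EAP_PEAP],
        "TLSTrustedServerNames": list(trusted_server_names),
        # Do not let users click through an untrusted RADIUS certificate.
        "TLSAllowTrusted": False,
    }
    if per_connection_password:
        eap["OneTimeUserPassword"] = True
    else:
        eap["UserName"] = "shared-lab-account"  # placeholder
        eap["UserPassword"] = "CHANGE-ME"       # placeholder static credential

    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",  # WPA2-Enterprise once EAPClientConfiguration is present
        "ProxyType": "None",
        # "System" installs the network for every account on the Mac;
        # "Loginwindow" is the "Use as a Login Window configuration" checkbox.
        "SetupModes": ["System", "Loginwindow"],
        "EAPClientConfiguration": eap,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # device-level profile, not per-user
        "PayloadIdentifier": "com.example.profile.wifi-8021x",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} 802.1X Wi-Fi",
        "PayloadOrganization": org,
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def check_profile(data):
    """Read a .mobileconfig back and report whether it has the properties described above."""
    profile = plistlib.loads(data)
    wifi = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        return {"has_wifi_payload": False}
    w = wifi[0]
    eap = w.get("EAPClientConfiguration", {})
    return {
        "has_wifi_payload": True,
        "system_scope": profile.get("PayloadScope") == "System",
        "login_window": "Loginwindow" in w.get("SetupModes", []),
        "per_connection_password": eap.get("OneTimeUserPassword") is True
                                   and "UserPassword" not in eap,
        "server_cert_pinned": bool(eap.get("TLSTrustedServerNames"))
                              and eap.get("TLSAllowTrusted") is False,
    }


if __name__ == "__main__":
    data = build_wifi_profile()
    with open("wifi-8021x.mobileconfig", "wb") as f:
        f.write(data)
    print(check_profile(data))
```

Running the script writes `wifi-8021x.mobileconfig` in the current directory; `check_profile` can also be pointed at a profile downloaded from Profile Manager to confirm that it is system-scoped, usable at the login window, and free of an embedded static password before it is copied to lab machines.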

Note: When deploying over the network, the server must be trusted by each device for the settings to be applied. Before pushing the settings payload, click the drop-down menu at the top-right of PM and select Download Trust Profile to download its .mobileconfig profile, which must be installed before any other payloads are applied.

About Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...
