Question

I am wondering if there is a process people use here to deploy 802.1X profiles in a Windows AD environment on Apple hardware, specifically MacBook Pros?

Specifically when the Root CA is renewed and profiles need to be deployed. I have read up on some techniques here:

These either mention a third party or the information is outdated. I may be missing something but any help would be greatly appreciated.


Solution

So the solution I came up with isn't perfect, but it beats a lot of the stuff I was reading online. I decided to use Ansible to remotely configure the Mac computers. Ansible uses SSH, which most Macs in our environment have turned on by default. I would recommend deploying an Ansible service account user to the MacBooks in order to do the following tasks.

I want to reiterate that this task exists because we are using a Windows CA and the profiles need to be reloaded IF the Windows CA cert expires. The issue we have had is that the laptops will not connect to 802.1X without said mobileconfig. The solution here is to have the MacBooks connect to the network through a guest Wi-Fi and then VPN into the network, preferably a guest network that your company has that is separate from internal resources.

We will use the following Ansible playbook to make sure we remove the old profile and then transfer over the new profile. Apple does allow you to install mobileconfigs via the command line, but I could not get it to work, so a manual install of the profile is necessary post-transfer; the hard steps are done, though.

Here is the playbook and the remove profile script.

# Remove Mac profile, then stage the new one in /Users/Shared

- name: Transfer and execute a script
  hosts: all
  remote_user: USER
  become: true
  tasks:

    - name: Execute the script
      script: /home/USER/ansible-play/removeProfile.sh

    - name: Execute transfer of mobile config
      copy:
        src: /home/USER/MacMobile.mobileconfig
        dest: /Users/Shared/
        mode: "0644"


#!/bin/bash
# removeProfile.sh: remove every installed profile whose identifier contains
# com.apple.mdm. The playbook runs this with become, so it already runs as root.
/usr/bin/profiles -P | grep 'profileIdentifier:' | grep 'com.apple.mdm' \
  | awk -F'profileIdentifier:' '{print $2}' | sed 's/^[[:space:]]*//' \
  | while read -r ident; do
      /usr/bin/profiles -R -p "$ident"
    done

After having this config, you will need a hosts file with the hosts you would like to deploy to. Doing this manually is a pain, so I suggest dynamically creating it from Active Directory or however you manage computers.

Here are some resources I used to solve this problem:
https://docs.ansible.com/ansible/latest/index.html
https://serversforhackers.com/

This is not a perfect solution and my code is also not perfect. Feel free to edit or change in anyway you see fit but this worked for me and was a pretty good quick fix to an issue.
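As an added example (my own, not the answer's script): a version of the removal step that removes only the installed profile whose identifier exactly matches the top-level PayloadIdentifier of the new .mobileconfig, rather than any profile that greps for com.apple.mdm, and that refuses to remove anything when the replacement file is missing, since the answer notes the laptops cannot reach 802.1X without the profile. It is meant to be pushed by the same Ansible `script` task after the `copy` task has staged the new file. Assumptions not in the original post: the path /Users/Shared/MacMobile.mobileconfig, that the target macOS accepts the `profiles -P`, `profiles -R -p` and `profiles -I -F` flags, that `/usr/libexec/PlistBuddy` is present, and the constructed `profiles -P` listing used as sample input. The closing `profiles -I -F` is the command-line install the answer could not get working; on current macOS it may only prompt for approval in System Settings, in which case the manual install step remains.

```shell
#!/bin/bash
# Added example, not the original answer's script. Replace the 802.1X profile
# idempotently: remove only the exact-matching installed profile, and never
# remove anything unless the replacement file is readable.
set -u

# Assumed location of the staged profile (not from the original post).
NEW_PROFILE="${NEW_PROFILE:-/Users/Shared/MacMobile.mobileconfig}"

# Constructed sample of `profiles -P` output (not captured from a real Mac),
# used to exercise the parsing functions without calling `profiles`.
SAMPLE_LISTING='_computerlevel[1] attribute: profileIdentifier: com.apple.mdm.corp-8021x
_computerlevel[1] attribute: profileUUID: 4A6D2C1E-0000-4000-8000-000000000001
_computerlevel[2] attribute: profileIdentifier: com.example.vpn
There are 2 system configuration profiles installed'

# Print the profileIdentifier of each installed profile, one per line.
# Reads `profiles -P` output on stdin so it can be run on captured text.
installed_identifiers() {
  awk -F'profileIdentifier:' '/profileIdentifier:/ {
      sub(/^[ \t]+/, "", $2); sub(/[ \t\r]+$/, "", $2); print $2 }'
}

# Top-level PayloadIdentifier of a .mobileconfig (macOS only: uses PlistBuddy).
new_identifier() {
  /usr/libexec/PlistBuddy -c 'Print :PayloadIdentifier' "$1"
}

# Given the new identifier and `profiles -P` output on stdin, print only the
# installed identifiers that are an exact match (no substring matching).
matching_installed() {
  local wanted="$1"
  installed_identifiers | awk -v w="$wanted" '$0 == w'
}

# Decide the action: "abort" when the new file is unreadable (do not strand the
# Mac without a working profile), "replace" when a matching profile is already
# installed, "install" when nothing matches.
plan() {
  local file="$1" wanted="$2" listing="$3"
  [ -r "$file" ] || { echo abort; return; }
  if printf '%s\n' "$listing" | matching_installed "$wanted" | grep -q .; then
    echo replace
  else
    echo install
  fi
}

# Only acts on a Mac: both `profiles` and the staged file must exist.
if [ -x /usr/bin/profiles ] && [ -r "$NEW_PROFILE" ]; then
  wanted="$(new_identifier "$NEW_PROFILE")"
  listing="$(/usr/bin/profiles -P)"
  case "$(plan "$NEW_PROFILE" "$wanted" "$listing")" in
    replace)
      printf '%s\n' "$listing" | matching_installed "$wanted" | while read -r ident; do
        /usr/bin/profiles -R -p "$ident"
      done
      /usr/bin/profiles -I -F "$NEW_PROFILE" ;;
    install)
      /usr/bin/profiles -I -F "$NEW_PROFILE" ;;
  esac
fi
```

Because the decision is made from the new file's own PayloadIdentifier, the same script works when the renewed CA ships with a new identifier (install path) and when it keeps the old one (replace path); the exact-match rule avoids removing an unrelated profile whose identifier merely contains the grep pattern.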

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange