Distributing 802.1X Settings to Mobile Devices

You can use configuration profiles in Jamf Pro to distribute 802.1X settings to mobile devices in your environment. This allows users to authenticate to a network using their credentials or through certificate-based authentication.

General Requirements

To distribute 802.1X settings to mobile devices, you must complete the setup in 802.1X Environment Setup.

Enabling Users to Authenticate Using Credentials

Mobile devices use PEAP for 802.1X configurations when you want users to authenticate using a username and password. PEAP sends those credentials inside a TLS tunnel to the RADIUS server, so the device must be able to verify the server's certificate before it sends anything. To use this protocol, you must distribute a configuration profile to mobile devices with the Wi-Fi and Certificates payloads configured.

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click Configuration Profiles.

  4. Click New.

  5. Use the General payload to configure basic settings for the profile, including the level at which to apply the profile and the distribution method. If you chose to make the profile available in Jamf Self Service, choose a Security setting.

  6. Use the Certificates payload to configure information about the certificate:

    1. Enter a display name for the certificate in the Certificate Name field.

    2. Choose "Upload" from the Select Certificate Option pop-up menu.

    3. Click Upload Certificate and upload the Root CA certificate that issued your RADIUS server's certificate.

    4. (Optional) If you uploaded a .p12 or .pfx certificate, enter a password in the Password field and then verify the password.

  7. Use the Wi-Fi payload to configure information about the network:

    1. Enter your SSID in the Service Set Identifier (SSID) field.

    2. (Optional) To ensure the network is not displayed as an available network in Settings, select the Hidden Network checkbox.

    3. (Optional) To ensure devices automatically connect to the network, select the Auto Join checkbox.

    4. Configure the Proxy Setup setting as needed if your environment uses a proxy.

    5. Choose "WPA2 Enterprise" from the Security Type pop-up menu.

    6. Click the Protocols tab.

    7. Select the PEAP checkbox.

    8. Enter one of the following in the Username field:

      • If usernames are configured using the User and Location settings and you are using individual user accounts to connect to Wi-Fi, enter $USERNAME in the Username field.

      • If you are using one LDAP account for all users to connect to Wi-Fi, enter that account's username in the Username field. Keep in mind that the shared account's password is stored in the profile itself and is delivered to every device in scope; per-user credentials, or the certificate-based method described later on this page, avoid distributing a shared secret.

    9. To require users to enter the LDAP account password when their device reconnects to Wi-Fi, select the Use Per-Connection Password checkbox.

    10. Enter one of the following in the Password field:

      • If you entered $USERNAME in the Username field previously, leave the Password field blank.

      • If you entered an LDAP account username in the Username field previously, enter the password for that account in the Password field.

    11. Leave the Outer Identity field blank.

    12. Click the Trust tab.

    13. Select the checkboxes of the certificates you uploaded.

    14. Click +Add for the Certificate Common Name field and enter the name of the RADIUS certificate exactly as it appears in that certificate's subject.

      Important: The Certificate Common Name field is case sensitive. Together with the trusted root CA selected in the previous step, this name is what lets the device tell your RADIUS server apart from a rogue access point presenting some other certificate; if the name does not match, the device does not complete the connection or send the user's credentials.

  8. Click the Scope tab and configure the scope of the profile.
    To distribute user-level profiles, add iPads that have Shared iPad enabled to the scope. This allows the profile to be installed on the device for each potential user of that device. When each user logs in, the profile is then installed on the device.

    Note: If a user is logged in to an iPad prior to a profile being saved in Jamf Pro, the user must log out and log back in to the iPad for the profile to be installed on the device.

    Note: For limitations or exclusions to be based on LDAP users or LDAP user groups, the Username field must be populated in the mobile device's inventory information.

    For more information, see the Scope section in the Jamf Pro Administrator's Guide.

  9. (Optional) If you chose to make the profile available in Self Service, click the Self Service tab to configure Self Service settings for the profile.

  10. Click Save.

The profile is distributed to deployment targets in the scope the next time they check in with Jamf Pro. Users must enter their credentials on their mobile device before they can join the network.
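The steps above produce a configuration profile that Jamf Pro generates for you. The following added example (not Jamf's code or output) builds the equivalent PEAP profile with Python's standard-library plistlib, using Apple's documented Wi-Fi and certificate payload keys, and audits the Wi-Fi payload for the trust settings that the Trust tab controls. The SSID, RADIUS server name, root CA bytes and the com.example identifier prefix are constructed placeholders; $USERNAME is shown as the literal Jamf Pro substitutes at install time.

```python
"""Build and audit a PEAP Wi-Fi profile (.mobileconfig) equivalent to the steps above.
Added example using only the Python standard library; all values are placeholders."""
import plistlib
import uuid

# Constructed placeholder standing in for the DER bytes of the RADIUS root CA.
FAKE_ROOT_CA_DER = b"\x30\x82-constructed-placeholder-not-a-real-certificate"


def payload_base(ptype, display_name):
    """Keys every payload needs; PayloadUUID is what other payloads reference."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{ptype}.{uuid.uuid4()}",  # assumed prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def root_ca_payload(der_bytes, display_name):
    """Certificates payload: a DER root CA the device should trust for EAP."""
    p = payload_base("com.apple.security.root", display_name)
    p["PayloadContent"] = der_bytes
    p["PayloadCertificateFileName"] = "root-ca.cer"
    return p


def peap_wifi_payload(ssid, anchor_uuids, radius_cn, username="$USERNAME",
                      password=None, per_connection=False, hidden=False):
    """Wi-Fi payload with PEAP; Jamf Pro fills $USERNAME per device at install."""
    eap = {
        "AcceptEAPTypes": [25],                              # 25 = PEAP
        "UserName": username,
        "OneTimeUserPassword": per_connection,               # "Use Per-Connection Password"
        "PayloadCertificateAnchorUUID": list(anchor_uuids),  # Trust tab: root CA(s)
        "TLSTrustedServerNames": [radius_cn],                # Trust tab: Certificate Common Name
        "TLSAllowTrustExceptions": False,                    # no "trust anyway?" prompt
    }
    if password is not None:                                 # omitted -> device prompts the user
        eap["UserPassword"] = password
    p = payload_base("com.apple.wifi.managed", f"Wi-Fi {ssid}")
    p.update({
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": "WPA2",                            # WPA2 Enterprise with EAP config present
        "ProxyType": "None",
        "EAPClientConfiguration": eap,
    })
    return p


def audit_peap(wifi, payloads):
    """Findings that would let a rogue access point harvest PEAP credentials."""
    findings = []
    eap = wifi.get("EAPClientConfiguration", {})
    if 25 not in eap.get("AcceptEAPTypes", []):
        findings.append("PEAP not enabled")
    roots = {p["PayloadUUID"] for p in payloads
             if p.get("PayloadType") == "com.apple.security.root"}
    anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
    if not anchors or not anchors <= roots:
        findings.append("no root CA anchored in this profile: server cert not validated")
    if not eap.get("TLSTrustedServerNames"):
        findings.append("no RADIUS server name pinned: any cert from the CA is accepted")
    if eap.get("TLSAllowTrustExceptions", True):
        findings.append("trust exceptions not disabled: user can click through a bad cert")
    if "UserPassword" in eap and eap.get("UserName") != "$USERNAME":
        findings.append("shared credential embedded in profile (readable on every device)")
    return findings


def build_peap_profile(ssid, radius_cn, root_der, **wifi_kwargs):
    """Top-level profile wrapping the Certificates and Wi-Fi payloads."""
    root = root_ca_payload(root_der, "RADIUS Root CA")
    wifi = peap_wifi_payload(ssid, [root["PayloadUUID"]], radius_cn, **wifi_kwargs)
    profile = payload_base("Configuration", f"802.1X PEAP {ssid}")
    profile["PayloadContent"] = [root, wifi]
    return profile


def to_mobileconfig(profile):
    """Serialise to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_peap_profile("CorpWiFi", "radius.corp.example", FAKE_ROOT_CA_DER)
    print(audit_peap(prof["PayloadContent"][1], prof["PayloadContent"]))
    print(to_mobileconfig(prof).decode()[:300])
```

The audit reflects the Trust tab: an anchored root CA and a pinned server name are both required before the device can distinguish the real RADIUS server from an impostor, and TLSAllowTrustExceptions is set explicitly because the device otherwise offers the user a way to accept an unknown certificate. Building the profile with a shared account and password embeds that secret in the plist, which is why the audit reports it.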

Enabling Users to Authenticate Using a Certificate

Mobile devices use EAP-TLS for 802.1X configurations when you want users or devices to authenticate using a certificate instead of a password. To use this protocol, you must distribute a configuration profile to mobile devices with the Wi-Fi, SCEP, and Certificates payloads configured: the SCEP payload enrolls the device for its own identity certificate, and the Certificates payload supplies the root CA the device uses to verify the RADIUS server.

Requirements

To configure 802.1X settings on mobile devices authenticating using a certificate, you need a SCEP server with either a user or device certificate. If you are using a user certificate, the devices must be assigned to a user in Jamf Pro. For more information, see User Assignments in the Jamf Pro Administrator's Guide.

Procedure

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click Configuration Profiles.

  4. Click New.

  5. Use the General payload to configure basic settings for the profile, including the level at which to apply the profile and the distribution method. If you chose to make the profile available in Jamf Self Service, choose a Security setting.
    Only payloads and settings that apply to the selected level are displayed for the profile.

  6. Use the Certificates payload to configure information about the certificate:

    1. Enter a display name for the certificate in the Certificate Name field.

    2. Choose "Upload" from the Select Certificate Option pop-up menu.

    3. Click Upload Certificate and upload the Root CA certificate that issued your RADIUS server's certificate.

    4. (Optional) If you uploaded a .p12 or .pfx certificate, enter a password in the Password field and then verify the password.

  7. Use the SCEP payload to configure information about the SCEP server:

    1. Enter the URL for your SCEP server appended with "/certsrv/mscep/mscep.dll" in the URL field. This is the enrollment endpoint path of a Microsoft NDES server.

      Example: http://SCEP.Hostname/certsrv/mscep/mscep.dll

    2. Enter the name of the instance in the Name field. Typically, this is the name of the Root CA.

    3. Enter one of the following in the Subject field:

      • If you are using user certificates to identify users using the network, enter "CN=$USERNAME" or "CN=$FULLNAME" depending on your organization's needs.

      • If you are using device certificates to identify devices using the network, enter "CN=$DEVICENAME" or "CN=$SERIALNUMBER" depending on your organization's needs.

    4. Choose "RFC 822 Name" from the Subject Alternative Name Type pop-up menu.

      Important: Do not configure the Subject Alternative Name Value field; the identity goes in the NT Principal Name field in the next step.

    5. Enter one of the following user principal names (UPN) in the NT Principal Name field.

      • If you are using a user certificate, the UPN is "$USERNAME" followed by the SCEP domain.

        Example: $USERNAME@scep.domain

      • If you are using a device certificate, the UPN is "$DEVICENAME$" followed by the SCEP domain.

        Example: $DEVICENAME$@scep.domain

    6. Choose one of the following from the Challenge Type pop-up menu:

      • If you are using "Static" for the Challenge Type, enter the pre-shared SCEP challenge secret and then verify it. Every device in scope presents this same secret, so treat it as a shared credential.

      • If you are using "Dynamic-Microsoft CA" for the Challenge Type, enter the URL for your SCEP server appended with "/certsrv/mscep_admin/" and the username and password of the account Jamf Pro should use to request a one-time challenge password from that server.

        Example: http://SCEP.Hostname/certsrv/mscep_admin/

  8. Use the Wi-Fi payload to configure information about the network:

    1. Enter your SSID in the Service Set Identifier (SSID) field.

    2. (Optional) To ensure the network is not displayed as an available network in Settings, select the Hidden Network checkbox.

    3. (Optional) To ensure devices automatically connect to the network, select the Auto Join checkbox.

    4. Configure the Proxy Setup setting as needed.

    5. Choose "WPA2 Enterprise" from the Security Type pop-up menu.

    6. Click the Protocols tab.

    7. Select the TLS checkbox.

    8. Choose the certificate configured in the SCEP payload from the Identity Certificate pop-up menu.

    9. Click the Trust tab.

    10. Select the checkboxes of the certificates you uploaded.

    11. Click +Add for the Certificate Common Name field and enter the name of the RADIUS certificate exactly as it appears in that certificate's subject.

      Important: The Certificate Common Name field is case sensitive.

  9. Click the Scope tab and configure the scope of the profile.
    To distribute user-level profiles, add iPads that have Shared iPad enabled to the scope. This allows the profile to be installed on the device for each potential user of that device. When each user logs in, the profile is then installed on the device.

    Note: If a user is logged in to an iPad prior to a profile being saved in Jamf Pro, the user must log out and log back in to the iPad for the profile to be installed on the device.

    Note: For limitations or exclusions to be based on LDAP users or LDAP user groups, the Username field must be populated in the mobile device's inventory information.

    For more information, see the Scope section in the Jamf Pro Administrator's Guide.

  10. (Optional) If you chose to make the profile available in Self Service, click the Self Service tab to configure Self Service settings for the profile.

  11. Click Save.

The profile is distributed to deployment targets in the scope the next time they check in with Jamf Pro. Users join the network seamlessly because they authenticate using the certificate.
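The following added example (not Jamf's code or output) builds the SCEP plus EAP-TLS profile that the steps above describe, using Apple's documented SCEP and Wi-Fi payload keys, and checks that the Wi-Fi payload's Identity Certificate and trusted-root references actually resolve to payloads of the right type inside the same profile. The SCEP URL is the page's own example; the CA instance name, the user "jdoe" and UPN "jdoe@scep.domain" (what $USERNAME and $USERNAME@scep.domain become for one user), the RSA key size, the key usage value and the root CA bytes are constructed assumptions.

```python
"""Build the SCEP + EAP-TLS profile equivalent to the steps above and check that its
certificate references resolve. Added example; all values are placeholders."""
import plistlib
import uuid

# Constructed placeholder standing in for the DER bytes of the RADIUS root CA.
FAKE_ROOT_CA_DER = b"\x30\x82-constructed-placeholder-not-a-real-certificate"


def payload_base(ptype, display_name):
    """Keys every payload needs; PayloadUUID is what other payloads reference."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{ptype}.{uuid.uuid4()}",  # assumed prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def root_ca_payload(der_bytes, display_name):
    """Certificates payload: the root CA used to verify the RADIUS server."""
    p = payload_base("com.apple.security.root", display_name)
    p["PayloadContent"] = der_bytes
    return p


def scep_payload(url, ca_name, subject_cn, upn, challenge=None, keysize=2048):
    """SCEP payload: the device generates a key pair and enrolls against the NDES URL."""
    content = {
        "URL": url,                          # e.g. http://SCEP.Hostname/certsrv/mscep/mscep.dll
        "Name": ca_name,                     # instance name, typically the root CA name
        "Subject": [[["CN", subject_cn]]],   # Apple's nested-array form of "CN=<value>"
        "Key Type": "RSA",
        "Keysize": keysize,                  # assumed; pick what your CA policy requires
        "Key Usage": 5,                      # 1 = signing, 4 = encryption, 5 = both (assumed)
        # Steps 7.4/7.5: RFC 822 Name type with no value; only the NT Principal Name is set.
        "SubjectAltName": {"ntPrincipalName": upn},
    }
    if challenge is not None:                # "Static" challenge type
        content["Challenge"] = challenge
    p = payload_base("com.apple.security.scep", f"SCEP {ca_name}")
    p["PayloadContent"] = content
    return p


def eaptls_wifi_payload(ssid, identity_uuid, anchor_uuids, radius_cn):
    """Wi-Fi payload with EAP-TLS; the identity is the SCEP payload's certificate."""
    p = payload_base("com.apple.wifi.managed", f"Wi-Fi {ssid}")
    p.update({
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "ProxyType": "None",
        "PayloadCertificateUUID": identity_uuid,          # Identity Certificate pop-up menu
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],                       # 13 = EAP-TLS
            "PayloadCertificateAnchorUUID": list(anchor_uuids),
            "TLSTrustedServerNames": [radius_cn],         # case-sensitive match
            "TLSAllowTrustExceptions": False,
        },
    })
    return p


def check_references(profile):
    """Findings for dangling or wrong-typed certificate references in one profile."""
    findings = []
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    identity_types = ("com.apple.security.scep", "com.apple.security.pkcs12")
    for wifi in profile["PayloadContent"]:
        if wifi["PayloadType"] != "com.apple.wifi.managed":
            continue
        ssid = wifi["SSID_STR"]
        ident = by_uuid.get(wifi.get("PayloadCertificateUUID"))
        if ident is None or ident["PayloadType"] not in identity_types:
            findings.append(f"{ssid}: identity certificate does not resolve to a SCEP/PKCS12 payload")
        eap = wifi.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        for a in anchors:
            if by_uuid.get(a, {}).get("PayloadType") != "com.apple.security.root":
                findings.append(f"{ssid}: anchor {a} is not a root certificate payload")
        if not anchors or not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: RADIUS server certificate is not pinned")
    return findings


def build_eaptls_profile(ssid, radius_cn, scep_url, ca_name, subject_cn, upn,
                         root_der=FAKE_ROOT_CA_DER, challenge=None):
    """Top-level profile wrapping the Certificates, SCEP and Wi-Fi payloads."""
    root = root_ca_payload(root_der, "RADIUS Root CA")
    scep = scep_payload(scep_url, ca_name, subject_cn, upn, challenge)
    wifi = eaptls_wifi_payload(ssid, scep["PayloadUUID"], [root["PayloadUUID"]], radius_cn)
    profile = payload_base("Configuration", f"802.1X EAP-TLS {ssid}")
    profile["PayloadContent"] = [root, scep, wifi]
    return profile


if __name__ == "__main__":
    prof = build_eaptls_profile("CorpWiFi", "radius.corp.example",
                                "http://SCEP.Hostname/certsrv/mscep/mscep.dll",
                                "Corp-Root-CA", "jdoe", "jdoe@scep.domain",
                                challenge="constructed-secret")
    print(check_references(prof))
    print(plistlib.dumps(prof).decode()[:300])
```

The reference check is the part worth keeping: the GUI prevents most mismatches, but a hand-edited or scripted profile can silently point Identity Certificate at the wrong payload, and an EAP-TLS client with a dangling identity reference never authenticates. For a device certificate, pass the device name as the subject and the "$DEVICENAME$@scep.domain" form from step 7.5 as the UPN.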

© copyright 2002-2021 Jamf. All rights reserved.