Enrolling iPads into the JAMF Casper MDM solution is done through Apple Configurator, messages or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper MDM when they are set up using an Enrollment Profile that is manually downloaded from Casper and deployed to device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll start there:
Obtain the Certificate for the JSS Server
To obtain the trust certificate from the JSS Server:
Download the Enrollment Profile
To download an enrollment profile from Casper MDM:
You have now downloaded the .mobileconfig file that will enroll devices into Casper MDM.
Add the Profile To Apple Configurator:
To deploy the profile through Apple Configurator:
Deploy The Casper MDM Enrollment Profile Through Apple Configurator
Once the profile is installed in Apple Configurator, let’s deploy it. In this example, don’t configure any other options. To deploy:
If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point, so expect this will happen occasionally, even if only by accident.
krypted August 8th, 2012
Tags: Apple Configurator, automate enrollment, CA, Casper, casper suite, enroll, export certificate, iPad, iPhone, ipod touch, JAMF, JSS, keychain utility, mass enrollment, mdm, mobile device management, trust
Recently, I did an article for afp548.com where I explained that you can import a pkcs12 file into an 802.1x profile using networksetup. In that type of environment you would be leveraging TLS or TTLS with the Mac OS X client acting as the supplicant and the certificate required to establish authentication with the authenticator. So you need the certificate to get started, but how do you get the pkcs12 and dish it out to clients programatically?
We’re going to start out with a new keychain where we’ve imported the certificate into that keychain (or skip this step if you already have a p12 file). First, find the certificate and verify the name, as this is very important to networksetup. For this, I like to use the security command’s find-certificate option. Here we’re going to look for radius.krypted.com:
security find-certificate -c radius.krypted.com
Now we’ll use the export verb of the security command to dump a .p12 file from the specially created keychain called 8021xkey,keychain to my desktop:
security export -k 8021xkey.keychain -t certs -f pkcs12 -o ~/Desktop/krypted.p12
When run you’ll be asked for a password to give the new p12 for decryption. Once we have the keychain it can easily be imported, as we will do from the desktop of a client system:
security import ~/Desktop/krypted.p12 -f pkcs12
Now we can use the p12 along with the -settlsidentityonsystemprofile or -settlsidentityonuserprofile. For example (using the default AirPort as the service and mysecretpassword as the password to decrypt the p12):
networksetup -settlsidentityonsystemprofile AirPort ~/Desktop/krypted.p12 mysecretpassword
Overall, at this point you can finally automate the process of setting up the 802.1x aspect of a deployment using a script or a package. Simply setup profiles at the GUI, import them into the new computer (assuming you have setup the service names before hand) and if need be import the certificate. Much testing required though…
krypted September 9th, 2009