Enrolling iPads into the JAMF Casper MDM solution is done through Apple Configurator, by message, or through links deployed to iOS devices as web clips. For larger deployments, enrollment can be automated so that devices are enrolled into Casper MDM as they are set up, using an Enrollment Profile that is downloaded from the JSS and deployed to each device. A separate certificate can also be needed if it is not included in the profile (an option exposed as a checkbox in the setup). While you hopefully won’t need to download the certificate separately, we’ll start there:
Obtain the Certificate for the JSS Server
To obtain the trust certificate from the JSS Server:
- Open the web interface for the JSS.
- When prompted to trust the certificate, click on the disclosure triangle and then the checkbox to trust the cert, providing the administrative credentials when prompted.
- Open Keychain Access.
- Click in the search field.
- Search for JSS.
- Control-click on the name of your server’s “Built-in Certificate Authority” entry.
- Choose the option to Export.
- When prompted, provide a name for the certificate in the Save As field.
- Choose a location to save the certificate to using the Where field.
- The .cer format is sufficient for our purposes.
- Click Save.
Download the Enrollment Profile
To download an enrollment profile from Casper MDM:
- Log into the web interface of the JSS.
- Click on the link for Mobile Device Enrollment.
- At the Mobile Device Enrollment Invitations screen, click on the Enrollment Profiles tab.
- At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one).
- Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from, via the Profiles System Preferences pane.
- Click on Cancel.
- Click on the downloads link in Safari.
- Click on the magnifying glass icon to see the .mobileconfig file.
You have now downloaded the .mobileconfig file that will enroll devices into Casper MDM.
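Before Apple Configurator pushes that .mobileconfig to every docked device, it is worth looking inside it: confirm the MDM payload points at your own JSS over HTTPS, and know whether the profile is signed (an unsigned profile shows as “Not Verified” on the device). The script below is an added example, not part of the original post or any JAMF tooling. The profile it parses is constructed for the example, jss.example.com stands in for your JSS, and the throwaway signing key only exists to exercise the signed-profile path; in practice the JSS signs the profile. PayloadType, ServerURL, CheckInURL and Topic are the standard keys of an MDM payload.

```shell
#!/bin/sh
# Added example (not from the original post or from JAMF): inspect a
# downloaded .mobileconfig before it is deployed to every connected device.
# The profile, host name (jss.example.com) and signing key are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/mdmcheck.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed, unsigned stand-in for the enrollment profile the JSS serves.
write_sample_profile() {   # prints the path
    cat > "$WORK/MDM-iOS5.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.mdm</string>
      <key>ServerURL</key>
      <string>https://jss.example.com:8443/iOSEnrollment/</string>
      <key>CheckInURL</key>
      <string>https://jss.example.com:8443/iOSEnrollment/checkin</string>
      <key>Topic</key>
      <string>com.apple.mgmt.External.00000000-0000-0000-0000-000000000000</string>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>MDM-iOS5</string>
</dict>
</plist>
EOF
    echo "$WORK/MDM-iOS5.mobileconfig"
}

# A signed profile is a DER-encoded PKCS#7 blob (first byte 0x30); an
# unsigned one is plain XML and shows as "Not Verified" on the device.
profile_is_signed() {   # $1 = profile path
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Unwrap a signed profile to its XML; pass an unsigned one through unchanged.
profile_xml() {   # $1 = profile path
    if profile_is_signed "$1"; then
        openssl smime -verify -noverify -binary -inform der -in "$1" 2>/dev/null
    else
        cat "$1"
    fi
}

# Value of the <string> that follows <key>NAME</key> (first occurrence).
plist_string() {   # $1 = profile path, $2 = key name
    profile_xml "$1" | awk -v k="<key>$2</key>" '
        index($0, k) { want = 1; next }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }'
}

# Refuse a profile that has no MDM payload or whose ServerURL is not your JSS over HTTPS.
check_mdm_profile() {   # $1 = profile path, $2 = expected JSS host
    [ "$(plist_string "$1" PayloadType)" = "com.apple.mdm" ] || {
        echo "$1: no com.apple.mdm payload" >&2; return 1; }
    url=$(plist_string "$1" ServerURL)
    case "$url" in
        https://"$2"[/:]*) ;;
        *) echo "$1: ServerURL '$url' is not https://$2" >&2; return 1 ;;
    esac
    profile_is_signed "$1" || echo "$1: unsigned; the device will show it as Not Verified" >&2
}

# Signs with a throwaway key purely to exercise the signed path above;
# the real profile is signed by the JSS, not by you.
sign_profile() {   # $1 = unsigned profile; prints the signed path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jss.example.com" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl smime -sign -binary -nodetach -outform der -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -in "$1" -out "$1.signed"
    echo "$1.signed"
}

PROFILE=$(write_sample_profile)
check_mdm_profile "$PROFILE" jss.example.com
check_mdm_profile "$(sign_profile "$PROFILE")" jss.example.com
```

Run it against the real download by replacing the call to write_sample_profile with the path of the .mobileconfig Safari saved and passing your JSS host; a non-zero exit means the profile should not go anywhere near the Prepare button.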
Deploy The Casper MDM Enrollment Profile Through Apple Configurator
To add the profile to Apple Configurator:
- Open Apple Configurator on the client computer.
- Click on Prepare in the row of icons along the top of the screen.
- Drag the profile (by default currently called MDM-iOS5.mobileconfig) from the Finder into the list of Profiles.
- The profile then appears in Apple Configurator (in this example, called MDM-iOS5).
Once the profile is installed in Apple Configurator, let’s deploy it. In this example, don’t configure any other options. To deploy:
- Leave the name blank, disable numbering, leave Supervision off, set iOS to No Change, leave “Erase before installing” unchecked, and set the Restore field to Don’t Restore Backup.
- Check the box for the newly added profile (MDM-iOS5 in this example).
- Click on the Prepare button.
- At the “Are you sure you want to apply these settings to all USB-connected devices?” screen, click on the Apply button.
- The subsequent screen shows devices as they are being configured. Here, connect the device that should receive the profile (note that every iOS device connected over USB at this point is going to be configured with the profile).
- Once the device is connected, the profile will begin to install. You are then prompted to “Tap device to install profile”.
- On the device, tap on the Install button.
- At the Warning screen, tap Install.
- Once the Profile is installed, tap Done.
- The device is now enrolled.
If you then wish to unenroll, remove the profile on the device by tapping Profiles and then tapping the Remove button. Per the MDM protocol, a user can remove their device from management at any time, so expect this to happen occasionally, even if only by accident.
Recently, I did an article for afp548.com where I explained that you can import a pkcs12 file into an 802.1x profile using networksetup. In that type of environment you would be leveraging TLS or TTLS, with the Mac OS X client acting as the supplicant and the certificate required to authenticate to the authenticator. So you need the certificate to get started, but how do you get the pkcs12 and dish it out to clients programmatically?
We’re going to start out with a new keychain into which we’ve imported the certificate and its private key (or skip this step if you already have a p12 file). First, find the certificate and verify its name, as the name is very important to networksetup. For this, I like to use the security command’s find-certificate option. Here we’re going to look for radius.krypted.com:
security find-certificate -c radius.krypted.com
Now we’ll use the export verb of the security command to dump a .p12 file from the purpose-built keychain called 8021xkey.keychain to the desktop. The export has to be of the identity (certificate plus private key), not just the certificate; a certs-only p12 cannot be used as a TLS identity:
security export -k 8021xkey.keychain -t identities -f pkcs12 -o ~/Desktop/krypted.p12
When run, you’ll be asked for a password to protect the new p12; the same password is needed to decrypt it again on import (add -P to supply it non-interactively when scripting). Once we have the p12 it can easily be imported, as we will do from the desktop of a client system:
security import ~/Desktop/krypted.p12 -f pkcs12
Now we can use the p12 along with -settlsidentityonsystemprofile or -settlsidentityonuserprofile. For example (using the default AirPort as the service and mysecretpassword as the password to decrypt the p12):
networksetup -settlsidentityonsystemprofile AirPort ~/Desktop/krypted.p12 mysecretpassword
Note that networksetup only takes the p12 password as a command-line argument, so it is visible to other local users in the process list while the command runs and ends up in shell history if typed interactively; in a script, keep it in a root-only file or variable rather than in the script body.
Overall, at this point you can finally automate the 802.1x part of a deployment using a script or a package: set up the profiles in the GUI, import them onto the new computer (assuming you have set up the service names beforehand) and, if need be, import the certificate. Much testing is required, though…
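Because the profile refers to the certificate by name and networksetup needs a private key inside the bundle, two things are worth checking in a script before the p12 is handed out: that the certificate’s CN is the one you expect, and that the p12 actually carries a private key. The script below is an added example, not from the original post or from Apple; it builds a throwaway self-signed identity with openssl to stand in for the one exported from 8021xkey.keychain, and the radius.krypted.com name, the AirPort service name, the krypted.p12 file name and the passphrase are all constructed. It passes the passphrase to openssl through the environment rather than as an argument, and only calls networksetup (which has no such option) once the checks pass.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): build a PKCS#12
# identity with openssl and sanity-check it before networksetup gets it.
# The identity, the CN radius.krypted.com, the file names and the passphrase
# are all constructed for the example.
set -eu

WORK="${TMPDIR:-/tmp}/p12check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the identity you would export from 8021xkey.keychain.
# -passout env: reads the passphrase from the environment so it never appears
# in the process list.
make_test_identity() {   # $1 = CN, $2 = passphrase; prints the p12 path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    P12PASS="$2" openssl pkcs12 -export -name "$1" \
        -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -passout env:P12PASS -out "$WORK/krypted.p12"
    echo "$WORK/krypted.p12"
}

# Subject CN of the certificate inside the bundle: the name that
# `security find-certificate -c` matches and that the 802.1X profile refers to.
p12_subject_cn() {   # $1 = p12 path, $2 = passphrase
    P12PASS="$2" openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12PASS 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# True only if the bundle carries a private key; a certs-only export
# (security export -t certs) is useless as a TLS identity.
p12_has_key() {   # $1 = p12 path, $2 = passphrase
    P12PASS="$2" openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12PASS 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Validate the bundle, then hand it to networksetup. networksetup takes the
# passphrase as an argument (briefly visible in `ps`), so the checks run
# first and a bad bundle never gets that far. Off macOS, or with DRY_RUN=1,
# the command is printed instead of run.
install_identity() {   # $1 = p12 path, $2 = passphrase, $3 = service, $4 = expected CN
    cn=$(p12_subject_cn "$1" "$2")
    [ "$cn" = "$4" ] || { echo "unexpected certificate CN '$cn', wanted '$4'" >&2; return 1; }
    p12_has_key "$1" "$2" || { echo "$1 contains no private key" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 0 ] && command -v networksetup >/dev/null 2>&1; then
        networksetup -settlsidentityonsystemprofile "$3" "$1" "$2"
    else
        echo "would run: networksetup -settlsidentityonsystemprofile $3 $1 <passphrase>"
    fi
}

# Usage: build the throwaway identity and check it without touching the system.
P12=$(make_test_identity radius.krypted.com mysecretpassword)
DRY_RUN=1 install_identity "$P12" mysecretpassword AirPort radius.krypted.com
```

On a real client, drop the DRY_RUN=1, point the first argument at the p12 produced by security export, and pass the CN that security find-certificate -c reported; the CN comparison is exact, so a certificate issued to a different host name fails the check before anything is written to the system profile.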