Comments on Revolution Wi-Fi: Mac OS X Lion Creating Wi-Fi 802.1X Profiles

Andrew von Nagy

monika (2014-05-10T10:27:08.871-05:00):

Hello people, I have the same problem with 802.1X. I have installed iPCU and followed the instructions, but the profile installation failed: some required information is missing... I have no problem with internet in coffee shops or at friends' apartments, but I live in a student dorm, and I can't solve this problem... The only access to internet in the dorm is a cable one; we don't have Wi-Fi. By the way, I guess I'm the only one with a Mac in the dorm :/ Thanks for your help.

Andrew von Nagy (2013-04-03T16:09:47.192-05:00):

Hey folks,
Quick update: hacking the .mobileconfig file manually to create a LoginWindow mode profile is nearly identical to the instructions for a System mode profile, except you change the first instance of "System" to "LoginWindow" (but don't change the second instance).

For reference, here is the complete modification for a LoginWindow profile:

Starting on the line immediately below the SSID_STR key's <string> value, add this:

    <key>SetupModes</key>
    <array>
    <string>LoginWindow</string>
    </array>

Insert these lines immediately above the bottom-most PayloadType key line:

    <key>PayloadScope</key>
    <string>System</string>

And to reiterate, you can't sign the .mobileconfig profile, since you will invalidate the digital signature once you hack the file, and clients can't verify it and thus will not install it.

To accomplish this in an easier fashion, use an OS X Server with Profile Manager to create a Device profile, embed the Wi-Fi payload and credentials to create a System mode profile, and optionally check the box for LoginWindow profile to make it a dual System plus LoginWindow profile.

Cheers,
Andrew

Anonymous (2012-10-31T21:52:38.193-05:00):

Tried the top-level mod to the .mobileconfig file to make it a System-level change (i.e., available at the login screen), but no change. If I log in locally first and enable the profile, then log out, the Wi-Fi icon flickers twice then "goes gray".

Interestingly, if iPhone Configuration Utility is supposed to be up to date on these sorts of things, why isn't it adding the System-level changes itself via a GUI similar to what we saw in Snow Leopard, where System and Login Window were available options? If you attempt to reopen the modified .mobileconfig file, the iPCU throws a "The profile contains entries that cannot be managed by iPCU" warning at you.

We will be upgrading from OS X Server Snow Leopard to Mountain Lion shortly, so perhaps the new iteration of Profile Manager will offer enhanced configuration above and beyond the iPCU? (Hopefully it'll allow backwards compatibility as well so we can manage both devices on Lion as well as Mountain Lion at the same time.)

Anonymous (2012-10-19T18:31:56.230-05:00):

Looks like the new version doesn't have the option to "Use as a login window configuration", like the server version.

Anonymous (2012-10-19T13:44:52.685-05:00):

Looks like the latest iPhone Configuration Utility adds this functionality, without using ML server or hacking the file.

iPhone Configuration Utility lets you easily create, maintain, encrypt, and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs.

Configuration profiles are XML files that contain device security policies, VPN configuration information, Wi-Fi settings, APN settings, Exchange account settings, mail settings, and certificates that permit iPhone and iPod touch to work with your enterprise systems.

Hervé (2012-09-24T09:17:26.614-05:00):

So, if you want to identify to an AD domain through a Wi-Fi connection, there is no way except to acquire ML Server, is there?
This is the only way to enable the Wi-Fi BEFORE the login, no?
Sorry for my bad English, but I need to log on to AD with a MB Air and the only way I have is to use a USB-RJ45 adapter... Not very user friendly!

s824 (2012-09-11T16:45:53.098-05:00):

Round 2... I did the config file, exported it with no security. Edited the config file with the above instructions. I installed the file and it loaded with no problems. I am able to authenticate fine, but it is still a "user" profile. It did not change to a "system" profile that I desperately need it to be. Seems like I am close... VERY close. But I've been working on this issue for several days now. I did try the Profile Manager on one of my Lion servers, but talk about convoluted!! It is WAY confusing compared to Snow Leopard's Workgroup Manager, which I currently use. Any help would be greatly appreciated. Thanks everyone.

s824 (2012-09-10T09:28:41.522-05:00):

Andrew,

Great info here. I've been trying to "hack" the config file, but every time I edit the file, it errors out on me. Guess it is because it is signed with a digital signature? Without the signature, our Macs on campus will not authenticate. Any ideas on how I can get this going without upgrading our server to Lion or Mountain Lion? Wouldn't be a big deal if we weren't already 2 weeks into a school year. Thanks.

Andrew von Nagy (2012-08-01T15:58:35.988-05:00):

Are you signing the profile when you export it? If so, make sure the other machines trust the certificate with which the profile is signed, or stop signing it altogether.

There are other options from MDM providers, and multiple ways to deploy profiles to devices, ranging from simply publishing it on a website, sending it via email, or leveraging Aerohive's MDM integration (such as JAMF) to automatically identify devices joining the WLAN, redirect them for enrollment with MDM (which can include profile deployment), and then allowing them network access. This can be a user self-enrollment process without IT involvement if you want it to be. See this blog post and video for more information:
http://blogs.aerohive.com/blog/the-enterprise-wireless-networking-blog/simpli-fi-apple-device-management

Cheers,
Andrew

Anonymous (2012-07-25T18:41:08.111-05:00):

I work for a private school. We just bought a boatload of Aerohive APs. This Lion thing is killing me. If anyone has a fix other than installing a Lion server, I'd appreciate help. I'm not a Mac guy. I had a profile working that was created using the iPhone CU, but that seems to not work once moved to a different machine. We are all Macs here.

Anonymous (2012-06-26T13:44:40.573-05:00):

That little mobileconfig hack worked perfectly. Thanks Andrew.

Andrew von Nagy (2012-06-26T00:12:08.263-05:00):

I believe what you want to do is integrate Mac OS X machines into Active Directory (Apple calls this Dual Directory), then create an 802.1X profile in Lion Server - Profile Manager and configure the profile with "Use as a Login Window configuration (Mac OS X only)". This will instruct the MacBooks to connect to the Wi-Fi using the same username and password entered into the workstation's login screen.

https://discussions.apple.com/servlet/JiveServlet/showImage/2-17782093-95302/Screen+Shot+2012-03-07+at+12.55.27+PM.png

Also, the login window should display as "Name and Password" (not "List of Users"):
http://support.apple.com/kb/HT4541

Users may also need to include the domain name with their username when they log in:
http://support.apple.com/kb/HT4542#

Best of luck!
Andrew

Snickasaurus (2012-06-25T21:58:59.960-05:00):

Andrew, this was a great article to find. Thanks for posting. I work for a large company that mainly uses Windows machines but is slowly moving to Macs. Last November we had roughly 40 and now we are over 230. I used the JAMF Casper Suite and love it, but I'm stuck trying to figure out how to take this .mobile profile created with your instructions and have it set so that when a user is near the wireless it automatically logs them in using the cached credentials on the machine, since to log in and create a profile they have to authenticate with a Windows AD. I hope to start deploying this mobile config during the imaging process, and the boss wants little to no user interaction if possible (example: them typing in their username/password to join wireless). Any links or search terms would be greatly appreciated, as I've exhausted my Googling for the last few days and feel burnt out from not finding a straight answer. Thanks again for the post and any help you might could offer to me.

Andrew von Nagy (2012-06-19T22:09:18.936-05:00):

Manually hacking the IPCU .mobileconfig profile is not ideal and leaves room for error. Also, newer versions of the IPCU may change the syntax and make previous workarounds fail. I'm not sure what you're experiencing.

I would suggest using the Profile Manager in Lion Server, which is the only Apple supported method that I know of.

Best of luck!
Andrew

Anonymous (2012-06-19T18:40:19.319-05:00):

I have altered the XML file as stated above and am not able to gain access through the login window... no yellow jelly dot. I created the config file using IPCU, configuring the general and Wi-Fi payloads only. Username and password left blank, exported with no signatures, altered in TextEdit. Saved and installed on a machine that was already connected to the network via Ethernet. Authentication went fine until restart, after which I could not connect and strangely did not see the red dot. Logged in as admin, and was connected immediately. Frustrating!

My setting is an all-Mac school, about 400 Snow Leopard, 50 Lion. Running on SN servers using an Aruba wireless system. SL computers connect via a Login Window profile created in the 802.1X tab in the Network system preference.

Thanks in advance.

Andrew von Nagy (2012-05-18T15:38:00.197-05:00):

You're likely exporting the mobileconfig file with a digital signature, which makes editing the file after export impossible without invalidating the signature (signed hash using a public key from a certificate).

When exporting it, try setting the security to "None" instead of "Sign configuration profile."

Cheers,
Andrew

Anonymous (2012-05-15T17:13:31.383-05:00):

I created the mobileconfig file, and it works on its own, but when I edit the file (through TextEdit), it no longer works, saying that there was an error. Remove the added code, and it works again. Any ideas? We're running a Windows AD server and bind to it just for authentication, so we're not running a Lion server to load up Profile Manager.

Thanks for the great info!

Andrew von Nagy (2012-03-26T13:59:30.120-05:00):

Correct, I noted this limitation in my article:

"Additionally, user-created 802.1X profiles only work under their own user context, and do not work for pre-login or system level network connections which are of great benefit in enterprise environments..."

To create system level profiles that can activate prior to user login with Mac OS X Lion, you need to create them from Profile Manager within Lion Server or manually hack an IPCU .mobileconfig file (as detailed in a previous comment).

Andrew

Anonymous (2012-03-16T14:21:40.792-05:00):

Profile created. Cool. But when I reboot it still does not find it prior to login. No network connections... On the top right I can tell that there are no connections. Any clues?

Andrew von Nagy (2012-03-08T09:22:57.087-06:00):

Hi,
Can you verify that the profiles that you installed include 802.1X/EAP settings for the Wi-Fi network? If they do not, then they will not show up under the Network > Wi-Fi > Advanced > 802.1X section.

If it is not an 802.1X/EAP network, but you have defined a proxy, then try connecting to the network and see what shows up under the Network > Wi-Fi > Advanced > Proxies tab.

Andrew

Anonymous (2012-03-07T07:18:24.773-06:00):

I have a problem that my profiles install and I can see them under the profiles window in System Preferences. But they don't show under 802.1X on the Advanced items for the network. I have 2 profiles: one for home that does not use a proxy server, and one for work that does. So I'm trying to get my MacBook Pro to connect to the work network and set the proxy when I'm at work, and remove the proxy stuff when it connects to my home network. Like my iPhone does.

Andrew von Nagy (2012-02-07T21:49:29.963-06:00):

One other note for readers. If you want to create either LoginWindow mode or System mode profiles, you must create them with Profile Manager from Lion Server. Alternatively, you can manually hack an iPCU .mobileconfig file.

To create a System mode profile instead of the User mode profile, do the following:

1. Create a User mode profile using the iPCU as described in this article.

2. Manually edit the .mobileconfig file and add the following items:

Starting on the line immediately below the SSID_STR key's '<string>' value, add this:

    <key>SetupModes</key> <array> <string>System</string> </array>

Then, insert these lines immediately above the bottom-most PayloadType key line:

    <key>PayloadScope</key> <string>System</string>

Cheers,
Andrew

Andrew von Nagy (2012-02-07T21:08:07.687-06:00):

Thanks Damien.

For readers, here is the link to more detail on creating a LoginWindow Profile: http://d4mo.dyndns.org/wiki/pages/W4c0Q3k/Lion_8021x_LoginWindow_Profile.html

Andrew

Anonymous (2012-02-07T16:31:18.936-06:00):

Hi Andrew
If you need to add a Login Window Profile you can edit the .mobileconfig file and add the following:

SetupModes
LoginWindow

Below the Do this straight after the
SSID_STR
MySSID

And

PayloadScopeLoginWindow

Above the lowest PayloadScope field

@d4mo1337
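
The manual edit Andrew von Nagy describes in the comments above (SetupModes inside the Wi-Fi payload, PayloadScope at the top level, unsigned export only) can be applied with a plist parser instead of a text editor. This is an added example, not code from the thread or from Apple; the function names and the sample profile with its identifiers are constructed, and the leading-0x30 test for a signed (CMS/DER) export is a heuristic assumption.

```python
import plistlib

# Constructed sample: a minimal unsigned profile shaped like an iPCU export.
# SSID and identifiers are placeholders, not values from the thread.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "com.example.profile.wifi",
        "SSID_STR": "ExampleSSID",
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {"AcceptEAPTypes": [25]},
    }],
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadVersion": 1,
})


def set_wifi_mode(profile_bytes, mode):
    """Return a copy of an unsigned profile with the thread's two edits applied."""
    if mode not in ("System", "LoginWindow"):
        raise ValueError("mode must be 'System' or 'LoginWindow'")
    # Assumption: a signed export is a DER-encoded envelope, which starts
    # with 0x30, rather than a bare plist. Editing it would break the signature.
    if profile_bytes[:1] == b"\x30":
        raise ValueError("profile looks signed; re-export with security 'None'")
    profile = plistlib.loads(profile_bytes)
    wifi = [p for p in profile.get("PayloadContent", [])
            if isinstance(p, dict) and "SSID_STR" in p]
    if not wifi:
        raise ValueError("no Wi-Fi payload (SSID_STR) found in profile")
    for payload in wifi:
        # First edit: SetupModes goes inside the Wi-Fi payload, beside SSID_STR.
        payload["SetupModes"] = [mode]
    # Second edit: PayloadScope at the top level stays "System" for both modes.
    profile["PayloadScope"] = "System"
    return plistlib.dumps(profile)


def profile_modes(profile_bytes):
    """Report (PayloadScope, SetupModes of each Wi-Fi payload) for review."""
    profile = plistlib.loads(profile_bytes)
    modes = [p.get("SetupModes") for p in profile.get("PayloadContent", [])
             if isinstance(p, dict) and "SSID_STR" in p]
    return profile.get("PayloadScope"), modes


if __name__ == "__main__":
    edited = set_wifi_mode(SAMPLE_PROFILE, "LoginWindow")
    print(profile_modes(edited))
```

The output is still an unsigned profile, so clients have no signature to verify on it; compare it against the export before distributing.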