MAC OSX Clients - Post Deployment - Part 11

The client certificate is generated at deployment time by OS X Server (Profile Manager).

Buy Mac server hardware and an OS X Server license; the license costs only about 29 dollars.

Install the server, log in and:

Open Profile Manager.

[Screenshot: osx.server.profile.manager]

Add the Mac OS X machines to My Devices as in the screenshot above: use the second tab to register the device, then the first tab to download and install the MDM configuration. The configuration changes are then pushed according to the groups the device belongs to (see below).

Go back and open Profile Manager. Make sure you are AD authenticated and can see all computer and user accounts from AD.

Create the appropriate groups, then edit the Network and AD Certificate payloads.

[Screenshot: osx.server.device.group]

[Screenshot: osx.server.ad.payload]

[Screenshot: osx.server.certificate.configuration]

[Screenshot: osx.server.network.payload]

[Screenshot: osx.server.ethernet.tls]

[Screenshot: osx.server.wifi.tls.certificate]

After clicking OK and then Apply, the configuration is pushed.

At this point a computer certificate has been rolled out to that Mac OS X machine.

You can proceed configuring the next steps.


For OS X you also need to add the certificates for:

  • ROOT_CA
  • Issuing CA (intermediate)
  • NPS_SRV1, NPS_SRV2
  • Retrieve a certificate for the OS X Server (must be domain joined).

Export these from the servers.

First you need to disable System Integrity Protection (SIP, which protects the system file system; csrutil controls it) so that the root and intermediate certificates can be imported.

Boot into recovery mode, open a shell and type:

csrutil disable

followed by a reboot.

Then execute the following shell script to import those certificates. Note: the .cer files must be in the same directory as the script when it runs.


#!/bin/bash
# Imports the CA, RADIUS (NPS) and computer certificates into the System keychain
# and the current user's login keychain. Run it from the directory holding the .cer files.
# (bash rather than sh because of the declare -a arrays below)

if [ ! -d "/private/tmp/certs" ]; then
  mkdir /private/tmp/certs
fi

# The computer certificate pushed by Profile Manager carries the machine's
# ComputerName as its common name; that name is used to find it again below.
CompName=$(scutil --get ComputerName)

# Stage the exported certificate files in one place
cp *.cer /private/tmp/certs
certLocation="/private/tmp/certs/"

declare -a rootCerts=('ROOT_CA.cer')
declare -a intermediateCerts=('Issuing_CA.cer')
declare -a RadiusCert=('NPS_SRV1.DNZ.cer' 'NPS_SRV2.DNZ.cer')

# Root CA: trusted as a root in the System keychain and in the login keychain
for cert in "${rootCerts[@]}"
do
  sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustAsRoot "$certLocation$cert"
  echo "Installed Root Certificate in System Keychain: $cert"
  sudo security add-trusted-cert -d -r trustAsRoot -k /Users/$USER/Library/Keychains/login.keychain-db "$certLocation$cert"
  echo "Installed Root Certificate in Login Keychain: $cert"
done

# Issuing (intermediate) CA, same treatment
for cert in "${intermediateCerts[@]}"
do
  sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustAsRoot "$certLocation$cert"
  echo "Installed Intermediate Certificate in System Keychain: $cert"
  sudo security add-trusted-cert -d -r trustAsRoot -k /Users/$USER/Library/Keychains/login.keychain-db "$certLocation$cert"
  echo "Installed Intermediate Certificate in Login Keychain: $cert"
done

# RADIUS (NPS) server certificates: unspecified trust in the login keychain,
# trusted as a root in the System keychain (the setting used in this deployment)
for cert in "${RadiusCert[@]}"
do
  sudo security add-trusted-cert -d -r unspecified -k /Users/$USER/Library/Keychains/login.keychain-db "$certLocation$cert"
  echo "Installed Radius Server Certificate in Login Keychain: $cert"
  sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustAsRoot "$certLocation$cert"
  echo "Installed Radius Server Certificate in System Keychain: $cert"
done

# Export the computer certificate (matched by its common name) as PEM and re-add it
# to both keychains so it can be used for network policy (802.1X) authentication
sudo security find-certificate -c "$CompName" -a -p > "$certLocation$CompName.pem"
echo "Exported the Computer Certificate for Trust Import: $CompName"
sudo security add-trusted-cert -d -r unspecified -k /Users/$USER/Library/Keychains/login.keychain-db "$certLocation$CompName.pem"
echo "Reinstalled Computer Certificate in Login Keychain: $CompName"
sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustAsRoot "$certLocation$CompName.pem"
echo "Reinstalled Computer Certificate for Network Policy Authentication: $CompName"

Next, you need to enable System Integrity Protection again.

As shown before, boot into recovery, open a shell and enable it again:

csrutil enable

followed by a reboot.