AirWatch: Using a EAP-TLS certificate with WPA2 Enterprise (802.11x)

So now you want to get Wi-Fi.

  1. Use a cloud connector and configure Enterprise Integration to request a certificate from your Active Directory CA (ADDS) -- Not covered here
  2. Create a single profile.

In this profile, you'll add two payloads:

  1. Credentials (order is important):
    1. First tab: Upload your CA, and select "Allow access to all applications" and "Allow export from Keychain"
    2. Second tab: use your machine certificate (uncheck everything)
  2. Network:
    1. check Auto-Join
    2. WPA/WPA2 Enteprise. For some reason, if I choose only "WPA2 Enterprise", it fails. But it will then connect as WPA2.
    3. Uncheck "User logs in to authenticate with the network"
    4. Protocols: EAP-TLS
    5. Username: {EnrollmentUser}
    6. Identity Certificate: Certificate #2 (This is why order is important).
    7. Trusted certificates: Check both
    8. Allow trust exceptions: Check

Using AirWatch with Munki

So you want to use AirWatch, but you're unsure about the viability of their Self Service or package management system. I understand. Let me show you how to do it basically. 

You need 3 Devices > File/Actions:

  1. Munki Tools: Download and install latest release. Then upload it to /Library/AW and set Manifest to Install=/Library/AW/munkitools-xx.yy.pkg
  2. Munki Bootstrap: Run=/usr/bin/touch /Users/Shared/.com.googlecode.munki.checkandinstallatstartup
  3. Munki Forcerun: Run=/usr/local/munki/managedsoftwareupdate --auto

I'm aware Forcerun is bad practice and you should reboot before. But I was told by Greg that worst case scenario nothing works until next reboot. I think I'm safe enough.

You need 1 Devices > Products:

  1. Create a product that includes the three File/Actions before.

You need 1 Devices > Profiles:

  1. Custom Settings
<dict>
    <key>PayloadDisplayName</key>
    <string>MacLovin - Munki (Demonstration Setup)</string>
    <key>PayloadEnabled</key>
    <true />
    <key>PayloadIdentifier</key>
    <string>org.maclovin.munki.test</string>
    <key>PayloadUUID</key>
    <string>8214F1A8-0E65-422C-A82C-088502A14FD6</string>
    <key>PayloadType</key>
    <string>ManagedInstalls</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>SoftwareRepoURL</key>
    <string>http://munki.maclovin.org/munki_repo</string>
    <key>ClientIdentifier</key>
    <string>test_munki_client</string>
</dict>

Now have fun and let me know!

Casper: Forget a package

Forgetting a package is a good way to troubleshoot some behaviours. It doesn't install anything, but the computer will believe the package was never installed.

Installer.app/SWU

For OS X packages, installed by Installer.app or Software update, simply use sudo pkgutil --forget [package_id]. You can list current installed packages with pkgutil --pkgs

This will get updated at next recon to Inventory > Package Receipts > Installer.app/SWU.

Casper Suite

To change this (unrelated) list, you need to delete the relevant file in /Library/Application Support/JAMF/Receipts, then do a sudo jamf recon

Again, this doesn't do anything but change inventory.