AirWatch: Using a EAP-TLS certificate with WPA2 Enterprise (802.11x)

So now you want to get Wi-Fi.

  1. Use a cloud connector and configure Enterprise Integration to request a certificate from your Active Directory CA (ADDS) -- Not covered here
  2. Create a single profile.

In this profile, you'll add two payloads:

  1. Credentials (order is important):
    1. First tab: Upload your CA, and select "Allow access to all applications" and "Allow export from Keychain"
    2. Second tab: use your machine certificate (uncheck everything)
  2. Network:
    1. check Auto-Join
    2. WPA/WPA2 Enteprise. For some reason, if I choose only "WPA2 Enterprise", it fails. But it will then connect as WPA2.
    3. Uncheck "User logs in to authenticate with the network"
    4. Protocols: EAP-TLS
    5. Username: {EnrollmentUser}
    6. Identity Certificate: Certificate #2 (This is why order is important).
    7. Trusted certificates: Check both
    8. Allow trust exceptions: Check

Using AirWatch with Munki

So you want to use AirWatch, but you're unsure about the viability of their Self Service or package management system. I understand. Let me show you how to do it basically. 

You need 3 Devices > File/Actions:

  1. Munki Tools: Download and install latest release. Then upload it to /Library/AW and set Manifest to Install=/Library/AW/munkitools-xx.yy.pkg
  2. Munki Bootstrap: Run=/usr/bin/touch /Users/Shared/.com.googlecode.munki.checkandinstallatstartup
  3. Munki Forcerun: Run=/usr/local/munki/managedsoftwareupdate --auto

I'm aware Forcerun is bad practice and you should reboot before. But I was told by Greg that worst case scenario nothing works until next reboot. I think I'm safe enough.

You need 1 Devices > Products:

  1. Create a product that includes the three File/Actions before.

You need 1 Devices > Profiles:

  1. Custom Settings
<dict>
    <key>PayloadDisplayName</key>
    <string>MacLovin - Munki (Demonstration Setup)</string>
    <key>PayloadEnabled</key>
    <true />
    <key>PayloadIdentifier</key>
    <string>org.maclovin.munki.test</string>
    <key>PayloadUUID</key>
    <string>8214F1A8-0E65-422C-A82C-088502A14FD6</string>
    <key>PayloadType</key>
    <string>ManagedInstalls</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>SoftwareRepoURL</key>
    <string>http://munki.maclovin.org/munki_repo</string>
    <key>ClientIdentifier</key>
    <string>test_munki_client</string>
</dict>

Now have fun and let me know!

AirWatch: How to use the REST API

According to the "AirWatch REST API Guide" PDF document that you can get in https://my.air-watch.com, you need:

  • the URL : https://<host>/API/v1/help
  • the Token: aw-tenant-code (or API Key)
  • Authorization: Basic base64.b64encode("username:password")

How to find the Token

  1. Select the right Organization Group
  2. Go to Group & Settings > System > Advanced > API > REST > General
  3. Select "Override"
  4. an API Key will be generated. This is your "aw-tenant-code"

How to Authorize

The easiest way is to use Basic authentication.

  1. Make sure your admin has the correct role. In production, you should create a custom Role, but for test, Console Administrator is fine. Make sure he's in the correct OG, of course.
  2. The form should be "username:password", encoded using Base64. You can do this on OS X terminal (see below)
$ python -c "import base64; print base64.b64encode('login:password')"
bG9naW46cGFzc3dvcmQ=
$

How to test with Curl

$ curl -X "GET" "https://host.awmdm.com/API/v1/help" \ -H "Authorization: Basic bG9naW46cGFzc3dvcmQ=" \ -H "aw-tenant-code: bG9naW46cGFzc3dvcmFzZG/2FmYXNkZmFkc2Zhc2Zk="

With Python

# Install the Python Requests library:
# `pip install requests`

import requests


def send_request():
    # My API
    # GET https://host.awmdm.com/API/v1/help

    try:
        response = requests.get(
            url="https://host.awmdm.com/API/v1/help",
            headers={
                "Authorization": "Basic bG9naW46cGFzc3dvcmQ=",
                "aw-tenant-code": "bG9naW46cGFzc3dvcmFzZGZ/2FmYXNkZmFkc2Zhc2Zk=",
            },
        )
        print('Response HTTP Status Code: {status_code}'.format(
            status_code=response.status_code))
        print('Response HTTP Response Body: {content}'.format(
            content=response.content))
    except requests.exceptions.RequestException:
        print('HTTP Request failed')

Or just use Paw https://luckymarmot.com/paw ;-)

One More Thing…

It doesn't work with OS X clients:

<AirWatchFaultContract xmlns="http://www.air-watch.com/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <ActivityId>56b6ed75-30a2-418e-84fa-f8e04d35506a</ActivityId>
  <ErrorCode>501</ErrorCode>
  <Message>Functionality not supported for device type : AppleOsX</Message>
</AirWatchFaultContract>

AirWatch: Deploy custom MCX profiles

In order to deploy custom MCX profiles, I will use the excellent mcxToProfile tool by Tim Sutton. Get it here -> https://github.com/timsutton/mcxToProfile

My goal here is to change the delay to ask password to "Immediately". 

0. Install mcxToProfile. I use git as I find it easier to update, but you can also download it directory from the github page. You might need to make the python script executable (see below)

$ git clone https://github.com/timsutton/mcxToProfile.git
$ chmod +x ./mcxToProfile/mcxToProfile.py
  1. Make the changes to your Mac (Here, I go to System Preferences > Security & Confidentiality > General and I change the setting to "Immediately".
  2. Now, find the defaults domain. This is almost an art, I won't cover this here. In this case, it is com.apple.screensaver
  3. Launch mcxToProfile to create the .mobileconfig
$ ./mcxToProfile/mcxToProfile.py --defaults com.apple.screensaver --identifier org.maclovin.screensaver
$ cat org.maclovin.screensaver.mobileconfig
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>com.apple.screensaver</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>askForPassword</key>
                                <integer>1</integer>
                                <key>askForPasswordDelay</key>
                                <real>60</real>
                                <key>tokenRemovalAction</key>
                                <integer>0</integer>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.f4859170-42b5-467f-a249-220c689103ec.alacarte.customsettings.3fad436d-d335-4d08-849e-3feda8397631</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>3fad436d-d335-4d08-849e-3feda8397631</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Included custom settings:
com.apple.screensaver

Git revision: a14a19d7f0</string>
    <key>PayloadDisplayName</key>
    <string>MCXToProfile: com.apple.screensaver</string>
    <key>PayloadIdentifier</key>
    <string>org.maclovin.screensaver</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>f4859170-42b5-467f-a249-220c689103ec</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

You can double click on this file to install it manually (or use $ open org.maclovin.screensaver.mobileconfig). Restart System Preferences to see this setting in the GUI (Security & Confidentiality > General). Then remove this profile, we'll move on to AirWatch.

Now you need to import this to AirWatch:

  1. Go to console
  2. Go to Devices > Profiles > List view
  3. Add > Add Profile
  4. Apple Mac OS X > Device Profile
  5. Fill General infos 

Go to Custom settings and paste only the relevant portion:

        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>com.apple.screensaver</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>askForPassword</key>
                                <integer>1</integer>
                                <key>askForPasswordDelay</key>
                                <real>60</real>
                                <key>tokenRemovalAction</key>
                                <integer>0</integer>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.f4859170-42b5-467f-a249-220c689103ec.alacarte.customsettings.3fad436d-d335-4d08-849e-3feda8397631</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>3fad436d-d335-4d08-849e-3feda8397631</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>

Now it should be working fine