Apple Configurator
- Download Client CA from the EAP-TLS page by clicking 'Download CA' button under Client Certificate Authorities.
- Download active Server CA from the EAP-TLSpage by clicking 'Download CA' under 'Server Certificate Authorities'.
- Download Apple Configurator Application
- Click on SCEP in left menu
- URL - Obtain the URL from SCEP page. It will be mentioned below 'Unique Endpoint' heading on the SCEP page. If you need to create a SCEPEndpoint, please see the screenshot below for reference. Copy the endpoint from Foxpass console and paste it under URL in Apple Configurator.
- Name - leave blank
Remember to always use "CN" in capitalized form.
- Subject - CN=<user's email address>
- Subject Alternative Name Value (optional) - RFC822: <user's email address>.
- Challenge - Copy the Challenge password from the SCEP page.
- Key Size: Note the key size should be 4096 bits.
- Fingerprint - Click 'Create from Certificate' and select the CA certificate you downloaded earlier. Make sure to change the extension of the client CA from .crt to .cer.
- Go back to Apple Configurator 2. Click Certificates on the left side of your profile.
- Click Configure. Select 'Server CA' (The one you downloaded in Step 2)from the 'Downloads' folder. You will start seeing 'Server CA' as specified in the screenshot below:
- By default, enterprise settings are selected to Protocols.
- SSID - Your network's SSID Note: this must match EXACTLY, including capital letters.
- Security Type - WPA/WPA 2 Enterprise or WPA2/WPA3 Enterprise depending on what you have configured in your Access Point.
- Protocols - TLS
- Identity Certificate - Select SCEP from the dropdown.
- Now select 'Trust' in 'Enterprise Settings'. Select the Server CA.
-
Go to your MAC System Settings, search Profiles > Install, view or remove configuration profiles. Click on the the profile you just configured in Apple Configurator 2. A dialog box will open to ask if you want to install the profile. Click 'Install'.Save and test
The profile will be installed and you can see a SCEP certificate under 'Client Certificates' on the EAP-TLS page.
If all well, you will be able to connect to your SSID.
Updated 5 months ago