Kandji MDM SCEP/EAP-TLS
This document provides a comprehensive guide on configuring SCEP (Simple Certificate Enrollment Protocol) using Kandji MDM for EAP-TLS authentication with Foxpass. It outlines the necessary steps to integrate and manage certificates, ensuring secure and automated network authentication for macOS devices enrolled in Kandji. By following this guide, you can streamline certificate management and enhance the security of your wireless networks using EAP-TLS.
Download Foxpass Active Server CA
- Download Foxpass Server CA by clicking the 'Download CA' button in the active CA section on the EAP-TLS page, which is located under 'Server Certificate Authorities'.
Configure Wi-Fi profile in Kandji
Follow the steps below in Kandji MDM:
- Go to the library.
- Click 'Add New'.
- Search for Wi-Fi in the search box.
- Click on Wi-Fi under Profiles.
- Click 'Add and Configure'.
Make settings as below. Anything not mentioned, leave as the default.
- Give your profile a name, e.g. <Foxpass Wi-Fi profile>.
- Install on: MAC
- Assign it to the proper blueprint.
- Service Set Identifier: <YOUR SSID>. Note: this must match your network's SSID exactly, including capitalization. The SSID 'Foxpass EAP-TLS' in the screenshot is just an example.
- Authentication Type: WPA2 Enterprise
- Accepted EAP Types: TLS
- Username (optional): Leave blank
- Identity certificate: SCEP
- Click on 'Configure SCEP certificate' button.
- URL: Copy the URL of the endpoint from the Foxpass SCEP page and paste it here. Create a SCEP endpoint if one doesn't exist. Set Verification Type to 'None'.
- Name: Leave blank
- Challenge: Paste the Challenge password of the endpoint noted from the Foxpass SCEP page.
- Fingerprint: (leave blank)
- Subject: CN=$EMAIL
- Specify Subject Alternative Names (SAN): SAN Type: RFC 822 Name: $EMAIL
- Key Size: 4096
- Key Usage: None
- Automatic profile redistribution: Yes
- Certificate Trust: Select "Specify trusted certificates".
- Upload the Server Certificate Authority that you downloaded earlier.
- Click Save.
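To confirm that a device's SCEP-issued certificate matches the settings above (CN=$EMAIL, a single RFC 822 SAN of $EMAIL, a 4096-bit key, and a chain to the uploaded Foxpass CA), here is an added Go example that is not part of the Foxpass or Kandji documentation; it issues a constructed CA and client certificate in memory, so the CA name, serial numbers and the email address are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckEAPTLSCert checks an enrolled cert against the profile's SCEP settings (CN, RFC 822 SAN, 4096-bit RSA, chain to CA).
func CheckEAPTLSCert(leaf, ca *x509.Certificate, email string) error {
	if leaf.Subject.CommonName != email {
		return fmt.Errorf("subject CN %q, want %q", leaf.Subject.CommonName, email)
	}
	if len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != email { // rfc822Name SAN entries
		return fmt.Errorf("want exactly one rfc822Name SAN %q, got %v", email, leaf.EmailAddresses)
	}
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() != 4096 {
		return fmt.Errorf("want a 4096-bit RSA key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// The profile requests no key-usage bits, so require only a valid chain to the uploaded CA.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// NewConstructedPair issues an in-memory CA and client cert (constructed stand-ins, not Foxpass or Kandji data) for offline runs.
func NewConstructedPair(email string, bits int) (leaf, ca *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := rsa.GenerateKey(rand.Reader, bits)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, NotBefore: nb, NotAfter: na}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, ca
}

func main() {
	leaf, ca := NewConstructedPair("alice@example.com", 4096)
	fmt.Println("profile check:", CheckEAPTLSCert(leaf, ca, "alice@example.com")) // profile check: <nil>
}
```

To check a real device certificate, export it and the Foxpass CA as DER and load them with x509.ParseCertificate in place of NewConstructedPair.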
Enroll your device
Enroll your device in Kandji if it is not enrolled already. The enrollment URL is your Kandji URL followed by /enroll. Follow the on-screen instructions and install the profile on your Mac. Once the profile is installed, you will be connected to your configured SSID. You can see the status of your profile in Kandji by clicking your device and then clicking the dropdown of your Wi-Fi profile.
You can review the logs of successful and unsuccessful authentication attempts on the RADIUS logs page.