Onboard macOS devices with certificates using Kandji and SCEP
In this topic, you will learn how to deploy Portnox™ Cloud certificates via Kandji and SCEP to manage macOS devices (Wi-Fi only).
Kandji lets you create Wi-Fi profiles using the cloud user interface but does not let you create Ethernet profiles. If you need to create a profile with Ethernet connectivity, you need to create a custom profile manually and distribute this custom profile using Kandji. For instructions, how to do it, see the following topic: Onboard macOS devices with certificates using Kandji, SCEP, and a custom profile.
Turn on the Portnox Cloud SCEP services
In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.
If you have previously turned on the Portnox Cloud SCEP services, skip to the later step in which you get the Cloud SCEP URL and password.
Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand side menu, click on the
option.
-
Enable integration with SCEP services.
- Click on the Edit link.
- Activate the Enable integration checkbox.
- Click on the Save button.
- Click on the ⧉ icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
-
Click on the ⧉ icon next to the Password field to
copy the SCEP password, and paste it in a text file for later use.
Download the root CA certificate
In this section, you will download the root CA certificate from Portnox™ Cloud, which is needed to create a profile.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand side menu, click on the
option.
-
Click on any of the RADIUS servers listed in the right-hand pane to show its configuration.
-
Click on the Download root certificate link.
Result: The root CA certificate file is in the Downloads folder on the local disk.
Download the tenant CA certificate
In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal.
You need the tenant CA certificate from Portnox Cloud so that your managed devices can verify the validity of individual SCEP certificates, which are signed using the tenant CA certificate.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Trusted Root Certificates section, click on the Download CER
link, then save the downloaded file.
The default name of the file is Your_tenant_name - Portnox CLEAR.cer, for example, Vorlon - Portnox CLEAR.cer.
- Optional: Rename the downloaded file to tenantCertificate.cer. This is the name used in the next part of this guide.
Optional: Hand over information from the Portnox Cloud team to the Kandji team
In this section, you will learn what information was collected in previous steps from Portnox Cloud, which is needed to configure Kandji to work with Portnox Cloud.
If different people are responsible for managing Portnox Cloud and Kandji, here is the information you need to hand over:
-
The URL of the Portnox Cloud SCEP server. For example, https://scep.portnox.com/b2973887-1274-45d4-91d0-4a342a861c76.
-
The password for the SCEP server.
-
The root CA certificate file in the X.509 format. For example, rootCertificate.cer.
-
The tenant CA certificate file in the X.509 format. For example, tenantCertificate.cer.
Create a blueprint in Kandji
In this section, you will create a blueprint in Kandji that lets you add Wi-Fi and wired profiles for networks as well as other Kandji security features to your managed devices.
-
Open your Kandji instance in the browser and log in.
For example, vorlon.kandji.io
-
In the Kandji main menu, click on the BLUEPRINTS option.
Kandji shows the Blueprints pane on the right-hand side.
-
In the top-right corner of the Blueprints pane, click on the New
Blueprint button.
Kandji shows the Create a new Blueprint window over the right-hand pane.
Note: You can use an existing blueprint instead. If so, skip the steps for creating a new blueprint and when asked to select a blueprint, select your existing blueprint instead. -
In the Create a new Blueprint window, click on the + New Blueprint
button in the top-left corner of the window, enter a Blueprint name, and click on the
Create Blueprint button.
We used the name Vorlon but you can use any name you like.
Create a Wi-Fi profile in Kandji
In this section, you will create a profile that contains configuration for your managed Wi-Fi network.
-
In the Kandji main menu, click on the LIBRARY option.
Kandji shows the Library pane on the right-hand side.
-
In the top-right corner of the Library pane, click on the Add new
button.
Kandji shows the Add Library item pane on the right-hand side.
-
In the Add Library item pane, in the Search box on the right-hand
side, start typing wi-fi and then click on the Wi-Fi tile in the
Profiles section.
-
In the Wi-Fi section on the bottom of the right-hand side pane, click on the Add
& Configure button.
Kandji shows the Wi-Fi pane on the right-hand side.
-
In the Add a title field on top of the Wi-Fi Profile pane, enter the
name for the new Wi-Fi profile.
We used the name Vorlon Wi-Fi but you can use any name you like.
-
In the Blueprint field, select the blueprint you created earlier.
-
In the Service Set Identifier (SSID) field, enter the SSID of
the Wi-Fi network configured in Portnox Cloud.
section below, in the
-
Activate the Disable MAC address randomization checkbox.
Important: If you do not turn off MAC address randomization, Portnox Cloud may assign the device a new license every time it connects with a different MAC address. This may have a major impact on your licensing costs.
-
In the
section below:
-
In the SCEP configuration pane on the right-hand side:
-
In the
section:
-
Adjust values of any other fields if necessary and then click on the Save button in the
bottom-right corner of the Wi-Fi configuration pane.