Onboard macOS devices with certificates using Kandji, SCEP, and a custom profile
In this topic, you will learn how to deploy Portnox™ Cloud SCEP certificates via Kandji, SCEP, and iMazing Profile Editor to manage macOS devices (Wi-Fi + Ethernet).
Kandji lets you create Wi-Fi profiles using the cloud user interface but does not let you create Ethernet profiles. However, you can distribute custom profiles using Kandji, so you can create a custom profile and then use Kandji for management.
This topic shows you how to create a custom Apple profile for user-based authentication to connect to Portnox Cloud via Wi-Fi and Ethernet. We recommend that you use a free app called iMazing Profile Editor, but you can create a custom profile using a different tool or edit it manually in XML, if you prefer.
If your devices need only Wi-Fi connectivity, we recommend that you follow a simpler procedure in the following topic: Onboard macOS devices with certificates using Kandji and SCEP.
Turn on the Portnox Cloud SCEP services
In this section, you will configure Portnox™ Cloud to provide SCEP services to your devices.
If you have previously turned on the Portnox Cloud SCEP services, skip to the later step in which you get the Cloud SCEP URL and password.
Portnox Cloud SCEP services let devices contact the Cloud SCEP server and get a unique certificate for the device or for the specific user of the device.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand side menu, click on the
option.
-
Enable integration with SCEP services.
- Click on the Edit link.
- Activate the Enable integration checkbox.
- Click on the Save button.
- Click on the ⧉ icon next to the SCEP URL field to copy the SCEP URL, and paste it in a text file for later use.
-
Click on the ⧉ icon next to the Password field to
copy the SCEP password, and paste it in a text file for later use.
Download the root CA certificate
In this section, you will download the root CA certificate from Portnox™ Cloud, which is needed to create a profile.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand side menu, click on the
option.
-
Click on any of the RADIUS servers listed in the right-hand pane to show its configuration.
-
Click on the Download root certificate link.
Result: The root CA certificate file is in the Downloads folder on the local disk.
Download the tenant CA certificate
In this section, you will download the Portnox™ Cloud tenant CA certificate from the Cloud portal.
You need the tenant CA certificate from Portnox Cloud so that your managed devices can verify the validity of individual SCEP certificates, which are signed using the tenant CA certificate.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Trusted Root Certificates section, click on the Download link,
then save the downloaded file.
The default name of the file is Your_tenant_name - Portnox CLEAR.pfx, for example, Portnox - Portnox CLEAR.
The downloaded tenant CA certificate is a file in the Personal Information Exchange binary format (PFS, also known as PKCS#12), which you cannot use directly. You need to convert it to the Base-64 encoded X.509 format (sometimes referred to as CER or PEM).
Convert the tenant CA certificate
In this section, you will convert the downloaded tenant CA certificate into the Base-64 encoded X.509 format.
You need this certificate in the Base-64 encoded X.509 format, which is sometimes called the PEM format. Files with this format usually have the .pem or .cer extension, but files in the DER binary format also have the .cer extension.
The following are three recommended ways to convert the PKCS#12 certificate into Base-64 encoded X.509:
-
Convert the tenant CA certificate using Windows certificate management.
You need to download the certificate to a Windows computer or copy it to a Windows computer.
-
Convert the tenant CA certificate using OpenSSL.
If you have OpenSSL installed on your macOS device, you can use it to convert certificates. OpenSSL is not installed by default and the installation requires using a third party package or compiling OpenSSL from source.
-
Convert the tenant CA certificate using a third-party online converter.
Important: The following converters are not affiliated in any way with Portnox. They were found using web search and verified to support the required conversion. If needed, search the web for other converters.
- RVSSL (select PFX/PKCS#12 as the input format and Standard PEM as the output format)
- SSL Shopper (select PFX/PKCS#12 as the input format and Standard PEM as the output format)
Create the custom profile
In this section, you will use the iMazing Profile Editor to create an Apple profile for use in Kandji, which contains the following payloads: the root CA certificate, the tenant CA certificate, the SCEP configuration, the Wi-Fi configuration, and the Global Ethernet configuration.
-
Install the iMazing Profile
Editor and open it from the Launcher.
To install iMazing Profile Editor, follow the links from the iMazing website and the standard installation procedure in the operating system.
Note: By default, when you run iMazing Profile Editor, it opens a new profile window and the General section. If not, select from the top menu to open a new profile window. -
In the right-hand side pane, in the Name section, enter a name for this profile.
We used the name Vorlon SCEP but you can use any name you like.
-
On the left-hand side of the profile window, scroll down to the Root Certificate icon, click
on it, and in the right-hand side pane click on the Add Configuration Payload button.
-
In the file selector, locate and click on the root CA certificate file, downloaded as described in the previous
section, and then click on the Open button.
-
Copy the value of the Payload UUID field and save it for later use.
You will need to add a reference to this root CA certificate in the Wi-Fi and Ethernet payloads later, so that the device can confirm the identity of the RADIUS server.
Note: Make a note next to this value that says root CA UUID. -
In the top-right corner of the right-hand side pane, click on the + button
to add another root certificate payload.
-
In the file selector, locate and click on the tenant CA certificate file, downloaded and converted as described in
the previous sections, and then click on the Open button.
-
Copy the value of the Payload UUID field and save it for later use.
You will need to add a reference to this tenant CA certificate in the Wi-Fi and Ethernet payloads later, so that the device can confirm the SCEP certificate validity.
Note: Make a note next to this value that says tenant CA UUID. -
On the left-hand side of the profile window, scroll down to the SCEP icon, click on it, and
in the right-hand side pane click on the Add Configuration Payload button.
-
In the SCEP pane on the right-hand side, configure the following properties:
-
On the left-hand side of the profile window, scroll down to the Wi-Fi icon, click on it, and
in the right-hand side pane click on the Add Configuration Payload button.
-
In the Wi-Fi pane on the right-hand side, configure the following properties:
-
On the left-hand side of the profile window, scroll down to the 802.1X Ethernet: Global
icon, click on it, and in the right-hand side pane click on the Add Configuration Payload
button.
Note: Depending on your hardware configurations, you can choose a different 802.1X Ethernet payload, for example, First Active Ethernet. The setup procedure is almost the same for all 802.1X payloads.
-
In the 802.1X Ethernet: Global pane on the right-hand side, configure the following
properties:
- In the top menu of iMazing Profile Editor, select , and select a location to save the profile.
Result: The custom profile file (.mobileconfig) is saved on the disk and ready for use in Kandji.
Create a blueprint in Kandji
In this section, you will create a blueprint in Kandji that lets you add Wi-Fi and wired profiles for networks as well as other Kandji security features to your managed devices.
-
Open your Kandji instance in the browser and log in.
For example, vorlon.kandji.io
-
In the Kandji main menu, click on the BLUEPRINTS option.
Kandji shows the Blueprints pane on the right-hand side.
-
In the top-right corner of the Blueprints pane, click on the New
Blueprint button.
Kandji shows the Create a new Blueprint window over the right-hand pane.
Note: You can use an existing blueprint instead. If so, skip the steps for creating a new blueprint and when asked to select a blueprint, select your existing blueprint instead. -
In the Create a new Blueprint window, click on the + New Blueprint
button in the top-left corner of the window, enter a Blueprint name, and click on the
Create Blueprint button.
We used the name Vorlon but you can use any name you like.
Add the custom profile to Kandji
In this section, you will upload the custom profile file to Kandji and assign it to an existing blueprint, so that Kandji can distribute it to managed devices.
-
In the Kandji main menu, click on the LIBRARY option.
Kandji shows the Library pane on the right-hand side.
-
In the top-right corner of the Library pane, click on the Add new
button.
Kandji shows the Add Library item pane on the right-hand side.
-
In the Add Library item pane, in the Search box on the right-hand
side, start typing profile and then click on the Custom Profile tile
in the General section.
-
In the Custom Profile section on the bottom of the right-hand side pane, click on the
Add & Configure button.
Kandji shows the Custom Profile pane on the right-hand side.
-
In the Add a title field on top of the Custom Profile pane, enter the
name for the new custom profile.
We used the name Vorlon SCEP but you can use any name you like.
-
In the Blueprint field, select the blueprint you created earlier.
-
In the click to upload link and upload the profile file
that you created in the iMazing Profile Editor.
section below, click on the
-
Click on the Save button in the bottom-right corner of the custom profile configuration
pane.