I have a customer that has users with company-issued MacBook Pros. They want to implement ISE for Wireless 802.1X access control, using EAP-TLS. The challenge is certificate distribution to the Mac client device. The customer's preference is to have it as automated as possible - much like with an AD GPO for the Windows machines.
I've thought of three options:
- Point them to a self-registration portal and have the device go through an NSP/BYOD process to get the cert on there (seems unnecessarily complex)
- AnyConnect loaded on the Mac to get the cert (is this possible??)
- Manually install the root certificate and then request/install the user certificate (what they want to avoid)
Which (if any) of those options is most reasonable, or is there a better way?
thanks in advance,
I have done many deployments in the past where customers had Macs and wanted to onboard them with certificates. I have used both ISE and an MDM to perform this function. Currently ISE uses Java-based provisioning, which became messy when Apple removed the native Java application. With ISE 1.3 it will be moved to a .dmg-based deployment, which will make things much easier. However, the whole onboarding process (outside of Java) is pretty slick and user friendly. You can do it via single or dual SSIDs and tie the onboarding to the users' AD credentials. You will need a SCEP/NDES server.
The MDM (IMO) makes the deployment even easier, and some of the providers out there can now integrate directly with the CA server without the need of a SCEP/NDES server.
Other than that, you can look into "Apple Configurator", but I have not used it in the past so I am not sure what its capabilities are. I don't believe that the AnyConnect client has any options to auto-enroll a certificate.
You can have a manual process where the users must go and request the cert, download it, and install it along with the trusted root, but as you said that is not ideal and should be avoided.
Hope this helps!
Thank you for rating helpful posts!