Configuring 802.1X Server Settings for Apple Devices
Last month we discussed enabling 802.1X server validation for Windows and Android clients. As with Windows and Android-based clients, Mac OS X and iOS devices (iPhones, iPod Touches and iPads) can connect to some 802.1X networks without prior configuration, depending upon the EAP type the network uses.
However, you may want to pre-configure some of the 802.1X and other network settings anyways for increased security and better user friendliness. On computers running Mac OS X 10.6 (Snow Leopard) or earlier, you can access the advanced 802.1X settings along with the other network settings.
But for computers running Mac OS X 10.7 Lion or later — as well as iOS devices — you can't edit the advanced 802.1X settings within the native OS settings. Instead, you must use an Apple tool like Apple Configurator or the iPhone Configuration Utility (iPCU) to create a configuration profile, and then install it onto the Mac computer or iOS device.
The Apple Configurator lets you do everything the iPhone Configuration Utility (iPCU) does. However, the Apple Configurator includes functionality not offered by the iPCU, such as specifying apps to install and direct multiple device configuration for those plugged into the computer via USB.
The catch is that the Apple Configurator is only available on Macs, even though the iPCU is available on both Mac and Windows. If you only have Windows available, you can only use the iPCU. As a result, we'll only be discussing the functionality provided by iPCU below.
Delving into the iPhone Configuration Utility
The iPhone Configuration Utility (iPCU) allows you to specify one or more network profiles to be configured on the computers or devices. This includes the basic details like SSID and security type, plus proxy settings for use with the particular Wi-Fi network.
For 802.1X you can also configure exact EAP types allowed, include and specify trusted client or CA certificates, specify trusted certificate names, and turn on Protected Access Credential (PAC). You can also specify an Outer Identity, similar to the Identity Privacy in Windows, allowing you to disguise the username when it's sent over the network the first time in clear text.
Other server and network settings that you can configure with iPCU include VPN, Mail, Exchange ActiveSync and LDAP. You can also optionally enforce passcode and other restrictions, configure a MDM solution, and configure CalDAV calendars, CardDAV contact servers, and SCEP settings.
After configuring the desired settings in iPCU, you can save and export the configuration profile with the option of digitally signing it or even encrypting it for specific devices. Once you have the exported file, ending in .mobileconfig, you can distribute however you want. Perhaps post on your website for users to download, post on a captive portal of an open SSID, or email directly to users.
Once the user has the configuration profile downloaded on their device they can open it to import the settings you specified.
For additional assistance, check out the Enterprise deployment guides and other resources on Apple's enterprise support page. You can go to the iTunes store to download the free Apple Configurator or download the iPhone Configuration Utility (iPCU) from their website.
Eric Geier is a freelance tech writer — keep up with his writings on Facebook. He's also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.
Read more on "Server Virtualization Spotlight" »