This past year I helped two companies move from a standard WPA2 WiFi setup to a EAP-TLS configuration, leveraging certificates from a SCEP source.

Each situation was a little bit different (as each company was deploying different technologies around Jamf) but I ran into the same pain points each time: no documented configurations.

So, in this post I hope to provide some quick info that I would have killed for when doing this the first time around.

First off – I won’t be covering the setup of the SCEP integration itself. I’m assuming you’ve already done that, but are having issues getting WiFi working.

Jamf does have some pretty good documentation surrounding both Enabling SCEP Proxy for Configuration Profiles and 802.1X WiFi Configurations

If you’re using Cisco ISE (Godspeed!), you will also want to take a look at this: Integrating Jamf Pro with Cisco ISE 3.1 and this: Integrate ISE 3.3 with JAMF as MDM Server.

You’ll want your Configuration Profile to look something like this:

(keep in mind that you may need to modify these settings to suite your environment)

CERTIFICATE PAYLOAD:

• Root Cert
• Sub Cert

NETWORK PAYLOAD:

• SSID
  • Hidden Network (optional)
  • Auto Join
• Security Type:
  • WPA / WPA2 Enterprise
• Protocols:
  • TLS
  • Identity Certificate: SCEP Proxy
• Trust:
  • Identity Certificate: SCEP Proxy
  • Trusted Certificates:
    • Root Cert
    • Sub Cert

SCEP PAYLOAD:

• Name: If left blank will default to SCEP Proxy
• Redistribute Profile: Never
• Subject: CN=$COMPUTERNAME.DOMAIN.TLD (replace this with your company domain)
• Subject Alternative Name: None
• Retries: 3
• Retry Delay: 30
• Certificate Expiration Notification: 14
• Check Allow Apps to Access

Hopefully this helps at least one person! 🫡