  • Latest Post - ‏2013-04-05T23:57:21Z by Michael_Knauth
Michael_Knauth

Pinned topic WPA credentials in iOS Wifi profile

‏2013-04-04T04:08:50Z |
Hi All,

Is it possible to deploy an iOS Wifi profile that includes some or all of a user's credentials?

We use WPA2 Enterprise with an EAP authentication scheme for wireless devices. If I try and deploy an iOS Wifi profile that omits the authentication username, the deployment fails - as far as I can tell, this is because the iOS device doesn't accept the profile, possibly due to not being complete.

In order to get it to deploy, I need to at least supply a username in the profile for the fixlet to be applied successfully. For an organisation with a large number of mobile devices, pre-configuring a profile of any sort with static credentials is undesirable.

As these devices are already authenticated, can we use some of this information to deploy a pseudo-dynamic profile - at least with a relevant username? I suppose the same would go for proxy authentication settings as well.

Michael.
  • Michael_Knauth

    Re: WPA credentials in iOS Wifi profile

    ‏2013-04-04T05:27:28Z  
    After some tinkering, I found that you can manually edit the fixlet to modify the generated iOS XML and 'nullify' the username field so that users don't get confused when they see someone else's name.

    Now, to work out if I can use variables in the BigFix Action Script to populate the value with data from the device's properties...
  • DTan

    Re: WPA credentials in iOS Wifi profile

    ‏2013-04-04T15:25:22Z  
    Hi Michael,

    You can directly put a relevance expression in the user field from the UI, such as:

    {preceding text of first "@" of value of enrollment answer "email"}

    When the action is executed, the result of the above relevance expression will be inserted into the XML.

    See more details on a similar post:

    http://www.ibm.com/developerworks/forums/thread.jspa?threadID=481062

    -Dawson
  • Ivan.FPL

    Re: WPA credentials in iOS Wifi profile

    ‏2013-04-04T15:25:51Z  
    Since you discovered you can manually edit the action script, you can replace the static username with some relevance in the action script.

    For example, to use the authenticated user id (CN=*user*,OU=...):
    <key>UserName</key>
    <string>{(following text of first "CN=" of preceding text of first "," of authenticated id of current user) as lowercase}</string>

    Or to retrieve the username from the email used to register the device (*user*@email.address):
    {((preceding text of first "@" of name of current user as lowercase) | "username")}

    I included a small error check in the email retrieval so in case of failure, it will output "username" instead.
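
Added example (not part of the original thread, and not BigFix code): a Python emulation of the two username derivations suggested above, with the same `"username"` fallback, rendered into a Wi-Fi payload that carries a per-device `UserName` and no `UserPassword` key. The allow-list pattern, SSID, payload identifier, UUID and EAP type are assumptions chosen for illustration.

```python
import plistlib
import re

# Conservative allow-list for a login name (assumption; adapt to your directory).
_SAFE = re.compile(r"[a-z0-9._-]{1,64}")

def cn_from_dn(dn):
    # Analogue of: following text of first "CN=" of preceding text of first "," of <dn>
    head, sep, _ = dn.partition(",")
    _, marker, cn = head.partition("CN=")
    return cn.lower() if sep and marker else None

def local_part(email):
    # Analogue of: preceding text of first "@" of <email>
    name, sep, _ = email.partition("@")
    return name.lower() if sep else None

def derive_username(dn=None, email=None, fallback="username"):
    # Try the DN, then the e-mail; otherwise behave like the `| "username"` clause.
    for candidate in (cn_from_dn(dn or ""), local_part(email or "")):
        if candidate and _SAFE.fullmatch(candidate):
            return candidate
    return fallback

def wifi_payload(ssid, username):
    # Wi-Fi payload with a derived UserName; no static password is embedded.
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.constructed",    # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP (assumed EAP type)
            "UserName": username,
        },
    }

def render(payload):
    # plistlib escapes the value, so a derived name cannot break the XML.
    return plistlib.dumps(payload)

if __name__ == "__main__":
    # Constructed sample DN, not taken from the thread.
    name = derive_username(dn="CN=JSmith,OU=Staff,DC=example,DC=org")
    print(render(wifi_payload("CorpWLAN", name)).decode())
```

A DN with an escaped comma in the CN is cut short by the "first comma" rule; the allow-list rejects the truncated value, so the e-mail or the fallback is used instead.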
  • Michael_Knauth

    Re: WPA credentials in iOS Wifi profile

    ‏2013-04-04T23:50:35Z  
    Hi Dawson and Ivan,

    Thanks for your suggestions - this is exactly what I was looking for.

    For the time being, I've manually modified the action script to include the relevance for the UserName key: {(name of current user as lowercase) | "username"} (We use CN as the LDAP login value instead of email).

    Dawson, I tried to include the relevance in the UI, but on clicking Finish, a JavaScript error popped up, preventing the fixlet from being updated. I've attached a screen shot indicating the error. Obviously, including the values in the UI means that if and when the profile is modified, manual edits don't need to be re-added (and the operator, whoever it may be, doesn't need to be aware of this).

    Thanks,
    Michael.
  • Michael_Knauth

    Re: WPA credentials in iOS Wifi profile

    ‏2013-04-05T01:44:34Z  
    Maybe it would help if I attached the screen shot...
  • DTan

    Re: WPA credentials in iOS Wifi profile

    ‏2013-04-05T16:32:50Z  
    Thanks Michael,

    I was able to reproduce it when editing a profile from the UI (but not when creating new ones). We will fix this in the next release.

    As a workaround, you can probably create a new profile with the intended relevance expression, although it could be challenging to get everything right in one shot...

    Thanks again.
    -Dawson
  • Michael_Knauth

    Re: WPA credentials in iOS Wifi profile

    ‏2013-04-05T23:53:06Z  
    Hi Dawson,

    Thanks for this. I've re-created the profile with the appropriate relevance strings.

    Thanks for everyone's assistance and suggestions.

    Michael.
  • Michael_Knauth

    Re: WPA credentials in iOS Wifi profile

    ‏2013-04-05T23:57:21Z  
    Query solved by including relevance strings in iOS profile fields.

    It's noted that with IEM 9.0.586.0, an error is thrown when editing an existing profile with new or existing relevance strings and modifications can't be committed.