How to generate a batch of profiles and certificates for OS X Server Profile Manager

Tags: 802.1x, configuration-profiles, osx-server, profile-manager, wifi

I'm using the Profile Manager on OS X Server (Mavericks). I ran a script that imported our ~20 users into Open Directory from CSV. I've configured Radius with EAP-TLS, and have set up 802.1x so that our WiFi APs and router authenticate with the Radius server.

I've generated a self-signed CA for Radius, and a client certificate for myself, using Keychain Access. I managed to export my client certificate, upload it to the Profile Manager web interface, upload the Radius server's trusted certificate, configure all the network settings as payloads, download and install my profile, and get connected to our WiFi.

I have to set up over 20 more profiles, and it's a huge PITA to manually generate all these certificates, upload them, and configure WiFi settings for each individual user.

I know I can programmatically generate the client certificates with openssl on the command line. I used dscl to work with Open Directory, but is there a command-line tool that can push payloads into Profile Manager?

Or would it be easier if I just programmatically generate the .mobileconfig XML files and email / AirDrop them out to each user?

I want to know how a regular small business IT person rolls out network settings and profiles to an office, but it's really hard to find documentation on this topic. I also have a few follow-up questions:

  • How do you manage a PKI on Mac Server, and how do you use it with Profile Manager?
  • I've set a temporary password for users, but how can I allow them to sign in and change their Open Directory password?

Best Answer

You should be able to do all the configuration by group.

Add all the users into an OD group and then set all the WiFi preferences there. You should also be able to set a certificate for the group and allow the entire group to authenticate against the Radius server.

When it comes to setting up PKI, you enter into the dark realms of Kerberos. (Be very careful with your DNS or you will never return.)

This is a good guide: http://yesdevnull.net/2013/10/os-x-mavericks-server-open-directory-master/

Reading everything Charles Edge writes is always worthwhile: http://krypted.com/guides/mavericks-server/ (he literally wrote the book on Macs in the enterprise).

If you turn on the web server (which I assume you have for the Profile Manager) the front page provides a nice link to change passwords for OD users.
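The other route the question raises, generating one .mobileconfig per user, is sketched below as an added example; it is not code from the question or the answer. It assumes each user's PKCS#12 identity and the RADIUS CA certificate (DER) already exist as bytes; `build_wifi_profile`, `com.example`, the SSID, and the sample bytes are hypothetical. The PKCS#12 passphrase is deliberately left out of the profile so the user is prompted at install time and the emailed file does not carry the key's password.

```python
import plistlib
import uuid


def _payload(ptype, ident, name, **extra):
    """Keys every payload dictionary carries, plus payload-specific ones."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": name, **extra}


def build_wifi_profile(user, ssid, ca_der, p12, org_id="com.example",
                       server_names=()):
    """Return XML .mobileconfig bytes for one user's EAP-TLS Wi-Fi profile."""
    base = f"{org_id}.wifi.{user}"
    # Trust anchor: the self-signed CA that issued the RADIUS server cert.
    ca = _payload("com.apple.security.root", base + ".ca", "RADIUS CA",
                  PayloadContent=ca_der)
    # Client identity; no "Password" key, so the installer asks for it.
    ident = _payload("com.apple.security.pkcs12", base + ".identity",
                     f"{user} client identity", PayloadContent=p12)
    # EAP type 13 is EAP-TLS; pin server trust to the CA payload above.
    eap = {"AcceptEAPTypes": [13],
           "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]]}
    if server_names:
        eap["TLSTrustedServerNames"] = list(server_names)
    wifi = _payload("com.apple.wifi.managed", base + ".network",
                    f"Wi-Fi ({ssid})", SSID_STR=ssid, HIDDEN_NETWORK=False,
                    AutoJoin=True, EncryptionType="WPA2",
                    EAPClientConfiguration=eap,
                    PayloadCertificateUUID=ident["PayloadUUID"])
    profile = _payload("Configuration", base, f"{ssid} for {user}",
                       PayloadContent=[ca, ident, wifi])
    return plistlib.dumps(profile)  # bytes values are written as <data>


if __name__ == "__main__":
    # Constructed sample input; real runs would read each user's .p12 and
    # the CA certificate from disk instead of using these stand-in bytes.
    sample_ca = b"constructed-ca-der-bytes"
    for name in ["alice", "bob"]:
        data = build_wifi_profile(name, "OfficeWiFi", sample_ca,
                                  b"constructed-p12-for-" + name.encode(),
                                  server_names=["radius.example.com"])
        with open(f"{name}.mobileconfig", "wb") as fh:
            fh.write(data)
```

A profile built this way is unsigned, so recipients will see it flagged as such when installing it.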