I am using OS X Keychain as my password manager. To make it reasonably secure, I have a different password on my login keychain than on my user account, and have the keychain set to lock automatically after 5 minutes or on sleep.
On the whole this works well, with one exception. At home, my wireless works without needing to unlock the login keychain, since the password is stored on the "system" keychain, which has the same password as my user account. However, at work, the wireless password is stored on the "login" keychain, and so requires me to enter the keychain password before it will connect. The difference between the two seems to be that the home system is WPA2 Personal and the work one is WPA2 Enterprise.
This problem has been compounded since upgrading to OS X 10.9. Now, wireless access at work requires me to enter the keychain password TWICE: once so that "eapolclient" can access the login keychain, and a second time so that Keychain Access can access the login keychain.
I have tried moving the WPA2 Enterprise password item from the login keychain to the system keychain, but it seems to ignore it. So my question is:
- Is there any way of persuading OS X to read a WPA2 Enterprise wireless password from the system keychain, rather than from the login keychain?
- If not, is there any way of avoiding needing to enter the keychain password twice, as in OS X 10.8 and earlier?
Best Answer
There seems to be an Apple official way to do it, but it's an extremely convoluted process. I'll post it here but hope that someone else can provide you with a much more sane way to do it.
The apparent Apple official way requires access to a recent version of Mac OS X Server; any of the versions that were sold for just $20 on the Mac App Store should do it:
Here goes:
- ... .cer files. This could be a single self-signed server cert, or it could be a server cert plus zero or more intermediate CA certs, plus a root CA cert.
- ... /profilemanager/ URL on your Mac OS X Server machine, and log on using a system administrator account.
- ... WPA/WPA2 Enterprise ...
- If the profile got installed correctly, it should show up as a device profile, not a user profile. You can now reboot your machine and see if it is able to get on the network without so much prompting.
Also note that this setup will allow your machine to stay on the network even when no one's logged into the machine (like when the machine is sitting at the Login Window with no one logged in). Depending on your needs, that might be a nice bonus or it might be a security concern. Just thought I should let you know.
P.S. Using the old iOS Configuration Utility or the more modern Apple Configurator app to create these profiles won't allow you to create System-scope profiles that are allowed to put things in the System keychain. The .mobileconfig plist formats are the same, but the ones created by Mac OS X Server's Profile Manager web app contain some extra plist key/value pairs that allow it to be set as System scope.
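As an added illustration (not the answerer's profile and not output from Profile Manager), this is the shape of a WPA/WPA2 Enterprise .mobileconfig whose top-level PayloadScope key is set to System, which is the key that makes macOS treat it as a device profile rather than a user profile. The SSID, account name, RADIUS server name and UUIDs are placeholders; the certificate payloads built from the .cer files in the first step would be added as sibling dicts inside PayloadContent and referenced from the EAP configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>com.example.wifi.enterprise</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <!-- System scope: installs as a device profile, active before any user logs in -->
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadContent</key>
  <array>
    <!-- Certificate payloads (the .cer files) go here as sibling dicts -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key>
      <string>com.example.wifi.enterprise.wifi</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>CorpWiFi</string>
      <!-- "WPA" covers both WPA and WPA2; Enterprise mode comes from the EAP block -->
      <key>EncryptionType</key>
      <string>WPA</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 25 = PEAP (placeholder credentials; stored in the keychain at install) -->
        <key>AcceptEAPTypes</key>
        <array><integer>25</integer></array>
        <key>UserName</key>
        <string>jdoe</string>
        <key>UserPassword</key>
        <string>REPLACE-ME</string>
        <!-- Pin the expected RADIUS server name so not just any server cert is accepted -->
        <key>TLSTrustedServerNames</key>
        <array><string>radius.example.com</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```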