Articles,Deployment,Management,OS X March 7, 2013 at 7:00 am

Another Way to Enable Wi-Fi At Login Window (with Profiles!)

The Premise:

Nick McSpadden and I were both working on a similar goal this week: getting Macs to connect to Wi-Fi at the loginwindow. By default, adding preferred wireless networks will only connect once a user is logged in, either via the networksetup command or Profiles. By using a modified .mobileconfig from the iPhone Configuration Utility, we can achieve this goal without having to use Profile Manager.

We shared a common goal in this, to be able to bootstrap new MacBook Airs over Wi-Fi using Munki. I had an additional goal, to be able to authenticate to Active Directory over Wi-Fi. Without a Wi-Fi connection at the loginwindow, Directory Services must rely on cached credentials, which interferes with some authentication  methods as well as Kerberos, and also prevents new users from signing in.

Nick created a script which is run by a LaunchAgent that makes this work on Snow Leopard and later, but if you are using Lion or Mountain Lion, this can all be accomplished with the built-in functionality of Profiles.

The iPhone Configuration Utility can make .mobileconfig profiles, but these are ‘User’ profiles, in that wireless networks and credentials are installed in the current user’s Keychain. In order to achieve our goal, we need a ‘System’ profile, so this information is stored in the System Keychain and therefore usable by any user. We also must instruct the computer to connect at the loginwindow, and not just after users log in.

By using this setup, you will no longer need an Ethernet connection to setup new machines and users, and it will make it much easier to keep your fleet of portables updated. Be careful when bootstrapping over Wi-Fi, as a few machines downloading tens of gigabytes can easily overwhelm poorly-configured or cheap access points.

The Setup:

Download and install the iPhone Configuration Utility, and create a .mobileconfig profile for your Wi-Fi network(s). If you use 802.1x, be sure to include any certificates. Export the profile, and open it in your favorite text editior.

Your initial .mobileconfig should look like the following example. This example contains two Wi-Fi networks, a WPA2-PSK network and a WPA2-Enterprise, 802.1x authenticated network. We must make some manual modifications to this file.

https://gist.github.com/043bd8a814f84b37be8d

  1. To have the Wi-Fi networks installed into System.keychain, add this key to each Wi-Fi network’s dict, underneath the SSID_STR key.

https://gist.github.com/b32c3435e9c3601bf449

  1. To tell the computer to connect to these Wi-Fi networks at the loginwindow in addition to when users log in, add this key to the main dict, underneath the PayloadRemovalDisallowed key.

https://gist.github.com/a6a52e11074c8cc9279d

The resulting .mobileconfig should look like this:

https://gist.github.com/81cb3777a2cbe6782abd

As DeployStudio and Munki cannot currently install profiles themselves, a payload-free package should be created with it, using this command to install as a device profile:

https://gist.github.com/569919af8a48b201236b

Here is an example of a postflight script to use to install this profile:

https://gist.github.com/2a60044b70c5bf85e335

If installing with DeployStudio, be sure to mark it as a postponed installation, as the profiles command can only install on the currently booted disk. Adding this resulting package to your current DeployStudio or other thin/no-imaging workflow will make the machine connect to your Wi-Fi network and bootstrap with Munki, no Ethernet required.

Samuel Keeley

Samuel Keeley can frequently be found in ##osx-server on Freenode, or on Twitter @keeleysam.

More Posts - Website

Follow Me:
Twitter

Tags:

5 Comments

  • What if I still need or want to provide user credentials, instead of a predefined password for a specific network, eduroam for instance?
    Can this somehow be tweaked so that a prompt for username and password is provided “above” the loginwindow or somesuch?

    Thanks in advance!

  • Thank you for your post, will test!

  • Dear Samuel
    Thank you for your great article. It is great to adapt the xml but I have one question. I would love to sign or even encrypt the profiles after changing them so that I can be sure the profile is the right version. Of course IPCU does not import manipulated profile neither does profile manager. Do you know some “terminal/bash”-magic or any other way to at least sign profiles?
    Thank you so much for your help in advance!
    Mike

    • You can use the PayloadVersion key to ensure that it is the correct version. Signing is possible, but encryption is unfortunately not supported for these profiles.

  • Hello Samuel,

    I believe I followed your instructions but it does not work. I do not have the login window and the the profile disappear for each new user. it does not stay in the profile preference !
    Any advices, ideas ?

    thanks

Leave a reply

You must be logged in to post a comment.