How to get OS X 10.9 to save WPA2 Enterprise passwords in System keychain?


There seems to be an Apple official way to do it, but it's an extremely convoluted process. I'll post it here but hope that someone else can provide you with a much more sane way to do it.

The apparent Apple official way requires access to a recent version of Mac OS X Server; any of the versions that were sold for just $20 on the Mac App Store should do it:

  • 10.7 "Lion Server"
  • 10.8 "Mountain Lion Server"
  • 3.0 (corresponds to Mac OS X 10.9 Mavericks).

Here goes:

  1. Have your Mac log into the WPA2-Enterprise network once, and trust the certificate(s). Then find the relevant certificate(s) in the System keychain (via Keychain Access) and export them each as separate .cer files. This could be a single self-signed server cert, or it could be a server cert plus zero or more intermediate CA certs, plus a root CA cert.
  2. Set up the "Profile Manager" service of Mac OS X Server if you haven't already.
  3. Create a placeholder "Device Profile" that defines a Wi-Fi network to join and the security type and credentials to use.
    1. Use a web browser to go to the /profilemanager/ URL on your Mac OS X Server machine, and log on using a system administrator account.
    2. In the "Library" list on the left-most column, select "Devices".
    3. In the second column, hit the + button and "Add Placeholder" to create a new placeholder device profile. Give it some name like "My WPA2-Enterprise Network Login Profile" and type any random crap (maybe "Placeholder") as the placeholder serial number. Hit "Add".
    4. In the third column, go to the "Settings" tab and hit "Edit".
    5. In the big sheet that comes up, select the "General" section, and switch the Profile Distribution Type to Manual Download.
    6. Go to the "Certificates" section, and use the UI to import each of the .cer files for your network that you exported via Keychain Access before you started.
    7. Go to the "Network" section, and create a payload for your Wi-Fi network. Be sure to type in the SSID perfectly correctly (capitalization, punctuation, and spaces matter).
      1. Type in your SSID. Make sure you get it exactly right.
      2. Set the Security Type to WPA/WPA2 Enterprise.
      3. Under Protocols > Accepted EAP Types, check the boxes for the EAP types in use on your network.
      4. Enter your Username and Password in the relevant fields.
      5. On the "Trust" tab, check the checkboxes next to the certs you imported, so that they'll be trusted.
      6. Hit "OK".
  4. Hit "Save".
  5. Hit "Download". You'll be downloading a .mobileconfig file. Copy this .mobileconfig file to any machine you need to install it on. WARNING: This profile will contain your username and password as cleartext, so be careful with how you transport it and where you leave it.
  6. Double-click the .mobileconfig to import it into the Profiles pane of System Preferences. You'll be prompted for an administrator password.

If the profile got installed correctly, it should show up as a device profile, not a user profile. You can now reboot your machine and see if it is able to get on the network without so much prompting.

Also note that this setup will allow your machine to stay on the network even when no one's logged into the machine (like when the machine is sitting at a Login Window with no one logged in). Depending on your needs, that might be a nice bonus or it might be a security concern. Just thought I should let you know.

P.S. Using the old iOS Configuration Utility or the more modern Apple Configurator app to create these profiles won't allow you to create System-scope profiles that are allowed to put things in the System keychain. The .mobileconfig plist formats are the same, but the ones created by Mac OS X Server's Profile Manager web app contain some extra plist key/value pairs that allow it to be set as System scope.
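Before copying the downloaded .mobileconfig anywhere, it is worth checking what it actually carries: the scope, the certificate payloads, and whether the Wi-Fi payload embeds the password in cleartext as the answer warns. The following added example (not part of the answer above) builds a constructed sample profile with plistlib and audits it; the key names (PayloadScope, com.apple.wifi.managed, EAPClientConfiguration, UserPassword, ...) follow Apple's Configuration Profile Reference, and all values are made up here.

```python
import plistlib

# Constructed sample profile shaped like the one the answer produces; key names
# follow Apple's Configuration Profile Reference, values are made up here.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadScope": "System",      # assumed to be the key the P.S. refers to; "User" is the default
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [
        {   # the exported .cer, embedded as DER bytes
            "PayloadType": "com.apple.security.root",
            "PayloadUUID": "00000000-0000-0000-0000-0000000000ca",
            "PayloadContent": b"constructed-DER-placeholder",
        },
        {   # the Wi-Fi payload with WPA2 Enterprise credentials
            "PayloadType": "com.apple.wifi.managed",
            "SSID_STR": "CorpWiFi",
            "EncryptionType": "WPA2",
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [25],          # 25 = PEAP
                "UserName": "rgarner",
                "UserPassword": "hunter2",       # stored in cleartext, as the answer warns
                "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-0000000000ca"],
            },
        },
    ],
}
SAMPLE_XML = plistlib.dumps(SAMPLE_PROFILE)

EAP_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def audit_profile(data: bytes) -> dict:
    profile = plistlib.loads(data)
    report = {"scope": profile.get("PayloadScope", "User"), "certs": 0, "wifi": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in ("com.apple.security.root", "com.apple.security.pkcs1"):
            report["certs"] += 1                 # certificate payloads to be trusted
        elif ptype == "com.apple.wifi.managed":
            eap = payload.get("EAPClientConfiguration", {})
            report["wifi"].append({
                "ssid": payload.get("SSID_STR"),
                "enterprise": bool(eap),         # EAP block present => WPA2 Enterprise
                "eap_types": [EAP_NAMES.get(t, str(t)) for t in eap.get("AcceptEAPTypes", [])],
                "cleartext_password": "UserPassword" in eap,
                "trusted_anchors": len(eap.get("PayloadCertificateAnchorUUID", [])),
            })
    return report
```

Run `audit_profile(open("profile.mobileconfig", "rb").read())` on a real download; a `cleartext_password` of True means the file must be treated as a credential, not as a mere configuration file.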

Author: Richard Garner

Updated on September 18, 2022

Comments

  • Richard Garner over 1 year

    I am using OS X Keychain as my password manager. To make it reasonably secure, I have a different password on my login keychain than on my user account, and have the keychain set to lock automatically after 5 minutes or on sleep.

    On the whole this works well, with one exception. At home, my wireless works without needing to unlock the login keychain, since the password is stored on the "system" keychain, which has the same password as my user account. However, at work, the wireless password is stored on the "login" keychain, and so requires me to enter the keychain password before it will connect. The difference between the two seems to be that the home system is WPA2 Personal and the work one is WPA2 Enterprise.

    This problem has been compounded since upgrading to OS X 10.9. Now, wireless access at work requires me to enter the keychain password TWICE: once so that "eapolclient" can access the login keychain, and a second time so that Keychain Access can access the login keychain.

    I have tried moving the WPA2 Enterprise password item from the login keychain to the system keychain, but it seems to ignore it. So my question is:

    • Is there any way of persuading OS X to read a WPA2 Enterprise wireless password from the system keychain, rather than from the login keychain?

    • If not, is there any way of avoiding needing to enter the keychain password twice, as in OS X 10.8 and earlier?

  • Richard Garner over 10 years
    Wow, that is pretty complicated. Hopefully I'll get around to giving it a go. Thanks.