Enable User Wi-Fi Profile (ADMX)

=== Notice ===

This group policy should only be used by admins who are not able to use the non-ADMX setting under:

Computer Configuration -> Centrify Settings -> Mac OS X Settings -> 802.1X Settings -> Enable User Wi-Fi Profile

Non-ADMX settings will take precedence over this ADMX setting.

=== Setting Instructions ===

Open "Enable User Wi-Fi Profile (ADMX)"
1. Click Enabled
2. Click Show to add the details of the Wi-Fi Profile
3. Each row corresponds to one Wi-Fi Profile, given as a string of the form:
ssid:{SSID},securityType:0/1,autoJoin:0/1,hiddenNetwork:0/1,proxyPACURL:{URL},proxyPACFallback:0/1

where:

SSID - SSID, any string

Security Type - 0: WEP Enterprise, 1: WPA/WPA2 Enterprise (Default: 1)

Auto join - 0: unchecked, 1: checked (Default: 1 - Checked)

Hidden network - 0: unchecked, 1: checked (Default: 0 - Unchecked)

Proxy PAC URL - The URL of the PAC file that defines the proxy configuration, any string (Default: empty).

Proxy PAC Fallback - If false, prevents the device from connecting directly to the destination if the PAC file is unreachable. 0: unchecked, 1: checked (Default: 0 - Unchecked)

Example: ssid:User,securityType:0,autoJoin:1,hiddenNetwork:0,proxyPACURL:http://myserver.mycompany.com/myproxy.pac,proxyPACFallback:0

4. Click "OK" and "Apply" to close.
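
The row format above can be checked before it is pasted into the policy. The following is an added example, not part of the Centrify documentation or product: it parses one row, applies the documented defaults, and flags the weaker options. The function names and the rule of splitting only on commas that precede a known key are assumptions of this example, not documented agent behaviour.

```python
import re

# Keys and defaults as documented on this page (ssid has no default).
DEFAULTS = {"securityType": "1", "autoJoin": "1", "hiddenNetwork": "0",
            "proxyPACURL": "", "proxyPACFallback": "0"}
KEYS = ["ssid"] + list(DEFAULTS)
# Assumption of this example: split only on commas that start a known key,
# so a comma or colon inside the SSID or PAC URL does not break the row.
_SPLIT = re.compile(r",(?=(?:%s):)" % "|".join(KEYS))


def parse_row(row):
    """Parse one WifiProfile_{number} value into a dict with defaults applied."""
    profile = dict(DEFAULTS)
    seen = set()
    for field in _SPLIT.split(row.strip()):
        key, sep, value = field.partition(":")
        if not sep or key not in KEYS:
            raise ValueError("unknown or malformed field: %r" % field)
        if key in seen:
            raise ValueError("duplicate field: %s" % key)
        seen.add(key)
        profile[key] = value
    if not profile.get("ssid"):
        raise ValueError("ssid is required")
    for flag in ("securityType", "autoJoin", "hiddenNetwork", "proxyPACFallback"):
        if profile[flag] not in ("0", "1"):
            raise ValueError("%s must be 0 or 1" % flag)
    return profile


def review(profile):
    """Return hardening findings for a parsed profile."""
    findings = []
    if profile["securityType"] == "0":
        findings.append("securityType 0 selects WEP Enterprise; prefer 1 (WPA/WPA2 Enterprise)")
    url = profile["proxyPACURL"]
    if url.lower().startswith("http://"):
        findings.append("PAC file is fetched over plain HTTP and can be altered in transit")
    if url and profile["proxyPACFallback"] == "1":
        findings.append("proxyPACFallback 1 allows direct connections when the PAC file is unreachable")
    return findings


# The example row from this page.
EXAMPLE = ("ssid:User,securityType:0,autoJoin:1,hiddenNetwork:0,"
           "proxyPACURL:http://myserver.mycompany.com/myproxy.pac,proxyPACFallback:0")

if __name__ == "__main__":
    for finding in review(parse_row(EXAMPLE)):
        print(finding)
```

Run against the page's own example row, it reports two findings: the WEP Enterprise security type and the HTTP PAC URL.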

=== Setting Details ===

This policy currently supports the TLS protocol for certificate-based authentication as the user.

By default, the auto-enrolled user certificates are pushed down to ~/.centrify/autouser_(name).{cert,key,chain}. They are also imported into each user's respective login keychain.

Note that the user must perform the following steps manually after login to authenticate to the network as him/herself:
1. Go to System Preferences > Network > Wi-Fi.
2. Click on "Disconnect" to disconnect existing 802.1X connections, if any. (For example, if the machine 802.1X Wi-Fi policy has been set, the Mac will already be authenticated using the machine credential.)
3. Click on "Connect". This prompts the user with a list of available identities (certificate-key pairs).
4. Choose the appropriate auto-enrolled user identity (certificate-key pair).

Also note that the resulting profile will be signed using the first available auto-enrolled machine certificate, which is stored under /var/centrify/net/certs/auto_(name).{cert,key,chain} by default.
If none is available, the profile will be unsigned.

Supported on:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\8021X
Value Name: UserWifiProfileEnableADMX
Value Type: REG_SZ
Enabled Value: ON
Disabled Value: OFF

Add a Wi-Fi network:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\8021X\userwifiprofile\WifiProfileADMX
Value Name: WifiProfile_{number}
Value Type: REG_SZ
Default Value:

centrify_mac_settings.admx