Custom Wi-Fi, SCEP, and Cert Chain Profile

Use this guide to help configure a custom profile with iMazing Profile Editor and deploy the custom profile from your Kandji instance

Prerequisites

• Download iMazing Profile Editor 

• Download the custom_wifi_scep_certchain_example.mobileconfig file from our Support GitHub repository

• Make sure to have any Root and Intermediate certificate files available

• You may need to work with your Network administrator to gather the required settings to fill out the SCEP payload

This guide is intended as an example to get you started. The intent is that you can use the example profile as a starting point and modify the profile to meet your environments specific needs.

Modifying the custom mobileconfig profile

1. Launch iMazing Profile Editor and open the custom_wifi_scep_certchain_example.mobileconfig download earlier 

2. You should see 4 payloads listed in the Configured Domains section
   
   
   

3. Select the Certificates payload

4. Remove the existing example certificates by clicking the minus buttons next to each one
   
   

5. Click + Add Configuration Payload to add your root certificate
   
   

6. In the Finder window navigate to your root certificate and select it 

7. Click Open
   
   

8. To add additional certificates, click the plus button in the top-right corner, and repeat this step for all of your intermediate certificates if applicable. In the example below, there are three certificates in this payload, a Root and two intermediate CA certificates.
   
   

9. Copy each certificate's Payload UUID and paste them to a temporary text document. These will be used later in the Wi-Fi payload.

10. Select the SCEP payload

11. Go down to the Payload UUID and copy it to the same temporary text document for use later in the Wi-Fi payload.

    
    
    

12. Fill in the SCEP server URL (required)

13. Enter any additional SCEP server settings information according to your requirements

    1. URL and Payload UUID are required fields.

    2. All other fields are optional based on your needs and should be left empty if not needed.

    3. Kandji Global Variables can be used if needed to dynamically fill in information such as $SERIAL_NUMBER or $EMAIL

       
       
       

14. Select the Wi-Fi payload

15. Enter your network Service Set Identifier (SSID)

16. Select an Encryption Type

17. Add the Accept EAP Types for your network

18. In the Certificate Anchor UUID section paste in the Certificate UUIDs that you copied earlier

19. In the Certificate UUID field paste in the SCEP payload UUID that you copied from earlier

    
    

    
    
    

20. If there are any additional Wi-Fi settings that are required for your network be sure to configure those in the Wi-Fi as well

21. Save the mobile config file by pressing ⌘ + S or by going to the File menu and selecting Save

    • At this point you can change the file name if you would like

Create Custom Configuration Profile in Kandji

1. Create a Custom Configuration Profile in Kandji by going Selecting Library > Add New > Custom Profile > Add & Configure

2. Give the custom profile the following name: Wi-Fi Settings

3. Assign the library item to a Blueprint.

   1. It is generally good practice to assign a new library item to a testing Blueprint to ensure that everything functions as expected.

4. Set Device Families to Mac.

5. Upload the custom_wifi_scep_certchain_example.mobileconfig file to Kandji as a custom configuration profile. 

6. Click Save in the bottom right.