Apple OS X Configuration - Revision history

Steve at 10:50, 13 October 2022

2022-10-13T10:50:56Z

← Older revision		Revision as of 11:50, 13 October 2022
Line 4:		Line 4:
	* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system\|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification\|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification\|User Identification]] mode to ''Single User Devices''.		* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system\|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification\|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification\|User Identification]] mode to ''Single User Devices''.
	* If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.		* If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
	* If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. OS X devices can automatically log in to the captive portal using the WISPr protocol.		* If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. OS X devices can automatically log in to the captive portal using the WISPr protocol whenever the device reconnects to the network.

	If the network's [[Web: Permissions & Limits#HTTPS%20decryption\|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:		If the network's [[Web: Permissions & Limits#HTTPS%20decryption\|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:

Steve at 10:47, 13 October 2022

2022-10-13T10:47:13Z

← Older revision		Revision as of 11:47, 13 October 2022
Line 19:		Line 19:

	=== Devices on the Windows domain ===		=== Devices on the Windows domain ===
	It is preferable for shared devices to be members of the school's Windows domain.		It is preferable for shared devices to be members of the school's Windows domain. Please see [[Microsoft Windows Configuration#Shared devices\|Microsoft Windows Configuration]].

	~~Client devices '''must''' use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol~~. ~~We recommend using automatic proxy discovery wherever possible.~~

	* The network that the devide is being connected to should have [[~~Web: Permissions & Limits~~#~~Autoconfigure%20devices%20to%20use%20the%20proxy\|Autoconfigure~~ devices ~~to use the proxy]] ticked in [[Web: Permissions & Limits~~\|~~Permissions & Limits~~]].
	* Ensure that the [[Installation Requirements#Internal%20DNS%20configuration\|''wpad'' DNS records]] have been created on your internal domain.
	* Ensure that your DHCP scopes are [[Installation Requirements#DHCP\|correctly configured]].
	* Group Policy should have no web proxy servers set, and "Automatically detect settings" should be ticked.

	*The network that the device is being connected to should have its user identification profile set to ''Workstations''.
	If the network's [[Web: Permissions & Limits#HTTPS%20decryption\|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. This is usually done through Group Policy.

	=== Stand alone devices ===		=== Stand alone devices ===
	Shared devices which are not connected to the Windows domain must authenticate through the captive portal:		Shared devices which are not connected to the Windows domain must authenticate through the captive portal:

	~~This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.~~

	* Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system\|send RADIUS accounting data]] to the Opendium system.		* Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system\|send RADIUS accounting data]] to the Opendium system.
Line 56:		Line 44:

	==Multiuser servers==		==Multiuser servers==
	This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain.		This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain. If the machine is not on the Windows domain, the only option is to disable [[Web: Permissions & Limits#User%20identification\|User Identification]].

	~~Client devices '''must''' be set to use your non-transparent proxy, as this~~ is ~~a requirement of~~ the ~~Kerberos single signon protocol.~~

	~~The network that~~ the ~~device~~ is ~~being connected to should have its user identification profile set~~ to ~~''Multiuser Servers''.~~

	~~If the network's~~ [[Web: Permissions & Limits#~~HTTPS~~%~~20decryption~~\|~~HTTPS Decryption~~]] ~~mode is set to ''Active'', you must install your unique Opendium inspection certificate:~~

	~~Please see the shared devices section, above, for device configuration~~.

	~~===Limitations===~~

	*Not all applications respect the proxy server settings and traffic for such software is instead caught by the transparent proxy and it is not possible to authenticate this traffic. The ''Single User Devices'' and ''Workstations'' user identification profiles expect only one user to be logged into each device at any one time and can therefore infer which user the transparent proxy traffic belongs to based on the authentication credentials contained in the most recent non-transparent proxy traffic. Inferring traffic ownership in this way is not possible for systems that have multiple concurrent users, and therefore transparent proxy traffic from ''Multiuser Servers'' will not have an owner associated with it. Therefore, transparent proxy traffic will not be logged against an individual user, and will be filtered according to the ''Unidentified Users'' Policy Modelling report.		Please see [[Microsoft Windows Configuration#Multiuser servers\|Microsoft Windows Configuration]].
	*Not all applications support authenticated web proxy servers, and of those which do, some do not support Kerberos single signon. The ''Single User Devices'' and ''Workstations'' user identification profiles use heuristics to prevent broken software from being required to authenticate, and instead infers the traffic's ownership as described above. When the profile is set to ''Multiuser Servers'' these heuristics are disabled and all software using the non-transparent proxy is required to authenticate. This may result in some applications failing to connect to the internet, or spurious pop-up authentication boxes.
	[[Category:Client Configuration]]		[[Category:Client Configuration]]

Steve: Created page with "==One-to-one devices== This section covers devices which are always used by the same user and not connected to your Windows domain, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding Shared devices and Multiuser servers. * If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication an..."

2022-10-13T09:45:39Z

Created page with "==One-to-one devices== This section covers devices which are always used by the same user and not connected to your Windows domain, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding Shared devices and Multiuser servers. * If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication an..."

New page

==One-to-one devices==
This section covers devices which are always used by the same user and not connected to your Windows domain, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Apple OS X Configuration#Shared devices|Shared devices]] and [[Apple OS X Configuration#Multiuser servers|Multiuser servers]].

* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''Single User Devices''.
* If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
* If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. OS X devices can automatically log in to the captive portal using the WISPr protocol.

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:
*Launch Safari and browse to https://''<your Opendium host name>''/opendium.crt (This URI is displayed on the [[Web]] tab).
*Go to ''Downloads.''
*Double click the certificate.
*Enter the machine's password when prompted and click ''Modify keychain.''
*The ''Keychain Access'' window will appear showing the Opendium certificate.
*Double click the Opendium certificate.
*Expand the ''Trust'' section in the pop up window and set it to ''Always Trust.''

==Shared devices==
This section covers devices which are shared between multiple users (one user logged in at a time). Scroll down for information regarding [[Apple OS X Configuration#Multiuser servers|multiuser servers]].

=== Devices on the Windows domain ===
It is preferable for shared devices to be members of the school's Windows domain.

Client devices '''must''' use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol. We recommend using automatic proxy discovery wherever possible.

* The network that the devide is being connected to should have [[Web: Permissions & Limits#Autoconfigure%20devices%20to%20use%20the%20proxy|Autoconfigure devices to use the proxy]] ticked in [[Web: Permissions & Limits|Permissions & Limits]].
* Ensure that the [[Installation Requirements#Internal%20DNS%20configuration|''wpad'' DNS records]] have been created on your internal domain.
* Ensure that your DHCP scopes are [[Installation Requirements#DHCP|correctly configured]].
* Group Policy should have no web proxy servers set, and "Automatically detect settings" should be ticked.

*The network that the device is being connected to should have its user identification profile set to ''Workstations''.
If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. This is usually done through Group Policy.

=== Stand alone devices ===
Shared devices which are not connected to the Windows domain must authenticate through the captive portal:

This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

* Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system.
* Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''.
* Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-mac". This user must exist on the Opendium system.
* The user must use the captive portal to authenticate.
* When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:
*Launch Safari and browse to https://''<your Opendium host name>''/opendium.crt (This URI is displayed on the [[Web]] tab).
*Go to ''downloads.''
*Double click the certificate.
*Enter the machine's password when prompted and click ''Modify keychain.''
*The ''Keychain Access'' window will appear showing the Opendium certificate.
*Double click the Opendium certificate.
*Expand the ''Trust'' section in the pop up window and set it to ''Always Trust.''
Shared stand alone OS X devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User%20identification|User Identification]].

===Troubleshooting===
Shared devices on the Windows domain should transparently authenticate using Kerberos single sign-on. If the device pops up authentication boxes rather than automatically authenticating, check that the clock on both the device and the domain controller are correct. The Opendium server provides an NTP service and we recommend that your machines use this to keep their clocks synchronised.

==Multiuser servers==
This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain.

Client devices '''must''' be set to use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol.

The network that the device is being connected to should have its user identification profile set to ''Multiuser Servers''.

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:

Please see the shared devices section, above, for device configuration.

===Limitations===

*Not all applications respect the proxy server settings and traffic for such software is instead caught by the transparent proxy and it is not possible to authenticate this traffic. The ''Single User Devices'' and ''Workstations'' user identification profiles expect only one user to be logged into each device at any one time and can therefore infer which user the transparent proxy traffic belongs to based on the authentication credentials contained in the most recent non-transparent proxy traffic. Inferring traffic ownership in this way is not possible for systems that have multiple concurrent users, and therefore transparent proxy traffic from ''Multiuser Servers'' will not have an owner associated with it. Therefore, transparent proxy traffic will not be logged against an individual user, and will be filtered according to the ''Unidentified Users'' Policy Modelling report.
*Not all applications support authenticated web proxy servers, and of those which do, some do not support Kerberos single signon. The ''Single User Devices'' and ''Workstations'' user identification profiles use heuristics to prevent broken software from being required to authenticate, and instead infers the traffic's ownership as described above. When the profile is set to ''Multiuser Servers'' these heuristics are disabled and all software using the non-transparent proxy is required to authenticate. This may result in some applications failing to connect to the internet, or spurious pop-up authentication boxes.
[[Category:Client Configuration]]