Apple OS X Configuration: Difference between revisions

From Opendium Documentation
Latest revision as of 10:50, 13 October 2022

One-to-one devices

This section covers devices which are always used by the same user and not connected to your Windows domain, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding Shared devices and Multiuser servers.

  • If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to send RADIUS accounting data to the Opendium system. Set the User Identification mode to RADIUS. If 802.1x authentication cannot be used, set the User Identification mode to Single User Devices.
  • If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
  • If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. OS X devices can automatically log in to the captive portal using the WISPr protocol whenever the device reconnects to the network.

If the network's HTTPS Decryption mode is set to Active, you must install your unique Opendium inspection certificate:

  • Launch Safari and browse to https://<your Opendium host name>/opendium.crt (This URI is displayed on the Web tab).
  • Go to Downloads.
  • Double click the certificate.
  • Enter the machine's password when prompted and click Modify keychain.
  • The Keychain Access window will appear showing the Opendium certificate.
  • Double click the Opendium certificate.
  • Expand the Trust section in the pop up window and set it to Always Trust.

Shared devices

This section covers devices which are shared between multiple users (one user logged in at a time). Scroll down for information regarding multiuser servers.

Devices on the Windows domain

It is preferable for shared devices to be members of the school's Windows domain. Please see Microsoft Windows Configuration.

Stand alone devices

Shared devices which are not connected to the Windows domain must authenticate through the captive portal:

  • Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to send RADIUS accounting data to the Opendium system.
  • Set the User Identification mode to RADIUS.
  • Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-mac". This user must exist on the Opendium system.
  • The user must use the captive portal to authenticate.
  • When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's HTTPS Decryption mode is set to Active, you must install your unique Opendium inspection certificate:

  • Launch Safari and browse to https://<your Opendium host name>/opendium.crt (This URI is displayed on the Web tab).
  • Go to Downloads.
  • Double click the certificate.
  • Enter the machine's password when prompted and click Modify keychain.
  • The Keychain Access window will appear showing the Opendium certificate.
  • Double click the Opendium certificate.
  • Expand the Trust section in the pop up window and set it to Always Trust.
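The Keychain Access steps above (here and in the One-to-one devices section) mark the inspection certificate Always Trust for one login. On managed Macs the same result is usually scripted. The following is an added example, not Opendium's own tooling: it fetches opendium.crt, refuses anything that is not a CA certificate or whose SHA-256 fingerprint differs from the one you recorded from the appliance, and then trusts it in the System keychain. OPENDIUM_HOST and EXPECTED_SHA256 are placeholders; openssl and the macOS security tool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the Opendium documentation). Scripted equivalent of
# "Always Trust" for the Opendium inspection certificate on a managed Mac.
set -eu

OPENDIUM_HOST="${OPENDIUM_HOST:-opendium.example.invalid}"   # placeholder: your Opendium host name
EXPECTED_SHA256="${EXPECTED_SHA256:-}"   # placeholder: fingerprint noted from the appliance, no colons

# Detect PEM vs DER so both encodings of a .crt file are handled.
cert_inform() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then echo PEM; else echo DER; fi
}

# SHA-256 fingerprint of a certificate file as 64 upper-case hex digits.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g'
}

# Succeeds only if the file parses as a certificate with basicConstraints CA:TRUE.
# A non-CA certificate trusted as a root would not decrypt anything; junk must not be trusted either.
cert_is_ca() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -text 2>/dev/null \
        | grep -q 'CA:TRUE'
}

install_inspection_cert() {
    tmp="$(mktemp)"
    curl -fsS "https://${OPENDIUM_HOST}/opendium.crt" -o "$tmp"
    cert_is_ca "$tmp" || { echo "refusing: downloaded file is not a CA certificate" >&2; return 1; }
    fp="$(cert_fingerprint "$tmp")"
    # Whoever holds the private key of a trusted root can read all TLS traffic on this
    # device, so only the fingerprint you verified out of band is accepted.
    if [ -n "$EXPECTED_SHA256" ] && [ "$fp" != "$EXPECTED_SHA256" ]; then
        echo "refusing: fingerprint $fp does not match EXPECTED_SHA256" >&2
        rm -f "$tmp"
        return 1
    fi
    # System keychain so the trust applies to every user of the device (requires admin rights).
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$tmp"
    rm -f "$tmp"
}

# Set RUN_INSTALL=1 to perform the installation; the functions alone are harmless to source.
if [ "${RUN_INSTALL:-0}" = "1" ]; then install_inspection_cert; fi
```

Run it as RUN_INSTALL=1 EXPECTED_SHA256=<fingerprint> OPENDIUM_HOST=<host> sh install-cert.sh on each device; the same script works for the One-to-one devices section.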

Shared stand alone OS X devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable User Identification.

Troubleshooting

Shared devices on the Windows domain should transparently authenticate using Kerberos single sign-on. If the device pops up authentication boxes rather than authenticating automatically, check that the clocks on both the device and the domain controller are correct, since Kerberos rejects tickets when the clocks differ too much. The Opendium server provides an NTP service and we recommend that your machines use this to keep their clocks synchronised.

Multiuser servers

This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain. If the machine is not on the Windows domain, the only option is to disable User Identification.

Please see Microsoft Windows Configuration.