Apple OS X Configuration
One-to-one devices
This section covers devices which are always used by the same user and not connected to your Windows domain, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding Shared devices and Multiuser servers.
- If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to send RADIUS accounting data to the Opendium system. Set the User Identification mode to RADIUS. If 802.1x authentication cannot be used, set the User Identification mode to Single User Devices.
- If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
- If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. OS X devices can automatically log in to the captive portal using the WISPr protocol.
If the network's HTTPS Decryption mode is set to Active, you must install your unique Opendium inspection certificate:
- Launch Safari and browse to https://<your Opendium host name>/opendium.crt (This URI is displayed on the Web tab).
- Go to Downloads.
- Double click the certificate.
- Enter the machine's password when prompted and click Modify keychain.
- The Keychain Access window will appear showing the Opendium certificate.
- Double click the Opendium certificate.
- Expand the Trust section in the pop up window and set it to Always Trust.
Shared devices
This section covers devices which are shared between multiple users (one user logged in at a time). Scroll down for information regarding multiuser servers.
Devices on the Windows domain
It is preferable for shared devices to be members of the school's Windows domain.
Client devices must use your non-transparent proxy, as this is a requirement of the Kerberos single sign-on protocol. We recommend using automatic proxy discovery wherever possible.
- The network that the device is being connected to should have Autoconfigure devices to use the proxy ticked in Permissions & Limits.
- Ensure that the wpad DNS records have been created on your internal domain.
- Ensure that your DHCP scopes are correctly configured.
- Group Policy should have no web proxy servers set, and "Automatically detect settings" should be ticked.
- The network that the device is being connected to should have its user identification profile set to Workstations.
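The steps above rely on clients finding the proxy through WPAD, so a quick client-side check is worth having. The script below is an added example and is not part of the Opendium documentation or its tooling: it fetches http://wpad.<domain>/wpad.dat (the URL that "Automatically detect settings" clients request, which is what the wpad DNS record and the DHCP scope exist to make reachable) and confirms that the result is a PAC file which actually names a proxy. The domain and proxy host names used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Opendium documentation: a client-side check
# that proxy autodiscovery is actually in place for a domain. It fetches
# http://wpad.<domain>/wpad.dat and confirms the file is a PAC file that
# names a proxy. The domain and proxy names are constructed placeholders.

wpad_url() {
    # Clients with "Automatically detect settings" ticked request this URL.
    printf 'http://wpad.%s/wpad.dat\n' "$1"
}

pac_is_usable() {
    # A PAC file must define FindProxyForURL(url, host). If it does not, the
    # client silently falls back to DIRECT, i.e. to the transparent proxy,
    # and Kerberos single sign-on never happens.
    grep -q 'function[[:space:]]*FindProxyForURL[[:space:]]*(' "$1"
}

pac_proxy_hosts() {
    # List every host:port the PAC can hand back via "PROXY host:port".
    grep -o 'PROXY[[:space:]][^";]*' "$1" | sed 's/^PROXY[[:space:]]*//' | sort -u
}

check_wpad() {
    domain=$1
    url=$(wpad_url "$domain")
    tmp=$(mktemp "${TMPDIR:-/tmp}/wpad.XXXXXX") || return 1
    if ! curl -fsS -o "$tmp" "$url"; then
        echo "FAIL: $url not served; check the wpad DNS record and DHCP scope" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! pac_is_usable "$tmp"; then
        echo "FAIL: $url is not a PAC file (no FindProxyForURL)" >&2
        rm -f "$tmp"
        return 1
    fi
    echo "OK: $url returns these proxies:"
    pac_proxy_hosts "$tmp"
    rm -f "$tmp"
}

# Usage: sh check-wpad.sh school.internal   (domain name is a placeholder)
if [ $# -eq 1 ]; then
    check_wpad "$1"
fi
```

Run it from a device on the network in question with the domain as the only argument. On the Mac itself, `scutil --proxy` shows whether proxy autodiscovery is enabled for the active network location, which is the client-side half of the same check.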
If the network's HTTPS Decryption mode is set to Active, you must install your unique Opendium inspection certificate. This is usually done through Group Policy.
Stand alone devices
This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.
Shared devices which are not connected to the Windows domain must authenticate through the captive portal:
- Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to send RADIUS accounting data to the Opendium system.
- Set the User Identification mode to RADIUS.
- Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-mac". This user must exist on the Opendium system.
- The user must use the captive portal to authenticate.
- When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).
If the network's HTTPS Decryption mode is set to Active, you must install your unique Opendium inspection certificate:
- Launch Safari and browse to https://<your Opendium host name>/opendium.crt (This URI is displayed on the Web tab).
- Go to Downloads.
- Double click the certificate.
- Enter the machine's password when prompted and click Modify keychain.
- The Keychain Access window will appear showing the Opendium certificate.
- Double click the Opendium certificate.
- Expand the Trust section in the pop up window and set it to Always Trust.
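Marking the inspection certificate Always Trust lets the Opendium system decrypt the device's HTTPS traffic, so it is worth confirming that the certificate you downloaded is the one your Opendium system actually issued before trusting it. The script below is an added example and is not Opendium's own tooling; it covers the certificate installation steps given above for both one-to-one and shared stand alone devices. It downloads opendium.crt from the same address the page points Safari at, prints the certificate's SHA-256 fingerprint, and only adds it to the System keychain as a trusted root when that fingerprint matches the value the administrator has confirmed by some other route. The host name and expected fingerprint are passed as arguments (assumptions, not values from the page), and `security` is the macOS keychain command, so the install step itself only works on a Mac.

```shell
#!/bin/sh
# Added example (not Opendium's own tooling): fetch the Opendium inspection
# certificate, print its SHA-256 fingerprint, and only add it to the System
# keychain as a trusted root when the fingerprint matches the value the
# administrator has confirmed out of band.
# Assumptions: $1 is the Opendium host name, $2 the expected fingerprint,
# and "security" is the macOS keychain command (it only exists on macOS).

cert_sha256_fingerprint() {
    # Print the SHA-256 fingerprint of a certificate file as lowercase hex
    # without colons. opendium.crt may be PEM or DER, so try both encodings.
    { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        || openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256; } \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

normalise_fingerprint() {
    # Accept "AB:CD:..." or "abcd..." so a value copied from a browser or the
    # Opendium web interface compares cleanly.
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' -e 's/ //g' | tr 'A-F' 'a-f'
}

fingerprint_matches() {
    # Exit 0 when the file's fingerprint equals the expected one, 1 otherwise.
    [ "$(cert_sha256_fingerprint "$1")" = "$(normalise_fingerprint "$2")" ]
}

install_inspection_cert() {
    host=$1
    expected=$2
    tmp=$(mktemp "${TMPDIR:-/tmp}/opendium.XXXXXX") || return 1
    # Same location the documentation points Safari at.
    if ! curl -fsS -o "$tmp" "https://$host/opendium.crt"; then
        echo "download from https://$host/opendium.crt failed" >&2
        rm -f "$tmp"
        return 1
    fi
    actual=$(cert_sha256_fingerprint "$tmp")
    echo "downloaded certificate SHA-256: $actual"
    if ! fingerprint_matches "$tmp" "$expected"; then
        echo "fingerprint mismatch; not trusting this certificate" >&2
        rm -f "$tmp"
        return 1
    fi
    # trustRoot in the System keychain: trusted for every user on the machine,
    # the command-line equivalent of "Always Trust" in Keychain Access.
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh install-opendium-cert.sh <opendium host name> <expected sha256>
if [ $# -eq 2 ]; then
    install_inspection_cert "$1" "$2"
fi
```

Because the certificate goes into the System keychain rather than the logged-in user's login keychain, the trust setting applies to every account on the device, which is what a shared device needs; the manual steps above put it in the keychain of whoever is logged in at the time.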
Shared stand alone OS X devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable User Identification.
Troubleshooting
Shared devices on the Windows domain should transparently authenticate using Kerberos single sign-on. If the device pops up authentication boxes rather than automatically authenticating, check that the clock on both the device and the domain controller are correct. The Opendium server provides an NTP service and we recommend that your machines use this to keep their clocks synchronised.
Multiuser servers
This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain.
Client devices must be set to use your non-transparent proxy, as this is a requirement of the Kerberos single sign-on protocol.
The network that the device is being connected to should have its user identification profile set to Multiuser Servers.
If the network's HTTPS Decryption mode is set to Active, you must install your unique Opendium inspection certificate. Please see the shared devices section, above, for device configuration.
Limitations
- Not all applications respect the proxy server settings and traffic for such software is instead caught by the transparent proxy and it is not possible to authenticate this traffic. The Single User Devices and Workstations user identification profiles expect only one user to be logged into each device at any one time and can therefore infer which user the transparent proxy traffic belongs to based on the authentication credentials contained in the most recent non-transparent proxy traffic. Inferring traffic ownership in this way is not possible for systems that have multiple concurrent users, and therefore transparent proxy traffic from Multiuser Servers will not have an owner associated with it. Therefore, transparent proxy traffic will not be logged against an individual user, and will be filtered according to the Unidentified Users Policy Modelling report.
- Not all applications support authenticated web proxy servers, and of those which do, some do not support Kerberos single sign-on. The Single User Devices and Workstations user identification profiles use heuristics to prevent broken software from being required to authenticate, and instead infer the traffic's ownership as described above. When the profile is set to Multiuser Servers these heuristics are disabled and all software using the non-transparent proxy is required to authenticate. This may result in some applications failing to connect to the internet, or spurious pop-up authentication boxes.