The following settings apply to Mac OS X Tiger (10.4). They affect the behavior of the device on the network, particularly with regard to wireless connections and 802.1X authentication. Each of these settings is configurable automatically using XpressConnect.
Within the Mac supplicant, information is stored in profiles, each with a profile name. XpressConnect can detect whether or not a particular profile is defined on the system. Typically, the profile name is also the SSID in a wireless environment.
Supported settings include:
Configured - Default. The profile is considered configured if it exists in the list of profiles within Internet Connect. If the profile exists by name, it will be modified. If not, it will be created.
XpressConnect is able to auto remediate this setting. By default, Mac OS X does not contain any profiles. Note: A single profile name is tied to a single interface. Therefore, if supporting both wired and wireless connections, the profile name for wired connections should not be the same as for wireless. We recommend using the SSID as the profile name for wireless and using 'Sample University Wired' for wired connections.
On Leopard, setting this value to [SYSTEM] will cause the profile to be stored as the System profile.
Any other name will be stored as a User profile.
Within a profile, one or more EAP types may be specified. The supplicant will determine the appropriate one to use. XpressConnect is able to detect and configure this list of acceptable EAP types.
Supported settings include:
Selected - Default. The EAP type(s) is considered selected if the list of selections within the profile exactly matches the list specified. Multiple EAP types may be specified using a semicolon-separated list.
NOTE: The valid EAP types on a standard install are: TTLS, TLS, EAP-FAST, PEAP, LEAP, and MD5. If specifying multiple, they must be specified in the same order as listed previously. For example, 'TTLS;PEAP' is correct, 'PEAP;TTLS' is incorrect. TLS is only selectable if client certificates are installed.
XpressConnect is able to auto remediate this setting. By default, Mac OS X will allow TTLS, EAP-FAST, PEAP, LEAP, and MD5. Selection of acceptable EAP types will depend on your deployment, but we recommend removing LEAP and MD5 from the acceptable list.
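The ordering and selection rules above can be checked before a value is entered. The following is an added example, not XpressConnect code; the function names are hypothetical, and exact, case-sensitive matching of the type names is an assumption.

```python
# Order in which EAP types must be listed, as given in the NOTE above.
CANONICAL_ORDER = ["TTLS", "TLS", "EAP-FAST", "PEAP", "LEAP", "MD5"]
# Types the text recommends removing from the acceptable list.
DISCOURAGED = {"LEAP", "MD5"}


def canonical(types):
    """Return the given types, de-duplicated, in the required order."""
    return ";".join(t for t in CANONICAL_ORDER if t in types)


def check_eap_list(value, client_cert_installed=False):
    """Return a list of problems found in a semicolon-separated EAP list."""
    types = [t.strip() for t in value.split(";") if t.strip()]
    if not types:
        return ["no EAP types specified"]
    problems = []
    # Assumption: names must match exactly (case-sensitive).
    unknown = [t for t in types if t not in CANONICAL_ORDER]
    if unknown:
        problems.append("unknown EAP type(s): " + ", ".join(unknown))
    known = [t for t in types if t in CANONICAL_ORDER]
    if len(set(known)) != len(known):
        problems.append("duplicate EAP type(s)")
    # The list must follow the canonical order: 'PEAP;TTLS' is rejected.
    ranks = [CANONICAL_ORDER.index(t) for t in known]
    if ranks != sorted(ranks):
        problems.append("wrong order, expected: " + canonical(known))
    # TLS is only selectable when a client certificate is installed.
    if "TLS" in known and not client_cert_installed:
        problems.append("TLS requires an installed client certificate")
    weak = [t for t in known if t in DISCOURAGED]
    if weak:
        problems.append("recommended to remove: " + ", ".join(weak))
    return problems


if __name__ == "__main__":
    # Constructed sample values, including the Mac OS X default list.
    for sample in ("TTLS;PEAP", "PEAP;TTLS", "TTLS;EAP-FAST;PEAP;LEAP;MD5"):
        print(sample, "->", check_eap_list(sample) or "ok")
```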
XpressConnect can detect the system clock. This is important when server certificates are used for authentication to ensure the machine does not incorrectly believe the certificate is expired. This setting will query the current timestamp from a URL. If the URL is unavailable, the user will be prompted to confirm their current system clock. If the system clock differs by more than 7 days, the user will be prompted to correct the system clock.
Supported settings include:
In Sync - Default. The system clock must be within the range specified.
XpressConnect supports auto remediation of this setting.
If a PHP, JSP, or ASP deployment package is used, the package contains a timestamp file in tools. In these cases, leave the URL blank and the system will automatically use the timestamp file.
If an HTML deployment package is used, this needs to be the full URL (for example http://1.1.1.1/timestamp.txt) to a timestamp file. The timestamp file needs to contain the current timestamp in the format TIMESTAMP:YYYYMMDD-HHMMSS. There are a couple of options for how this file is handled. First, it may be queried from another server which contains scripting capabilities. The second option is to have a scheduled task regularly update the timestamp text file.
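For the scheduled-task option, the following added example (not part of XpressConnect) writes the timestamp file in the documented format and shows the 7-day comparison described above. The function names, the use of UTC and the world-readable file mode are assumptions; the text does not state which time zone the timestamp uses.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"TIMESTAMP:(\d{8}-\d{6})")
MAX_DRIFT = timedelta(days=7)  # threshold stated in the text


def format_timestamp(now):
    """Render a datetime as TIMESTAMP:YYYYMMDD-HHMMSS."""
    return "TIMESTAMP:" + now.strftime("%Y%m%d-%H%M%S")


def parse_timestamp(text):
    """Parse the file content; raise ValueError on anything malformed."""
    match = LINE_RE.fullmatch(text.strip())
    if not match:
        raise ValueError("expected TIMESTAMP:YYYYMMDD-HHMMSS")
    stamp = datetime.strptime(match.group(1), "%Y%m%d-%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)  # assumption: file is in UTC


def write_timestamp_file(path, now=None):
    """Replace the file atomically so a client never reads a partial line."""
    now = now or datetime.now(timezone.utc)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write(format_timestamp(now) + "\n")
    os.chmod(tmp, 0o644)  # assumption: the web server reads it as another user
    os.replace(tmp, path)


def clock_in_sync(local, reference, max_drift=MAX_DRIFT):
    """True when the local clock is within max_drift of the reference."""
    return abs(local - reference) <= max_drift


if __name__ == "__main__":
    # Run from a scheduled task; the file name is a constructed placeholder.
    write_timestamp_file("timestamp.txt")
```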
These settings allow additional software packages to be installed if necessary.
Software (80025)
This setting will allow a generic software package to be installed if necessary. NOTE: For remediation by installation to work properly, see the FAQ on the Support tab regarding install-based remediation. Also, after adding this setting, you will need to edit the setting to specify additional information.
XpressConnect can detect the presence of a Pharos printer package.
Supported settings include:
Configured - Default. The Pharos package name specified must exist on the system.
The verification of the package name is based on the Pharos package name given during packaging, which on Windows appears in the registry at HKLM\Software\Pharos\Installed Packages\.
These settings control the proxy settings web browsers will use.
HTTP proxy settings (80028)
XpressConnect can detect the status of the 'HTTP Proxy settings' setting for web browsers.
Supported settings include:
No Proxy - Default. When selected, web browsers will be configured not to use a Proxy.
Auto-detect proxy settings for this network - When selected, the web browser will attempt to auto-detect proxy server settings on the network.
Use manual proxy settings for this network - When selected, the web browser will attempt to use manually configured proxy settings.
Use automatic proxy configuration URL for this network - When selected, the web browser will attempt to configure settings provided by an automatic proxy configuration URL.
This setting is only applicable if the user's machine has a supported web browser installed. XpressConnect is able to auto remediate this setting.
These settings allow processes and services to be controlled.
Process (80004)
XpressConnect can detect the state of a process.
Supported settings include:
Running - Default. The process is considered running if it is listed on the Processes tab of the Windows Task Manager.
Disabled - The process is considered disabled if it is not running.
To enforce the state of a process, the network administrator must specify the name of the executable (ex. Calc.exe) as displayed on the Processes tab of the Windows Task Manager. This value is case-insensitive. The state of multiple processes may be enforced. For auto remediation, the application must exist on the user's computer and the executable file must be on the path.