The following settings apply to Mac OS X Leopard (10.5) and iPhone. They affect the behavior of the device on the network, particularly with regard to wireless connections and 802.1X authentication. Each of these settings is configurable automatically using XpressConnect.
This setting controls the encryption and authentication style for the SSID. XpressConnect can detect this setting.
Supported settings include:
WPA Enterprise - Default. If selected, WPA Enterprise will be used. This is the 802.1X version of WPA and is sometimes referred to simply as WPA (as opposed to WPA-PSK).
WPA Personal - If selected, WPA Personal will be used. This is also known as WPA-PSK (pre-shared key).
WPA2 Personal - If selected, WPA2 Personal will be used. This is also known as WPA2-PSK (pre-shared key).
WPA2 Enterprise - If selected, WPA2 Enterprise will be used. This is the 802.1X version of WPA2 and is sometimes referred to simply as WPA2 (as opposed to WPA2-PSK).
Open - If selected, the ssid will be configured to be open (no encryption).
Static WEP - If selected, the ssid will be configured for static WEP.
Dynamic WEP (802.1X) - If selected, the ssid will be configured for dynamic WEP. This is the original version of 802.1X (pre-WPA) and is sometimes labeled simply as '802.1X'.
XpressConnect is able to auto remediate this setting. By default, Mac OS X will use an open network.
Within the Mac supplicant, information is stored in profiles, each with a profile name. XpressConnect can detect whether or not a particular profile is defined on the system. Typically, the profile name is also the ssid name in a wireless environment.
Supported settings include:
Configured - Default. The profile is considered configured if it exists in the list of profiles within Internet Connect. If the profile exists by name, it will be modified. If not, it will be created.
XpressConnect is able to auto remediate this setting. By default, Mac OS X does not contain any profiles. Note: A single profile name is tied to a single interface. Therefore, if supporting both wired and wireless connections, the profile name for wired connections should not be the same as for wireless. We recommend using the ssid as the profile name for wireless and using 'Sample University Wired' for wired connections.
On Leopard, setting this value to [SYSTEM] will cause the profile to be stored as the System profile.
Any other name will be stored as a User profile.
Within a profile, one or more EAP types may be specified. The supplicant will determine the appropriate one to use. XpressConnect is able to detect and configure this list of acceptable EAP types.
Supported settings include:
Selected - Default. The EAP type(s) is considered selected if the list of selections within the profile exactly matches the list specified. Multiple EAP types may be specified using a semi-colon separated list.
NOTE: The list of valid EAP types on a standard install is: TTLS, TLS, EAP-FAST, PEAP, LEAP, and MD5. If specifying multiple types, they must be listed in the same order as above. For example, 'TTLS;PEAP' is correct, 'PEAP;TTLS' is incorrect. TLS is only selectable if client certificates are installed.
XpressConnect is able to auto remediate this setting. By default, Mac OS X will allow TTLS, EAP-FAST, PEAP, LEAP, and MD5. Selection of acceptable EAP types will depend on your deployment, but we recommend removing LEAP and MD5 from the acceptable list.
This setting controls the cached credentials of an 802.1X profile. XpressConnect can detect this setting.
Supported settings include:
cached - If selected, the credentials entered by the end-user will be cached in their login.keychain. This is important to ensure automatic reconnections.
XpressConnect is able to auto remediate this setting.
This setting prevents the operating system from caching the credentials for the 802.1X profile.
Supported settings include:
Disabled - Default. When disabled, the operating system will cache the user's credentials.
Enabled - When enabled, the operating system will prompt for credentials upon every association.
This setting is supported by Mac Snow Leopard (10.6) and iPhone. It is not supported by Mac Tiger (10.4) or Leopard (10.5). XpressConnect is able to auto remediate this setting.
XpressConnect can configure the setting 'Trusted Server Certificate Names'.
Supported settings include:
Configured - Default. When selected, the name of the authentication server will be verified before an authentication is attempted. If selected, the server name must be specified.
The verification of the server name is based on the CN field within the server's certificate. Multiple server names may be specified using a semi-colon separated list.
This setting is not supported on Leopard. It is supported on Snow Leopard and iPhone. This setting is the equivalent of Verify Server Certificate on Windows.
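Added example (not XpressConnect's own code): a small Python validator for the two semicolon-separated settings described above, the acceptable EAP type list with its fixed ordering rule, and the Trusted Server Certificate Names list matched against the CN of the RADIUS server certificate. It assumes exact, case-sensitive CN matching; the page does not state XpressConnect's actual comparison rules.

```python
"""Validators for two semicolon-separated settings: the EAP type list and
the Trusted Server Certificate Names list."""

# Order in which the Mac supplicant lists EAP types on a standard install;
# a multi-type value must be given in this order (e.g. 'TTLS;PEAP').
EAP_ORDER = ("TTLS", "TLS", "EAP-FAST", "PEAP", "LEAP", "MD5")
# Types the guidance above recommends removing from the acceptable list.
WEAK_EAP_TYPES = frozenset({"LEAP", "MD5"})


def parse_eap_types(spec, client_cert_installed=False):
    """Return the EAP types in `spec` as a tuple, or raise ValueError on an
    unknown name, a duplicate, wrong ordering, or TLS without a client cert."""
    names = [n.strip() for n in spec.split(";") if n.strip()]
    if not names:
        raise ValueError("at least one EAP type is required")
    positions = []
    for name in names:
        if name not in EAP_ORDER:
            raise ValueError("unknown EAP type: %r" % name)
        if name == "TLS" and not client_cert_installed:
            raise ValueError("TLS is only selectable with a client certificate")
        positions.append(EAP_ORDER.index(name))
    # Duplicates or out-of-order entries break the strictly increasing sequence.
    if positions != sorted(set(positions)):
        raise ValueError("EAP types must be unique and listed in the order "
                         + ";".join(EAP_ORDER))
    return tuple(names)


def eap_spec_is_valid(spec, client_cert_installed=False):
    """Boolean form of parse_eap_types, for a simple configuration check."""
    try:
        parse_eap_types(spec, client_cert_installed)
    except ValueError:
        return False
    return True


def weak_eap_types(spec):
    """The LEAP/MD5 entries in `spec`, i.e. what the guidance says to remove."""
    return tuple(n for n in parse_eap_types(spec, True) if n in WEAK_EAP_TYPES)


def server_name_trusted(certificate_cn, trusted_names):
    """True if the RADIUS certificate's CN is in the semicolon-separated
    setting value. Assumption: exact, case-sensitive match, no wildcards."""
    allowed = {n.strip() for n in trusted_names.split(";") if n.strip()}
    return certificate_cn.strip() in allowed
```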
XpressConnect can detect the state of the built-in firewall in Mac Leopard (10.5).
Supported settings include:
Enabled - Default. The firewall is considered enabled if either 'Allow only essential services' or 'Set access for specific services and applications' is selected in the Mac user interface.
Enabled And Stealth - The firewall is considered enabled if either 'Allow only essential services' or 'Set access for specific services and applications' is selected in the Mac user interface. The firewall is considered to be in stealth mode if 'Enable Stealth Mode' is selected in the Mac user interface.
For auto remediation, XpressConnect will enable the built-in firewall.
By default, a new install of Mac OS X Leopard (10.5) will have the built-in firewall disabled.
XpressConnect can detect the system clock. This is important when server certificates are used for authentication to ensure the machine does not incorrectly believe the certificate is expired. This setting will query the current timestamp from a URL. If the URL is unavailable, the user will be prompted to confirm their current system clock. If the system clock differs by more than 7 days, the user will be prompted to correct the system clock.
Supported settings include:
In Sync - Default. The system clock must be within the range specified.
XpressConnect supports auto remediation of this setting.
If a PHP, JSP, or ASP deployment package is used, the package contains a timestamp file in tools. In these cases, leave the URL blank and the system will automatically use the timestamp file.
If an HTML deployment package is used, this needs to be the full URL (for example http://1.1.1.1/timestamp.txt) to a timestamp file. The timestamp file needs to contain the current timestamp in the format TIMESTAMP:YYYYMMDD-HHMMSS. There are a couple of options as to how this file is handled. First, it may be queried from another server which has scripting capabilities. The second option is to have a scheduled task regularly update the timestamp text file.
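Added example (not part of XpressConnect): both ends of the timestamp mechanism above in Python, a writer that a scheduled task or server-side script could use to produce the TIMESTAMP:YYYYMMDD-HHMMSS file, and the clock comparison with its 7-day threshold and the "URL unavailable" fallback. It assumes both clocks are expressed in UTC and leaves fetching the URL to the caller.

```python
"""Writer and checker for the System Clock timestamp file described above
(format TIMESTAMP:YYYYMMDD-HHMMSS). Assumption: both sides use UTC."""
import re
from datetime import datetime, timedelta

TIMESTAMP_RE = re.compile(r"^TIMESTAMP:(\d{8})-(\d{6})$")
MAX_SKEW = timedelta(days=7)  # the page: prompt when off by more than 7 days


def format_timestamp(now):
    """Render `now` as the file contents; this is what a scheduled task
    or server-side script would write to timestamp.txt."""
    return now.strftime("TIMESTAMP:%Y%m%d-%H%M%S")


def parse_timestamp(text):
    """Parse the file contents into a datetime, or raise ValueError."""
    match = TIMESTAMP_RE.match(text.strip())
    if not match:
        raise ValueError("expected TIMESTAMP:YYYYMMDD-HHMMSS, got %r" % text)
    # strptime also rejects impossible dates such as month 13.
    return datetime.strptime(match.group(1) + match.group(2), "%Y%m%d%H%M%S")


def clock_status(local_now, timestamp_text):
    """Classify the local clock against the fetched timestamp.

    Returns 'in_sync' when within MAX_SKEW, 'correct' when the user must be
    asked to fix the clock, and 'confirm' when no usable timestamp was
    fetched (None or malformed), i.e. the user confirms the clock manually.
    """
    if timestamp_text is None:
        return "confirm"
    try:
        server_now = parse_timestamp(timestamp_text)
    except ValueError:
        return "confirm"
    return "in_sync" if abs(local_now - server_now) <= MAX_SKEW else "correct"
```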
These settings allow additional software packages to be installed if necessary.
Software (80025)
This setting will allow a generic software package to be installed if necessary. NOTE: For remediation by installation to work properly, see the FAQ on the Support tab regarding install-based remediation. Also, after adding this setting, you will need to edit the setting to specify additional information.
A root CA certificate is the publicly-exposed certificate (containing the public key) of a certificate authority. When using server certificate validation with a self-signed certificate, it is necessary to install the root CA certificate on the user's machine. This setting allows the network administrator to ensure a CA certificate is installed. On Leopard, it will also ensure that the CA certificate is marked as 'trusted'.
XpressConnect can detect the installation status of a root CA certificate.
Supported settings include:
Installed - Default. The certificate is considered installed if it exists in one of the following certificate stores: Root, My, CA, or AuthRoot.
During auto remediation, XpressConnect will install the certificate in the Root certificate store (Windows) or the System keychain (Leopard). A new install of Windows XP, Vista, and Leopard contains a limited set of default root CA certificates.
XpressConnect can detect the presence of a Pharos printer package.
Supported settings include:
Configured - Default. The Pharos package name specified must exist on the system.
The verification of the package name is based on the Pharos package name given during packaging, which on Windows appears in the registry at HKLM\Software\Pharos\Installed Packages\.
Trust Server Certificate In Login Keychain (EAP) (61303)
The server certificate is the publicly-exposed certificate (containing the public key) of the RADIUS server. On Mac Leopard, you have the option of trusting the Certificate Authority or the actual server certificate. The first is more commonly used; the second is more secure. When using server certificate validation with a self-signed certificate, it is necessary to either install and trust the root CA certificate or install and trust the server certificate. This setting allows the network administrator to ensure the server certificate is installed and marked as 'trusted' for EAP (802.1X).
XpressConnect can detect the installation status of a server certificate.
Supported settings include:
Installed - Default. The certificate is considered installed if it exists in the user's login keychain and is marked trusted for EAP.
During auto remediation, XpressConnect will install the certificate in the user's login keychain and mark it trusted for EAP. A new install of Leopard does not contain server certificates.
Trust Server Certificate In System Keychain (EAP) (61304)
The server certificate is the publicly-exposed certificate (containing the public key) of the RADIUS server. On Mac Leopard, you have the option of trusting the Certificate Authority or the actual server certificate. The first is more commonly used; the second is more secure. When using server certificate validation with a self-signed certificate, it is necessary to either install and trust the root CA certificate or install and trust the server certificate. This setting allows the network administrator to ensure the server certificate is installed and marked as 'trusted' for EAP (802.1X).
XpressConnect can detect the installation status of a server certificate.
Supported settings include:
Installed - Default. The certificate is considered installed if it exists in the System keychain and is marked trusted for EAP.
During auto remediation, XpressConnect will install the certificate in the System keychain and mark it trusted for EAP. A new install of Leopard does not contain server certificates.
The Mac version of XpressConnect uses Java WebStart. WebStart requires that the application is signed with a code signing certificate. Upon launch, WebStart will prompt the user to ask if they trust the application. This setting will install the code signing certificate and mark it as trusted. This will eliminate the 'trust?' prompt on subsequent uses of XpressConnect.
Supported settings include:
Trusted - Default. The certificate is considered trusted if it exists in the user's login keychain and is marked trusted for code signing.
During auto remediation, XpressConnect will install the certificate in the user's login keychain and mark it trusted for code signing.
These settings control the proxy settings web browsers will use.
HTTP proxy settings (80028)
XpressConnect can detect the status of the 'HTTP Proxy settings' setting for web browsers.
Supported settings include:
No Proxy - Default. When selected, web browsers will be configured not to use a Proxy.
Auto-detect proxy settings for this network - When selected, the web browser will attempt to auto-detect proxy server settings on the network.
Use manual proxy settings for this network - When selected, the web browser will attempt to use manually configured proxy settings.
Use automatic proxy configuration URL for this network - When selected, the web browser will attempt to configure settings provided by an automatic proxy configuration URL.
This setting is only applicable if the user's machine has a supported web browser installed. XpressConnect is able to auto remediate this setting.
These settings allow processes and services to be controlled.
Process (80004)
XpressConnect can detect the state of a process.
Supported settings include:
Running - Default. The process is considered running if it is listed on the Processes tab of the Windows Task Manager.
Disabled - The process is considered disabled if it is not running.
To enforce the state of a process, the network administrator must specify the name of the executable (e.g. Calc.exe) as displayed on the Processes tab of the Windows Task Manager. This value is case-insensitive. The state of multiple processes may be enforced. For auto remediation, the application must exist on the user's computer and the executable file must be on the path.