Device Certificates and MWireless authentication

In early 2024, we will be rolling out device certificates along with certificate-based (EAP-TLS) authentication for MWireless on Macs. We will make this available to our iOS customers after the Mac deployment.

Benefits

  • Macs will be able to join MWireless without needing a user’s uniqname and password, and will be able to join MWireless before the desktop loads.

  • Initial user login can now be performed wirelessly on campus.

  • Packages can be installed while at the login screen, without a user being logged in.

    • On iOS, this means MDM commands won’t require the device be unlocked to be received.

  • We can secure Izzy APIs and other services with client certificates, rather than secret header values.

 

Certificates will be valid for six months at a time, and will be automatically renewed starting about 90 days before they expire.

  • If a device’s certificate expires (for example, it has been in a drawer for a year), the device will need to connect to Ethernet, MGuest, any home or public WiFi, or to MWireless with a uniqname and password, in order to obtain a new certificate.

  • We will stop renewing certificates for systems running an OS older than our n-1 OS support policy allows. We do not plan to revoke them, but we will not extend their lifetimes either.

    • This means a device running an out-of-date OS may lose MWireless auto-join around three months, on average, after we stop auto-renewal, whenever its current certificate expires.

User Visible Changes

  • A new profile will be deployed, named “Device Certificate and MWireless”

  • A new certificate can be found in Keychain Access, in the System keychain, with the device’s serial number as its name.

    • That certificate’s issuer will be “ITS Device Access Intermediate CA”

  • System Settings > WiFi > MWireless > Details… > 802.1X tab will show that 802.1X is authenticated using EAP-TLS.
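The following is an added example, not ITS tooling or anything from the original page: a shell check that finds a Mac's device certificate in the System keychain by serial number, confirms the issuer, and reports where the certificate stands against the renewal policy described above (six-month lifetime, auto-renewal from about 90 days out). It assumes the standard macOS `ioreg`, `security` and `openssl` commands, the System keychain at /Library/Keychains/System.keychain, and that the certificate name is exactly the serial number and the issuer contains "ITS Device Access Intermediate CA"; the classification helpers are plain POSIX sh and run anywhere.

```shell
#!/bin/sh
# Added example: report where a Mac's MWireless device certificate stands
# against the renewal policy (180-day lifetime, auto-renew from ~90 days out).
# Assumptions (not tooling described by the page): the certificate is named
# with the device serial number, its issuer contains the CA name below, and it
# lives in the System keychain.

EXPECTED_ISSUER="ITS Device Access Intermediate CA"
RENEW_WINDOW_DAYS=90
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Classify by seconds until notAfter:
#   expired  - auto-join will fail; re-enroll over Ethernet, MGuest or another network
#   renewing - inside the 90-day window; renewal should already be underway
#   ok       - nothing to do
cert_state() {
    if [ "$1" -le 0 ]; then
        echo expired
    elif [ "$1" -le $((RENEW_WINDOW_DAYS * 86400)) ]; then
        echo renewing
    else
        echo ok
    fi
}

# Whole days from epoch $1 (now) to epoch $2 (expiry); negative once expired.
days_until() {
    echo $(( ($2 - $1) / 86400 ))
}

# Succeeds when an `openssl x509 -issuer` line names the expected CA. Matching
# on the CA name alone works with both LibreSSL (macOS) and OpenSSL, which
# print the DN in different formats.
issuer_ok() {
    case "$1" in
        *"$EXPECTED_ISSUER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Convert "notAfter=Jun 30 12:00:00 2024 GMT" to epoch seconds (BSD or GNU date).
notafter_to_epoch() {
    s=${1#notAfter=}
    if [ "$(uname)" = Darwin ]; then
        date -j -f "%b %e %H:%M:%S %Y %Z" "$s" +%s
    else
        date -d "$s" +%s
    fi
}

# The live check: find the cert by serial number, verify the issuer, classify it.
check_device_cert() {
    serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/ {print $4}')
    pem=$(security find-certificate -c "$serial" -p "$SYSTEM_KEYCHAIN" 2>/dev/null) || {
        echo "no certificate named $serial in the System keychain (device needs to enroll or re-enroll)"
        return 1
    }
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    issuer_ok "$issuer" || { echo "unexpected issuer: $issuer"; return 1; }
    expiry=$(notafter_to_epoch "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)")
    now=$(date +%s)
    echo "device cert $serial: $(days_until "$now" "$expiry") days left, state=$(cert_state $((expiry - now)))"
}

# Only run the live check where the macOS tooling exists.
if command -v security >/dev/null 2>&1 && command -v ioreg >/dev/null 2>&1; then
    check_device_cert
fi
```

Run it with `sh check-device-cert.sh` on an enrolled Mac. A state of `expired` means the device is past the point where auto-renewal can help and needs one of the alternative connections listed above; `renewing` simply means the device is inside the window in which ITS will replace the certificate. If both the old and the renewed certificate are present, `security find-certificate` returns the first match; add `-a` to list them all.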

Other Notes

  • Devices should land on the 37.x full user range, and not the 67.x network.

  • The Mac will prefer MWireless, which may cause frustration with some setups (e.g., connecting to a lab or development network).

  • Eduroam is not affected by this change.

  • This feature is limited to Intel Macs with the T2 chip and Apple silicon Macs, because the certificate’s private key is generated in and bound to the Secure Enclave. The key cannot be exported.

Future

  • In late 2024, we hope to move to using Managed Device Attestation certificates, wherein Apple attests to certain properties of the hardware. That lets us make strong statements that the device is the device we think it is, and that it is, in fact, owned by U-M.

Known Issues

  • Some Macs with a saved MWireless password in Keychain Access may not join MWireless until that keychain entry is deleted.

[Screenshot: MWirelessKeychainEntry.png, the saved MWireless password entry in Keychain Access]

Once the entry is deleted, turn Wi-Fi off and then back on from the menu bar.