How to Troubleshoot 802.1x Mac Authentication Issues

It is quite complex to troubleshoot 802.1X authentication issues on Macs. Here are a few places you can look for errors:

1. RADIUS Server Log

This is the most convenient and efficient way to troubleshoot 802.1X issues. Just send the Mac's address to your network engineer and ask for the authentication log 🙂

If the identity you send is just FQDN_computername, it will fail for sure.

The correct name should be computername$

Or you can use host/FQDN_computername


2. EAPOLClient Log

If you cannot find your network engineer easily, here is the perfect log to troubleshoot with. Just open Terminal; the first command turns on verbose eapolclient logging, and the second dumps the recent Mac authentication log (the last 30 minutes in the command below) to your Desktop:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1

log show --style syslog --predicate 'processImagePath contains "eapolclient" and subsystem contains "com.apple.eapol"' --last 30m > ~/Desktop/eapolclient.log

You will get this if someone removes the network configuration profile:

You will get this if your network identity preference is not correctly linked to your Mac client certificate:

Your EAP Response Identity should be computername$ or host/FQDN_computername
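To tie sections 1 and 2 together, here is an added helper (not part of the original post) that classifies an EAP identity into the forms the post says RADIUS accepts or rejects, and scans a log dump for the identity the client actually sent. The log line format is an assumption constructed for this example; compare it against your own eapolclient.log before relying on the pattern.

```shell
#!/bin/sh
# Added example (not part of the original post): classify the EAP identity a Mac
# sends and scan an eapolclient log dump for the identity it actually used.
# Accepted forms per the post: "computername$" or "host/FQDN_computername";
# a bare FQDN (mac01.corp.example.com) is the form the RADIUS server rejects.

# Prints one of: ok-machine, ok-host-fqdn, bad-fqdn, bad-other
classify_eap_identity() {
  case "$1" in
    host/*.*) echo ok-host-fqdn ;;   # host/mac01.corp.example.com
    *.*)      echo bad-fqdn ;;       # FQDN with no host/ prefix: fails
    *\$)      echo ok-machine ;;     # MAC01$ (the AD machine account)
    *)        echo bad-other ;;
  esac
}

# Extract identities from lines of the constructed form
#   ... EAP Response Identity 'XXX'
# (assumed format for this example; check it against your own eapolclient.log)
identities_from_log() {
  sed -n "s/.*EAP Response Identity '\([^']*\)'.*/\1/p" "$1"
}

# Returns 0 only if every identity seen in the log is in an accepted form
check_log() {
  rc=0
  for id in $(identities_from_log "$1"); do
    case "$(classify_eap_identity "$id")" in
      ok-*) ;;
      *) echo "identity '$id' will be rejected by RADIUS" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample log: first attempt sent the bare FQDN, second the machine account
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2017-04-03 10:12:01 eapolclient[412] <Notice>: en0: EAP Response Identity 'mac01.corp.example.com'
2017-04-03 10:12:09 eapolclient[412] <Notice>: en0: EAP Response Identity 'MAC01$'
EOF

if check_log "$SAMPLE_LOG"; then
  echo "all identities acceptable"
else
  echo "fix the identity payload (see section 1)"
fi
```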

3. Keychains


You should have these items inside your Keychain:

1. Identity Preference for Wi-Fi under your "login" keychain
2. Identity Preference for Ethernet under "System"
3. 802.1X Password for Wi-Fi under "System"
4. 802.1X Password for Ethernet under "System"
5. Root CA certificate


4. Configuration Profile Installation Issues

If you see this message when trying to install the configuration profile:

The 'Active Directory Certificate' payload could not be installed. The certificate request failed.

Enable debug logging for the managed client and then check the log from there:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

And then check the log at /Library/Logs/ManagedClient/ManagedClient.log

If everything is fixed, you should be able to see these in your network connection:



802.1X Network Authentication for Mac

Cannot believe I spent so much time just to figure out how to do 802.1X network authentication for Macs 🙂

So for managing Macs, we have two ways to set up 802.1X: one is using Apple Profile Manager to create a configuration profile, and the other is to use a Casper configuration profile. From the internet, it seems the Casper profile has some issues with the Ethernet profile, so I decided to use Apple Profile Manager from the Server app.

However, no matter what settings I made, it always turned out like this when I installed the profile on a test Mac:

So I had to choose the Casper configuration route. However, if you are using Apple Profile Manager, here are a few points that may be helpful to you:

1. On the Certificate Server, you have to type something like this: https://FQDN/certsrv
2. The username you use to authenticate with the RADIUS server can be %ComputerName%$

Here are a few articles that talk about this method:

https://support.apple.com/en-us/HT204602

https://kevinbecker.squarespace.com/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

Ok, now let's talk about doing 802.1X authentication using Casper's configuration profile. Here are the settings from my environment:

1. Upload your root CA certificate on the Certificate tab;
2. Set up your AD certificate payload so your Mac acquires its client certificate;
   2.1 For Certificate Authority, just the common name of your server is fine;
   2.2 Be careful about "The name of the CA"; you can find your real CA name from this URL:
   https://support.microsoft.com/en-us/help/555529?wa=wsignin1.0%3Fwa%3Dwsignin1.0
3. On the Network tab, create two networks, one for Wi-Fi and the other for Ethernet.
   It needs to be "Computer Level" under the "General" tab.
   Choose the security type your environment uses; for me, it is TLS.
   On the Trust tab, choose the root CA, and specify any RADIUS servers you need to trust; if you have too many, just use *.FQDN.

   The username part is very important. If you use $COMPUTERNAME like Casper says, it will come out as name.domain.net; however, for our RADIUS server to recognize it, it needs to be something like name$, so we have to use %AD_ComputerID%.

   Then do the same for Ethernet. Some people prefer to create two separate configuration profiles, one for Wi-Fi and the other for Ethernet. I did that before, and then found out I would have two identical client machine certificates, so I decided to put both into one profile to avoid confusion.

4. If you think you are done, that is far too easy 🙂

If you install the configuration profile, you will see that Ethernet works well; however, Wi-Fi won't work (in my case, Wi-Fi wouldn't associate my client machine certificate, so I had to manually link them together).

Here is my script to do a manual configuration profile install and then link them together:

#!/bin/sh

# Short hostname plus the domain suffix gives the client certificate's common name
a=$(hostname -s)
b=".your.domain.name"

# Install the profile, then link the client identity to the Wi-Fi SSID identity preference
/usr/bin/profiles -I -F /private/tmp/network.mobileconfig
security set-identity-preference -c "$a$b" -s "com.apple.network.eap.user.identity.wlan.ssid.your wifi name"

Ok, now you should be all set with 802.1X network authentication for your Macs 🙂


How to Check Macs with Office 2011 & Office 2016 Installed in Casper

Here are the Casper Smart Groups to see how many Office 2011 and Office 2016 users there are:



SCCM SQL Report for All Office Users

Here is the SCCM SQL report statement for finding all Office users. I have used "Microsoft Office Professional" as the keyword; you can change it to any software title you want 🙂

SELECT DISTINCT TOP (100) PERCENT
    RV.AD_Site_Name0 AS [AD Site],
    RV.Netbios_Name0 AS [PC Name],
    RV.Creation_Date0 AS [PC Joined Date],
    RV.User_Name0 AS [User Name],
    dbo.v_GS_INSTALLED_SOFTWARE.ProductName0,
    dbo.v_GS_INSTALLED_SOFTWARE.ProductVersion0,
    dbo.v_R_User.description0 AS [Employee Location],
    dbo.v_R_User.Mail0 AS Email,
    dbo.v_R_User.title0 AS Title,
    dbo.v_R_User.department0 AS Department,
    dbo.v_R_User.manager0 AS Manager
FROM dbo.v_R_System_Valid AS RV
    INNER JOIN dbo.v_R_User ON RV.User_Name0 = dbo.v_R_User.User_Name0
    INNER JOIN dbo.v_GS_INSTALLED_SOFTWARE ON RV.ResourceID = dbo.v_GS_INSTALLED_SOFTWARE.ResourceID
GROUP BY RV.Netbios_Name0, RV.AD_Site_Name0, RV.Creation_Date0, RV.User_Name0,
    dbo.v_R_User.department0, dbo.v_R_User.description0, dbo.v_R_User.Mail0,
    dbo.v_R_User.manager0, dbo.v_R_User.title0,
    dbo.v_GS_INSTALLED_SOFTWARE.ProductName0, dbo.v_GS_INSTALLED_SOFTWARE.ProductVersion0
-- Change the keyword below to match any software title you want to report on
HAVING (dbo.v_GS_INSTALLED_SOFTWARE.ProductName0 LIKE N'%Microsoft Office Professional%')
ORDER BY [User Name]


SCCM Package for Tableau & Tableau Reader

Installation command line:

TableauReader-64bit-10-3-1.exe /quiet /norestart AUTOUPDATE=0 ACCEPTEULA=1

Detection method:

File exists and version equals, under:

C:\Program Files\Tableau\Tableau Reader 10.3\bin

 


Cannot Install SCCM client – Setup was unable to compile Sql CE

It turns out the solution is easy:

Just delete everything under C:\Windows\CCM and run the client setup again.


Another way to check Update Installed via Powershell

I have to check if a machine has the MS March update installed, and SCCM cannot make my job simpler 🙁

So I created a new compliance rule to check the result; here is the code:

$error.Clear()

# Title (or a distinctive part of it) of the update we need to see in the history
$updateTitle = "March, 2017 Security Monthly Quality Rollup"

try {
    $Session  = New-Object -ComObject "Microsoft.Update.Session"
    $Searcher = $Session.CreateUpdateSearcher()
    $historyCount = $Searcher.GetTotalHistoryCount()

    # Operation: 1 = Installation, 2 = Uninstallation, 3 = Other
    # ResultCode: 2 = Succeeded
    # Keep only successful installations whose title matches the update we want
    $installed = $Searcher.QueryHistory(0, $historyCount) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 -and $_.Title -like "*$updateTitle*" } |
        Select-Object Title, Date
}
catch {
    $installed = $null
}

# Compliant only when the query ran cleanly and the update shows up as installed
if (!$error -and $installed) {
    Write-Host "Compliant"
}
else {
    Write-Host "Non-Compliant"
}



More Accurate SCCM Software Metering Report

I found out that the SCCM view v_MonthlyUsageSummary is not really accurate; actually v_GS_CCM_RECENTLY_USED_APPS.LastUsedTime0 is the most accurate one to determine a user's application usage through SCCM.

Here is my SQL query (it lists machines where WINPROJ.EXE has not been used in more than 30 days):

SELECT DISTINCT TOP (100) PERCENT
    RV.AD_Site_Name0 AS [AD Site],
    RV.Netbios_Name0 AS [PC Name],
    RV.User_Name0 AS [User Name],
    dbo.v_GS_CCM_RECENTLY_USED_APPS.LastUsedTime0 AS [Last Used Time],
    dbo.v_GS_CCM_RECENTLY_USED_APPS.OriginalFileName0 AS [File Name],
    dbo.v_GS_CCM_RECENTLY_USED_APPS.ProductName0 AS [Product Name],
    dbo.v_GS_CCM_RECENTLY_USED_APPS.ProductVersion0 AS Version,
    dbo.v_R_User.description0 AS [Employee Location],
    dbo.v_R_User.Mail0 AS Email,
    dbo.v_R_User.title0 AS Title,
    dbo.v_R_User.department0 AS Department,
    dbo.v_R_User.manager0 AS Manager,
    RV.Creation_Date0 AS [PC Joined Date]
FROM dbo.v_R_System_Valid AS RV
    INNER JOIN dbo.v_GS_CCM_RECENTLY_USED_APPS ON RV.ResourceID = dbo.v_GS_CCM_RECENTLY_USED_APPS.ResourceID
    INNER JOIN dbo.v_R_User ON RV.User_Name0 = dbo.v_R_User.User_Name0
GROUP BY RV.Netbios_Name0, RV.AD_Site_Name0, RV.Creation_Date0,
    dbo.v_GS_CCM_RECENTLY_USED_APPS.LastUsedTime0, dbo.v_GS_CCM_RECENTLY_USED_APPS.OriginalFileName0,
    dbo.v_GS_CCM_RECENTLY_USED_APPS.ProductName0, dbo.v_GS_CCM_RECENTLY_USED_APPS.ProductVersion0,
    RV.User_Name0, dbo.v_R_User.department0, dbo.v_R_User.description0,
    dbo.v_R_User.Mail0, dbo.v_R_User.manager0, dbo.v_R_User.title0
-- Executable to report on, and how many days of non-use count as "not used"
HAVING (dbo.v_GS_CCM_RECENTLY_USED_APPS.OriginalFileName0 = N'WINPROJ.EXE')
    AND (DATEDIFF(day, dbo.v_GS_CCM_RECENTLY_USED_APPS.LastUsedTime0, GETDATE()) > 30)
ORDER BY [Last Used Time]


My Automated Powershell Script for SCCM Patching Process

We are slowly moving every machine to SCCM patching lately, and I have to move 100 machines each week, so I created this automated PowerShell script to run weekly.

1. My first script moves the machines to a new OU that has SCCM as the WSUS server:

# Move each computer listed in the text file into the SCCM testing OU
$pcs = Get-Content "C:\Patching\1.txt"
foreach ($pc in $pcs) {
    Get-ADComputer $pc | Move-ADObject -TargetPath 'OU=SCCM Testing,OU=Laptop,OU=Employee,OU=User-Computers,DC=xxx,DC=xxx,DC=xxx'
}

2. Once they are moved, I create a new collection for them and add them to this new collection.

# Add computer list from txt file to new collection
# Ray Qiu
# 3/20/2017

# Load the Configuration Manager module from the admin console path
Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386", "\bin\configurationmanager.psd1")
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):\"

$newcollection = '04'

# Step 2: create the device collection, limited to All Systems
New-CMDeviceCollection -Name $newcollection -LimitingCollectionName 'All Systems'

# Step 3: fetch the collection object we just created
$Collection = Get-CMDeviceCollection -Name $newcollection

# Step 4: move it into the Patching List folder in the console
Move-CMObject -InputObject $Collection -FolderPath 'XXX:\DeviceCollection\Patching List'

# Step 5: add every machine from the list as a direct membership rule
$pcs = Get-Content "C:\Users\xxx\Patching\1.txt"

foreach ($pc in $pcs) {
    $resource = [int](Get-CMDevice -Name $pc).ResourceID
    # Debug output so the run log shows which machine mapped to which ResourceID
    Write-Output $pc
    Write-Output $resource
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $newcollection -ResourceId $resource
}

3. Now I deploy updates for these new machines: the first week they get the Windows 7 baseline patching, and the second week they get the latest monthly patching:

# Deploy Updates
# Ray Qiu
# 3/20/2017

# Change SUPGroupName to match the name of the Software Update Group that you wish to deploy
$SUPGroupName = "Windows 7 Baseline"
$SUPGroupName2 = "Workstation Monthly"
$CollName = "02"

# Load Configuration Manager PowerShell module
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')

# Get SiteCode and set PowerShell drive
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):"

# Settings shared by both deployments
$common = @{
    CollectionName               = $CollName
    DeploymentType               = 'Required'
    VerbosityLevel               = 'OnlySuccessAndErrorMessages'
    TimeBasedOn                  = 'LocalTime'
    UserNotification             = 'DisplayAll'
    SoftwareInstallation         = $True
    AllowRestart                 = $True
    RestartServer                = $True
    RestartWorkstation           = $False
    ProtectedType                = 'RemoteDistributionPoint'
    UnprotectedType              = 'UnprotectedDistributionPoint'
    GenerateSuccessAlert         = $False
    DisableOperationsManagerAlert = $False
    GenerateOperationsManagerAlert = $False
    PersistOnWriteFilterDevice   = $False
    UseBranchCache               = $False
}

# Create Deployments: baseline available/due tomorrow, monthly rollup a week later
Start-CMSoftwareUpdateDeployment @common -SoftwareUpdateGroupName $SUPGroupName -DeploymentName "$SUPGroupName-$CollName" `
    -DeploymentAvailableDay (Get-Date).AddDays(1) -EnforcementDeadlineDay (Get-Date).AddDays(1)
Start-CMSoftwareUpdateDeployment @common -SoftwareUpdateGroupName $SUPGroupName2 -DeploymentName "$SUPGroupName2-$CollName" `
    -DeploymentAvailableDay (Get-Date).AddDays(7) -EnforcementDeadlineDay (Get-Date).AddDays(7)


SCCM Visio / Project Uninstaller Package

It was such a pain to create an SCCM Visio/Project package for this! I tried a few different ways of MSI uninstall via the product code; all failed. Then I started using setup /uninstall: success, but it kept force rebooting after the installation no matter what settings I changed. Finally now I got it working:

Here are the commands to initiate the uninstall, depending on whether you are using the Professional or Standard version of Visio/Project:

setup.exe /uninstall PrjPro /config PrjPro.WW/config.xml

setup.exe /uninstall PrjStd /config PrjStd.WW/config.xml

setup.exe /uninstall vispro /config vispro.ww/config.xml

setup.exe /uninstall Visio /config visio.WW/config.xml

And here are the two lines you need to add to the config.xml:

<Display Level="none" CompletionNotice="no" SuppressModal="yes" AcceptEula="yes" />
<Setting Id="SETUP_REBOOT" Value="Never"/>

The first line gets rid of all the annoying notifications, and the second line disables the forced reboot!

Also, inside the return codes, I changed hard reboot and soft reboot to no reboot: