You can configure the SecureW2 network profile to provision the device at the system level instead of the user level. There are also a few other changes needed so that the certificate is issued for the hostname instead of the user. The user running the provisioning application needs to be a super/admin user. The application won't prompt for elevation in Windows; you just have to run as admin for it to complete without error. IIRC it worked fine in macOS.

If this is for managed devices instead of BYOD, then there is a good chance it already has a domain-issued identity certificate (you mentioned ADCS/GPO). I'm not certain, but I believe that I had a working SecureW2 policy that didn't actually issue a certificate; it just configured the device to use an existing identity certificate. Take that with a grain of salt though; it's been a year or so since I played with that, and I may not be recollecting correctly.

SecureW2 also has a Managed Device Gateway subscription that makes this very easy. Instead of having a user go out and provision a device manually, it automates the process. Of course, it's not free.

Unrelated to SecureW2 and WiFi, we recently completed a project that uses ADCS-issued identity certificates to perform AnyConnect authentication. Managed Windows devices already had the certificate, but macOS devices had a certificate issued by our jamf CA. To make the whole process simpler for AnyConnect and the headend ASA, we added a policy for macOS devices that has them obtain an additional identity cert from ADCS when the device is provisioned by jamf (they have both the jamf and ADCS ID certs). I wasn't directly involved in the jamf configuration, but I believe that jamf acts as a proxy and requests the cert from ADCS.

Ethan Grinnell
CCIE R&S #39723, BS CmpE
Network Engineer
Office of Information Technology, Technology Infrastructure, Networking
Portland State University

On Wed, Oct 14, 2020 at 12:21 PM Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
> For Windows 10, you can use TEAP with chained machine + user certs (or a mix of cert and legacy cred).
>
> For macOS, I'd recommend just using a machine identity, unless you absolutely need user identity for policy.
>
> tim
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Wednesday, October 14, 2020 at 15:15
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *[WIRELESS-LAN] multi user windows/osx eap tls onboarding
>
> For folks who onboard using EAP-TLS: what workflow or solution do you use for multi-user Windows/OS X devices? We are using SecureW2, and this onboarding process creates a cert for the user who onboards the device. Then, when another user logs on, they can't connect to wireless because the cert isn't for the user currently logged on. I can do machine auth via ADCS and GPO that out for those, but not sure how or what to do with OS X multi-user.
>
> Thanks
>
> Trent
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
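The thread's core problem is that a certificate issued to the onboarding user lives in that user's store and is invisible to anyone else who logs on, while a machine identity (issued for the hostname, as Ethan describes) is shared by every account. The script below is an added diagnostic, not something from the thread or from SecureW2; it inventories Client Authentication identities in the Windows machine store versus the current user's store and reports whether the machine certificate's SAN actually names the device FQDN. It assumes an English-locale Windows build (the SAN extension formats as `DNS Name=...`), that the machine cert carries its hostname as a dNSName SAN rather than only in the subject, and an elevated session so `Cert:\LocalMachine\My` private-key metadata is readable; it modifies nothing.

```powershell
# Added example (not from the thread): list EAP-TLS-capable identities per store
# so you can tell whether wireless auth can rely on a shared machine certificate
# or is tied to one user's certificate. Read-only; run elevated on the client.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU

# Device FQDN, with a fallback if DNS lookup of the host name fails
try   { $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
catch { $Fqdn = "$env:COMPUTERNAME.$env:USERDNSDOMAIN" }

function Get-SanNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 = Subject Alternative Name. Format($false) yields one line such as
    # "DNS Name=host.example.edu, Other Name:Principal Name=user@example.edu" (assumed English locale)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($null -eq $ext) { return @() }
    return ($ext.Format($false) -split ',\s*')
}

function Get-EapClientIdentities {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        } |
        ForEach-Object {
            $san = Get-SanNames -Cert $_
            [pscustomobject]@{
                Store       = $StorePath
                Subject     = $_.Subject
                Issuer      = $_.Issuer
                NotAfter    = $_.NotAfter
                SAN         = ($san -join '; ')
                # A machine identity should name the device FQDN as a dNSName SAN;
                # a user identity normally carries a UPN instead.
                MatchesHost = [bool]($san | Where-Object { $_ -match [regex]::Escape("DNS Name=$Fqdn") })
                Thumbprint  = $_.Thumbprint
            }
        }
}

$machine = @(Get-EapClientIdentities -StorePath 'Cert:\LocalMachine\My')
$user    = @(Get-EapClientIdentities -StorePath 'Cert:\CurrentUser\My')

"Device FQDN: $Fqdn"
"Machine-store client-auth identities (available to every user): $($machine.Count)"
$machine | Format-Table Subject, SAN, MatchesHost, NotAfter -AutoSize
"Current-user client-auth identities (this account only): $($user.Count)"
$user | Format-Table Subject, SAN, NotAfter -AutoSize

if ($machine.Count -eq 0) {
    "No machine identity with the Client Authentication EKU: other users of this device can only connect if each one onboards separately."
} elseif (-not ($machine | Where-Object MatchesHost)) {
    "A machine certificate exists but its SAN does not contain $Fqdn; check the ADCS template or SecureW2 profile so the cert is issued for the hostname."
}
```

If the machine store shows a valid identity with the hostname in its SAN, the device already has what a machine-auth wireless profile (or the SecureW2 "use existing certificate" policy Ethan mentions) needs, and the user-store certificates are only relevant for per-user policy. An expired or missing machine identity is the usual reason a second user fails to associate on an otherwise domain-joined Windows device.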