Configuring a RADIUS Policy for macOS (with SCEP)

This article describes how to create and configure a RADIUS Policy in the Device Management module for macOS devices. By using SCEP (Simple Certificate Enrollment Protocol), you can seamlessly distribute certificates to your macOS devices for secure Wi‑Fi and/or VPN connections.

Overview

  • Purpose: Use the RADIUS Policy to configure Wi‑Fi and/or VPN connections on macOS devices.

  • Supported OS Versions:

    • macOS 10.10+

    • iOS 7.0+

    • iPadOS 7.0+
      (While this article focuses on macOS, the policy can also apply to iOS or iPadOS devices where applicable.)

  • Prerequisites:

    • Tenant ID, Client ID, and Client Secret from your SCEP service provider (e.g., ScepMan).

    • An existing RADIUS server setup or VPN server configuration.

    • Certificates (root or intermediate) if you plan to install them as part of the policy.

Step 1: Create a New Policy

  1. Log in to the Console and select Device Management from the main menu.

  2. Click Policy and then Create New Policy.

  3. In the Select Policy screen, choose RADIUS Policy.

  4. Click Continue to move to the Basic Configurations step.

Step 2: Name and Describe the Policy

  1. Under Basic Configurations, give your policy a Policy Name (for example, “Mac RADIUS Policy”).

  2. (Optional) Add a Policy Description (for example, “This policy is used to manage RADIUS, Wi‑Fi, and VPN configurations on macOS devices”).

  3. Review the Requirements details to ensure your devices meet the OS requirements.

Step 3: Configure the SCEP Settings

  1. In the Settings section, choose the SCEP Service Provider from the dropdown (e.g., ScepMan).

  2. Enter your Tenant ID, Client ID, Client Secret, and the SCEP Main API App ID (if required by your provider).

  3. (Optional) Provide the SCEP App Service Default Domain.

These credentials allow the system to request certificates on behalf of devices, ensuring that Wi‑Fi or VPN connections are authenticated securely.

Step 4: (Optional) Configure Wi‑Fi

  1. Check the Configure WiFi box if you want the policy to manage Wi‑Fi settings on macOS.

  2. Under Wi‑Fi Policy:

    • Service Set Identifier (SSID): Enter the network SSID or domain name (if required on macOS 10.7 or later).

    • Password: Provide the Wi‑Fi password (if using a password-based encryption type).

    • Encryption Type: Choose from supported encryption types (e.g., WPA2, WPA3, or Any).

    • (Optional) Hidden Network: Check this if the network’s SSID is hidden.

    • (Optional) Auto-Join: If enabled, the device will automatically join the network once configured.

    • (Optional) Advanced Network Configurations: Provide additional Wi‑Fi properties if required by your network.

  3. (Optional) If needed, check Configure Security Root Certificate to push a root or intermediate certificate to devices. This is useful for networks using WPA2-Enterprise or 802.1X authentication.

  4. (Optional) Check Configure SCEP to set up additional certificate parameters, if your environment requires a separate SCEP payload aside from the main SCEP settings above.

Step 5: (Optional) Configure VPN

  1. Check the Configure VPN box if you want the policy to manage VPN settings on macOS.

  2. Under VPN Policy:

    • User Defined Name: A description or name displayed on the device (e.g., “Company VPN”).

    • VPN Type: Select the VPN type (e.g., IKEv2, L2TP, or custom types supported by macOS).

    • DNS:

      • Domain Name: The primary domain (tunnel) used by the VPN.

      • Search Domains: Additional domains used for name resolution inside the VPN tunnel.

      • Server Addresses: IP addresses of DNS servers for name resolution.

      • Supplemental Match Domains: (Optional) Additional match domains used to trigger a VPN connection or for advanced DNS settings.

      • Append Supplemental Match Domains to Search Domains: (Optional) Merge match domains with search domains.

    • IPv4 | Sending All Traffic Over VPN: If enabled, all device traffic will route through the VPN once connected.

    • Proxies (HTTP / HTTPS): If your VPN requires a proxy configuration, specify it here.

Step 6: Review and Deploy

  1. Click Continue to review your selections in the Select Devices or Select Device Groups steps.

  2. Assign the policy to the desired devices or device groups:

    • Select devices individually, or

    • Select device groups to apply the policy to a group of macOS devices.

  3. Confirm the settings and click Finish (or Deploy/Save, depending on your console’s workflow).

Once the policy is pushed, enrolled macOS devices will automatically receive the Wi‑Fi and/or VPN configuration, along with the necessary certificates issued via SCEP.

Troubleshooting Tips

  • Check SCEP Credentials: Make sure your Tenant ID, Client ID, and Client Secret are correct. An invalid credential can prevent devices from receiving certificates.

  • Network Connectivity: Ensure that devices can reach the SCEP server and your RADIUS server or VPN endpoint.

  • Certificate Trust: If your RADIUS or VPN server uses a custom certificate authority, you may need to deploy the root or intermediate certificates via Configure Security Root Certificate.

  • View Policy Status: In the Compliance Center (or relevant area), you can see if a device successfully applied the policy or if there were any errors.
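
As an added example (not part of the original article or the vendor's tooling), the following Python sketch audits the Wi‑Fi payload of a configuration profile for the trust settings discussed above: encryption type, SCEP-issued client identity, and root/intermediate certificate anchoring. It assumes the policy reaches the device as a standard Apple configuration profile available as an unsigned plist; the sample profile, UUIDs, and host name are constructed placeholders.

```python
import plistlib

WIFI, SCEP = "com.apple.wifi.managed", "com.apple.security.scep"
CA_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

# Constructed sample profile (placeholder UUIDs and host name, not from the article).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "ROOT-CA-UUID"},
        {"PayloadType": SCEP, "PayloadUUID": "SCEP-UUID"},
        {"PayloadType": WIFI, "SSID_STR": "Corp-WiFi", "EncryptionType": "WPA2",
         "AutoJoin": True, "PayloadCertificateUUID": "SCEP-UUID",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [13],  # 13 = EAP-TLS
             "PayloadCertificateAnchorUUID": ["ROOT-CA-UUID"],
             "TLSTrustedServerNames": ["radius.example.com"]}},
    ],
})

def audit_wifi_profile(data: bytes) -> list[str]:
    """Return one finding per weak setting in each Wi-Fi payload."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    type_of = {p.get("PayloadUUID"): p.get("PayloadType") for p in payloads}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != WIFI:
            continue
        ssid = p.get("SSID_STR", "<no SSID>")
        if p.get("EncryptionType") not in ("WPA2", "WPA3"):
            findings.append(f"{ssid}: EncryptionType does not require WPA2 or WPA3")
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            findings.append(f"{ssid}: no EAP settings, network is not 802.1X")
            continue
        if 13 not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{ssid}: EAP-TLS (type 13) is not accepted")
        if type_of.get(p.get("PayloadCertificateUUID")) != SCEP:
            findings.append(f"{ssid}: client identity does not come from the SCEP payload")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or any(type_of.get(a) not in CA_TYPES for a in anchors):
            findings.append(f"{ssid}: server certificate is not anchored to a deployed CA")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no TLSTrustedServerNames, server name is not pinned")
    return findings

if __name__ == "__main__":
    print(audit_wifi_profile(SAMPLE_PROFILE) or "no findings")
```

An empty result means the Wi‑Fi payload uses EAP‑TLS with the SCEP-issued identity and pins the RADIUS server to a deployed CA and server name.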

Additional Resources


Need more help? If you encounter issues or have questions not covered in this guide, reach out to our support team at support@swif.ai or via live chat within the Console.


That’s it! Once you complete the above steps, your macOS devices should automatically retrieve the RADIUS (Wi‑Fi/VPN) profile and any required certificates. This ensures a secure, certificate-based connection experience for your organization.
