Apple .mobileconfig templates for user devices?

Brian Julin BJulin at
Mon Nov 14 15:49:54 CET 2016

You could use eduroam's CAT tool to generate these.  Recently the source was
moved over to github (not sure if that's every part to need to get a full CAT instance
up and running.)

A bit of overkill maybe for a home network, but not being an eduroam SP you'll
need to build your own rather than use the live tool.

At any rate, just google for mobileconfigs from universities.  The ones that do not
use PSK do not have any private info them so they are generally posted publicly,
and many use EAP-PEAP-MSCHAPv2

also see:

...for the instructions on how to sign them.  You can embed your homegrown CA cert into the
mobileconfig for one-step installation.

If you also want add  a VPN client config to the file as well, see the strongswan wiki; they have a posted
example for that.

From: Freeradius-Users < at> on behalf of Toby Walsh <walshtj at>
Sent: Sunday, November 13, 2016 5:48 PM
To: Alan Buxey
Cc: FreeRadius users mailing list
Subject: Re: Apple .mobileconfig templates for user devices?

Problem is my personal admin machine and my personal home devices are
Linux and Android only :). I used to have Windows 10 until the SSD it
was on died and now that you have to pay, well, I'm not paying. I can
borrow an OS X machine but it's a shame it's not just a simple GUI. We
tried yesterday to install the configuration tool but the OS X machine
normally resides on a controlled/sterile environment and it's locked
down so I can't install the configuration tool until the owner of the
machine asks their IT department nicely for permission. Sigh.

The thing that got me about the Windows machine is on Android you
select 802.1x security, select the method, select the authentication
and it all matches what you set up in Freeradius (in my mind). On
Windows when you choose security there were (I think) four basic
methods: none, wep, wpa or 802.1x. If you choose 802.1x there, then
you can't get the config to work. If you choose wpa there, that's what
you needed to do and then set up 802.1x authentication later on. I
didn't understand why 802.1x was offered as an option early on and why
I couldn't get that to work when I kept choosing it. I ended up trying
to config a working profile using netsh wlan ... commands and still
not having access to the options I thought I needed. If they'd only
offered none, wep, wpa in the first pool of options then I would have
probably managed to set it up much faster. Oh well, I know now after
wasting a couple of hours.


On 13 November 2016 at 21:53, Alan Buxey <A.L.M.Buxey at> wrote:
> The .mobileconfig file can be generated with the apple iPhone configuration
> tool which is available for regular macos, not just apple servers. An older
> version used to run on windows too if you want to hint that out.
> Add for windows being 'weird', the correct wireless term is WPA2 Enterprise
> So it's not being wierd (Using 802.1X for the auth phases target than a pre
> shared key) ;)
> alan
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list