Network Deployments for UMD-Managed Devices


Managed Certificate Overview

The University of Maryland has reached a major milestone in the Campus Network Refresh – Policy-Driven Network initiative with the successful deployment of SecureW2-managed EAP-TLS certificates to all Jamf- and Intune-managed devices. This achievement enhances network security, streamlines the user experience, and lays the technical foundation for the rollout of a Policy-Driven Network in the future. Device certificates for managed Linux endpoints will be deployed later in the summer, further enhancing our security and providing a streamlined user experience on that platform. The managed certificate identifies the device as being managed by a specific local IT unit on the network.

Managed Certificate Troubleshooting (Windows) 

If issues persist, contact it-desktop@umd.edu with the name of the affected devices, and we will resolve the issue.

Why you may see “eduroam-UMD” in your wireless list (Windows)

Managed Windows devices at UMD now include both device and user certificates to ensure compatibility with all institutions using eduroam. You might notice a new network name, eduroam-UMD, used only when needed. Both eduroam and eduroam-UMD connect to the same eduroam network. No action is required—your device will automatically select the correct profile.

Note: This change only affects faculty and staff who connect to eduroam at other institutions.

Managed Certificate Troubleshooting (Mac) 

Users may see a pop-up asking to select a certificate to continue connecting to eduroam.

  1. Click Select a Certificate and select EDUROAM 7D7166F7-8B18-4454-BB6E-36C07CDB494F.
  2. Click OK. There is no need to enter an Account Name.

If issues persist, contact it-desktop@umd.edu with the name of the affected devices, and we will resolve the issue.

Using Aruba ClearPass OnGuard

Aruba ClearPass OnGuard is a software solution that helps ensure secure network access by verifying the identity of users before they connect. This is a key step in preparing for the Policy-Driven Network. The managed certificate identifies the device as managed by a specific local IT unit on the network. OnGuard then identifies the user on the device, allowing for more granular access to networked resources.

OnGuard has been deployed to all DIT-managed computers. OnGuard now prompts users to authenticate using their University Directory ID and passphrase. See the screenshots below. After the initial login, users should only need to sign in again when they change their passphrase or log into a machine for the first time.

Some Linux hosts are not managed centrally by DIT. Instead, these hosts are managed by department system administrators. In these cases, OnGuard will need to be installed manually. See our article covering the installation of OnGuard on Linux for instructions. 

On Mac, Windows, and some Linux distributions, an OnGuard status icon will appear on the operating system taskbar or menu bar to indicate whether you are logged in or not:

The lock icon indicates you are not logged in.

The green shield icon indicates you are logged in.

You can also open the OnGuard application to view the status if needed. 

Note for Mac users

When launching ClearPass OnGuard for the first time, you may see the following pop-up:

Selecting Don't Allow will not affect the functionality of ClearPass OnGuard or your network connectivity. This prompt is standard behavior and can be safely dismissed.