Deploying 1E Client on macOS
Guidance for deploying 1E Client onto macOS devices, including installation and uninstallation. Only the 1E features of 1E Client are available on macOS.
Requirements
Please review Planning for 1E Client pages. After installation, please review the Verifying page.
For details of supported OS platforms, please refer to Common client requirements page.
Guidance provided below is for installation on macOS.
Note
1E Client does not have a license key. Even so, you must adhere to the terms of your license agreement.
Deployment choices
You must decide how you will configure the 1E Client and deploy to devices. Deploying the 1E Client is normally achieved using your existing software deployment tool.
Note
For more information about configuring the 1E Client properties during and after installation, please refer to 1E Client configuration settings and installer properties.
Non-Windows installation account
To install the 1E Client on a non-Windows client the installation account must have privileges to run the sudo command.
1E Client installation files
1E Client installation files are available for download from https://support.1e.com/.
Installation source files for non-Windows are available in a zip file called 1EClient-Non-Windows.v.x.x.zip
Within the zip, 1E Client for macOS is provided as 1e.client-macOS_v.x.x.pkg.
Certificate files
The client authentication certificate, and Go Daddy Certificate Authority (CA) certificates should be stored within the macOS Key Store under the System keychain.
Each client device requires a client authentication certificate with the following properties. This must be deployed to devices as .pfx certificate file along with the 1E Client package.
Use the following points to create and use the .pfx file:
Issued by a trusted Certificate Authority (CA): Most organizations have automated distribution of CA certificates to clients and servers. For example, Group Policy can be used to deploy CA certificate to Windows clients.
Has at least the following Enhanced Key Usage: Client Authentication.
Has at least the following Key Usage: Digital Signature and Key encipherment.
Has a private key.
Revocation information is included: References at least one OCSP endpoint.
Has a Subject Name of type Common Name (CN=<computername>) or Subject Alternative Name (DNS Name=<computername>) where <computername> depends on the type of device. For a Mac this could be MAC01.local and is case-sensitive
Each client requires the Certificate Authority (CA) certificates used by the 1E server’s certificate Trust Path, so the client can validate the server. 1E servers use certificates issued by Go Daddy. Typically the client only needs the Go Daddy Root CA certificate, but in some cases you may also require the Go Daddy Intermediate CA certificate.
Cetificate type | Certificate Name | SHA1 thumbprint (as seen in browser certificate details) | SHA256 thumbrint (as seen in Go Daddy repository) |
---|---|---|---|
Root CA | Go Daddy Root Certificate Authority - G2 | 47 BE AB C9 22 EA E8 0E 78 78 34 62 A7 9F 45 C2 54 FD E6 8B | 45 14 0B 32 47 EB 9C C8 C5 B4 F0 D7 B5 30 91 F7 32 92 08 9E 6E 5A 63 E2 74 9D D3 AC A9 19 8E DA |
Intermediate CA | Go Daddy Secure Certificate Authority - G2 | 27 AC 93 69 FA F2 52 07 BB 26 27 CE FA CC BE 4E F9 C3 19 B8 | 97 3A 41 27 6F FD 01 E0 27 A2 AA D4 9E 34 C3 78 46 D3 E9 76 FF 6A 62 0B 67 12 E3 38 32 04 1A A6 |
Obtain Certificate Authority (CA) certificates as individual .cer files (which are Base-64 encoded X.509 format). Some alternative ways of getting them are:
Received from your 1E Account Team.
Download .crt files from https://certs.godaddy.com/repository - you can rename or convert these as .cer files.
Use Microsoft Manage Computer Certificates (certlm.msc) on a Windows computer, to export each CA certificate as a .cer file using base-64 encoded X.509 format.
Warning
You must have individual .cer files instead of a bundle such as a .pem because the Keychain Access app only imports the last certificate it encounters.
Preparation
You will need to create a PFX certificate file using a template, follow this guide for using a Microsoft Certificate Authority (CA) to:
Create a template for issuing client authentication certificates.
Use the template to request certificates.
Export the certificate as a .pfx file ready for installation on the device.
If you do not already have a suitable certificate template on your Certificate Authority, you can create one by making a duplicate of either the Computer or Workstation template and configuring it with at least the following properties:
General : Use a suitable name such as 1E Client Devices and validity period.
Request Handling: Allow private keys to be exported.
Subject Name: Allow information to be supplied in the certificate request, rather than being built from Active Directory information.
Extensions: Application policies should contain only Client Authentication.
Security: Ensure relevant users and computers will be able to request certificates.
Once you have created the new template on the Certificate Authority (CA), you should issue it. Using the issued template, request a certificate for a target device, and export it in .pfx form and remember the password. The certificate and associated private key should be exported, together with all extended properties, except include all certificates in the certification path if possible and enable certificate privacy.
Warning
The Subject Name of the certificate must be the host name of the macOS device. You will supply this value during enrolment. To find the hostname of the macOS machine open Finder and click the Apple icon in the upper left. Select System Preferences -> Sharing -> Screen Sharing.
Below the computer name field, you will see Computers on your local network can access your computer at: this value will be your host name. It must be typed exactly as displayed in the certificate request (case-sensitive and including any special characters).
Installation
Note
Together, the client authentication certificate and its associated private key are termed an identity on macOS. The client authentication certificate (with its private key), and the Go Daddy Certificate Authority (CA) certificates should be stored within the macOS Key Store under the System keychain. The System keychain is for certificates trusted by all users and local system processes including the 1E Client which will run on the macOS machine.
Installing certificates can be done by using the Keychain Access app, which can be started using either of the following methods:
Pressing command-space and searching for keychain
From the Finder app, top left select Go > Utilities and double-click on Keychain Access to invoke the app.
Install the client certificate
To install a client certificate on each macOS device, follow these steps:
Copy the client certificate .pfx file onto the macOS device.
Open Finder, and double-click on the .pfx file to import the certificate into the macOS Keychain store. Or use File → Import Items... directly from Keychain Access. Enter the .pfx password when prompted.
Open Keychain Access, the certificate and its associated private key should be found under the login keychain.
Copy the client certificate and its associated private key), separately into the System keychain.
To allow access to the private key follow these steps:
Locate the private key within the System keychain - the private key will appear under its associated certificate.
Ensure the private key is present in the System keychain.
Double click the private key and select the Access Control tab.
Ensure Confirm before allowing access is selected and then add the 1E Client binary to the Always allow access by these applications adding the 1E Client by its path name, which is typically
/Applications/1E.app/Contents/MacOS/1E.Client
Caution
The Keychain Access app cannot be guaranteed to always refresh its view following, for example, an update of access control permission. However, after exiting the app, killing the process:
/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access
Then restarting the app, will ensure the Keychain Access view will correctly display the contents of the Key Store.
An alternative approach to using the Keychain Access app is to import the .pfx file using the command-line and the security command:
sudo security import <download location>/<macOSpfx>.pfx -k /Library/Keychains/System.keychain -t agg -f pkcs12 -P <password> -T '/Applications/1E.app/Contents/MacOS/1E.Client'
This command imports a client certificate and the associated private key from a .pfx file to a <keychain> as an aggregated type in PKCS #12 format using the specified password and giving access to the 1E Client.
Note
If you do not grant correct access to the client certificate's private key, and the 1E Client debug logging is configured the log will show that it cannot obtain the client certificate's private key.
Install the CA certificates
Copy the CA certificate .cer file(s) onto the macOS device.
Open Finder, and double-click on each .cer file in turn to import each certificate into the macOS Keychain store. Or use File > import Items... directly from Keychain Access.
Open Keychain Access, the certificates should be found under the System keychain. If not, then find each newly imported certificate and copy it to the System keychain.
Starting with the root CA certificate, if it is shown as not trusted, double-click to open. At the top left, above the Details section, expand the Trust section and ensure that When using this certificate Always Trust is selected and save the changes.
If you experience problems importing certificates using the Keychain Access app, for example if it reports error -25294 and CSSM_CODE_MEMORY_ERROR, an alternative way of importing public certificates and trusting them is to use the security command line tool. For example:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate.cer>
Install the 1E Client
To install the macOS 1E Client perform one of the following options :
Double-click on the package .pkg file within the Finder window to install using defaults.
Install the package file from a command window to install using defaults. The -target is the volume mount point, not the path in the file system at which it will be installed.
You must substitute <settings> with actual values agreed with 1E for example:
SWITCH <customerDNSname>-sw.cloud.1e.com:443 (do not include https:// and that the DNS name has suffix -sw)
BACKGROUNDCHANNELURL https://<customerDNSname>.cloud.1e.com:443/Background/
sudo launchctl setenv SWITCH <SWITCH> BACKGROUNDCHANNELURL <BACKGROUNDCHANNELURL> && sudo installer -pkg /path/to/pkg/1e.client-macOS_vx.x.x.x.pkg -target /
Reconfiguration
You will need to use the 1E.Client.updateconf.sh script if you want to reconfigure the client, or you installed 1E Client using the previous installation options.
The pkg installation package for macOS includes a bash script called 1E.Client.updateconf.sh. The configuration properties for the Switch and Background Channel are mandatory, therefore assuming they are on the same 1E Server which has a DNS Name FQDN tachyon.acme.local then the post-installation command line would be similar to the following but all on one command line. The second Switch and Background Channel can be removed if a DMZ server is not used. Single quotes avoid escape characters and are necessary to allow the use of the ; character.
sudo sh '/Library/Application Support/1E/Client/1E.Client.updateconf.sh' '/Library/Application Support/1E/Client/1E.Client.conf' SWITCH='tachyon.acme.local:4000;tachyon.acme.com:4000' BACKGROUNDCHANNELURL='https://tachyon.acme.local:443/Background/;https://tachyon.acme.com:443/Background/'
Please refer to 1E Client configuration settings and installer properties for a list of other configuration properties that can be appended to the above command-line.
Starting the 1E Client
To load and start the 1E Client use the command:
sudo launchctl load -w /Library/LaunchDaemons/com.1e.pkg.1E.Client.plist
Note
The client starts automatically if the switch and background URL are passed in the installation command as parameters as well as after client upgrade.
If it is necessary to stop the 1E Client use the command:
sudo launchctl unload /Library/LaunchDaemons/com.1e.pkg.1E.Client.plist
If the 1E Client should fail to start correctly please check:
sudo launchctl list | grep -i 1e - to confirm the service is actually running. It should appear as com.1e.pkg.1E.Client
/Library/Logs/1E.Client.Daemon.log - shows any service start errors
tail -f /Library/Logs/1E.Client.log - shows the current operation of the 1E Client.
If necessary raise the /Library/Application Support/1E/Client/1E.Client.conf to LoggingLevel=debug using a suitable text editor such as vi and then restart the 1E Client.
Uninstallation
You will need to use the following Uninstall.sh script if you want to uninstall the client.
sudo sh 'PATH_TO_THE_UNINSTALL_SCRIPT'
Upgrading
Tip
You may need or want to provide a more recent client authentication certificate.
To upgrade the macOS 1E Client, use one of the following methods:
Double-click on the package .pkg file within the Finder window.
Upgrade using the package file from a command window using Existing configuration.
sudo installer -pkg /path/to/pkg/1e.client-macOS_vx.x.x.x.pkg -target /
Upgrade using the package file from a command window using New configuration. You must substitute <settings> with actual values provided to you by 1E.
sudo launchctl setenv SWITCH <SWITCH> BACKGROUNDCHANNELURL <BACKGROUNDCHANNELURL> && sudo installer -pkg /path/to/pkg/1e.client-macOS_vx.x.x.x.pkg -target /
The -target is the volume mount point, not the path in the file system at which it will be installed.
You must substitute <settings> with actual values agreed with 1E, for example:
SWITCH <customerDNSname>-sw.cloud.1e.com:443 (note, do not include https:// and that the DNS name has suffix -sw)
BACKGROUNDCHANNELURL https://<customerDNSname>.cloud.1e.com:443/Background/