Profiles are the primary means to manage devices. Configure profiles so that your Linux devices remain secure and configured to your preferred settings.

You can think of profiles as the settings and rules that, when combined with compliance policies, help you enforce corporate rules and procedures. They contain the settings, configurations, and restrictions that you want to enforce on devices.

A profile consists of the general profile settings and a specific payload. Profiles work best when they contain only a single payload.

Wi-Fi Profile for Linux

Configuring a Wi-Fi profile lets devices connect to corporate networks, even if they are hidden, encrypted or password protected.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Linux

  2. Configure the profile's General settings as appropriate.

  3. Select the Wi-Fi payload.

  4. Configure Wi-Fi settings, including:

    • Service Set Identifier: Provide the name of the network.

    • Hidden Network: Indicate if the Wi-Fi network is hidden.

    • Set as Active Network: Indicate if the device will connect to the network with no end-user interaction.

    • Security Type: Specify the access protocol used and whether certificates are required. The required fields change depending on the selected security type.

      If None or WPA/WPA 2 is selected, the Password field displays.

      If WPA/WPA 2 Enterprise is selected, the Protocols and Authentication fields display.

      Protocols: Use Two Factor Authentication, SFA Type

      Authentication: Identity, Anonymous Identity, Username, Password, Identity Certificate, Root Certificate

    • Password: Provide the required credentials for the device to connect to the network. The Password field displays when WPA/WPA 2 is selected from the Security Type field.

    • Proxy Type: Enable to configure the Wi-Fi proxy settings.

    • Proxy Server: Enter the hostname or IP address for the proxy server.

    • Proxy Server Port: Enter the port for the proxy server.

    • Exclusion List: Enter the hostnames to exclude from the proxy. Hostnames entered here will not be routed through the proxy. Use * as a wildcard for the domain. For example: *.vmware.com or *vmware.com.

  5. Select Save & Publish.

Credential Profile for Linux

For greater security, you can implement digital certificates to protect corporate assets. To do this, you must first define a certificate authority, then configure a Credentials payload alongside your Wi-Fi payload. Each payload has settings for associating the certificate authority defined in the Credentials payload.

Note:

To install certificates on Linux devices, we use the following open source Puppet Forge module: https://forge.puppet.com/modules/broadinstitute/certs

This module, and therefore our support for credentials, requires Puppet to be installed on the device and supports the following distributions and versions:

  • RedHat 7 & 8

  • CentOS 7 & 8

  • OracleLinux 7 & 8

  • Scientific 8, 9 & 10

  • Debian

  • Ubuntu

  • SuSE

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Linux

  2. Configure the profile's General settings as appropriate.

  3. Select the Credentials profile and select Configure.

  4. Use the drop-down menu to select either Upload or Defined Certificate Authority for the Credential Source. The remaining profile options are source-dependent. If you select Upload, you must enter a Credential Name and upload a new certificate. If you select Defined Certificate Authority, you must choose a predefined Certificate Authority and Template.

  5. Select Save & Publish.

Custom Configuration Profile

The Custom Configuration payload can be used to configure your Linux devices with features that the Workspace ONE UEM console does not currently support through its native payloads. This payload currently uses open source Puppet for this configuration, so nothing other than the free Puppet agent needs to be installed on the device to support this functionality.

When a custom configuration profile is assigned to a Linux device, Workspace ONE UEM passes the manifest to Puppet running on the device. Currently, when a device is enterprise wiped or unenrolled, these configuration changes are not removed from the device unless a removal manifest is defined in the profile.

For more information on Puppet, including sample manifests, please see: http://forge.puppet.com

To validate the syntax of your Puppet code, please see: https://validate.puppet.com

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Linux

  2. Configure the profile's General settings as appropriate.

  3. Select the Custom Configuration profile and select Configure.

  4. Configure the payload including:

    • Name: Enter a name that distinguishes this payload from others.

    • Enforce Manifest: If checked, the manifest will be reapplied at the data transmit interval configured in Settings > Device & Users > Linux > Intelligent Hub Settings. If left unchecked, the manifest will only be executed once when the profile is initially pushed to the device.

    • Check for Dependency: If the Puppet manifest has a required dependency, it can be included here. For example, "puppetlabs/stdlib".

    • Install Manifest: Copy and paste the content of your Puppet manifest here. This manifest will be implemented on the device assigned in the General tab.

    • Remove Manifest: This manifest will be executed on the device when this profile is unassigned from a device. If this manifest is left blank, when a custom configuration profile is removed from a device, the action dictated by the install manifest will remain on the device.

  5. Select Save & Publish.

Custom Configuration Examples

Puppet Manifest Examples

We encourage you to learn and explore Puppet if you are interested in creating custom configuration profiles. To get you started, the following are examples of Puppet code that can be used on standard Ubuntu. They will not work on other distributions of Linux.

Install Chrome Browser on Ubuntu:

  • Dependency: None

  • Installation Manifest:

# Download the Chrome package to /tmp.
file { 'google-chrome-stable_current_amd64.deb':
  ensure => present,
  path   => '/tmp/google-chrome-stable_current_amd64.deb',
  source => 'https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb',
}

# Install the downloaded package with dpkg.
# This exec has no guard, so it runs each time the manifest is applied.
exec { 'install-chrome':
  command   => '/usr/bin/dpkg -i /tmp/google-chrome-stable_current_amd64.deb',
  logoutput => true,
}

  • Removal Manifest:

package { 'google-chrome-stable':
  ensure => 'absent',
}

Disabling SSH Server on Ubuntu:

  • Dependency: puppetlabs-stdlib

  • Installation Manifest:

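# Stop the SSH server and keep it from starting at boot.
service { 'ssh':
  name   => 'sshd',
  ensure => false,
  enable => false,
}

  • Removal Manifest:

# Start the SSH server again and re-enable it at boot.
service { 'ssh':
  name   => 'sshd',
  ensure => true,
  enable => true,
}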
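
The following is an added example, not part of the original documentation: an install/removal manifest pair that is safe to reapply when Enforce Manifest is checked and that reverts cleanly through the Remove Manifest field. It assumes Ubuntu with the OpenSSH server installed under the service name ssh, and puppetlabs/stdlib entered under Check for Dependency (it provides file_line); the two parts are pasted into their separate fields, not applied together.

```puppet
# Added example, not from the original documentation.
# Assumptions: Ubuntu, OpenSSH server installed, service unit named 'ssh',
# puppetlabs/stdlib available on the device (provides the file_line type).

# ---- Install Manifest field ----
# file_line only edits the file when the desired line is missing, so
# reapplying this manifest at every interval (Enforce Manifest checked)
# changes nothing unless the setting was altered on the device.
file_line { 'sshd-permit-root-login':
  ensure => present,
  path   => '/etc/ssh/sshd_config',
  line   => 'PermitRootLogin no',
  # Replace an existing directive (active or commented out) in place
  # instead of appending a second, conflicting one.
  match  => '^#?\s*PermitRootLogin\s',
  # Restart sshd only when the file actually changed.
  notify => Service['ssh'],
}

service { 'ssh':
  ensure => running,
  enable => true,
}

# ---- Remove Manifest field ----
# Runs when the profile is unassigned: removes the enforced line so sshd
# falls back to its built-in default, then restarts the service.
file_line { 'sshd-permit-root-login':
  ensure => absent,
  path   => '/etc/ssh/sshd_config',
  line   => 'PermitRootLogin no',
  notify => Service['ssh'],
}

service { 'ssh':
  ensure => running,
  enable => true,
}
```

If the Remove Manifest field is left blank for this profile, the PermitRootLogin line stays in /etc/ssh/sshd_config after the profile is unassigned, as described for the Remove Manifest setting above.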