eap-tls on apple watch?

tinfoilmatt

@johnpoz Appears to definitely be possible: https://developer.apple.com/documentation/devicemanagement/wifi/eapclientconfiguration-data.dictionary

I've used iMazing Profile Editor before to create valid configuration profiles (like to create a pfSense-hosted IPsec mobile warrior VPN on an iPhone, for example).

johnpoz

@tinfoilmatt yeah I have Imazing - and they added watch stuff, but only on their version that runs on mac0S. I can't get it to see my watch.

Atleast that is how I was reading it - might have to take a closer look at look at their profile editor..

tinfoilmatt

@johnpoz It does, in fact, contain all dictionaries (including WiFi.EAPClientConfiguration) for all supported OSes.

johnpoz

@tinfoilmatt ok how do you now get it on your watch??

I have added the certs, put in the ssid, etc. and have a mobileconfig file - how do you you get it onto the watch?

tinfoilmatt

@johnpoz Great question. USB charging/data connection cable?

johnpoz

@tinfoilmatt apple watches don't have those ;) at least not newer ones.. I can't see how to get normal iamazing to see my watch.. with the iphone I just emailed it to myself and it asked if wanted to load the profile but that was just a p12 file.

tinfoilmatt

@johnpoz iMazing (not Profile Editor) has some automagic network discovery functionality. I wonder if it could be used to import a profile to the watch.

johnpoz

@tinfoilmatt If so don't know how to do it - the imazing did add ipad and watch os, but says only for macOS

It really shouldn't be this difficult - why can it not just pull the info it needs from my iphone ;)

It sees my iphone no problem, but I am not seeing anything about my watch in it.

tinfoilmatt

I hear you. My next watch will be a Garmin. It definitely won't be able to do EAP-TLS. But I will have much more control over what networks it connects to, and Garmin Express appears to be at least partially supported on Linux.

johnpoz

@tinfoilmatt going put this on a back burner - it just ticks me off, when it should be so simple..

I mean your watch pulls apps and all sorts of other things from the phone its paired with - why would it also just pull or could be allowed to pull a profile for the certs for connecting to eap-tls..

Maybe I will just remove the whole eap-tls option, so its not haunting me every time my phone connects to it and my watch can't ;) hehehe

JonathanLee

This isn’t really related to the post, but I wanted to share something. I love Apple products — they’re my go-to when I just want things to work without hassle. I have my setup configured to auto-proxy so I can switch between a secure proxied network and a guest network for testing.
After upgrading my iMac to macOS Tahoe, though, it suddenly required a WPAD file even on the non-proxy guest network. I ended up putting a WPAD file on OpenWrt that basically tells the system “there is no proxy.” Once I did that, I could switch between the networks normally again. That way I could leave it on auto proxy.

Gertjan

@johnpoz said in eap-tls on apple watch?:

Ok how do you now get it on your watch??

Maybe this.

Can the watch reveive mails ? If so, if you can send a mail with attached 'config' files that you 'open', and iOS recognized them as config stuff, and now it get flagged under "Settings" and you'll be guided from there ?!
I know this works with importing certificats on an iPhone.

johnpoz

@Gertjan first thing I tried - can't do anything with the attachment. You can see the email has an attachment, but you can't click it, can't save it.. Unless I am just stupid ;) But can't see anyway to do anything with the attachment on the watch.

Gertjan

@johnpoz
Bummer. I down myself.

johnpoz

@Gertjan heheh - thanks for trying.. Its paired to the phone, why can I not just push it from the phone like you can do with an app.. Maybe you can, and just don't know how? And my google is failing - or there just isn't a way, only thing I find is management through the apple stuff like mdm.. But I don't need something for an enterprise or even a smb..

I just want a free way to get eap-tls working on my stupid watch ;)