jump to navigation

Wireless Installer – The Next Generation August 27, 2009

Posted by bigmaconcampus in Mac Tech.
Tags: , , , , , , , , , , , , , , , , , , , , ,

Ok, after originally posting the code for my wireless installer, I’ve updated the code earlier in the summer and keep promising to post an update. Without further adieu, here it finally is.

*NOTE* 9/29/09
There were some errors in the applescript sections of the original post. These should be correct now. Oops.

*NOTE* 12/21/09
Gave up fighting wordpress to display the code correctly so that it would compile correctly if someone copy/pasted it. Now have a direct link to download the working files at the bottom of this post. Sorry for the delay/problems.

Since I couldn’t remember specifically what I changed (several bug fixes, some major, some minor), I’ll re-post the entire thing here. It has been tested on over 1700 Macs since the beginning of June 2009, so I consider it fairly solid at this point.

There was an entire section redone in C code since there were certain APIs that could only be addressed that way. This was also the ONLY piece that was a reminant of a GUI based version I’d made a year beforehand. Now, all command line, YEAH. (Thanks Kim!) Also, now moves the newly added wireless network to the top of the preferred list so connection time is quicker (noticed that with users that had 20+ wireless networks, adding it to the end of the list resulted in several minute long connection times).

The only issues I’ve run into is that on occasional runs, the installer will not pickup the wireless username correctly (the main script thinks that the wireless username is blank). I haven’t been able to narrow down what causes it directly (I think it has to do with running the installer partially and quitting at a certain spot, which must be leaving some clutter behind, but haven’t directly proved this yet), but have added code to recognize the problem and exit with an error. Most times, running the installer a second time will work fine. (If anyone happens to figure it out, please let me know in the comments)

The other small issue shows about one in a hundred runs and I consider it an applescript bug. Sometimes the portion that is applescript won’t allow the user to type in the dialog box. A reboot solves this behavior.

This installer basically works the same as before, it is crammed into a PackageMaker .pkg file and runs as a postscript to perfom the setup. The beauty of this is that it can be posted on a website for the user’s to run themselves and doesn’t require a tech to setup their wireless for them. (Makes our lines MUCH shorter). If you are confused by any of the details, refer to the previous post for a deeper description of some portions.

It’s in several scripts in several different languages (Four in all I think, we almost had some perl in it, but I’m a Bash junkie and got it to work in less lines in Bash :P )

Change Log

July 2009
Version 3.6
Fixed bug that caused a blank wireless username in certain situations
Fixed bug with a ‘space’ in the Mac password
Wireless network is now added in the top location of preferred networks to enable faster connection
Added more error codes
Added better error descriptions
Added ‘retry counter’ to dialogs
Lowered number of retries from five to three

April 2009
Version 3.5
Rebuilt Keychain creation mechanism in C to solve several bugs centering around creation of ACL of Keychain and Assistive Devices settings.
Added Mac OS X 10.6 enhancements
Increased speed of installer
Added second wireless password test in case of system outage

March 2009
Version 3.1
Made compatible with Mac OS X 10.6 (Snow Leopard)
Added several exceptions for MacBook Air hardware types due to lack of ethernet port
Streamlined method of fixing certain symbol characters in passwords
Fixed bug with toggling Assistive Devices settings
Modified handling of certain preference files and previous Enterprise level network setups
Added steps to handle a blank Mac Password
Added error code for a corrupt login.keychain that cannot be unlocked

Final Important Info
After wrestling with WordPress attempting to get the code posted correctly, I’ve given up and decided to instead post a link to download the working files so that anyone interested can just download the pieces and package it themselves.

There are three applescripts, used to obtain and test usernames and passwords, and cleanup Keychain Items, that are called by the Main Script. These feed back the variables for username and password to the parent script.

The Mac password cannot be blank (I wouldn’t recommend a user have a blank password anyway) nor can it contain a space (causes problems with the script).

Some items in remove_keychain_items.scpt need to be edited manually (Names of keychain items). Also, if the keychain is locked with a different password than the main user account password, the script will error at this step.

C Programming Section:
This section replaced the part that would actually set the access level for the wireless to get to the keychain item. Before it used GUI Applescript and relied on Assistive Devices to be able to click a single ‘OK’ button. Using C to create the keychain item and set the ACL to allow the eapolclient to access the keychain fixes the issues with doing it the previous way.

This C code should be compiled for both Intel and PowerPC separately and the resulting files should be named:

The parent script determines the processor type and will run the appropriate version of the executable.

You would need to do a find/replace in this section of code for wirelessnetworkname and put in the name of your particular wireless network.

Download working files
Wireless Installer

Hopefully the new and improved version (which is still not 100% complete, but getting closer) will help someone out there. If so, drop a comment.


1. Craig - August 28, 2009

Definitely very helpful. Thank you for releasing this.

I’ve found that for TLS certs. I need the following in $EAPPROFILES
after looking at working copies and comparing.
Other than that there is not *that* much difference.

“$Buddy” -c “Add :Profiles array” $EAPProfiles
“$Buddy” -c “Add :Profiles:0 dict” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration dict” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:AcceptEAPTypes array” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:AcceptEAPTypes:0 integer 13” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:Description string Automatic” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:EAPFASTProvisionPAC bool true” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:EAPFASTUsePAC bool true” $EAPProfiles
#”$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:TLSIdentityHandle data ” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:TLSVerifyServerCertificate bool true” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:TTLSInnerAuthentication string MSCHAPv2” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:UserName string $USER” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:UserPasswordKeychainItemID string $uuid” $EAPProfiles
#”$Buddy” -c “Add :Profiles:0:UserDefinedName string $USER” $EAPProfiles
#”$Buddy” -c “Add :Profiles:0:Wireless\ Network string $WIRELESS” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:UniqueIdentifier string $uuid” $EAPProfiles
“$Buddy” -c “Add :Profiles:0:userDefinedName string WPA: $WIRELESS” $EAPProfiles

TLS certs are indicated by “ticking” TLS on the 802.1X Profile check box in Sys Preferences or –
the command
“$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:AcceptEAPTypes:0 integer 13” $EAPProfiles

I figured that *13* is TLS by trial and error.
I think I am learning something…


“$Buddy” -c “Add :KnownNetworks:$uuid:SecurityType string 802.1X\ WEP” $AirportPref

is the only major difference in com.apple.airport.preferences.plist

I have added my keychain login using..

security add-generic-password -D “Internet Connect” -a name -w password -s $uuid -l “WPA: $WIRELESS” -T /System/Library/CoreServices/SystemUIServer.app -T /Applications/System\ Preferences.app -T group://AirPort /Users/name/Library/Keychains/login.keychain

I am still using the old script at the moment but will look at moving to the new script soon and adding your extra features.

Unfortunately, the line #”$Buddy” -c “Add :Profiles:0:EAPClientConfiguration:TLSIdentityHandle data ##data##” $EAPProfiles
is a worry as it contains data on the keychain login which I don’t know how to add via command line.

Also I get an error with the line

echo $MACPASS | sudo -S “$PLISTBUDDY” -c “Add :KnownNetworks:$uuid:_timeStamp date 1995-06-21T14\:00\:00Z” $AirportPref

error returned is “Unrecognized Date Format”

I have tried a couple of things using a variable and having that $DATETIME variable grab the current date but it throws up the same error.

Wondering how we get the Wireless Network to show up in “Preferred Networks” in System Preferences> Networks> AirPort..

I’m getting there!
Thanks again for your hard work.

Dagger2b - May 24, 2010

Did you ever find out how to get the TLSIdentityHandle data?

Craig - July 6, 2013

It /has/ been quite a while! I’m still scripting. ;)

I never used it. It seemed to connect just fine without it. :/

These days I’m writing profiles from scratch.
Some things never change.

2. Craig - August 29, 2009

Fantastic work. I have emailed you about this.
Sorry about the length of the email..

3. Clifster - September 3, 2009

Thanks for putting this together. Could you explain what do with this code other than copy-paste into Script Editor / shell script file?

Also the get_wireless_pass section will not compile under Mac OS 10.6 (failure on line 24: “echo ).

Thanks in advance for you help.

bigmaconcampus - September 3, 2009

Read the other linked entry about the first version that I attempted. It has more details about making the scripts and putting them into a PackageMaker installer to run as postscripts.

I know this latest version will function on 10.6 (added those pieces several months ago), however, I have not tried compiling it under 10.6 (did it on 10.5). Thanks for the warning since I will be recompiling it soon in the future to make a few minor mods (need to add some ‘wait until’ pieces in the Applescript to keep it from timing out. This will hopefully fix the only minor issue I’ve had with the Exit 20 errors I get occasionally. I think the students start the installer then get side-tracked and the password prompts will time out after about 2 mins. and error the script.

bigmaconcampus - September 3, 2009

Decided to test it to see what I would be dealing with moving it to a 10.6 system, and I’m not having the compiling issue. Please double-check that something didn’t get missed in your copy/paste step.

John - September 29, 2009

I’m having the same issue with the AppleScript. Script Editor doesn’t think it’s valid. I’ve re-copied/pasted. Zapped gremlins in Text Wrangler, no luck.

I get the error: “Expected “then”, etc. but found identifier.”

This happens at “echo” on line 24.

John - September 29, 2009

Also of note: This is using “AppleScript Editor” located in Applications/Utilities, not the previous “Script Editor” found in the Applications/AppleScript folder. Maybe it’s a bug in the new App.

Ryan M - October 22, 2009

I’m also trying to compile on 10.6, and getting the same error at line 24. It looks to me like there’s an extra double quote on line 23 that could be causing the problem, but I’m not sure whether it’s an extra quote or a missing quote.

bigmaconcampus - October 22, 2009

There seems to be an issue with how wordpress is displaying the code. I will try to correct it soon. Sorry everyone.

Ryan M - October 22, 2009

Would it be easier to just offer the bundle of scripts in a Zip file?

4. Craig - September 3, 2009

I get the same… 10.5.8

5. Clifster - September 9, 2009

Your earlier post states, “I have posted a flat-file .pkg on a website at our University for students/employees to download and run themselves.” What University? Is there a link that you could provide to this? Is this an Xcode project that you compile these in?

Also, is final product similar to the SetupWireless off AFP548?


That is ideally what I would like to get users at our University to, because right now they are looking at 18+ steps that is simply absurd for most users to follow:


bigmaconcampus - September 12, 2009

The .pkg file was created using PackageMaker 3.03 (comes in the Developer tools). It simply installs the script pieces into a /tmp/folder and then runs them as a post-install script. Seemed like the simplest method for letting users do it themselves.

The reason for using the flat-file (10.5 only) format was so that it didn’t even have to be put into a .dmg file for download.

The installer can be found at http://ccit.clemson.edu/mac_software, however it won’t function since you wouldn’t be in range of the wireless network and the .pkg file won’t ‘crack open’ to let you see how it is setup. If you look at /tmp/cu_wireless while it is running, you’ll see the same scripts I’ve already posted installed there.

I did communicate a few times with the fellow who posted the afp548 article, however, we each were dealing with separate types of 802 networks and had to come up with separate solutions.

I’m in the middle of updating it again with some minor modifications and will try to post those as well.

From what I can tell from a brief glance at the inner workings of Snow Leopard, this could be accomplished easier than I did it for Leopard, but the work is done and it works on SL as well (after I modified it to do so back in the spring).

6. Jerry Johnson - September 27, 2009

Hi bigmaconcampus,

Appreciate if you can tell me how to invoke wireless_setup.sh in the package postflight. I just get the error –

Sep 27 17:49:28 mobile-166-129-028-027 /private/tmp/scripts.aQ6f/./postflight[9674]: LSGetApplicationForInfo() failed with error -10814 while trying to determine the application with bundle identifier com.lynda.it.wireless_installer.wirelessinstaller.wirelesssetup.pkg.wirelesssetupsh.

You can see I am trying to get wireless_setup.sh to be executed with no luck.


7. bigmaconcampus - September 29, 2009

I’m just putting the wireless_setup.sh as the postflight using the GUI PackageMaker app. However, I am using version 3 of PackageMaker which might be different than PackageMaker 2 (I’ve been using PackageMaker 3 and understand the two are quite different from one another).

My package is also for 10.5 and 10.6 systems only. A flat-distribution package.

8. Joe - December 7, 2009

What’s the procedure for compiling the C code?
Any progress on the errors in get_wireless_pass.scpt that are preventing it from compiling?

9. Justin - August 21, 2010

I get two errors continuously during install:

“An error occurred while attempting to turn the wireless on or off”


“The wireless username or password is blank”

of course this is because the script never prompts me to enter any credentials.

10. Paul de Groot - June 22, 2011

Testcase 1 @ 23-06-2011 by joyallitathotmail.younow

Working around the scripts, for 10.6.7.

Fixid error on cu_wireless_setup.sh scanning network

WIRELESSINRANGE=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport –scan=”$WIRELESSNETWORKNAME”`

Add files in folder cu_wireless:

– system_profile.txt (must be empty)
– PlistBuddy
– wireless-install-report.sh
– your .pem
– your.cer

remove the network mount if you do not need it in get_wireless_pass.scpt

on run argv
set myMacPass to item 1 of argv
set LOGS to item 2 of argv
set ERRORLOG to item 3 of argv
set MBAirPresent to item 4 of argv
set theUser to (do shell script “echo $USER”)
set myPass to “”
set counter to 1
set serverMount to “”

tell application “Finder”
with timeout of 10000 seconds
repeat until myPass is not “”
if counter &1 > ” & ERRORLOG
do shell script “echo \”exit 99 User cancelled installation.\” 2>&1 >> ” & LOGS
end tell
tell application “Installer” to activate
end if
if button returned of acctBox is “OK” then
if myAcct is not “” then

— Remove any trailing @mydomain.com information from network name
if myAcct contains “@” then
set myAcct to text 1 through ((offset of “@” in myAcct) – 1) of myAcct
end if

— Test to see if Network password is correct
set myPassBox to display dialog “Voer hier U wachtwoord op:” & return & return & “Let op !” & return & “Dit zijn enkel letters” default answer “” buttons {“Quit”, “OK”} default button 2 with title “MediaCollege Amsterdam Wireless Setup” with hidden answer
if button returned of myPassBox is “Quit” then
tell me
do shell script “echo \”exit 99 User cancelled installation.\” 2>&1 > ” & ERRORLOG
do shell script “echo \”exit 99 User cancelled installation.\” 2>&1 >> ” & LOGS
end tell
tell application “Installer” to activate
end if
set myPass to the text returned of myPassBox

— test to see if network password is blank
if myPass is not “” then

— Convert any illegal symbols in password to hexadecimal to function correctly in URL of Volume mount test
tell me
set fixedPassword to do shell script “python -c ‘import sys, urllib; print urllib.quote(sys.argv[1])’ ” & quoted form of myPass
end tell

on error
tell me
do shell script “echo \”exit 90 Password possibly contains unsupported characters, such as backslash or double quotes. Please reset password and try again.\” 2>&1 > ” & ERRORLOG
do shell script “echo \”exit 90 Password possibly contains unsupported characters, such as backslash or double quotes. Please reset password and try again.\” 2>&1 >> ” & LOGS
end tell
tell application “Finder”
set dialogReply to display dialog “wachtwoord niet conform de gegevens in de brief.” & return & return & “.” buttons {“Quit”} default button 1 with icon caution

end tell
tell application “Installer”
end tell
end try

— Test to see if Network Password is correct

display dialog “Clemson University password cannot be blank!” buttons {“OK”} default button 1 with icon caution
end if
display dialog “Clemson University username cannot be blank!” buttons {“OK”} default button 1 with icon caution
end if
end if

tell application “Installer”
end tell
end if
set counter to counter + 1
end repeat
end timeout
end tell
delay 0.5

— Write username to file for parent script to pickup
if myAcct is not “” then
tell me
do shell script “touch /private/tmp/cu_wireless/WirelessUserNameIs” & myAcct user name theUser password myMacPass with administrator privileges
end tell
end if
if myAcct is “” then
tell me
do shell script “echo \”exit 21 Wireless username is blank. Unknown error.\” 2>&1 > ” & ERRORLOG
do shell script “echo \”exit 21 Wireless username is blank. Unknown error.\” 2>&1 >> ” & LOGS
end tell
tell application “Finder”
display dialog “Wireless username is blank. Unknown error.” & return & return & “Please try running the Wireless Installer again.” buttons {“OK”} default button 1 with icon caution
end tell
tell application “Installer”
end tell
end if
tell application “Installer”
end tell

— Send wireless password to parent script
delay 0.3
return myPass

end run

Comming back soon while trying to fix it for SL

11. Paul de Groot - June 22, 2011

Addendum: Testcase 1

# the line for package delivery cleanup while testing in cu_wireless_setup.sh in Terminal like this:

# Remove previous database receipt to allow cu_wireless install to copy to /tmp/cu_wireless
# echo $MACPASS | sudo -S pkgutil –forget edu.clemson.clemsonUniversityWireless.cuwireless.pkg

PS is Jeff still active on scripting, realy need some help -;)

12. Paul de Groot - June 23, 2011

I posted some update but the are removed WHY

bigmaconcampus - December 11, 2011

My apologies. Missed your posts somehow, but approved them as soon as I noticed. Thanks for the updates.

13. Al - April 18, 2012

do you know of a way to manually import EAP-FAST PAC files into OSX keychain?

bigmaconcampus - May 9, 2012

I’ve honestly never tried. Do you have more details, like what Mac OS version and such?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: