Last week, I posted a document on how to configure User Suite to enroll devices for PKI authentication. Today we'll follow that up with a quick how-to on enabling Exchange ActiveSync with PKI Authentication.


Enabling PKI Enrollment with Centrify User Suite

 

With Centrify User Suite you can enable mobile devices to request a certificate for PKI authentication for WiFi networks, Exchange ActiveSync, or both. The certificates are requested from your existing CA attached to your Active Directory, and can be used on both iOS and (supported) Android devices.

 

Why should organizations use PKI based authentication?

Using certificates for authentication is much more secure than the standard username and password scheme. Users must have the proper certificate installed on the device in order to access corporate services such as WiFi and Exchange Active Sync. These certificates are stored in very secure “keyrings” on the device, and in many cases stored in a hardware secured device that thwarts tampering or removing the certificates without proper approval.

Another advantage of using certificates is that the user no longer needs to remember and enter a password to access corporate services requiring PKI based authentication.  Better security, and better user experience.

 

Using Centrify User Suite Microsoft Certificate Services

Set-up CA server for auto-enrollment

The following steps assume you have a working certificate services role/service within your domain. If you do not, please follow the article for setting up a CA.  http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx

This document describes creating two certificates for use in device enrollment: a User certificate for Exchange/SMIME use, and a Computer certificate for device authentication to WiFi networks.

 

Configuration:

Active Directory Configuration

In Active Directory Group Policy Management snap-in,

  • Right click Default Domain Policy
  • Select Edit to open the Group Policy Management Editor

 

In the Group Policy Management Editor snap-in, go to the “User Configuration” container

  • Expand Policies
  • Expand Windows Settings
  • Expand Security Settings
  • Select Public Key Policy

 

In the right pane, double-click Certificate Services Client Certificate Enrollment.

Change the policy to “Enabled”. Keep the other settings at their defaults and click “OK” to save.

Do the same for the “Computer Configuration” policy.

 

Windows Server CA Configuration

In Certification Authority snap-in,

  • Right click Certificate Templates
  • Select Manage

In Certificate Templates Console snap-in,

  • Right click on User template
  • Select Duplicate Template
  • Choose Windows Server 2003 Enterprise and click OK

In Template display name

  • In General tab, fill in the information as follows

Template Name: User-ClientAuth

  • In Security tab, make sure Domain Users has the Enroll permissions set.

In the Subject Name tab, click the “Supply in the request” radio button.

 

 

Duplicate the “Computer” certificate template, and name it “Computer-ClientAuth”, and set the same settings as above.

In Certification Authority snap-in,

  • Select “Certificate Templates”
  • Right-click and select “New->Certificate Template to Issue”

 

 

 

  • Select the newly created User-ClientAuth template and click OK
  • Do the same for the Computer-ClientAuth template

 

 

Centrify Cloud Proxy Configuration

  • Open the Centrify Cloud Proxy Configuration tool, and select the Mobile Settings Tab
  • Make sure the appropriate CA is selected for the configuration as completed above

 

 

User and Computer certificates are now configured for deployment to mobile devices, and can be used for further policy involving Microsoft ActiveSync and/or WiFi profiles. If a policy is created that requires the use of certificates, the devices will automatically request and enroll certificates.

You can then go back to the Certificate Authority tool, and check to make sure certificates are generated for mobile devices, under “Issued Certificates”.

See the Centrify documentation for configuration guides for PKI authentication for ActiveSync and WiFi.


TonyC
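An added example, not part of the original post or of Centrify's tooling: a read-only PowerShell audit that lists certificate templates combining the three settings the PKI enrollment procedure above applies (Client Authentication usage, “Supply in the request”, and Enroll for a broad group). With those together the requester chooses the certificate's subject, so such templates merit review of who can enroll and whether CA manager approval is required. It assumes the RSAT ActiveDirectory module, read access to the configuration partition, and English group names.

```powershell
# Added example (not from the original post). Read-only audit of AD CS templates.
Import-Module ActiveDirectory

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'                           # Client Authentication EKU
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$SuppliesSubject = 0x1   # msPKI-Certificate-Name-Flag: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$PendAllRequests = 0x2   # msPKI-Enrollment-Flag: CT_FLAG_PEND_ALL_REQUESTS (CA manager approval)
$BroadGroups     = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'

$base  = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
         (Get-ADRootDSE).configurationNamingContext
$props = 'displayName', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
         'msPKI-RA-Signature', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

$findings = Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter * -Properties $props |
    ForEach-Object {
        $t = $_
        # Broad groups holding an Allow ACE for Enroll, or for all extended
        # rights (which carries an empty ObjectType GUID).
        $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty) -and
            (($_.IdentityReference.Value -split '\\')[-1] -in $BroadGroups)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            Template        = $t.displayName
            SuppliesSubject = [bool]($t.'msPKI-Certificate-Name-Flag' -band $SuppliesSubject)
            ClientAuth      = $t.pKIExtendedKeyUsage -contains $ClientAuthOid
            ManagerApproval = [bool]($t.'msPKI-Enrollment-Flag' -band $PendAllRequests)
            RaSignatures    = [int]$t.'msPKI-RA-Signature'
            BroadEnrollers  = @($enrollers) -join '; '
        }
    }

# Report only templates where all three conditions hold together.
$findings |
    Where-Object { $_.SuppliesSubject -and $_.ClientAuth -and $_.BroadEnrollers } |
    Format-Table -AutoSize -Wrap
```

The check looks only at the Client Authentication OID and at the listed group names; templates that grant enrollment through other groups are not reported.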

Online Help is available for Centrify for Mobile / SaaS

by Centrify ‎01-31-2014 08:36 AM - edited ‎02-03-2014 01:58 PM

Greetings Community Members!

 

Did you know that Centrify for Mobile has a free online help reference available for all Centrify users? We're proud to offer a complete online reference for administering settings and devices in the Cloud Manager as well as an easy to read reference for end users when accessing the MyCentrify user portal.

 

A complete Application Configuration reference is also available for Centrify for SaaS (see below).

 

Administrators will find the online reference helpful as specific topics can be linked directly and provided to end-users. The guide can also be exported to PDF for offline viewing.

 

 

To access the online help, select it from the drop-down menu in either the Cloud Manager or MyCentrify user portals:

 


 

 

 

Centrify for SaaS also offers its own detailed Application Configuration online reference to assist Administrators with quickly adding and configuring web and mobile apps. Each App available within the Cloud Manager offers 1-click access to specific help for that particular app or app type:

 


 

 

It may be helpful to bookmark the below links to access the online help directly:

 

 

APNS Renewal – don’t let your APNS certificate expire!

 

Greetings Community Members! The one year anniversary of APNS integration with Centrify for Mobile is quickly approaching and I wanted to provide some information regarding renewal of APNS certificates to avoid any loss in functionality for iOS and OS X devices.

 

When a new APNS certificate is created and issued by Apple, it comes with an expiration date exactly one year from the date of creation. The current APNS certificate in use must be renewed and uploaded into the Cloud Manager prior to expiration in order to continue management of currently enrolled iOS and OS X devices. Failure to renew the certificate before it expires will require a new certificate to be created, and all iOS devices will need to re-enroll in order to restore MDM functionality. APNS configuration is specific to Apple iOS and OS X only and does not apply to Android devices.

 

You can verify your current certificate expiration from the Cloud Manager under Settings > APNS Certificate. In this example, the certificate will expire on October 11, 2013 @ 6:55pm

 


 

 

To renew the APNS certificate, follow the steps below

 

  1. Login to the Cloud Manager (cloud.centrify.com/manage) and select Settings from the top menu then APNS Certificates
  2. Select the Generate Request button and download the MDM_csr.pem file when prompted
  3. Login to the Apple Push Certificates Portal at https://identity.apple.com/pushcert  - a valid Apple ID is required for login
  4. After login, the Manage Certificates page should be displayed. Locate the certificate that matches the expiration date displayed in the Cloud Manager

 

The below example shows the matching certificate is set to expire on  October 11, 2013

 


 

 

  5. Select the Renew button on the matching certificate and upload the MDM_csr.pem file downloaded in Step 2 above when prompted. DO NOT SELECT REVOKE!!
  6. After the certificate has been updated and a new expiration date is displayed in the Apple Manage Certificates page, select the Download button and save the new MDM_ Centrify Corporation_Certificate.pem file when prompted
  7. In the Cloud Manager APNS settings, select the Upload Apple Response button and upload the new MDM_ Centrify Corporation_Certificate.pem file
  8. After refreshing the Cloud Manager, the new APNS expiration should now be displayed

 

The updated expiration date of the renewed certificate now displays October 11, 2014 in the below example. The actual expiration will be determined by the date when the new certificate is created by Apple

 

 


 

 

After renewing and uploading the new certificate into the Cloud Manager, be sure to test MDM functions and iOS device enrollment to ensure everything is working as expected.  

 

Regards,

-Tony

If you have enrolled iOS devices, it is necessary to set up an APNS certificate so that you can enroll iOS devices and ensure connectivity. For details on how to set up an APNS certificate, refer to this video.

 

Apple only issues certificates that are valid for 1 year from the time of issue. It is important to ensure that you renew this certificate every year before the expiry date; otherwise your iOS devices will not communicate with Centrify Cloud Service.

 

To check the current expiry date follow the steps below and take steps to ensure the validity of your certificate.

 

1. Login to "Cloud Manager" - https://cloud.centrify.com/manage

2. Go to Settings 

3. Click on APNS Certificate

4. On the top you will see the "Current Expiry Date" 

 


 

5. To renew your certificate visit  https://identity.apple.com/pushcert and follow the steps.

 

Additional info can also be found in the Administrators Guide on page 41

 

 


David

How To: setup Touchdown for access to Exchange Active Sync

by Centrify ‎09-28-2012 01:26 PM - edited ‎09-28-2012 01:30 PM

This short video will show how to configure the Group Policy and setup Exchange Active Sync for Touchdown on Android.


Raman

How To: Create an Apple Push Notification Service ( APNS ) certificate

by Centrify ‎09-24-2012 11:36 AM - edited ‎09-25-2012 09:35 AM

In order for the Centrify Cloud Service to communicate securely with your enrolled iOS devices, you need an Apple Push Notification Service (APNS) SSL certificate signed by both Centrify and Apple. An APNS cert is required before you can enroll iOS devices. This step is not required if you intend to enroll only Android devices.


Raman

How To: Upgrade the Centrify Mobile Manager App for Android from Beta2 to Beta3

by Centrify ‎05-04-2012 05:16 PM - edited ‎05-05-2012 12:28 AM

For the Beta3 release the Android Mobile Manager has to be upgraded. Please follow the steps to ensure a smooth upgrade for your Android device.

 

 

Step 1: Unenroll your device

 

1. Launch the Mobile Manager on your Android

 


 

2. Once you see the main screen, on the top right hand corner click on “Menu”

 


 

3. Click on “Settings” under “Menu”

 


 

4. In the settings option, click on “Unenroll”

 

5. Once this operation completes you will not see the “Unenroll” option, which indicates the operation completed successfully (as shown below)

 


 

Step 2: Delete the existing Centrify Mobile Manager App

 

1. On your Android device under "Applications", select "Manage Applications"

 

2. Locate the "Centrify Mobile Manager" and select it

 

3. Once the "Application Info" screen shows the Centrify Mobile Manager app, click on "Uninstall" to remove the app

 

4. Click "OK" when prompted to uninstall the app

 

Step 3: Download and Install new Centrify Mobile Manager App

 

Visit the cloud portal at – http://cloud.centrify.com from your Android device and click on the “Enroll Your Android Now” 

 

Refer to the earlier posting on "How to: Enroll Android Devices" to Install the new App ( Beta3 ) 

 

 

Step 4: Enroll your device again

 

Refer to the earlier posting on “How to: Enroll Android Devices” and continue from Step 4 to complete the enrollment

David

How to: Enroll Android Devices

by Centrify ‎04-01-2012 05:50 PM - edited ‎04-02-2012 10:22 PM

This article will show you a few short steps to enroll an Android device. 

 

 

  • Once the device has been enrolled, it's time to validate the settings on your device

This short video shows where to validate the settings 

 

This short video shows you an example of how to configure devices to prompt for a passcode before they can be used.

 


Raman

How to: Add Group Policy templates to GPMC

by Centrify on ‎02-13-2012 12:30 PM

  • On the host where Cloud Management Suite was installed, if the default options were selected then the installer would have also installed the Group Policy templates that can be used with GPMC.
  • Make sure GPMC is installed on the machine as well. 
  • This video shows you how to import the templates so that you can start using the settings through Group Policies

 


Raman

How to: Enroll a Mobile Device

by Centrify ‎02-13-2012 12:22 PM - edited ‎02-13-2012 12:22 PM

  • Once you have defined a group of mobile users in Active Directory, the users need to enroll their mobile devices (iPhones or iPads).
  • Ensure that cookies are enabled for the device. Refer to the instructions on how to enable cookies for Safari on your mobile devices here
  • Users need to open https://cloud.centrify.com from their devices and click on the "Enroll Your Phone or Tablet Now" button
  • You will need the Customer ID for your organization, check with your IT team to get the ID.
  • Go through the install on your device.

 


Raman

How to: Configuring the Centrify Cloud Proxy Server

by Centrify ‎02-13-2012 11:43 AM - edited ‎02-13-2012 03:57 PM

Once the Cloud Management Suite has been installed, the server needs to be configured to make sure the Centrify Cloud Proxy Server is installed correctly and the service is running. 

 

Here is a short video to show the settings on the server. Also refer to Page 12, section "Configuring the Centrify Cloud Proxy Server" in the Evaluation guide for "Direct Control for Mobile" for additional details.

 

This video shows how to install the Centrify Cloud Proxy Server, which connects your Active Directory to the Centrify Cloud Service, on a host in your environment. You are also installing Centrify extensions to your standard Windows management tools.

 


On what ports does the Centrify cloud proxy server talk to the Centrify cloud service


Raman

How to enable cookies on your iPhone / iPad for Safari

by Centrify ‎02-13-2012 09:38 AM - edited ‎02-13-2012 01:14 PM

When trying to enroll your iPhone or iPad, your device ends up with a failure during the enrollment process that says "You appear to have cookies disabled. Cookie support is required for enrollment, please enable before continuing"