Last week, I posted a document on how to configure User Suite to enroll devices for PKI authentication. Today we'll follow that up with a quick how-to on enabling Exchange ActiveSync with PKI Authentication.
With Centrify User Suite you can enable mobile devices to request a certificate for PKI authentication for WiFi networks and/or Exchange ActiveSync. The certificates are requested from your existing CA attached to your Active Directory, and can be used on both iOS and (supported) Android devices.
Using certificates for authentication is much more secure than the standard username and password scheme. Users must have the proper certificate installed on the device in order to access corporate services such as WiFi and Exchange ActiveSync. These certificates are stored in very secure “keyrings” on the device, and in many cases in a hardware-secured device that thwarts tampering with or removing the certificates without proper approval.
Another advantage of using certificates is that the user no longer needs to remember and enter a password to access corporate services requiring PKI-based authentication. Better security, and better user experience.
The following steps assume you have a working certificate services role/service within your domain. If you do not, please follow the article for setting up a CA. http://technet.microsoft.com/en-us/library/cc77239
This document describes creating two certificates for use in device enrollment: a User certificate for Exchange/S/MIME use, and a Computer certificate for device authentication into WiFi networks.
In Active Directory Group Policy Management snap-in,
In the Group Policy Management Editor snap-in, go to the “User Configuration” container.
In the right pane, double-click on Certificate Services Client Certificate Enrollment.
Change the policy to “Enabled”. Keep the others as default, and click “OK” to save it.
Do the same for “Computer Configuration” policy.
In Certification Authority snap-in,
In Certificate Templates Console snap-in,
In Template display name
Template Name: User-ClientAuth
In the Subject Name tab, click the “Supply in the request” radio button.
Duplicate the “Computer” certificate template, and name it “Computer-ClientAuth”, and set the same settings as above.
In Certification Authority snap-in,
User and Computer certificates are now configured for deployment to mobile devices, and can be used for further policy involving Microsoft ActiveSync and/or WiFi profiles. If a policy is created that requires the use of certificates, the devices will automatically request and enroll certificates.
You can then go back to the Certificate Authority tool, and check to make sure certificates are generated for mobile devices, under “Issued Certificates”.
See the Centrify documentation for configuration guides for PKI authentication for ActiveSync and WiFi.
Greetings Community Members!
Did you know that Centrify for Mobile has a free online help reference available for all Centrify users? We're proud to offer a complete online reference for administering settings and devices in the Cloud Manager as well as an easy-to-read reference for end users when accessing the MyCentrify user portal.
A complete Application Configuration reference is also available for Centrify for SaaS (see below).
Administrators will find the online reference helpful as specific topics can be linked directly and provided to end-users. The guide can also be exported to PDF for offline viewing.
To access the online help, select it from the drop-down menu in either the Cloud Manager or MyCentrify user portals:
Centrify for SaaS also offers its own detailed Application Configuration online reference to assist Administrators with quickly adding and configuring web and mobile apps. Each App available within the Cloud Manager offers 1-click access to specific help for that particular app or app type:
It may be helpful to bookmark the below links to access the online help directly:
APNS Renewal – don’t let your APNS certificate expire!
Greetings Community Members! The one year anniversary of APNS integration with Centrify for Mobile is quickly approaching and I wanted to provide some information regarding renewal of APNS certificates to avoid any loss in functionality for iOS and OS X devices.
When a new APNS certificate is created and issued by Apple, it comes with an expiration date exactly one year from the date of creation. The current APNS certificate in use must be renewed and uploaded into the Cloud Manager prior to expiration in order to continue management of currently enrolled iOS and OS X devices. Failure to renew the certificate before it expires will require a new certificate to be created, and all iOS devices will need to re-enroll in order to restore MDM functionality. APNS configuration is specific to Apple iOS and OS X only; it does not apply to Android devices.
You can verify your current certificate expiration from the Cloud Manager under Settings > APNS Certificate. In this example, the certificate will expire on October 11, 2013 @ 6:55pm.
To renew the APNS certificate, follow the steps below.
The below example shows the matching certificate is set to expire on October 11, 2013.
The updated expiration date of the renewed certificate now displays October 11, 2014 in the below example. The actual expiration will be determined by the date when the new certificate is created by Apple.
After renewing and uploading the new certificate into the Cloud Manager, be sure to test MDM functions and iOS device enrollment to ensure everything is working as expected.
If you have enrolled iOS devices, it is necessary to set up an APNS certificate so that you can enroll iOS devices and ensure connectivity. For details on how to set up an APNS certificate, refer to this video.
Apple only issues certificates that are valid for 1 year from the time of issue. It is important to ensure that you renew this certificate every year before the expiry date; otherwise your iOS devices will not communicate with the Centrify Cloud Service.
To check the current expiry date, follow the steps below and take steps to ensure the validity of your certificate.
1. Log in to "Cloud Manager" - https://cloud.centrify.com/manage
2. Go to Settings
3. Click on APNS Certificate
4. On the top you will see the "Current Expiry Date"
5. To renew your certificate visit https://identity.apple.com/pushcert and follow the steps.
Additional info can also be found in the Administrators Guide on page 41.
This short video will show how to configure the Group Policy and set up Exchange ActiveSync for Touchdown on Android.
In order for the Centrify Cloud Service to communicate securely with your enrolled iOS devices, you need an Apple Push Notification Service (APNS) SSL certificate signed by both Centrify and Apple. An APNS cert is required before you can enroll iOS devices. This step is not required if you intend to enroll only Android devices.
For the Beta3 release the Android Mobile Manager has to be upgraded. Please follow the steps to ensure a smooth upgrade for your Android device.
Step 1: Unenroll your device
1. Launch the Mobile Manager on your Android
2. Once you see the main screen, on the top right hand corner click on “Menu”
3. Click on “Settings” under “Menu”
4. In the settings option, click on “Unenroll”
5. Once this operation completes you will not see the “Unenroll” option, which indicates the operation completed successfully (as shown below)
Step 2: Delete the existing Centrify Mobile Manager App
1. On your Android device under "Applications", select "Manage Applications"
2. Locate the "Centrify Mobile Manager" and click on it
3. Once the "Application Info" screen shows the Centrify Mobile Manager app, click on "Uninstall" to remove the app
4. Click "OK" when prompted to uninstall the app
Step 3: Download and Install new Centrify Mobile Manager App
Visit the cloud portal at http://cloud.centrify.com from your Android device and click on “Enroll Your Android Now”.
Refer to the earlier posting on "How to: Enroll Android Devices" to install the new App (Beta3).
Step 4: Enroll your device again
Refer to the earlier posting on “How to: Enroll Android Devices” and continue from Step 4 to complete the enrollment.
This short video shows where to validate the settings.
This short video shows you an example of how to configure devices to prompt for a passcode before they can be used.
Once the Cloud Management Suite has been installed, the server needs to be configured to make sure the Centrify Cloud Proxy Server is installed correctly and the service is running.
Here is a short video to show the settings on the server. Also refer to Page 12, section "Configuring the Centrify Cloud Proxy Server" in the Evaluation guide for "Direct Control for Mobile" for additional details.
This video shows how to install the Centrify Cloud Proxy Server, which connects your Active Directory to the Centrify Cloud Service, on a host in your environment. You are also installing Centrify extensions to your standard Windows management tools.
On what ports does the Centrify cloud proxy server talk to the Centrify cloud service?
When trying to enroll your iPhone or iPad, your device ends up with a failure during the enrollment process that says "You appear to have cookies disabled. Cookie support is required for enrollment, please enable before continuing"