Last week, I posted a document on how to configure User Suite to enroll devices for PKI authentication. Today we'll follow that up with a quick how-to on enabling Exchange ActiveSync with PKI Authentication.
Enabling PKI Enrollment with Centrify User Suite
With Centrify User Suite you can enable mobile devices to request a certificate for PKI authentication to WiFi networks and/or Exchange ActiveSync. The certificates are requested from the existing CA attached to your Active Directory, and can be used on both iOS and supported Android devices.
Why should organizations use PKI based authentication?
Using certificates for authentication is much more secure than the standard username and password scheme. Users must have the proper certificate installed on the device in order to access corporate services such as WiFi and Exchange ActiveSync. These certificates are stored in protected “keyrings” on the device, and in many cases in a hardware-backed keystore that prevents the certificates from being tampered with or extracted without proper approval.
Another advantage of using certificates is that the user no longer needs to remember and enter a password to access corporate services requiring PKI based authentication. Better security, and better user experience.
Using Centrify User Suite with Microsoft Certificate Services
Set-up CA server for auto-enrollment
The following steps assume you have a working Certificate Services role within your domain. If you do not, follow this article to set up a CA first: http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx
This document describes creating two certificate templates for use in device enrollment: a User certificate for Exchange/S/MIME use, and a Computer certificate for device authentication to WiFi networks.
Active Directory Configuration
In Active Directory Group Policy Management snap-in,
- Right click Default Domain Policy
- Select Edit to open the Group Policy Management Editor
In the Group Policy Management Editor snap-in, go to “User Configuration” container
- Expand Policies
- Expand Windows Settings
- Expand Security Settings
- Select Public Key Policy
On the right pane, double click on Certificate Services Client Certificate Enrollment
Change the policy to “Enabled”. Keep the other settings at their defaults and click “OK” to save.
Do the same for “Computer Configuration” policy.
Windows Server CA Configuration
In Certification Authority snap-in,
- Right click Certificate Templates
- Select Manage
In Certificate Templates Console snap-in,
- Right click on User template
- Select Duplicate Template
- Choose Windows Server 2003 Enterprise and click OK
- In the General tab, fill in the information as follows:
Template display name / Template name: User-ClientAuth
- In Security tab, make sure Domain Users has the Enroll permissions set.
In the Subject Name tab, click the “Supply in the request” radio button.
Duplicate the “Computer” certificate template, name it “Computer-ClientAuth”, and apply the same settings as above.
In Certification Authority snap-in,
- Select “Certificate Templates”
- Right-click and select “New->Certificate Template to Issue”
- Select the newly created User-ClientAuth template and click OK
- Do the same for the Computer-ClientAuth template
Centrify Cloud Proxy Configuration
- Open the Centrify Cloud Proxy Configuration tool, and select the Mobile Settings Tab
- Make sure the CA configured above is the one selected
User and Computer certificates are now configured for deployment to mobile devices, and can be used for further policy involving Microsoft ActiveSync and/or WiFi profiles. If a policy is created that requires the use of certificates, the devices will automatically request and enroll certificates.
You can then go back to the Certificate Authority tool, and check to make sure certificates are generated for mobile devices, under “Issued Certificates”.
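As an added check (example code, not part of the original post or a Centrify tool), the script below confirms that the two templates created above are published on the CA and reports the settings that matter most: the Client Authentication EKU, the “Supply in the request” flag, and who holds the Enroll permission. It assumes the ActiveDirectory RSAT module and certutil.exe are available on the machine it runs on, and that the template names are the ones used in this document.

```powershell
# Added example: report the state of the User-ClientAuth / Computer-ClientAuth templates.
# Assumes RSAT ActiveDirectory module + certutil.exe (run on a domain-joined admin host).
Import-Module ActiveDirectory

function Get-ClientAuthTemplateReport {
    param([string[]]$TemplateName = @('User-ClientAuth', 'Computer-ClientAuth'))

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # Templates the CA is configured to issue; each line is "TemplateName: DisplayName ..."
    $published = certutil -CATemplates | ForEach-Object { ($_ -split ':')[0].Trim() }

    $enrollRight   = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'  # Certificate-Enrollment extended right
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'                              # Client Authentication EKU
    $supplySubject = 0x1   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = the "Supply in the request" radio button

    foreach ($name in $TemplateName) {
        $t = Get-ADObject -SearchBase $templateContainer -Filter "name -eq '$name'" `
                -Properties 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage, nTSecurityDescriptor
        if (-not $t) { Write-Warning "Template $name not found in AD"; continue }

        # Identities explicitly allowed the Enroll right on this template
        $enrollers = $t.nTSecurityDescriptor.Access |
            Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
            Select-Object -ExpandProperty IdentityReference

        [pscustomobject]@{
            Template         = $name
            PublishedOnCA    = $published -contains $name
            ClientAuthEku    = $t.pKIExtendedKeyUsage -contains $clientAuthOid
            SupplyInRequest  = ($t.'msPKI-Certificate-Name-Flag' -band $supplySubject) -ne 0
            EnrollPermission = ($enrollers -join ', ')
        }
    }
}

Get-ClientAuthTemplateReport | Format-Table -AutoSize
```

A template that shows SupplyInRequest = True with a broad group such as Domain Users in EnrollPermission lets any member request a certificate for a subject name of their choosing, so restrict Enroll to the account that performs device enrollment, or require CA certificate manager approval, and review “Issued Certificates” for requests that did not come from mobile devices.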
See the Centrify documentation for configuration guides for PKI authentication for ActiveSync and WiFi.
Greetings Community Members!
Did you know that Centrify for Mobile has a free online help reference available for all Centrify users? We're proud to offer a complete online reference for administering settings and devices in the Cloud Manager as well as an easy to read reference for end users when accessing the MyCentrify user portal.
A complete Application Configuration reference is also available for Centrify for SaaS (see below).
Administrators will find the online reference helpful as specific topics can be linked directly and provided to end-users. The guide can also be exported to PDF for offline viewing.
To access the online help, select it from the drop-down menu in either the Cloud Manager or MyCentrify user portals:
Centrify for SaaS also offers its own detailed Application Configuration online reference to assist Administrators with quickly adding and configuring web and mobile apps. Each App available within the Cloud Manager offers 1-click access to specific help for that particular app or app type:
It may be helpful to bookmark the below links to access the online help directly:
APNS Renewal – don’t let your APNS certificate expire!
Greetings Community Members! The one year anniversary of APNS integration with Centrify for Mobile is quickly approaching and I wanted to provide some information regarding renewal of APNS certificates to avoid any loss in functionality for iOS and OS X devices.
When a new APNS certificate is created and issued by Apple, it comes with an expiration date exactly one year from the date of creation. The current APNS certificate in use must be renewed and uploaded into the Cloud Manager prior to expiration in order to continue management of currently enrolled iOS and OS X devices. If the certificate is allowed to expire, a new certificate must be created and all iOS devices will need to re-enroll in order to restore MDM functionality. APNS configuration applies to Apple iOS and OS X only; it does not apply to Android devices.
You can verify your current certificate expiration from the Cloud Manager under Settings > APNS Certificate. In this example, the certificate will expire on October 11, 2013 @ 6:55pm
To renew the APNS certificate, follow the steps below
- Login to the Cloud Manager (cloud.centrify.com/manage) and select Settings from the top menu then APNS Certificates
- Select the Generate Request button and download the MDM_csr.pem file when prompted
- Login to the Apple Push Certificates Portal at https://identity.apple.com/pushcert - a valid Apple ID is required for login
- After login, the Manage Certificates page should be displayed. Locate the certificate that matches the expiration date displayed in the Cloud Manager
The below example shows the matching certificate is set to expire on October 11, 2013
- Select the Renew button on the matching certificate and upload the MDM_csr.pem file downloaded in Step 2 above when prompted. DO NOT SELECT REVOKE!!
- After the certificate has been updated and a new expiration date is displayed in the Apple Manage Certificates page, select the Download button and save the new MDM_ Centrify Corporation_Certificate.pem file when prompted
- In the Cloud Manager APNS settings, select the Upload Apple Response button and upload the new MDM_ Centrify Corporation_Certificate.pem file
- After refreshing the Cloud Manager, the new APNS expiration should now be displayed
The updated expiration date of the renewed certificate now displays October 11, 2014 in the below example. The actual expiration will be determined by the date when the new certificate is created by Apple
After renewing and uploading the new certificate into the Cloud Manager, be sure to test MDM functions and iOS device enrollment to ensure everything is working as expected.
If you have enrolled iOS devices, it is necessary to set up an APNS Certificate so that you can enroll iOS devices and ensure connectivity. For details on how to set up the APNS Certificate refer to this video.
Apple only issues certificates that are valid for 1 year from the time of issue. It is important to renew this certificate every year before the expiry date; otherwise your iOS devices will not communicate with the Centrify Cloud Service.
To check the current expiry date, follow the steps below and take action to ensure the validity of your certificate.
1. Login to "Cloud Manager" - https://cloud.centrify.com/manage
2. Go to Settings
3. Click on APNS Certificate
4. On the top you will see the "Current Expiry Date"
5. To renew your certificate visit https://identity.apple.com/pushcert and follow the steps.
Additional info can also be found in the Administrators Guide on page 41
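To catch the expiry described in the two posts above before devices drop off management, here is an added example (not part of the original posts or the Cloud Manager) that reads the certificate .pem downloaded from the Apple portal and reports how many days remain. It assumes the file is a PEM-encoded X.509 certificate and that the path and the 30-day warning threshold are placeholders you adjust.

```powershell
# Added example: report remaining validity of the APNS certificate downloaded from Apple.
# Assumes the .pem is a PEM (base64) X.509 certificate; the path below is a placeholder.
function Test-ApnsCertificateExpiry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WarnDays = 30   # start warning a month before the one-year validity ends
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $remaining = $cert.NotAfter - (Get-Date)

    # Expired means a new certificate and re-enrollment of every iOS device (see above),
    # so treat the warning window as the point at which to start the renewal steps.
    $status = if ($remaining.TotalDays -le 0)          { 'EXPIRED - new certificate and device re-enrollment required' }
              elseif ($remaining.TotalDays -le $WarnDays) { 'RENEW NOW' }
              else                                         { 'OK' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        DaysRemaining = [math]::Floor($remaining.TotalDays)
        Status        = $status
    }
}

# Placeholder path: substitute the file you saved from the Apple Push Certificates Portal
Test-ApnsCertificateExpiry -Path '.\MDM_ Centrify Corporation_Certificate.pem' -WarnDays 30
```

Run it from a scheduled task and compare NotAfter with the date shown under Settings > APNS Certificate in the Cloud Manager; a mismatch means the renewed certificate was never uploaded.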
This short video will show how to configure the Group Policy and set up Exchange ActiveSync for Touchdown on Android.
In order for the Centrify Cloud Service to communicate securely with your enrolled iOS devices, you need an Apple Push Notification Service (APNS) SSL certificate signed by both Centrify and Apple. An APNS cert is required before you can enroll iOS devices. This step is not required if you intend to enroll only Android devices.
For the Beta3 release the Android Mobile Manager has to be upgraded. Please follow the steps to ensure a smooth upgrade for your Android device.
Step 1: Unenroll your device
1. Launch the Mobile Manager on your Android
2. Once you see the main screen, on the top right hand corner click on “Menu”
3. Click on “Settings” under “Menu”
4. In the settings option, click on “Unenroll”
5. Once the operation completes, the “Unenroll” option is no longer shown, which indicates that it completed successfully (as shown below)
Step 2: Delete the existing Centrify Mobile Manager App
1. On your Android device under "Applications", select "Manage Applications"
2. Locate the "Centrify Mobile Manager" and click on the same
3. Once the "Application Info" screen shows the Centrify Mobile Manager app, click on "Uninstall" to remove the app
4. Click "OK" when prompted to uninstall the app
Step 3: Download and Install the new Centrify Mobile Manager App
Visit the cloud portal at – http://cloud.centrify.com from your Android device and click on the “Enroll Your Android Now”
Refer to the earlier posting on "How to: Enroll Android Devices" to Install the new App ( Beta3 )
Step 4: Enroll your device again
Refer to the earlier posting on “How to: Enroll Android Devices” and continue from Step 4 to complete the enrollment
- Once the device has been enrolled, it's time to validate the settings on your device
This short video shows where to validate the settings
This short video shows you an example of how to configure a passcode prompt so that users must set a passcode before they can use the device.
- On the host where Cloud Management Suite was installed, if the default options were selected, the installer will also have installed the Group Policy templates that can be used with GPMC.
- Make sure GPMC is installed on the machine as well.
- This video shows you how to import the templates so that you can start using the settings through Group Policies
- Once you have defined a group of mobile users in Active Directory, the users need to enroll their mobile devices (iPhones or iPads).
- Ensure that cookies are enabled for the device. Refer to the instructions on how to enable cookies for Safari on your mobile devices here
- Users need to open https://cloud.centrify.com from their devices and click on the "Enroll Your Phone or Tablet Now" button
- You will need the Customer ID for your organization, check with your IT team to get the ID.
- Go through the install on your device.
How to: Install the Centrify Cloud Proxy Server on your host machine (Installing Cloud Management Suite)
This video shows how to install the Centrify Cloud Proxy Server, which connects your Active Directory to the Centrify Cloud Service, on a host in your environment. You are also installing Centrify extensions to your standard Windows management tools.
On what ports does the Centrify Cloud Proxy Server talk to the Centrify Cloud Service?
When trying to enroll your iPhone or iPad, your device ends up with a failure during the enrollment process that says "You appear to have cookies disabled. Cookie support is required for enrollment, please enable before continuing"