Matrix42 Self-Service Help Center

Android I: Add Certification Authority and Assign Certificates

Identity Certificates without Active Directory Object

This guide demonstrates how to generate individual user certificates without adding them to the corresponding Active Directory User Object. Within this guide, we will deploy certificates to managed devices with an Exchange ActiveSync and a Wi-Fi Profile. If your devices are running Android Enterprise, please refer to Android III: Certificate Profile for VPN and Apps, rather use the Managed Configuration for the Exchange ActiveSync configuration of your application (e.g. Gmail or Samsung Mail), and deploy the certificate(s) via the Certificate Profile. In that case, you will be redirected back to this guide for the creation and issuing of the User Certificate Template. For Wi-Fi profiles on Android Enterprise, you can follow this guide and later create only a Wi-Fi Profile to distribute certificates that will not be assigned to Active Directory User Objects. If you want to distribute certificates for Wi-Fi profiles and assign them to User Objects, please refer to Android II: Assign Certificates to Active Directory User Objects.

Prerequisites

  • Certification Authority Server needs the following roles configured
    • Certification Authority
  • Certification Authority and Silverback Server are joined to the same Active Directory Domain
  • When using a Cloud Connector to connect to a Cloud Based Environment, it is the Cloud Connector Computer Object that needs to be Domain Joined.
  • Silverback or Cloud Connector Computer Object is added to the Silverback Mobile Device Manager group

The Silverback Enterprise Device Management group will gain access to the created templates on the Certification Authority.

  • An enrolled Android or Samsung Knox device 

Certificate Authority

Create User Certificate Template

  • Log into your Certification Authority server
  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the Configuration Tree on the Right until the Certificate Templates section is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click User in the middle pane
  • Click Duplicate Template
    • When the Certificate Authority is running on Windows Server 2008 R2, you will be prompted to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK

General

  • Navigate to General
  • Enter as Template Display Name: Silverback User
  • Enter as Template name: SilverbackUser (will be filled automatically)
  • Uncheck Publish certificate in Active Directory

Request Handling

  • Navigate to Request Handling
  • Make sure that the configuration is the following:
    • Purpose: Signature and encryption
    • Include symmetric algorithms allowed by the subject is enabled
    • Allow private key to be exported is enabled
    • Enroll subject without requiring any user input is selected

Subject Name

  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm

Issuance Requirements

  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked

Extensions

  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encrypting File System
  • Click Remove
  • Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) must remain included.

Security

  • Navigate to Security
  • Select Authenticated Users
  • Ensure that Read Permissions are enabled
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Select Domain Users
  • Click Remove

Review the other users or groups listed and consider reducing their permissions as well. At least one administrative account should keep Read and Write permissions so that the Template settings can be adjusted in the future.

  • Click OK to finish Template Configuration
  • Close Certificate Templates Console window

Issue Certificate Templates

  • Navigate to Certification Authority window
  • Right Click Certificate Templates in the left panel
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback User
  • Click OK
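The following PowerShell script is an added check, not part of the original guide or the Silverback product: run in an elevated PowerShell on the Certification Authority, it prints the Config value the Silverback console asks for, confirms the template is issued, and compares the template's flag bits, EKU OIDs and Enroll permissions in Active Directory with the settings configured above. It assumes the template name SilverbackUser from this guide and the ActiveDirectory PowerShell module.

```powershell
Import-Module ActiveDirectory

$TemplateName    = 'SilverbackUser'                                 # name used in this guide (assumption)
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# 1. The CA config string Silverback asks for; "certutil -dump" prints it on its "Config:" line.
$configLine = (certutil -dump | Select-String 'Config:' | Select-Object -First 1).Line
$caConfig   = ($configLine -replace '.*Config:\s*', '').Trim(" ``'")
Write-Output "CA config string for the Silverback console: $caConfig"

# 2. Confirm the template is issued by this CA ("certutil -CATemplates" lists one template per line).
$issued = (certutil -CATemplates) -match "^$TemplateName\b"
Write-Output ("Template issued by this CA: {0}" -f [bool]$issued)

# 3. Read the template object from the configuration partition and compare its flag bits
#    (MS-CRTD names) and EKU OIDs with the settings this guide asks for.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$dn    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag', 'pKIExtendedKeyUsage'
$tpl   = Get-ADObject -Identity $dn -Properties $props
$checks = [ordered]@{
    'Subject supplied in request (ENROLLEE_SUPPLIES_SUBJECT)'      = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
    'No CA certificate manager approval (PEND_ALL_REQUESTS)'       = ($tpl.'msPKI-Enrollment-Flag' -band 0x2) -eq 0
    'Not published in Active Directory (PUBLISH_TO_DS)'            = ($tpl.'msPKI-Enrollment-Flag' -band 0x8) -eq 0
    'Symmetric algorithms included (INCLUDE_SYMMETRIC_ALGORITHMS)' = ($tpl.'msPKI-Enrollment-Flag' -band 0x1) -ne 0
    'Private key exportable (EXPORTABLE_KEY)'                      = ($tpl.'msPKI-Private-Key-Flag' -band 0x10) -ne 0
    'Client Authentication EKU present'                            = $tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2'
    'Secure Email EKU present'                                     = $tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.4'
    'Encrypting File System EKU removed'                           = $tpl.pKIExtendedKeyUsage -notcontains '1.3.6.1.4.1.311.10.3.4'
}
foreach ($name in $checks.Keys) {
    Write-Output ('{0,-62} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'CHECK' }))
}

# 4. Enroll permissions: after the Security tab steps only the Silverback group (plus administrators)
#    should hold Enroll, since this template lets the requester choose the subject name.
$enrollers = (Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ObjectType -eq $EnrollRightGuid -or $_.ActiveDirectoryRights.HasFlag($GenericAll)) } |
    Select-Object -ExpandProperty IdentityReference -Unique
Write-Output "Principals allowed to enroll: $($enrollers -join ', ')"
foreach ($p in $enrollers) {
    if ("$p" -match 'Domain Users|Authenticated Users|Everyone') { Write-Warning "Enroll still granted to $p" }
}
```

A line marked CHECK means the template differs from the settings described in this guide; a warning means the Security tab cleanup (removing Domain Users) has not taken effect.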

Silverback

Add Certification Authority

  • Open your Silverback Management Console
  • Log in as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Corporate Certification Authority in the following format:
    • ca.imagoverum.com\domain-server-CA

Open a command prompt on your Certification Authority, run certutil, press Enter and take the value shown as Config.

  • Under Templates enter your previously issued User Certificate Template Name:
    • e.g. SilverbackUser

Do not add a Template here that has Publish certificate in Active Directory enabled, as configured in Android II: Assign Certificates to Active Directory User Objects. Templates with the Publish to Active Directory option enabled are only valid in Wi-Fi Profiles in combination with the enabled Populate into Active Directory Wi-Fi Authentication setting.

  • Click Save
  • Confirm with OK

From now on, Silverback will generate a certificate for every assigned Exchange ActiveSync Profile.

Additional Tasks with Cloud Connector

If you are running Silverback with the Cloud Connector, please perform the following additional tasks:

  • Navigate to Cloud Connector
  • Ensure that Send LDAP requests through Tunnel is enabled
  • Ensure that Request Client Certificates through Tunnel is enabled
  • Press Save
  • Restart your Cloud Connector Services on your Cloud Connector Server

Additional Tasks for On-Premise Installations without Cloud Connector

  • Run PowerShell with elevated privileges on your Silverback Server
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User

  • Logout as Settings Administrator
  • Login as Administrator

Passcode Configuration

Android and Samsung Knox devices need to be secured with a configured lock screen to work properly with certificates. In any case, it should be your default policy that devices are secured with a passcode. In this guide we will create a new Passcode Tag, but you can use any other tag already existing in your company. What matters in the end is that your devices have a proper passcode set. If not, Companion will force the user to create a screen lock type with the lowest accepted security type (Swipe) before profiles are applied to the device.

Create a new Passcode Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. Password Policy
    • Enter as description e.g. Password Policy for any Certificate Based Authentication (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device type, e.g. Samsung Knox
    • Click Save

Create a new Passcode Profile

  • Navigate to Profile
    • Navigate to Passcode
    • Enable Passcode Settings
    • Select at least Numeric as Quality
    • Keep or change the minimum length (optional)
    • Adjust Maximum Passcode Age (optional)
    • Adjust Auto-lock in minutes (optional)
    • Enforce passcode history (optional)
    • Change Maximum Failed Attempts to a suitable value, e.g. 5 or 10 or keep 0 for deactivated
    • Click Save
    • Confirm with OK
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK
  • Check your Device
    • If not already present, you should now configure your screen unlock settings
    • Choose e.g. PIN and create one for the device
    • Proceed with next chapter

Exchange Active Sync

Before you start creating an Exchange Active Sync configuration for your devices, please check the following support matrix for Exchange Active Sync on Android devices.

Platform / Management Type
  • Android
    • Legacy Management: not supported
    • Android Enterprise Device Owner: Gmail
    • Android Enterprise Work Profile: Gmail
  • Samsung Knox
    • Legacy Management: Samsung Mail
    • Android Enterprise Device Owner: Samsung Mail, Gmail
    • Android Enterprise Work Profile: Gmail

For Active Sync, we recommend using the new approach: configure your Email applications via Managed Configurations on Android Enterprise and deploy certificates separately with a Certificate Profile. Please refer to Android III: Certificate Profile for VPN and Apps for additional information.

Create a new Exchange ActiveSync Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. Samsung Exchange ActiveSync
    • Enter as description e.g. Exchange with certificate based authentication (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device, e.g. Samsung Knox
    • Click Save

Create Exchange ActiveSync Profile

  • Navigate to Profile
    • Navigate to Exchange ActiveSync
    • Click Edit to configure the blank profile
    • Click Enabled
    • Depending on your configuration, you will see one of two different views here
      • With Android Enterprise you can choose Gmail or Samsung Mail as Exchange Type
        • Please ensure that your users have either Gmail or Samsung Mail installed on their device
        • On some devices and OS versions the applications may not be pre-installed
      • Without Android Enterprise Integration, Samsung Mail is used by default
        • Please ensure that your users have Samsung Mail installed on their device
        • On some devices and OS versions Samsung Mail is not pre-installed, or the user skipped the installation
    • Depending on your configuration and preferred E-Mail application choose either Gmail or Samsung Mail as Exchange Type
    • Enter a Label Name: e.g. Imagoverum Exchange
    • Enter a Server Name: e.g. mail.imagoverum.com
    • Enable Use SSL
    • Configure Additional Settings
    • Click Save
    • Confirm with OK
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

Check Email Profile

  • When Samsung Mail has been selected as Exchange Type
    • You will receive a new notification about "New email Account"
    • Open the notification
    • Allow all permissions and agree with all requested policies
    • You should now be logged in and should receive Emails
  • When Gmail has been selected as Exchange Type
    • Just open the application on the device
    • Allow all permissions and agree with all requested policies
    • You should now be logged in and should receive Emails

Check Installed Certificates

  • On your device open Settings
  • Navigate to Biometrics and security
  • Open Other Security Settings
  • Select User certificates
  • You should see a listed certificate from your Certification Authority

Check Certification Authority

  • Go back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser Template
    • If you have assigned 2 or more Exchange ActiveSync Profiles to your device, you will see multiple created certificates

Best practices for Troubleshooting

  • Check if required Gmail or Samsung Mail application is installed on the device
  • Check if you have assigned the correct device or if your auto-population settings are insufficient
  • Check if a screen lock type is applied
  • Recheck your Tag Configuration
  • Open companion on device and perform a manual refresh
  • Open Device Information and refresh device from Console
  • Open under Actions the Pending Commands List and check for Errors on InstallProfile Request Type
  • Try to update Gmail or Samsung Mail to a newer version
  • Review general log files

Wireless Local Area Network

Create Wireless Local Area Network Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. Samsung Wi-Fi Corporate
    • Enter as description e.g. WiFi with certificate based authentication (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device, e.g. Samsung Knox
    • Click Save

Create Wireless Local Area Network Profile

This section describes a basic configuration of a Wi-Fi Profile to check whether the certificate distribution is working properly. We recommend contacting your Wi-Fi Administrator to review additional required settings, options and trusts. Please refer to WPA Enterprise Settings for Apple and Android Enterprise for additional information.

  • Navigate to Profile
    • Navigate to Wi-Fi
    • Click New Wi-Fi profile
    • Configure General Settings
      • Enable Wi-Fi settings
      • Enter your SSID, e.g. Imagoverum Wi-Fi
      • Select as Security Type WPA2 Enterprise
      • Enable Hidden Network (optional)
    • Configure Protocol Settings
      • Select your individual EAP Type
    • Configure Authentication Settings
      • Select Individual Client Certificate as Certificate Type
      • Enter as Individual Client Certificate subject e.g. u_{firstname}.{lastname}_WiFi
    • Save your configuration
      • Click Save
      • Click Yes

Ensure that you use a subject name that matches the minimum requirements of your RADIUS Server, e.g. rather use {UserName} or {UserEmail}.

  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open Settings
    • Navigate to Biometrics and security
    • Open Other Security Settings
    • Select User certificates
    • You should see a listed certificate from your Certification Authority
      • e.g. u_Tim.Tober_WiFi

Check Certification Authority

  • Go back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser Template
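For both Check Certification Authority steps (Exchange ActiveSync and Wi-Fi), the following PowerShell script is an added example, not part of the original guide or the Silverback product: it queries the CA database for certificates issued from the template and groups them by requester, so that any requester other than the Silverback account stands out. It assumes the template name SilverbackUser from this guide, the ActiveDirectory module, and the placeholder requester account DOMAIN\SILVERBACK$.

```powershell
Import-Module ActiveDirectory

$TemplateName      = 'SilverbackUser'        # template name used in this guide (assumption)
$ExpectedRequester = 'DOMAIN\SILVERBACK$'    # placeholder: your Silverback or Cloud Connector computer account

# The CA database records v2+ templates by OID, so resolve the name in the configuration partition first.
$cfgNc  = (Get-ADRootDSE).configurationNamingContext
$dn     = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$tplOid = (Get-ADObject -Identity $dn -Properties 'msPKI-Cert-Template-OID').'msPKI-Cert-Template-OID'

# Disposition 20 = issued. RequesterName is listed first so it becomes the first CSV column.
# The trailing "CertUtil: ... completed successfully." status line is dropped before parsing.
$rows = @(certutil -view -restrict "CertificateTemplate=$tplOid,Disposition=20" -out 'RequesterName,CommonName,NotAfter' csv |
    Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
    ConvertFrom-Csv)
if (-not $rows) { Write-Output "No certificates issued from $TemplateName yet"; return }

# Group by requester: every requester other than the Silverback account should be investigated.
$requesterColumn = @($rows[0].PSObject.Properties.Name)[0]
$rows | Group-Object -Property $requesterColumn | ForEach-Object {
    $status = if ($_.Name -ieq $ExpectedRequester) { 'expected' } else { 'UNEXPECTED requester' }
    '{0,-40} {1,5} certificate(s)  {2}' -f $_.Name, $_.Count, $status
}

# Show the subjects and expiry so the per-profile certificates described above can be matched up.
$rows | Format-Table -AutoSize
```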

Device Overview

  • Navigate back to Silverback Management Console
  • Navigate to Devices > Managed
  • Open your recently enrolled devices
  • Press Refresh
  • Scroll down to Certificate List
  • You should now see two assigned certificates listed
  • Please note the following table of supported certificate listings in the device overview

Platform / Management Type
  • Android
    • Legacy Management: not supported
    • Android Enterprise Device Owner: User Certificates, Certificate Trust Certificates
    • Android Enterprise Work Profile: Certificate Trust Certificates
  • Samsung Knox
    • Legacy Management: User Certificates, Certificate Trust Certificates
    • Android Enterprise Device Owner: User Certificates, Certificate Trust Certificates
    • Android Enterprise Work Profile: Certificate Trust Certificates