Android I: Add Certification Authority and Assign Certificates
Identity Certificates without Active Directory Object
This part shows how to generate certificates for devices without adding them in the corresponding user Active Directory User Object.
Prerequisites
- Certification Authority Server needs the following configured roles
- Certification Authority
- Configured HTTPS Authentication for Certification Authority Web site (IIS Binding for Default Web Site)
- Certification Authority and Silverback Server are joined to the same Active Directory Domain
- When using a Cloud Connector to connect to a Cloud Based Environment, then it is the Cloud Connector Object that needs to be Domain Joined.
- Silverback Computer Object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management group
Silverback Enterprise Device Management Group will gain access to created templates on the Certification Authority.
- An enrolled Android or SamsungSafe device
Certificate Authority
Create User Certificate Template
- Log into your Certification Authority server
- Open the Certification Authority MMC snap-in.
- Choose from Server Manager > Tools > Certification Authority
- Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
- Expand the Configuration Tree on the Right until the Certificate Templates section is visible
- Right Click Certificate Templates
- Click Manage
- Right Click User in the middle pane
- Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback User
- Enter as Template name: SilverbackUser (will be filled automatically)
- Uncheck Publish certificate in Active Directory
Request Handling
- Navigate to Request Handling
- Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Enabled Include symmetric algorithms allowed by the subject
- Enabled Allow private key to be exported
- Selected Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Enable Supply in the request
- Click OK to confirm
Issuance Requirements
- Navigate to Issuance Requirements
- Ensure that CA certificate manager approval is unchecked
Extensions
- Navigate to Extensions
- Select Application Policies
- Click Edit
- Select Encrypting File System
- Click Remove
- Click OK
Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included
Security
- Navigate to Security
- Select Authenticated Users
- Enable Read and Enroll Permissions
- Click Add
- Enter in the "Enter the object names to select": Silverback
- Click Check Names
- Select Silverback Enterprise Device Management
- Click Ok
- Enable Read and Enroll Permissions
- Click OK to finish Template Configuration
- Close Certificate Templates Console window
Issue Certificate Templates
- Navigate to Certification Authority window
- Right Click Certificate Templates in the left panel
- Select New
- Click Certificate Template to Issue
- Select Silverback User
- Click OK
Silverback
Add Certificate Authority
- Open your Silverback Management Console
- Login as an Settings Administrator
- Navigate to Certificates
- Under Certificate Deployment enable Individual Client
- Enter your Corporate Certification Authority in the following format:
- ca.imagoverum.com\domain-server-CA
- Under Templates enter your previously issued User Certificate Template Name:
- e.g. SilverbackUser
- Click Save
- Confirm with OK
From now on for every assigned Exchange ActiveSync Profile Silverback will generate a certificate
Restart IIS
- Run PowerShell with elevated priviledges
- Run the following command:
- restart-service w3svc,silv*,epic*,mat*
Change User
- Logout as Settings Administrator
- Login as Administrator
Passcode Configuration
Android and SamsungSafe devices needs to be secured with a configured Lock screen to work properly with Certificates. In any case it should be your default policy, that devices are secured with a passcode. During this Guide we will create a new Passcode Tag, but you can use any other already existing in your company. At the end it is important, that your devices will have a proper given passcode on the device. If not, Companion will force the user to create a screen lock type with accepted lowest security type (Swipe), before profiles will be applied on the device.
Create a new Passcode Tag
- Navigate to Tags
- Click New Tag
- Name it e.g. Password Policy
- Enter as description e.g. Password Policy for any Certificate Based Authentication (optional)
- Enable Profile under Enabled Features
- Enable your desired device type, e.g. SamsungSafe
- Click Save
Create a new Passcode Profile
- Navigate to Profile
- Navigate to Passcode
- Enable Passcode Settings
- Enable minimum Numeric as Quality
- Keep or change the minimum length (optional)
- Adjust Maximum Passcode Age (optional)
- Adjust Auto-lock in minutes (optional)
- Enforce passcode history (optional)
- Change Maximum Failed Attempts to a suitable value, e.g. 5 or 10 or keep 0 for deactivated
- Click Save
- Confirm with OK
- Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
- Check your Device
- If not already present, you should now configure your screen unlock settings
- Choose e.g. PIN and create one for the device
- Proceed with next chapter
Exchange Active Sync
Before you start with creating an Exchange Active Sync configuration for your devices, please check the following support matrix for Exchange Active Sync on Android and Samsung Safe devices in general.
Platform / Management Type | Legacy Management | Android Enterprise Device Owner | Android Enterprise Work Profile |
---|---|---|---|
Android |
|
|
|
SamsungSafe |
|
|
|
Create a new Exchange ActiveSync Tag
- Navigate to Tags
- Click New Tag
- Name it e.g. Samsung Exchange ActiveSync
- Enter as description e.g. Exchange with certificate based authentication (optional)
- Enable Profile under Enabled Features
- Enable your desired device, e.g. SamsungSafe
- Click Save
Create Exchange ActiveSync Profile
- Navigate to Profile
- Navigate to Exchange ActiveSync
- Click Edit to configure the blank profile
- Click Enabled
- Here you will depending on your configuration meet 2 different views
- With Android Enterprise you can choose Exchange Type between Gmail and Samsung Mail
- Without Android Enterprise Integration Samsung Mail will be used per default
- Please ensure that your users will have Samsung Mail installed on their device
- On some devices and OS Version Samsung Mail is not pre-installed or user skipped the installation
- Depending on your configuration and preferred E-Mail application choose either Gmail or Samsung Mail as Exchange Type
- Enter a Label Name: e.g. Imagoverum Exchange
- Enter a Server Name: e.g. mail.imagoverum.com
- Enable Use SSL
- Configure Additional Settings
- Click Save
- Confirm with OK
- Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
Check Device
Check Email Profile
- When Samsung Mail has been selected as Exchange Type
- You will received a new notification about "New email Account"
- Open the notification
- Allow all permissions and agree with all requested policies
- You should now be logged in and should receive Emails
- When Gmail has been selected as Exchange Type
- Just open the application on the device
- Allow all permissions and agree with all requested policies
- You should now be logged in and should receive Emails
Check Installed Certificates
- On your device open Settings
- Navigate to Biometrics and security
- Open Other Security Settings
- Select User certificates
- You should see a listed certificate from your Certification Authority
Check Certification Authority
- Go back to your Certification Authority
- Navigate to Issued Certificates
- Right click and click refresh
- You should see now a newly issued with the requester name Domain\Silverback$ with the SilverbackUser Template
- If you have assigned 2 or more ExchangeActiveSync Profile to your device, you will see multiple created certificates
Best practices for Troubleshooting
- Check if required Gmail or Samsung Mail application is installed on the device
- Check if you have assigned the correct device or if your auto-population settings are not sufficient
- Check if a screen lock type is applied
- Recheck your Tag Configuration
- Open companion on device and perform a manual refresh
- Open Device Information and refresh device from Console
- Open under Actions the Pending Commands List and check for Errors on InstallProfile Request Type
- Try to update Gmail or Samsung Mail to a newer version
- Review general log files
Wireless Local Area Network
Create Wireless Local Area Network Tag
- Navigate to Tags
- Click New Tag
- Name it e.g. Samsung Wi-Fi Corporate
- Enter as description e.g. WiFi with certificate based authentication (optional)
- Enable Profile under Enabled Features
- Enable your desired device, e.g. SamsungSafe
- Click Save
Create Wireless Local Area Network Profile
- Navigate to Profile
- Navigate to Wi-Fi
- Click New WiFi Profile
- Enable Wi-Fi settings
- Enter SSID, e.g. Imagoverum WiFi
- Select as Security Type WPA2 Enterprise
- Configure your individual EAP Type
- Navigate to Authentication
- Enable Use Individual Client Certificates
- Enter as subject name e.g. u_{firstname}.{lastname}_WiFi
- Click Save
- Click Yes
- Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
Check Device
- On your device open Settings
- Navigate to Biometrics and security
- Open Other Security Settings
- Select User certificates
- You should see a listed certificate from your Certification Authority
- e.g. u_Tim.Tober_WiFi
Check Certification Authority
- Go back to your Certification Authority
- Navigate to Issued Certificates
- Right click and click refresh
- You should see now a newly issued with the requester name Domain\Silverback$ with the SilverbackUser Template
Device Overview
- Navigate back to Silverback Management Console
- Navigate to Devices > Managed
- Open your recently enrolled devices
- Press Refresh
- Scroll down to Certificate List
- You should see now listed two assigned certificate
- Please note the following table of supported certificate listings in device overview
Platform / Management Type | Legacy Management | Android Enterprise Device Owner | Android Enterprise Work Profile |
---|---|---|---|
Android |
|
|
|
SamsungSafe |
|
|
|
Next Steps
- Learn how to add Certificate into Active Directory User Object
- Check our Android Enterprise Integration
- Check our Apple Deployment Program Integration
- Check our Certification Authority Integration for iOS and iPadOS
- Check our Certificate Integration for Windows 10