Android I: Add Certification Authority and Assign Certificates

Identity Certificates without Active Directory Object

This part shows how to generate certificates for devices without adding them in the corresponding user Active Directory User Object.

Prerequisites

Certification Authority Server needs the following configured roles
- Certification Authority
Certification Authority and Silverback Server are joined to the same Active Directory Domain
When using a Cloud Connector to connect to a Cloud Based Environment, then it is the Cloud Connector Object that needs to be Domain Joined.
Silverback or Cloud Connector Computer Object is added to the Silverback Mobile Device Manager group

Silverback Enterprise Device Management Group will gain access to created templates on the Certification Authority.

An enrolled Android or SamsungSafe device

Certificate Authority

Create User Certificate Template

Log into your Certification Authority server
Open the Certification Authority MMC snap-in.
- Choose from Server Manager > Tools > Certification Authority
- Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
Expand the Configuration Tree on the Right until the Certificate Templates section is visible
Right Click Certificate Templates
Click Manage
Right Click User in the middle pane
Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK

General

Navigate to General
Enter as Template Display Name: Silverback User
Enter as Template name: SilverbackUser (will be filled automatically)
Uncheck Publish certificate in Active Directory

Request Handling

Navigate to Request Handling
Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Enabled Include symmetric algorithms allowed by the subject
- Enabled Allow private key to be exported
- Selected Enroll subject without requiring any user input

Subject Name

Navigate to Subject Name
Enable Supply in the request
Click OK to confirm

Issuance Requirements

Navigate to Issuance Requirements
Ensure that CA certificate manager approval is unchecked

Extensions

Navigate to Extensions
Select Application Policies
Click Edit
Select Encrypting File System
Click Remove
Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included

Security

Navigate to Security
Select Authenticated Users
Ensure that Read Permissions are enabled
Click Add
Enter in the "Enter the object names to select": Silverback
Click Check Names
Select Silverback Enterprise Device Management
Click Ok
Enable Read and Enroll Permissions
Select Domain Users
Click Remove

Review other present users or groups and take into account to decrease the permission for these users or groups as well. At least one administrative account should have Read and Write permissions to adjust Template settings in the future.

Click OK to finish Template Configuration
Close Certificate Templates Console window

Issue Certificate Templates

Navigate to Certification Authority window
Right Click Certificate Templates in the left panel
Select New
Click Certificate Template to Issue
Select Silverback User
Click OK

Silverback

Add Certificate Authority

Open your Silverback Management Console
Login as an Settings Administrator
Navigate to Certificates
Under Certificate Deployment enable Individual Client
Enter your Corporate Certification Authority in the following format:
- ca.imagoverum.com\domain-server-CA
Under Templates enter your previously issued User Certificate Template Name:
- e.g. SilverbackUser
Click Save
Confirm with OK

From now on for every assigned Exchange ActiveSync Profile Silverback will generate a certificate

Restart IIS

Run PowerShell with elevated priviledges
Run the following command:
- restart-service w3svc,silv*,epic*,mat*

Change User

Logout as Settings Administrator
Login as Administrator

Passcode Configuration

Android and SamsungSafe devices needs to be secured with a configured Lock screen to work properly with Certificates. In any case it should be your default policy, that devices are secured with a passcode. During this Guide we will create a new Passcode Tag, but you can use any other already existing in your company. At the end it is important, that your devices will have a proper given passcode on the device. If not, Companion will force the user to create a screen lock type with accepted lowest security type (Swipe), before profiles will be applied on the device.

Create a new Passcode Tag

Navigate to Tags
Click New Tag
- Name it e.g. Password Policy
- Enter as description e.g. Password Policy for any Certificate Based Authentication (optional)
- Enable Profile under Enabled Features
- Enable your desired device type, e.g. SamsungSafe
- Click Save

Create a new Passcode Profile

Navigate to Profile
- Navigate to Passcode
- Enable Passcode Settings
- Enable minimum Numeric as Quality
- Keep or change the minimum length (optional)
- Adjust Maximum Passcode Age (optional)
- Adjust Auto-lock in minutes (optional)
- Enforce passcode history (optional)
- Change Maximum Failed Attempts to a suitable value, e.g. 5 or 10 or keep 0 for deactivated
- Click Save
- Confirm with OK
Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
Check your Device
- If not already present, you should now configure your screen unlock settings
- Choose e.g. PIN and create one for the device
- Proceed with next chapter

Exchange Active Sync

Before you start with creating an Exchange Active Sync configuration for your devices, please check the following support matrix for Exchange Active Sync on Android and Samsung Safe devices in general.

Platform / Management Type	Legacy Management	Android Enterprise Device Owner	Android Enterprise Work Profile
Android	not supported	Gmail	Gmail
SamsungSafe	Samsung Mail	Samsung Mail Gmail	Gmail

Create a new Exchange ActiveSync Tag

Navigate to Tags
Click New Tag
- Name it e.g. Samsung Exchange ActiveSync
- Enter as description e.g. Exchange with certificate based authentication (optional)
- Enable Profile under Enabled Features
- Enable your desired device, e.g. SamsungSafe
- Click Save

Create Exchange ActiveSync Profile

Navigate to Profile
- Navigate to Exchange ActiveSync
- Click Edit to configure the blank profile
- Click Enabled
- Here you will depending on your configuration meet 2 different views
  - With Android Enterprise you can choose Exchange Type between Gmail and Samsung Mail
    - Please ensure that your users will have either Gmail or Samsung Mail installed on their device
    - On some devices and OS Version it could be that the applications aren't pre-installed
  - Without Android Enterprise Integration Samsung Mail will be used per default
    - Please ensure that your users will have Samsung Mail installed on their device
    - On some devices and OS Version Samsung Mail is not pre-installed or user skipped the installation
- Depending on your configuration and preferred E-Mail application choose either Gmail or Samsung Mail as Exchange Type
- Enter a Label Name: e.g. Imagoverum Exchange
- Enter a Server Name: e.g. mail.imagoverum.com
- Enable Use SSL
- Configure Additional Settings
- Click Save
- Confirm with OK
Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK

Check Device

Check Email Profile

When Samsung Mail has been selected as Exchange Type
- You will received a new notification about "New email Account"
- Open the notification
- Allow all permissions and agree with all requested policies
- You should now be logged in and should receive Emails
When Gmail has been selected as Exchange Type
- Just open the application on the device
- Allow all permissions and agree with all requested policies
- You should now be logged in and should receive Emails

Check Installed Certificates

On your device open Settings
Navigate to Biometrics and security
Open Other Security Settings
Select User certificates
You should see a listed certificate from your Certification Authority

Check Certification Authority

Go back to your Certification Authority
- Navigate to Issued Certificates
- Right click and click refresh
- You should see now a newly issued with the requester name Domain\Silverback$ with the SilverbackUser Template
- If you have assigned 2 or more ExchangeActiveSync Profile to your device, you will see multiple created certificates

Best practices for Troubleshooting

Check if required Gmail or Samsung Mail application is installed on the device
Check if you have assigned the correct device or if your auto-population settings are not sufficient
Check if a screen lock type is applied
Recheck your Tag Configuration
Open companion on device and perform a manual refresh
Open Device Information and refresh device from Console
Open under Actions the Pending Commands List and check for Errors on InstallProfile Request Type
Try to update Gmail or Samsung Mail to a newer version
Review general log files

Wireless Local Area Network

Create Wireless Local Area Network Tag

Navigate to Tags
Click New Tag
- Name it e.g. Samsung Wi-Fi Corporate
- Enter as description e.g. WiFi with certificate based authentication (optional)
- Enable Profile under Enabled Features
- Enable your desired device, e.g. SamsungSafe
- Click Save

Create Wireless Local Area Network Profile

Navigate to Profile
- Navigate to Wi-Fi
- Click New WiFi Profile
  - Enable Wi-Fi settings
  - Enter SSID, e.g. Imagoverum WiFi
  - Select as Security Type WPA2 Enterprise
  - Configure your individual EAP Type
  - Navigate to Authentication
    - Enable Use Individual Client Certificates
    - Enter as subject name e.g. u_{firstname}.{lastname}_WiFi
  - Click Save
  - Click Yes
Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK

Check Device

On your device open Settings
- Navigate to Biometrics and security
- Open Other Security Settings
- Select User certificates
- You should see a listed certificate from your Certification Authority
  - e.g. u_Tim.Tober_WiFi

Check Certification Authority

Go back to your Certification Authority
- Navigate to Issued Certificates
- Right click and click refresh
- You should see now a newly issued with the requester name Domain\Silverback$ with the SilverbackUser Template

Device Overview

Navigate back to Silverback Management Console
Navigate to Devices > Managed
Open your recently enrolled devices
Press Refresh
Scroll down to Certificate List
You should see now listed two assigned certificate
Please note the following table of supported certificate listings in device overview

Platform / Management Type	Legacy Management	Android Enterprise Device Owner	Android Enterprise Work Profile
Android	not supported	Certificate Trust Certificates	Certificate Trust Certificates
SamsungSafe	User Certificates Certificate Trust Certificates	User Certificates Certificate Trust Certificates	Certificate Trust Certificates

Next Steps

Learn how to add Certificate into Active Directory User Object
Check our Android Enterprise Integration
Check our Apple Deployment Program Integration
Check our Certification Authority Integration for iOS and iPadOS
Check our Certificate Integration for Windows 10