Android II: Assign Certificates to Active Directory User Objects
Assign Certificates to Active Directory Object
Prerequisites
- Supported Server Operating Systems
- Certificate Authority is installed on Windows Server 2008 R2
- Certificate Authority is installed on Windows Server 2012
- Certificate Authority is installed on Windows Server 2016
- Certification Authority Server needs the following roles configured
- Certification Authority
- Certification Authority Web Enrollment
- Configured HTTPS Authentication for Certification Authority Web site (IIS Binding for Default Web Site)
- Certification Authority and Silverback Server are joined to the same Active Directory Domain
- When a Cloud Connector is used to connect to a cloud-based environment, it is the Cloud Connector computer object that needs to be domain joined.
- Service Account for publishing certificates into the Active Directory User Object
- Silverback Computer Object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management group. Please refer to Installation Guide I: System Requirements
- An enrolled Android or SamsungSafe device
Scope
- Assigning Certificates to Active Directory Objects is supported for Wi-Fi Certificates
- You may already have performed some of these steps during iOS II: Assign Certificates to Active Directory User Objects
- Make sure you do not repeat those steps; in that case you may start directly at the Passcode Modification section
- For all Cloud Customers: Import Certificate to Local Computer needs to be done by Matrix42. Please get in touch with our support
Certificate Authority
Create Enrollment Agent Certificate Template
- Log into your Certification Authority server
- Open the Certification Authority MMC snap-in.
- Choose from Server Manager > Tools > Certification Authority
- Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
- Expand the Configuration Tree on the Right until the Certificate Templates section is visible
- Right Click Certificate Templates
- Click Manage
- Right Click Enrollment Agent in the middle pane
- Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
- Select Windows Server 2003 Enterprise
- Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback Enrollment Agent
- Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)
Request Handling
- Now navigate to Request Handling
- Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Proceed with Yes at the prompt asking whether you want to change the certificate purpose
- Include symmetric algorithms allowed by the subject: Enabled
- Allow private key to be exported: Enabled
- Select Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Ensure the following values are configured:
- Built from this Active Directory information: Enabled
- Subject Name is set to Fully distinguished name
- User principal name (UPN): Enabled
Security
- Navigate to Security
- Click Add
- Enter the service account you want to use in the "Enter the object names to select" field
- Click Check Names
- Select the service account that you want to use
- Click OK
- Allow Read and Enroll Permissions
- Click OK to finish Template Configuration
Create User Certificate Template
- Right Click User Certificate in the middle pane
- Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
- Select Windows Server 2003
- Click OK
- Enter as Template Display Name: Corporate User
- Enter as Template name: CorporateUser
- Ensure that Publish certificate in Active Directory is enabled
Request Handling
- Navigate to Request Handling
- Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Proceed with Yes at the prompt asking whether you want to change the certificate purpose
- Include symmetric algorithms allowed by the subject: Enabled
- Allow private key to be exported: Enabled
- Select Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Enable Supply in the request
- Click OK to confirm
Issuance Requirements
- Navigate to Issuance Requirements
- Ensure that CA certificate manager approval is unchecked
- Enable This number of authorized signatures and keep default value 1
- Change Application policy to Certificate Request Agent
Security
- Navigate to Security
- Select Authenticated Users
- Enable Read and Enroll Permissions
- Click Add
- Enter in the "Enter the object names to select": Silverback
- Click Check Names
- Select Silverback Enterprise Device Management
- Click Ok
- Enable Read and Enroll Permissions
Extensions
- Navigate to Extensions
- Select Application Policies
- Click Edit
- Select Encryption File System
- Click Remove
- Click OK
- Click OK to finish Template Configuration
- Close Certificate Templates Console window
Issue Certificate Templates
- Navigate to Certification Authority window
- Right Click Certificate Templates
- Select New
- Click Certificate Template to Issue
- Select Silverback Enrollment Agent
- Click OK
- Right Click Certificate Templates
- Select New
- Click Certificate Template to Issue
- Select Corporate User
- Click OK
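The settings that matter most on the Corporate User template are Supply in the request together with the single Certificate Request Agent signature that gates it: the signature requirement is what stops an ordinary enrollee from requesting a certificate for an arbitrary subject, so it is worth reading the templates back from Active Directory and confirming them. The script below is an added example, not part of the Silverback guide; it assumes the RSAT ActiveDirectory module, a domain-joined session and the template names used above (CorporateUser, SilverbackEnrollmentAgent).

```powershell
# Added example, not part of the Silverback guide: read both templates back from the
# Configuration partition and confirm the settings the steps above require.
# Assumes the RSAT ActiveDirectory module, a domain-joined session and the template
# names used in this guide (CorporateUser, SilverbackEnrollmentAgent).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
            'msPKI-RA-Application-Policies', 'msPKI-Private-Key-Flag', 'pKIExtendedKeyUsage'

# Flag bits and OIDs as documented in MS-CRTD
$ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: Supply in the request
$PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: CA certificate manager approval
$PUBLISH_TO_DS             = 0x8    # msPKI-Enrollment-Flag: Publish certificate in Active Directory
$EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: Allow private key to be exported
$OID_REQUEST_AGENT         = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$OID_EFS                   = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System

function Test-Flag([int]$Value, [int]$Bit) { ($Value -band $Bit) -eq $Bit }
function Get-Template([string]$Name) {
    Get-ADObject -SearchBase $tplBase -Filter "cn -eq '$Name'" -Properties $props
}

$user  = Get-Template 'CorporateUser'
$agent = Get-Template 'SilverbackEnrollmentAgent'
if (-not $user -or -not $agent) { throw 'Template not found; check the Template name fields.' }

$checks = [ordered]@{
    'CorporateUser: subject is supplied in the request' = Test-Flag $user.'msPKI-Certificate-Name-Flag' $ENROLLEE_SUPPLIES_SUBJECT
    'CorporateUser: published to Active Directory'      = Test-Flag $user.'msPKI-Enrollment-Flag' $PUBLISH_TO_DS
    'CorporateUser: no CA certificate manager approval' = -not (Test-Flag $user.'msPKI-Enrollment-Flag' $PEND_ALL_REQUESTS)
    'CorporateUser: exactly one authorized signature'   = $user.'msPKI-RA-Signature' -eq 1
    'CorporateUser: signature policy is Request Agent'  = $user.'msPKI-RA-Application-Policies' -like "*$OID_REQUEST_AGENT*"
    'CorporateUser: Encrypting File System EKU removed' = @($user.pKIExtendedKeyUsage) -notcontains $OID_EFS
    'EnrollmentAgent: Certificate Request Agent EKU'    = @($agent.pKIExtendedKeyUsage) -contains $OID_REQUEST_AGENT
    'EnrollmentAgent: private key exportable'           = Test-Flag $agent.'msPKI-Private-Key-Flag' $EXPORTABLE_KEY
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    $status = if ($c.Value) { 'OK  ' } else { $failed++; 'FAIL' }
    Write-Host "[$status] $($c.Key)"
}
if ($failed) { Write-Warning "$failed template setting(s) differ from the guide" }
```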
Create Enrollment Agent Certificate Request
- Login to your Silverback or Cloud Connector server as a Local Administrator (not Active Directory Domain Account)
- Open Internet Explorer
- Enter URL for the Certification Authority Web Enrollment web site
- Click Continue to this website
- Login with your Service Account
If you do not see a login prompt, you are probably logged in with an Active Directory Domain Account
- Click Request a certificate
- Click advanced certificate request
- Click Create and submit a request to this CA
- When the Certificate Authority is running on Windows Server 2008 R2 you may not see this action and are redirected directly to Submit a Certificate Request or Renewal Request. In that case:
- Open Compatibility View Settings in Internet Explorer
- Click Add to add your domain (e.g. imagoverum.com) and close the window
- Navigate back to the Request a certificate step and try again (refresh your browser if necessary)
- After clicking Create and submit a request to this CA you should receive a pop-up with Web Access Confirm
- If you don't see this and your CSP keeps loading, open Internet options
- Navigate to Security
- Select Trusted Sites
- Click Sites
- Click Add (your Certification Authority should be filled automatically - e.g ca.imagoverum.com)
- Click Close
- Click OK
- Refresh the page; you should now see the pop-up
- Click Yes
- Change Certificate Template to Silverback Enrollment Agent
- Click Submit
- Click Yes
Install Certificate
- Click Install this certificate
- Your new certificate should be successfully installed
Export Certificate from Current User
- Right click Windows Icon in taskbar
- Click Run
- Enter certmgr.msc
- Click OK or press enter
- Expand Personal
- Expand Certificates
- Right Click the installed certificate
- Click All Tasks
- Click Export
- Click Next
- Click Yes, export the private key
- Click Next
- Uncheck Include all certificates in the certification path if possible
- Click Next
- Enable Password
- Enter a Password
- Confirm Password
- Click Next
- Click Browse
- Choose your location and save it as a *.pfx file
- Click Next
- Click Finish
- Click OK
Import Certificate to Local Computer
- Login to your Silverback or Cloud Connector server as a Domain Administrator
- Right click Windows Icon in taskbar
- Click Run
- Enter certlm.msc
- Click OK or press enter
- Expand Personal
- Expand Certificates
- Perform a right click in the right pane
- Select All Tasks
- Select Import
- Click Next
- Click Browse
- Select your *.pfx file
- Change the file type selection to All Files (*.*)
- Click Open
- Click Next
- Enter your created password
- Enable Mark this key as exportable
- Click Next
- Ensure that Personal is selected
- Click Next
- Click Finish
- Click OK
Add Permission
- Right click the new imported enrollment agent certificate
- Select All Tasks
- Select Manage Private Keys
- Click Add
- Enter network
- Click Check Names
- Select Network Service
- Click OK
- Click OK
- Ensure that only Read is allowed
- Uncheck Full control
- Click Apply
- Click OK
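The private key of the enrollment agent certificate is what lets Silverback sign certificate requests on behalf of users, so the Manage Private Keys step above should leave NETWORK SERVICE with Read only. The following script is an added example, not part of the Silverback guide, that locates the certificate by its Certificate Request Agent EKU and reports the effective rights on its key file; it assumes Windows PowerShell 5.1 and a CAPI (RSA) key in the machine key store.

```powershell
# Added example, not part of the Silverback guide: confirm that the enrollment agent
# certificate is in the Local Computer Personal store with its private key and that
# NETWORK SERVICE holds Read on that key and nothing more, as the steps above require.
# Assumes Windows PowerShell 5.1 and a CAPI (RSA) key, which is what the duplicated
# Enrollment Agent template produces; a CNG key is reported but not inspected.
$agentEku = '1.3.6.1.4.1.311.20.2.1'          # Certificate Request Agent EKU
$keyDir   = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$identity = 'NT AUTHORITY\NETWORK SERVICE'
# Rights beyond Read that the guide says to remove (Read and Synchronize may stay);
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) cover generic-mapped ACEs
$tooMuch  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$tooMuch  = $tooMuch -bor 0x10000000 -bor 0x40000000

$agents = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (@($_.EnhancedKeyUsageList.ObjectId) -contains $agentEku)
}
if (-not $agents) {
    Write-Warning 'No enrollment agent certificate with a private key found in LocalMachine\My'
    return
}

foreach ($cert in $agents) {
    Write-Host ("Subject    : {0}" -f $cert.Subject)
    Write-Host ("Thumbprint : {0}" -f $cert.Thumbprint)   # the value to paste for Cloud Connector setups
    Write-Host ("Expires    : {0:d}" -f $cert.NotAfter)

    $key = $cert.PrivateKey
    if (-not $key -or -not $key.CspKeyContainerInfo) {
        Write-Warning '  Not a CAPI key; review the ACL via All Tasks > Manage Private Keys'
        continue
    }
    $keyFile = Join-Path $keyDir $key.CspKeyContainerInfo.UniqueKeyContainerName
    $aces    = (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $identity }
    $rights  = 0
    foreach ($a in $aces) { $rights = $rights -bor [int]$a.FileSystemRights }   # merge all Allow ACEs

    if ($rights -eq 0) {
        Write-Warning "  $identity has no Allow entry on the private key; IIS cannot sign requests"
    } elseif ($rights -band $tooMuch) {
        Write-Warning ("  {0} has {1}; reduce it to Read" -f $identity,
                       [System.Security.AccessControl.FileSystemRights]$rights)
    } else {
        Write-Host ("  {0} has {1} (OK)" -f $identity, [System.Security.AccessControl.FileSystemRights]$rights)
    }
}
```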
Silverback
Add Certification Authority
- Open your Silverback Management Console
- Login as a Settings Administrator
- Navigate to Certificates
- Under Certificate Deployment enable Individual Client
- Enter your Corporate Certification Authority in the following format:
- ca.imagoverum.com\domain-server-CA
- Click Save
- Confirm with OK
From now on, Silverback will generate a certificate for every assigned Exchange ActiveSync Profile
Restart IIS
- Run PowerShell with elevated privileges
- Run the following command:
- restart-service w3svc,silv*,epic*,mat*
Change User
- Logout as Settings Administrator
- Login as Administrator
Passcode Modification
Android and SamsungSafe devices need to be secured with a configured lock screen to work properly with certificates. In any case it should be your default policy that devices are secured with a passcode. During this guide we will create a new Passcode Tag, but you can use any existing one in your company. What matters in the end is that the device has a proper passcode set. If not, Companion will force the user to create a screen lock of the lowest accepted security type (Swipe) before profiles are applied on the device.
Create a new Passcode Tag
- Navigate to Tags
- Click New Tag
- Name it e.g. Password Policy
- Enter as description e.g. Password Policy for any Certificate Based Authentication (optional)
- Enable Profile under Enabled Features
- Enable your desired device type, e.g. SamsungSafe
- Click Save
Create a new Passcode Profile
- Navigate to Profile
- Navigate to Passcode
- Enable Passcode Settings
- Set Quality to at least Numeric
- Keep or change the minimum length (optional)
- Adjust Maximum Passcode Age (optional)
- Adjust Auto-lock in minutes (optional)
- Enforce passcode history (optional)
- Change Maximum Failed Attempts to a suitable value, e.g. 5 or 10 or keep 0 for deactivated
- Click Save
- Confirm with OK
- Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
- Check your Device
- If not already present, you should now configure your screen unlock settings
- Choose e.g. PIN and create one for the device
- Proceed with next chapter
Wireless Local Area Network
Create Wireless Local Area Network Tag
- Navigate to Tags
- Click New Tag
- Name it e.g. Samsung Wi-Fi Corporate
- Enter as description e.g. WiFi with certificate based authentication for User Objects (optional)
- Enable Profile under Enabled Features
- Enable your desired device, e.g. SamsungSafe
- Click Save
Create Wireless Local Area Network Profile
- Navigate to Profile
- Navigate to Wi-Fi
- Click New WiFi profile
- Click Enabled
- Enter a SSID, e.g. Imagoverum WiFi
- Select Security Type WPA 2 Enterprise
- Configure your individual EAP Type
- Navigate to Authentication
- Enable Use Individual Client Certificates
- Enter as Individual Client Certificate subject e.g. u_{firstname}.{lastname}_WiFi
- Enable Populate into Active Directory
- Enter a Certificate Template Name CorporateUser
- Enter as Requester Name LDAP Attribute: SamAccountName (Use SamAccountName, nothing else!)
- Select as Agent Certificate your previously created Enrollment Agent Certificate
- Or if you are running with a Cloud Connector, paste the thumbprint manually: e.g. d17843663fbaa87f49c4e97cd860867efc2c20b6
- Click Save
- Confirm with Yes
- Navigate to Definition
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to Devices
Check Device
- On your device open Settings
- Navigate to Biometrics and security
- Open Other Security Settings
- Select User certificates
- You should see a listed certificate from your Certification Authority
- e.g. u_Tim.Tober_WiFi
Check Certification Authority
- Navigate back to your Certificate Authority
- Navigate to Issued Certificates
- Right click and click refresh
- You should now see a newly issued certificate for firstname.lastname with the Corporate User Template
- Navigate to your Active Directory
- Open Active Directory User and Groups
- Click View
- Click Advanced Features
- Navigate to your User
- Double Click your User
- Navigate to Attribute Editor
- Scroll down to userCertificate
- The issued certificate should be listed in Binary Format
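The Attribute Editor only shows userCertificate as binary, so it is hard to tell from there whether the entry really is the Corporate User certificate with the u_{firstname}.{lastname}_WiFi subject, or an older or expired one. The following function is an added example, not part of the Silverback guide; it assumes the RSAT ActiveDirectory module, and the SamAccountName it takes is the same attribute the Wi-Fi profile uses as Requester Name.

```powershell
# Added example, not part of the Silverback guide: decode the userCertificate values the
# Attribute Editor shows as binary and report which of them are Corporate User
# certificates with the u_{firstname}.{lastname}_WiFi subject the Wi-Fi profile requests.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PublishedUserCertificate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    if (-not $user.userCertificate) {
        Write-Warning "$SamAccountName has no userCertificate values yet; check Issued Certificates on the CA"
        return
    }
    foreach ($der in @($user.userCertificate)) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        # Certificate Template Information (v2+ templates) or Certificate Template Name (v1 templates)
        $tplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            Select-Object -First 1
        $template = if ($tplExt) { $tplExt.Format($false) } else { '<no template extension>' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Template   = $template
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt (Get-Date)
            # Subject pattern from the Wi-Fi profile; template name matches "Corporate User" or "CorporateUser"
            IsWiFiCert = ($cert.Subject -match '^CN=u_[^,]+_WiFi') -and ($template -like '*Corporate*User*')
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Constructed sample account name; replace it with the enrolled user's SamAccountName
Get-PublishedUserCertificate -SamAccountName 'tim.tober' |
    Format-Table Subject, Template, NotAfter, Expired, IsWiFiCert -AutoSize
```

A user who has re-enrolled several times accumulates one value per issued certificate; the Expired column makes the stale ones easy to spot.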
Device Overview
- Navigate back to Silverback Management Console
- Navigate to Devices > Managed
- Open your recently enrolled device
- Press Refresh
- Scroll down to Certificate List
- You should now see a certificate listed with the common name u_{firstname}.{lastname}_WiFi
- Please note the following table of supported certificate listings in the device overview
Platform / Management Type | Legacy Management | Android Enterprise Device Owner | Android Enterprise Work Profile
---|---|---|---
Android | | |
SamsungSafe | | |
Next Steps
- Check our Android Enterprise Integration
- Check our Certification Authority Integration for Windows 10
- Check our Certification Authority Integration for iOS and iPadOS
- Check our Apple Deployment Program Integration