Android III: Certificate Profile for VPN and Apps

Benefits of the Certificate Profile 

• Multiple certificates profiles are supported within one Tag
• Created certificate profiles can be imported easily in other tags and between the platforms Android and Samsung Knox 
• Trusted Credentials and VPN and Apps can be selected as credential location
• For VPN and Apps, enterprise certificates with private keys can be uploaded and/or individual client certificates can be configured
• Individual client certificates support different templates
• Alias and Subject names are supporting System Variables and can be used in Managed Configurations
• Certificate Locations can be addressed for all supported management types
• The certificate profile works independently from the selected Web Setting Certificate Deployment Method

Before you Start

Before you start, please note the following:

• Certificate Profiles are dedicated for VPN and Apps with Managed Configurations
• Certificate Profiles are not supported for Wi-Fi Profiles
• Certificates can be distributed without and with adding them into user objects Active Directory and both scenarios require different prerequisites
• Ensure to select later on only the Certificate Location that should target your Management Type
  • If you have only Device Owner Devices, enable only Device Owner
  • If you have only Work Profiles, enable only Work Profile

Root and/or Intermediate Certificate

• A certificate that contains the public key (.cer)

Enterprise Certificate

• A certificate that contains a private key (*.pfx)
• The corresponding password for the private key

Individual Certificates

• A Certification Authority Server with the configured Certification Authority role 
• The Certification Authority and the Silverback or the Cloud Connector Server must be joined to the same Active Directory Domain
• The Silverback or Cloud Connector Computer Object is added to the Silverback Mobile Device Manager group
• If you have a setup with a Cloud Connector, ensure to have enabled both Web Settings in the Cloud Connector configuration: 
  • Send LDAP requests through Tunnel 
  • Request Client Certificates through Tunnel
• If you plan to distribute certificates without adding them into the user objects in the Active Directory, at least one created and issued User Certificate Template, based on the configuration from Android I: Add Certification Authority and Assign Certificates is required

• If you plan to distribute certificates and add them to user objects in Active Directory, the following Certificate Authority steps from Android II: Assign Certificates to Active Directory User Objects are required:
  • Create and issue the Enrollment Agent Certificate Template 
  • Create and issue the User Certificate Template with the Publish certificate in Active Directory is enabled option
  • Create the Enrollment Agent Certificate Request and export and import the certificate

Create a new Tag 

• Open your Silverback Management Console
• Login as Administrator
• Navigate to Tags
• Click New Tag
  • Name it e.g. Certificate Profile
  • Enter as description e.g. Certificate Profile for VPN and Apps (optional)
  • Enable Profile under Enabled Features
  • Enable your desired device type, e.g. Samsung Knox
  • Click Save

Create a Passcode Profile

In case your devices do not have already a passcode profile assigned, create a new one in this tag. 

• Navigate to Profile
  • Navigate to Passcode
  • Enable Passcode Settings
  • Enable minimum Numeric as Quality
  • Keep or change the minimum length (optional)
  • Adjust Maximum Passcode Age (optional)
  • Adjust Auto-lock in minutes (optional)
  • Enforce passcode history (optional)
  • Change Maximum Failed Attempts to a suitable value, e.g. 5 or 10 or keep 0 for deactivated
  • Click Save
  • Confirm with OK
• Navigate to Definitions
  • Click Associated Devices
  • Click Attach More Devices
  • Select your previously enrolled device
  • Click Attach Selected Devices
  • Click OK
  • Click Close
  • Click Push to devices
  • Click OK
• Check your Device
  • If not already present, you should now configure your screen unlock settings
  • Choose e.g. PIN and create one for the device
  • Proceed with the next chapter

Upload a Root or Intermediate Certificate

• Navigate to Profile
• Select Certificate Profile
• Click Add new Certificate
• Select Choose File to upload your intermediate or root certificate 
• Ensure to have at least one certificate location enabled

• Press Save and Confirm with OK

Upload an Enterprise Certificate

• Press Add new Certificate
• Select as Credential Location VPN and apps
• Ensure to select as Certificate Type Enterprise Certificate
• Select Choose File and upload your Enterprise Certificate
• Enter the corresponding password for the private key
• Ensure to have at least one certificate location enabled
• Press Save and Confirm with OK

Deploy Individual Certificates

• Press Add new Certificate
• Select as Credential Location VPN and apps
• Select as Certificate Type Individual Certificate
• Enter your Certification Authority Address in the following format: ca.imagoverum.com\domain-server-CA

• Enter a Template Name, e.g. SilverbackUser 
  • If you plan to distribute certificates and add them to user objects in Active Directory, use e.g. CorporateUser
• Enter a subject name, e.g. {UserName}
• Enter a Subject Alternative Name, e.g. {DeviceEmail}
  • If you plan to add certificates to user objects in Active Directory, enter SamAccountName
  • If you plan ta add certificates  to user objects in Active Directory, select also your created Agent Certificate from the drop down list
  • If you have a setup with a Cloud Connector, paste the Agent Certificate thumbprint manually: e.g. ‎d17843663fbaa87f49c4e97cd860867efc2c20b6
• Enter as Renewal Threshold the time when the certificate should be renewed. Enter e.g. 180 if after 180 days you want to let the certificate be replaced
• Ensure to have at least one certificate location enabled
• Press Save and Confirm with OK

Review Device

• Open Settings applications
• Select Biometrics and security
• Tap Other security settings
• Tab View security certificates
• Select Users, you should see here now your uploaded root and/or intermediate certificate
• Go Back
• Select User certificate
• Review your Enterprise and/or Individual Client Certificate

Review Certificate List

• At your Silverback Management Console, navigate to Devices
• Locate your device and open the device overview
• Ensure the device is online and press refresh
• Scroll down to the certificate list to review available certificates
• Please note the following table of supported certificate listings in device overview:

Review Certification Authority 

• Log into your Certification Authority server
• Open the Certification Authority MMC snap-in.
  • Choose from Server Manager > Tools > Certification Authority
  • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Navigate to Issued Certificates
  • Right click and click refresh
  • You should see now a newly issued with the requester name Domain\Silverback$ with the SilverbackUser Template
  • If you distribute certificates with adding them to user objects in Active Directory, the requester name will be the SamAccountName of the User with the CorporateUser Template
  • If you have assigned 2 or more Individual Client Certificate Profiles to your device, you will see multiple created certificates

Review Active Directory

• If you distribute certificates and add them to user objects in Active Directory, go to your Active Directory Server
• Open Active Directory Users and Computers
• Locate the Active Directory object of the user
• Perform a double-click on the object
• Select the Published Certificates Tab
• Review the recently created certificate