iOS II: Assign Certificates to Active Directory User Objects

Prerequisites

• Supported Server Operating Systems
  • Certificate Authority is installed on Windows Server 2008 R2
  • Certificate Authority is installed on Windows Server 2012
  • Certificate Authority is installed on Windows Server 2016 
• Certification Authority Server needs the following configured roles
  • Certification Authority
  • Certification Authority Web Enrollment 
• Configured HTTPS Authentication for Certification Authority Web site (IIS Binding for Default Web Site) 
• Certification Authority and Silverback Server are joined to the same Active Directory Domain
• When using a Cloud Connector to connect to a Cloud Based Environment, then it is the Cloud Connector Object that needs to be Domain Joined.
• Service Account for publishing certificates  into Active Directory User Object 
• Silverback Computer Object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management group. Please refer to Installation Guide I: System Requirements
• An enrolled iOS device

Scope 

• Assigning Certificates to Active Directory Objects is supported for Wi-Fi Certificates
• You may have already performed some parts during the Android II: Assign Certificates to Active Directory User Objects
• Please ensure that you don't repeat these steps and maybe you need to start with the Wireless Local Area Network section
• For all Cloud Customers: Import Certificate to Local Computer needs to be done by Matrix42. Please get in touch with our support

Certificate Authority

Create Enrollment Agent Certificate Request

• Login to your Silverback or Cloud Connector server as a Local Administrator (not Active Directory Domain Account)
• Open Internet Explorer
• Enter URL for the Certification Authority Web Enrollment web site 
  • https://ca01.imagoverum.com/certsrv 
• Click Continue to this website
• Login with your Service Account 

• Click Request a certificate
• Click advanced certificate request
• Click Create and submit a request to this CA
  • When Certificate Authority is running on Windows Server 2008 R2 you may not see this action
    • You will be redirected directly Submit a Certificate Request or Renewal Request Action
    • Open Compatibility View Settings on Internet Explorer
    • Click Add to add your domain (e.g. imagoverum.com) and Close the Window
    • Navigate back to Request a certificate step and try again (maybe refresh your browser)
• After a click Create and submit a request to this CA you should receive a pop-up with Web Access Confirm 
  • If you don't see this and your CSP keeps loading,  open Internet options
  • Navigate to Security
  • Select Trusted Sites
  • Click Sites
  • Click Add (your Certification Authority should be filled automatically - e.g ca.imagoverum.com)
  • Click Close
  • Click OK
  • Refresh this page, you should see now the pop-op
• Click Yes
• Change Certificate Template to Silverback Enrollment Agent
• Click Submit
• Click Yes

Add Certification Authority

• Open your Silverback Management Console
• Login as an Settings Administrator
• Navigate to Certificates
• Under Certificate Deployment enable Individual Client
• Enter your Corporate Certification Authority in the following format:
  • ca.imagoverum.com\domain-server-CA
• Click Save
• Confirm with OK 

Restart IIS

• Run PowerShell with elevated priviledges
• Run the following command:
  • restart-service w3svc,silv*,epic*,mat*

Change User

• Logout as Settings Administrator
• Login as Administrator

Create Wireless Local Area Network Tag

• Login as an Administrator
• Create a Tag
  • Navigate to Tags
  • Click New Tag
  • Enter as Name e.g. iOS WiFi Corporate
  • Enter as Description e.g. WiFi with Certificate Based Authentication (optional)
  • Enable Profile
  • Enable iPhone and/or iPad
  • Click Save

Create Wireless Local Area Network Profile

• Navigate to Profile
  • Navigate to Wi-Fi
  • Click New WiFi profile
  • Click Enabled
  • Enter your SSID e.g. Imagoverum WiFi
  • Select Security Type WPA 2 Enterprise
  • Navigate to Authentication
  • Enable Use Individual Username (optional)
  • Enable Use Individual Client Certificates
  • Enter as Individual Client Certificate subject e.g. u_{firstname}.{lastname}_WiFi
  • Enable Populate into Active Directory
  • Enter a Certificate Template Name CorporateUser
  • Enter as Requester Name LDAP Attribute: SamAccountName (Use SamAccountName, nothing else!)
  • Select as Agent Certificate your previously created Enrollment Agent Certificate 
    • Or if you are running with a Cloud Connector, paste the thumbprint manually: e.g. ‎d17843663fbaa87f49c4e97cd860867efc2c20b6
  • Click Save
• Navigate to Definition
  • Click Associated Devices
  • Click Attach More Devices
  • Select your previously enrolled device
  • Click Attach Selected Devices
  • Click OK
  • Click Close
  • Click Push to Devices

Check Device

• On your device open Settings
  • Open General
  • Navigate to Profiles &  Device Management
  • Open Silverback MDM Profile
  • Click More Details
  • Under WiFi Network you should see now an entry with your SSID
  • Under Certificates you should see now 2 Certificates
  • u_username
  • u_firstname.lastname_WiFi

Check Certification Authority

• Navigate back to your Certificate Authority
  • Navigate to Issued Certificates
  • Right click and click refresh
  • You should see now a newly issue certificate to firstname.lastame with the Corporate User Template
• Navigate to your Active Directory
  • Open Active Directory User and Groups
  • Click View
  • Click Advanced Features
  • Navigate to your User
  • Double Click your User
  • Navigate to Attribute Editor
  • Scroll down to userCertificate
  • The issued certificate should be listed in Binary Format