Matrix42 Self-Service Help Center

macOS I: Add Certification Authority and Assign Certificates

Identity Certificates without Active Directory Object

This part shows how to generate certificates for devices without publishing them to the corresponding Active Directory user object.

Prerequisites

  • Certification Authority Server needs the following configured roles
    • Certification Authority
  • Certification Authority and Silverback Server are joined to the same Active Directory Domain
    • When using a Cloud Connector to connect to a Cloud Based Environment, then it is the Cloud Connector Object that needs to be Domain Joined.
  • Silverback or Cloud Connector Computer Object is added to the Silverback Mobile Device Manager group

Silverback Enterprise Device Management Group will gain access to created templates on the Certification Authority.

  • An enrolled macOS device

Supported Scenarios

  • Deployment for user certificates for Wi-Fi
  • Deployment for user certificates for Virtual Private Network

Certificate Authority

Create User Certificate Template

  • Log into your Certification Authority server
  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the Configuration Tree on the Right until the Certificate Templates section is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click User in the middle pane
  • Click Duplicate Template
    • When the Certification Authority is running on Windows Server 2008 R2, you will be prompted to select the template version
    • Select Windows Server 2003 Enterprise
    • Click OK

General

  • Navigate to General
  • Enter as Template Display Name: Silverback User
  • Enter as Template name: SilverbackUser (will be filled automatically)
  • Uncheck Publish certificate in Active Directory

Request Handling

  • Navigate to Request Handling
  • Make sure the configuration is the following:
    • Purpose: Signature and encryption
    • Include symmetric algorithms allowed by the subject is enabled
    • Allow private key to be exported is enabled
    • Enroll subject without requiring any user input is selected

Subject Name

  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm

Issuance Requirements

  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked

Extensions

  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encrypting File System
  • Click Remove
  • Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included

Security

  • Navigate to Security
  • Select Authenticated Users
  • Ensure that Read Permissions are enabled
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Select Domain Users
  • Click Remove

Review any other users or groups listed and consider reducing their permissions as well. At least one administrative account should retain Read and Write permissions so that the template settings can be adjusted in the future.

  • Click OK to finish Template Configuration
  • Close Certificate Templates Console window
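Added example (PowerShell, not from the Matrix42 article): reads the finished template object from the AD Configuration partition and compares it with the settings above. Because the template lets the requester supply the subject name and needs no CA manager approval, the Enroll permission is what limits who can obtain certificates for arbitrary user names, so the script also lists who holds it. The template and group names are assumptions matching the names used above.

```powershell
# Added example, not part of the Matrix42 article. Reads the template object
# from the AD Configuration partition and compares it with the settings above.
# Run on a domain-joined machine; template and group names are assumptions.
param(
    [string]$TemplateName = 'SilverbackUser',
    [string]$EnrollGroup  = 'Silverback Enterprise Device Management'
)

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not $template.distinguishedName) { throw "Template '$TemplateName' not found" }

# Flag bits are the documented msPKI-* values of the template schema (MS-CRTD).
$enrollFlag = [int]$template.'msPKI-Enrollment-Flag'.Value
$nameFlag   = [int]$template.'msPKI-Certificate-Name-Flag'.Value
$keyFlag    = [int]$template.'msPKI-Private-Key-Flag'.Value
$ekus       = @($template.pKIExtendedKeyUsage)

$checks = [ordered]@{
    'Subject Name: Supply in the request'       = ($nameFlag   -band 0x1)   -ne 0
    'Allow private key to be exported'          = ($keyFlag    -band 0x10)  -ne 0
    'Include symmetric algorithms'              = ($enrollFlag -band 0x1)   -ne 0
    'Enroll without user input'                 = ($enrollFlag -band 0x100) -eq 0
    'CA certificate manager approval unchecked' = ($enrollFlag -band 0x2)   -eq 0
    'Publish certificate in AD unchecked'       = ($enrollFlag -band 0x8)   -eq 0
    'Client Authentication EKU present'         = $ekus -contains '1.3.6.1.5.5.7.3.2'
    'Secure Email EKU present'                  = $ekus -contains '1.3.6.1.5.5.7.3.4'
    'Encrypting File System EKU removed'        = $ekus -notcontains '1.3.6.1.4.1.311.10.3.4'
}

# Who may enroll: ACEs carrying the Certificate-Enrollment extended right,
# plus any GenericAll ACE, which implies it.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$enrollees   = @($template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ObjectType -eq $enrollRight -or ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) } |
    ForEach-Object { $_.IdentityReference.Value })

$checks['Enroll granted to Silverback group'] = @($enrollees -match [regex]::Escape($EnrollGroup)).Count -gt 0
$checks['Enroll not granted to Domain Users'] = @($enrollees -match 'Domain Users').Count -eq 0

foreach ($c in $checks.GetEnumerator()) {
    '{0,-4} {1}' -f ($(if ($c.Value) { 'OK' } else { 'FAIL' })), $c.Key
}
'Enroll holders: ' + ($enrollees -join ', ')
```

Any FAIL line points at the template tab named in the check; the final line should list only the Silverback group and the administrative accounts you deliberately kept.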

Issue Certificate Templates

  • Navigate to Certification Authority window
  • Right Click Certificate Templates in the left panel
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback User
  • Click OK

Silverback

Add Certification Authority

  • Open your Silverback Management Console
  • Log in as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Corporate Certification Authority in the following format:
    • ca.imagoverum.com\domain-server-CA

To find this value, open a command prompt on your Certification Authority server, run certutil, and use the value displayed as Config.

  • Under Templates enter your previously issued User Certificate Template Name:
    • e.g. SilverbackUser

Do not add a template here that has Publish certificate in Active Directory enabled, as configured in macOS II: Assign Certificates to Active Directory User Objects. Templates with that option enabled are only valid in Wi-Fi Profiles in combination with the Populate into Active Directory Wi-Fi Authentication setting.

  • Click Save
  • Confirm with OK 

From now on, for every assigned Exchange ActiveSync Profile, Silverback will generate a certificate.

Additional Tasks with Cloud Connector

If you are running Silverback with the Cloud Connector, perform these additional tasks:

  • Navigate to Cloud Connector
  • Ensure that Send LDAP requests through Tunnel is enabled
  • Ensure that Request Client Certificates through Tunnel is enabled
  • Press Save
  • Restart your Cloud Connector Services on your Cloud Connector Server

Additional Tasks for On-Premise Installations without Cloud Connector

  • Run PowerShell with elevated privileges on your Silverback Server
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User

  • Log out as Settings Administrator
  • Log in as Administrator

Wireless Local Area Network

Create Wireless Local Area Network Tag

  • Create a Tag
    • Name it e.g. macOS WiFi
    • Enter as description e.g. WiFi with certificate based authentication
    • Enable Profile under Enabled Features
    • Enable macOS as Device Type
    • Click Save

Create Wireless Local Area Network Profile

This section describes a basic Wi-Fi Profile configuration used to check that certificate distribution is working properly. We recommend contacting your Wi-Fi Administrator to review the additional settings, options and trusts your environment requires. Refer to WPA Enterprise Settings for Apple and Android Enterprise for additional information.

  • Navigate to Profile
    • Navigate to Wi-Fi
    • Click New Wi-Fi profile
    • Configure General Settings
      • Enable Wi-Fi settings
      • Enter your SSID, e.g. Imagoverum Wi-Fi
      • Select as Security Type Any Enterprise
      • Enable Hidden Network (optional)
      • Enable Automatically Join (optional)
    • Configure Protocol Settings
      • Enable your desired EAP Type that supports certificate-based authentication (e.g. TLS)
    • Configure Authentication Settings
      • Select Individual Client Certificate as Certificate Type
      • Enter as Individual Client Certificate subject e.g. u_{firstname}.{lastname}_WiFi
    • Save your configuration
      • Click Save
      • Click Yes

Use a subject name that meets the minimum requirements of your RADIUS Server, e.g. prefer {UserName} or {UserEmail}.

  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open System Preferences
  • Select Profiles
    • Select Silverback Privileges Profile
    • Under Settings you should now see a Certificate and a Wi-Fi Network
    • Scroll down to view Details
  • Open Launchpad
    • Open Keychain Access
    • Under Login you should now see a new certificate

Check Certification Authority

  • Navigate back to your Certification Authority
    • Navigate to Issued Certificates
    • Right-click and click Refresh
    • You should now see a third newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser template

Virtual Private Network

Create Virtual Private Network Tag

To create a VPN Profile with certificate-based authentication, perform the following steps:

  • Create a Tag
    • Name it e.g. macOS VPN
    • Enter as description e.g. VPN with certificate based authentication
    • Enable Profile under Enabled Features
    • Enable macOS as Device Type
    • Click Save

Create Virtual Private Network Profile

  • Navigate to Profile
    • Navigate to VPN
    • Enable VPN Settings
    • Select VPN Type
    • Enter a Connection Name: e.g. Imagoverum VPN
    • Enter a Server Address: e.g. vpn.imagoverum.com (use a custom URL for testing purpose, there is no backend needed right now)
    • Select Certificate at Authentication Type
    • Click Save
    • Click Yes
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • Open System Preferences
    • Select Profiles
      • Select Silverback Privileges Profile
      • Under Settings you should now see the VPN Service applied
      • Scroll down to review VPN Auth Method
    • Navigate back and open Network
      • At the bottom your configured VPN connection should be available
  • Open Launchpad
    • Open Keychain Access
    • Under Login you should now see a new certificate with the same name, but with a different private key and serial number

Check Certification Authority

  • Navigate back to your Certification Authority
    • Navigate to Issued Certificates
    • Right-click and click Refresh
    • You should now see a second newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser template
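Added example (PowerShell, not from the Matrix42 article), serving both the Wi-Fi and the VPN "Check Certification Authority" steps: it lists the certificates the CA database records as issued to the Silverback computer account, so the two requests can be verified and the distinct serial numbers compared without clicking through the MMC. It assumes it runs on the CA server and that the requester name is DOMAIN\Silverback$ with your own NetBIOS domain substituted.

```powershell
# Added example, not part of the Matrix42 article. Lists issued certificates
# requested by the Silverback computer account. Run on the CA server; the
# requester name is an assumption (replace DOMAIN with your NetBIOS domain).
function Get-SilverbackIssuedCerts {
    param([string]$Requester = 'DOMAIN\Silverback$')

    # Disposition 20 = issued. Columns are selected by their database names.
    $columns = 'RequestID,RequesterName,CommonName,CertificateTemplate,SerialNumber,NotBefore'
    $raw = certutil -view -restrict "Disposition=20,RequesterName=$Requester" -out $columns csv
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($raw -join ' ')" }

    # Keep only CSV rows, drop certutil's caption row and apply stable names so
    # the script does not depend on the localized column captions.
    $rows = $raw | Where-Object { $_ -match ',' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID,Requester,CommonName,Template,Serial,NotBefore
    foreach ($r in $rows) {
        [pscustomobject]@{
            RequestID = [int]$r.RequestID
            Subject   = $r.CommonName
            # For version 2 templates this column holds the template OID,
            # usually followed by the template name.
            Template  = $r.Template
            Serial    = $r.Serial
            Issued    = $r.NotBefore
        }
    }
}

# After the Wi-Fi and VPN profiles each subject should appear twice with
# different serial numbers, matching what Keychain Access shows above.
Get-SilverbackIssuedCerts |
    Where-Object Template -match 'SilverbackUser' |
    Sort-Object Subject, Issued |
    Format-Table RequestID, Subject, Serial, Issued -AutoSize
```

Any row whose subject is not one of your enrolled users, or whose requester differs from the Silverback account, deserves a look, because the template accepts whatever subject the requester supplies.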

All in One

  • Unenroll your device
  • Revoke all previously created certificates
  • Enable on all created Tags Auto Population (WiFi & VPN)
  • Re-Enroll your device
  • Navigate back to Profiles and re-open Silverback Privileges Profile
    • Under Settings you should now see your Certificate, your VPN Service and your Wi-Fi Network
    • Scroll down to review Certificates, VPN Service and Wi-Fi Networks
  • Navigate back to Keychain Access
  • On your Certification Authority you should see 1 newly created certificate
  • As a result you now have certificates on your device and can configure your backend to trust these certificates

When a VPN Profile is deployed without a Wi-Fi Profile, a certificate is issued with the captured username.
