Matrix42 Self-Service Help Center

iOS I: Add Certification Authority and Assign Certificates

Identity Certificates without Active Directory Object

This part shows how to generate certificates for devices without adding them to the corresponding Active Directory user object.

Prerequisites

  • Certification Authority Server needs the following configured roles
    • Certification Authority
  • HTTPS authentication configured for the Certification Authority web site (IIS binding for Default Web Site)
  • Certification Authority and Silverback Server are joined to the same Active Directory domain
  • When using a Cloud Connector to connect to a cloud-based environment, it is the Cloud Connector object that needs to be domain joined.
  • Silverback computer object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management groups

The Silverback Enterprise Device Management group will be granted access to the created templates on the Certification Authority.

  • An enrolled iOS device

Certificate Authority

Create User Certificate Template

  • Log into your Certification Authority server
  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the configuration tree until the Certificate Templates section is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click User in the middle pane
  • Click Duplicate Template
    • When the Certification Authority is running on Windows Server 2008 R2, you will be prompted to select the template version
    • Select Windows Server 2003 Enterprise
    • Click OK

General

  • Navigate to General
  • Enter as Template Display Name: Silverback User
  • Enter as Template name: SilverbackUser (will be filled automatically)
  • Uncheck Publish certificate in Active Directory

Request Handling

  • Navigate to Request Handling
  • Make sure the configuration is the following:
    • Purpose: Signature and encryption
    • Include symmetric algorithms allowed by the subject: enabled
    • Allow private key to be exported: enabled
    • Enroll subject without requiring any user input: selected

Subject Name

  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm

Issuance Requirements

  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked

Extensions

  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encrypting File System
  • Click Remove
  • Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should remain included.

Security

  • Navigate to Security
  • Select Authenticated Users
  • Enable Read and Enroll Permissions
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click OK
  • Enable Read and Enroll Permissions
  • Click OK to finish the template configuration
  • Close Certificate Templates Console window

Issue Certificate Templates

  • Navigate to Certification Authority window
  • Right Click Certificate Templates in the left panel
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback User
  • Click OK
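The steps above set several template properties (subject supplied in the request, exportable private key, no manager approval, EFS removed, Enroll granted to Authenticated Users and the Silverback group) that are easy to get subtly wrong in the MMC. The following PowerShell script is an added verification example, not part of the Matrix42 article or the Silverback product; it reads the published template from the Configuration partition over ADSI and reports each setting against the value the steps above expect. It assumes a domain-joined machine, read access to the Configuration partition, the template name SilverbackUser and the group name Silverback Enterprise Device Management from the steps above; the function name Test-SilverbackUserTemplate is hypothetical. Because the template lets the requester supply the subject name, the script also lists every principal that can enroll and warns when a broad group is among them, so the permissions chosen in the Security step are a deliberate decision rather than an accident.

```powershell
# Added verification script (not from the Matrix42 article or the Silverback product).
# Assumptions: runs on a domain-joined machine as a user who can read the Configuration
# partition; the template and group names below follow the steps in the article.
function Test-SilverbackUserTemplate {
    param(
        [string]$TemplateName     = 'SilverbackUser',
        [string]$ExpectedEnroller = 'Silverback Enterprise Device Management'
    )

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $tpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    try { $tpl.RefreshCache() } catch { throw "Template '$TemplateName' not found in AD: $($_.Exception.Message)" }

    # Flag bits as defined for the msPKI-*-Flag attributes (MS-CRTD)
    $nameFlags   = [int]$tpl.'msPKI-Certificate-Name-Flag'.Value
    $enrollFlags = [int]$tpl.'msPKI-Enrollment-Flag'.Value
    $keyFlags    = [int]$tpl.'msPKI-Private-Key-Flag'.Value

    # EKUs: the Application Policies page writes msPKI-Certificate-Application-Policy;
    # fall back to pKIExtendedKeyUsage if that attribute is empty
    $ekus = @($tpl.'msPKI-Certificate-Application-Policy' | ForEach-Object { [string]$_ })
    if ($ekus.Count -eq 0) { $ekus = @($tpl.pKIExtendedKeyUsage | ForEach-Object { [string]$_ }) }

    # Principals allowed to enroll: the Certificate-Enrollment extended right, or GenericAll
    $enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $extRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $rules = $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $enrollers = foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $coversEnroll = ($r.ObjectType -eq $enrollRight -or $r.ObjectType -eq [Guid]::Empty) -and
                        (($r.ActiveDirectoryRights -band $extRight) -ne 0)
        $hasAll = ($r.ActiveDirectoryRights -band $genericAll) -eq $genericAll
        if ($coversEnroll -or $hasAll) { $r.IdentityReference.Value }
    }
    $enrollers = @($enrollers | Sort-Object -Unique)

    $report = [pscustomobject]@{
        TemplateName               = $TemplateName
        DisplayName                = [string]$tpl.displayName.Value
        SubjectSuppliedInRequest   = ($nameFlags   -band 0x001) -ne 0   # "Supply in the request": expected True
        IncludeSymmetricAlgorithms = ($enrollFlags -band 0x001) -ne 0   # expected True
        ManagerApprovalRequired    = ($enrollFlags -band 0x002) -ne 0   # expected False
        PublishToAD                = ($enrollFlags -band 0x008) -ne 0   # expected False
        UserInputRequired          = ($enrollFlags -band 0x100) -ne 0   # expected False
        PrivateKeyExportable       = ($keyFlags    -band 0x010) -ne 0   # expected True
        HasClientAuth              = $ekus -contains '1.3.6.1.5.5.7.3.2'
        HasSecureEmail             = $ekus -contains '1.3.6.1.5.5.7.3.4'
        HasEFS                     = $ekus -contains '1.3.6.1.4.1.311.10.3.4'   # expected False after removal
        Enrollers                  = $enrollers
        ExpectedEnrollerPresent    = [bool]($enrollers | Where-Object { $_ -like "*\$ExpectedEnroller" })
    }

    # With the subject supplied by the requester, every principal that can enroll can request a
    # certificate bearing any subject name, so a broad enroller list deserves a second look.
    $broad = @($enrollers | Where-Object { $_ -match 'Authenticated Users|Domain Users|Domain Computers|Everyone' })
    if ($report.SubjectSuppliedInRequest -and $report.HasClientAuth -and $broad.Count -gt 0) {
        Write-Warning "Template '$TemplateName' lets $($broad -join ', ') enroll with a requester-supplied subject name; confirm this is intended."
    }
    $report
}

Test-SilverbackUserTemplate | Format-List
```

Run it after the template has been issued; every property marked "expected" should match the comment, HasEFS should be False, and Enrollers should contain the Silverback Enterprise Device Management group. If Authenticated Users appears in Enrollers (as the Security step above grants), the warning is the cue to decide whether enrollment should be narrowed to the Silverback group only.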

Silverback

Add Certificate Authority

  • Open your Silverback Management Console
  • Log in as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Certificate Authority in the format host name\CA name, for example:
    • ca.imagoverum.com\domain-server-CA
  • Enter SilverbackUser as the Template ActiveSync Certificate Name
  • Click Save
  • Confirm with OK 

From now on, Silverback will generate a certificate for every assigned Exchange ActiveSync profile.

Restart IIS

  • Run PowerShell with elevated privileges
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User

  • Log out as Settings Administrator
  • Log in as Administrator

Exchange Active Sync

Create a new Exchange ActiveSync Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. iOS Exchange ActiveSync 
    • Enter as description e.g. Exchange with certificate based authentication (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device, e.g. iPhone or iPad
    • Click Save

Create Exchange ActiveSync Profile

  • Navigate to Profile
    • Navigate to Exchange ActiveSync
    • Click New Profile
    • Enter a Label Name: e.g. Imagoverum Exchange
    • Enter a Server Name: e.g. mail.imagoverum.com
    • Configure Additional Settings
    • Click Save
    • Click OK
  • Navigate to Definition
    • Click Associated Devices
    • Click Attach More Devices
    • Select your enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open Settings
    • Navigate to General
    • Navigate to Profiles & Device Management
    • Select Silverback MDM Profile
    • Navigate to Accounts
    • Your previously created Exchange Account should be listed
  • Open Mail 
    • You should be logged in automatically
    • You should now receive emails

Check Certification Authority

  • Go back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser template
  • If you have assigned two or more Exchange ActiveSync profiles to your device, you will see multiple certificates
  • Proceed with Virtual Private Network

Virtual Private Network

Create Virtual Private Network Tag

To create a VPN profile with certificate-based authentication, perform the following steps:

  • Create a Tag
    • Name it e.g. iOS VPN
    • Enter as description e.g. VPN with certificate based authentication
    • Enable Profile under Enabled Features
    • Enable your desired device, e.g. iPhone or iPad
    • Click Save

Create Virtual Private Network Profile

  • Navigate to Profile
    • Navigate to VPN
    • Enable VPN Settings
    • Select VPN Type
    • Enter a Connection Name: e.g. Imagoverum VPN
    • Enter a Server Address: e.g. vpn.imagoverum.com (any host name can be used for testing purposes; no VPN backend is needed at this point)
    • Select Certificate at Authentication Type
    • Click Save
    • Click Yes
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open Settings
    • Navigate to General
    • Navigate to Profiles & Device Management
    • Open Silverback MDM Profile
    • Click More Details
    • Under VPN Settings you should now see a VPN configuration
    • Under Certificates you should now see 2 certificates
      • u_username@domain.com coming from Silverback Server
      • username@domain.com coming from your Certificate Authority

Check Certification Authority

  • Navigate back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a second newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser template
    • Proceed with adding a Wireless Local Area Network

Wireless Local Area Network

Create Wireless Local Area Network Tag

  • Create a Tag
    • Name it e.g. iOS WiFi
    • Enter as description e.g. WiFi with certificate based authentication
    • Enable Profile under Enabled Features
    • Enable your desired device, e.g. iPhone or iPad
    • Click Save

Create Wireless Local Area Network Profile

  • Navigate to Profile
    • Navigate to Wi-Fi
    • Click New WiFi Profile
      • Enable Wi-Fi settings
      • Enter SSID, e.g. Imagoverum WiFi
      • Select as Security Type WPA2 Enterprise
      • Navigate to Authentication
        • Enable Use Individual Username (optional)
        • Enable Use Individual Client Certificates
        • Enter as subject name e.g. u_{firstname}.{lastname}_WiFi
      • Click Save
      • Click Yes
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open Settings
    • Navigate to General
    • Navigate to Profiles & Device Management
    • Open Silverback MDM Profile
    • Click More Details
    • Under Wi-Fi Network you should now see your network
    • Under Certificates you should now see 2 certificates
      • u_username@domain.com coming from Silverback Server
      • u_{firstname}.{lastname}_WiFi coming from your Certificate Authority

The certificate previously generated for VPN is now superseded by the Wi-Fi certificate.

Check Certification Authority

  • Navigate back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a third newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser template

All in One

  • Unenroll your device
  • Revoke all previously created certificates
  • Enable Auto Population on all created tags (ActiveSync, VPN and WiFi)
  • Re-Enroll your device
  • Navigate back to Settings and re-open the Silverback MDM Profile
  • Select More Details
  • Under Certificates you should see now 2 Certificates
    • u_username@domain.com coming from Silverback Server
    • u_{firstname}.{lastname}_WiFi coming from your Certificate Authority

Due to Apple's security policies, the Exchange ActiveSync certificate isn't displayed in the MDM profile.

  • On your Certificate Authority you should see 2 newly created certificates
    • One is for WiFi and VPN and one is for EAS
  • As a result, you now have certificates on your device and you can configure your backend to trust these certificates
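Each "Check Certification Authority" step above (after ActiveSync, VPN and Wi-Fi) and the All in One section end with a manual refresh of Issued Certificates and a count of entries requested by Domain\Silverback$. The following PowerShell function is an added example, not part of the Matrix42 article or the Silverback product, that performs the same check from the command line with certutil -view, restricted server-side to issued certificates requested by the Silverback computer account and filtered to the SilverbackUser template. It assumes certutil.exe is present (CA tools installed), that the caller may read the CA database, that the Silverback computer account is named Silverback$ in the current domain, and that -CaConfig is the same host name\CA name string entered in Silverback above; the function name Get-SilverbackIssuedCertificate is hypothetical. Revoked certificates carry a different disposition in the CA database and are therefore excluded, which is what makes the All in One count come out at 2.

```powershell
# Added check script (not from the Matrix42 article or the Silverback product).
# Assumptions: certutil.exe is available, the caller may read the CA database, and
# -CaConfig is the same "host\CA name" string entered in Silverback.
function Get-SilverbackIssuedCertificate {
    param(
        [Parameter(Mandatory)] [string]$CaConfig,               # e.g. ca.imagoverum.com\domain-server-CA
        [string]$Requester    = "$env:USERDOMAIN\Silverback$",  # the Silverback computer account
        [string]$TemplateName = 'SilverbackUser'
    )

    # The CA stores V2+ templates by OID in the CertificateTemplate column, so resolve the OID from AD
    $templateOid = $null
    try {
        $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
        $tpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
        $templateOid = [string]$tpl.'msPKI-Cert-Template-OID'.Value
    } catch { Write-Verbose "Could not resolve template OID: $($_.Exception.Message)" }
    $pattern = [regex]::Escape($TemplateName)
    if ($templateOid) { $pattern += '|' + [regex]::Escape($templateOid) }

    # Disposition 20 = issued (revoked entries are 21 and drop out). Restrict to Silverback's requests.
    $columns = 'RequestID,RequesterName,CertificateTemplate,CommonName,NotBefore,NotAfter'
    $raw = & certutil.exe -config $CaConfig -view -restrict "Disposition=20,RequesterName=$Requester" -out $columns csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed:`n$($raw -join "`n")" }

    $rows = $raw |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |   # drop blank and status lines
        Select-Object -Skip 1 |                                 # drop certutil's header row
        ConvertFrom-Csv -Header RequestID,Requester,Template,Subject,NotBefore,NotAfter

    $matched = @($rows | Where-Object { $_.Template -match $pattern })
    [pscustomobject]@{
        CaConfig     = $CaConfig
        Requester    = $Requester
        IssuedCount  = $matched.Count
        Certificates = $matched
    }
}

# Usage: IssuedCount is expected to be 1 after the ActiveSync section, 2 after VPN, 3 after Wi-Fi,
# and 2 after the All in One re-enrollment (EAS plus the shared VPN/Wi-Fi certificate), because the
# certificates revoked in that section are no longer counted as issued.
$r = Get-SilverbackIssuedCertificate -CaConfig 'ca.imagoverum.com\domain-server-CA'
"$($r.IssuedCount) certificate(s) issued to $($r.Requester) from template SilverbackUser"
$r.Certificates | Format-Table RequestID, Subject, NotBefore, NotAfter -AutoSize
```

The Subject column shows the name each profile asked for, so the rows also confirm which profile produced which certificate: the Wi-Fi row carries the u_{firstname}.{lastname}_WiFi subject configured in the Wi-Fi profile, and the EAS row carries the user's address.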