Matrix42 Self-Service Help Center

iOS III: Create Computer Objects and Assign Certificates

Assign Computer Certificates to Computer Object 

You may already be familiar with the automatic creation of Computer Objects after a computer joins your Active Directory. Silverback can do the same and is able to create Computer Objects on your behalf during Enrollment. You may also want to add the distributed Wi-Fi certificates, issued from a computer certificate template, to the created computer object in your Active Directory. Adding certificates to computer objects requires the steps described below.

Prerequisites

  • Supported Server Operating Systems
    • Certificate Authority is installed on Windows Server 2008 R2
    • Certificate Authority is installed on Windows Server 2012
    • Certificate Authority is installed on Windows Server 2016 
  • Certification Authority Server needs the following configured roles
    • Certification Authority
    • Certification Authority Web Enrollment 
  • Configured HTTPS Authentication for Certification Authority Web site (IIS Binding for Default Web Site) 
  • Certification Authority and Silverback Server are joined to the same Active Directory Domain
  • When using a Cloud Connector to connect to a Cloud Based Environment, it is the Cloud Connector machine that needs to be Domain Joined.
  • Service Account for publishing certificates into Active Directory User Object
  • Domain Account with privileges to Create Computer Objects in a specific OU
  • Silverback Computer Object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management groups.
  • Please refer to Installation Guide I: System Requirements
  • An enrolled iOS device

Scope

  • Assigning Certificates to Active Directory Objects is supported for Wi-Fi Certificates

Certificate Authority

  • Log into your Certification Authority server

Create Enrollment Agent Certificate Template 

You might have created the Enrollment Agent Certificate Template already during the previous Guide. In this case, proceed with the creation of a new Computer Template.

  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the Configuration Tree on the Right until the Certificate Templates section is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click Enrollment Agent in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback Enrollment Agent
  • Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)
Request Handling
  • Now navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature and encryption
    • Proceed with Yes at prompt for wish to change the certificate purpose
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Ensure the following values are configured:
    • Built from this Active Directory information: Enabled
    • Subject Name is set to Fully distinguished name
    • User principal name (UPN): Enabled
Security
  • Navigate to Security
  • Click Add
  • Enter in the "Enter the object names to select " the service account you want to use
  • Click Check Names
  • Select the service account that you want to use 
  • Click OK
  • Allow Read and Enroll Permissions
  • Click OK to finish Template Configuration

Create Computer Template 

  • Perform a right click on Computer
  • Choose Duplicate Template
  • If prompted, select Windows Server 2003 Enterprise as version
  • Click OK
General
  • Navigate to General
  • Enter as Template display name e.g. Silverback Computer
  • Enable Publish certificate in Active Directory
Request Handling
  • Navigate to Request Handling
  • Enable Include symmetric algorithms allowed by the subject
  • Enable Allow private key to be exported
Subject Name
  • Navigate to Subject Name
  • Enable Supply in the Request
  • Accept the prompt with OK
Issuance Requirements
  • Navigate to Issuance Requirements
  • Enable This number of authorized signatures
  • Change Application Policy to Certificate Request Agent
Extensions
  • Select Application Policies
  • Click Edit
  • Select Server Authentication
  • Click Remove
  • Click OK
  • Add Secure Email (optional)
Security
  • Navigate to Security
  • Click Add
  • Enter Silverback and click Check Names
  • Select the Silverback Enterprise Device Management Group
  • Click OK (2x)
  • Enable Enroll Permissions for the added group 
  • Click OK

Issue Certificate Templates 

  • Navigate to Certification Authority window
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback Enrollment Agent
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback Computer
  • Click OK

Create Enrollment Agent Certificate Request

You may have created the Certificate Request already during the previous Guide. In this case, please proceed with Add Certificate Authority.

  • Login to your Silverback server as a Local Administrator (not Active Directory Domain Account)
  • Open Internet Explorer
  • Enter URL for the Certification Authority Web Enrollment web site 
  • Click Continue to this website
  • Login with your Service Account 

If you do not see a Login prompt, you are probably logged in with an Active Directory Domain Account.

  • Click Request a certificate
  • Click advanced certificate request
  • Click Create and submit a request to this CA
    • When Certificate Authority is running on Windows Server 2008 R2 you may not see this action
      • You will be redirected directly to the Submit a Certificate Request or Renewal Request action
      • Open Compatibility View Settings on Internet Explorer
      • Click Add to add your domain (e.g. imagoverum.com) and Close the Window
      • Navigate back to Request a certificate step and try again (maybe refresh your browser)
    • After clicking Create and submit a request to this CA you should receive a Web Access Confirm pop-up
      • If you don't see this and your CSP keeps loading, open Internet Options
      • Navigate to Security
      • Select Trusted Sites
      • Click Sites
      • Click Add (your Certification Authority should be filled in automatically, e.g. ca.imagoverum.com)
      • Click Close
      • Click OK
      • Refresh the page; you should now see the pop-up
  • Click Yes
  • Change Certificate Template to Silverback Enrollment Agent
  • Click Submit
  • Click Yes

Install Certificate

  • Click Install this certificate
  • Your new certificate should be successfully installed.

Export Certificate from Current User

  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certmgr.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
    • Right Click the installed certificate
    • Click All Tasks
    • Click Export
    • Click Next
    • Click Yes, export the private key
    • Click Next
    • Click Next
    • Enable Password
      • Enter a Password
      • Confirm Password
    • Click Next
    • Click Browse
    • Choose your location and save it as a *.pfx file
    • Click Next
    • Click Finish
    • Click OK

Import Certificate to Local Computer

  • Login to your Silverback server as a Domain Administrator
  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certlm.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
  • Perform a right click in the right pane
  • Select All Tasks
  • Select Import
  • Click Next
  • Click Browse
  • Select your *.pfx file

    • Change the file type filter to All Files (*.*) so that the .pfx file is shown

  • Click Open
  • Click Next
  • Enter your created password
  • Enable Mark this key as exportable
  • Click Next
  • Ensure that Personal is selected
  • Click Next
  • Click Finish
  • Click OK

Add Permission

  • Right click the new imported enrollment agent certificate
  • Select All Tasks
  • Select Manage Private Keys
  • Click Add
  • Enter network
  • Click Check Names
  • Select Network Service
  • Click OK
  • Click OK
  • Ensure that only Read is allowed
    • Uncheck Full control
  • Click Apply
  • Click OK
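The same least-privilege assignment can be scripted and verified. The following PowerShell is an added example and not part of the Matrix42 guide; it assumes the enrollment agent certificate sits in the Local Computer Personal store, uses the guide's example thumbprint, and assumes the key file lives under the default %ProgramData%\Microsoft\Crypto paths.

```powershell
# Added example (not from the Matrix42 guide): grant NETWORK SERVICE read-only access to the
# private key of the enrollment agent certificate, replacing any broader entry, then verify.
$Thumbprint = 'd17843663fbaa87f49c4e97cd860867efc2c20b6'   # example value from the guide; use your own

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; import the .pfx again with its key"
}

# Locate the key file. Legacy CSP keys (template compatible with Windows Server 2003) live under
# RSA\MachineKeys, CNG keys under Keys. Both paths are the assumed defaults for the machine store.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not (Test-Path $keyFile)) { throw "Key file not found at $keyFile" }

$identity = 'NT AUTHORITY\NETWORK SERVICE'
$acl = Get-Acl -Path $keyFile

# Drop every existing NETWORK SERVICE entry so nothing wider than Read (e.g. Full control) survives
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $identity } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $identity, 'Read', 'Allow'
$acl.AddAccessRule($readOnly)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: the only right NETWORK SERVICE should hold on the key file is Read
$effective = (Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity }
$effective | Select-Object IdentityReference, FileSystemRights, AccessControlType
if ($effective.FileSystemRights -ne 'Read') {
    Write-Warning "NETWORK SERVICE holds $($effective.FileSystemRights) on the key; expected Read only"
}
```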

Copy Thumbprint

  • Double click the enrollment agent certificate
  • Navigate to Details
  • Scroll down to Thumbprint
  • Copy the Thumbprint into any Text Editor (e.g. d17843663fbaa87f49c4e97cd860867efc2c20b6)
  • Click OK

Silverback

You might have added the Certification Authority to Silverback already during the previous Guide. In this case, proceed with Create a new Tag.

Add Certificate Authority

  • Open your Silverback Management Console
  • Login as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Certificate Authority in the following format:
    • ca.imagoverum.com\domain-server-CA
  • Click Save
  • Confirm with OK 

Restart IIS

  • Run PowerShell with elevated privileges
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User

  • Logout as Settings Administrator
  • Login as Administrator

Create a new Tag

  • Login as an Administrator
  • Create a Tag
    • Navigate to Tags
    • Click New Tag
    • Enter as Name e.g. iOS WiFi Corporate Extended
    • Enter as Description e.g. WiFi with Certificate Based Authentication attached to Active Directory Computer Objects (optional)
    • Enable Profile
    • Enable Policy
    • Enable iPhone and/or iPad
    • Click Save

Create Computer Objects Policy

  • Navigate to Policy
  • Navigate to Computer Objects
  • Click Enabled
  • Add your Computer name prefix, e.g. iPhone-{DeviceId} or {SerialNumber}
  • Add your Organizational Unit, e.g. OU=Silverback,DC=imagoverum,DC=com
  • Add your Domain Administrator Account, e.g. Imagoverum\Administrator
  • Add your Domain Administrator Password, e.g. Pa$$w0rd
  • Click Save
  • Click OK
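The account stored in this policy only needs the right to create computer objects in the target OU, as listed under Prerequisites. The following PowerShell is an added example and not part of the Matrix42 guide; it delegates exactly that right to a dedicated service account, where the account name and OU are assumed example values and it is assumed that Silverback needs no further rights on the OU.

```powershell
# Added example (not from the Matrix42 guide): delegate only "Create Computer objects" on the
# target OU to a dedicated service account, so the Computer Objects policy does not need a
# Domain Administrator. Requires the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

$Ou      = 'OU=Silverback,DC=imagoverum,DC=com'   # example OU from the guide
$Account = 'IMAGOVERUM\svc-silverback'            # hypothetical service account
# schemaIDGUID of the "computer" class; scopes CreateChild to computer objects only
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = (New-Object System.Security.Principal.NTAccount $Account).Translate(
    [System.Security.Principal.SecurityIdentifier])

$acl  = Get-Acl -Path "AD:\$Ou"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # this OU only
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$Ou" -AclObject $acl

# Verify: the account should appear with Allow/CreateChild limited to the computer class
(Get-Acl -Path "AD:\$Ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.ObjectType -eq $computerClass } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
```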

Create Wireless Local Area Network Profile

  • Navigate to Profile
    • Navigate to Wi-Fi
    • Click New WiFi Profile
    • Enable Wi-Fi Settings
      • Enter your SSID, e.g. Imagoverum #5.0
      • Change Security Type to WPA2 Enterprise
      • Enable Hidden Network (optional)
      • Enable Automatically Join (optional)
    • Select Authentication
      • Enable Use Individual Client Certificates
      • Enter an Individual Client Certificate subject: e.g. {SerialNumber}
      • Enable Populate into Active Directory
      • Enable Use Computer Object
      • Enter Certificate Template Name, e.g. SilverbackComputer
      • Enter the Agent Certificate Thumbprint, e.g. d17843663fbaa87f49c4e97cd860867efc2c20b6
    • Click Save
    • Click Yes
  • Navigate to Definition
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to Devices

Check Device

  • On your device open Settings
    • Open General
    • Navigate to Profiles & Device Management
    • Open Silverback MDM Profile
    • Click More Details
    • Under WiFi Network you should now see an entry with your SSID
    • Under Certificates you should now see 2 Certificates
      • u_username
      • SerialNumber, e.g. DNPQFFYEGRY9

Check Certification Authority

  • Navigate back to your Certificate Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a newly issued certificate for {SerialNumber} with the Silverback Computer Template and the requester name, e.g. DNPQFFYEGRY9$
  • Navigate to your Active Directory
    • Open Active Directory Users and Computers
    • Click View
    • Click Advanced Features
    • Navigate to your Organizational Unit
    • Click Refresh
    • You should now see a newly created computer object named e.g. DNPQFFYEGRY9
    • Perform a double click on the device
    • Navigate to Attribute Editor
    • Scroll down to userCertificate
    • The issued certificate should be listed in Binary Format
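The same check can be done without the Attribute Editor by decoding the userCertificate values directly. The following PowerShell is an added example and not part of the Matrix42 guide; the serial number, OU and template name are the guide's example values, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the Matrix42 guide): read the computer object Silverback created and
# decode every certificate in its userCertificate attribute, reporting template, EKU and expiry.
Import-Module ActiveDirectory

$DeviceName   = 'DNPQFFYEGRY9'                        # example serial number from the guide
$SearchBase   = 'OU=Silverback,DC=imagoverum,DC=com'  # example OU from the guide
$TemplateName = 'SilverbackComputer'                  # template name entered in the Wi-Fi profile

$computer = Get-ADComputer -Filter "Name -eq '$DeviceName'" -SearchBase $SearchBase `
    -Properties userCertificate
if (-not $computer) { throw "No computer object '$DeviceName' under $SearchBase" }
if (-not $computer.userCertificate) { throw "'$DeviceName' exists but userCertificate is empty" }

$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # template name / template info
$clientAuth   = '1.3.6.1.5.5.7.3.2'                               # EKU required for EAP-TLS Wi-Fi

foreach ($raw in $computer.userCertificate) {
    # Each attribute value is the DER-encoded certificate (the "Binary Format" seen in the editor)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    $template = ($cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids } |
        ForEach-Object { $_.Format($false) }) -join '; '
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuth })
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        Template      = $template
        FromTemplate  = $template -like "*$TemplateName*"
        ClientAuthEKU = $hasClientAuth
    }
}
```

A row with FromTemplate and ClientAuthEKU both True and Expired False is the certificate the Wi-Fi profile pushed; any extra rows are older or foreign certificates that were published to the same object.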