Matrix42 Self-Service Help Center

Android II: Assign Certificates to Active Directory User Objects

Assign Certificates to Active Directory Object

Prerequisites 

  • Supported Server Operating Systems
    • Certificate Authority is installed on Windows Server 2008 R2
    • Certificate Authority is installed on Windows Server 2012
    • Certificate Authority is installed on Windows Server 2016
    • Certificate Authority is installed on Windows Server 2019
  • Certification Authority Server needs the following configured roles
    • Certification Authority
    • Certification Authority Web Enrollment 
  • HTTPS binding configured for the Certification Authority Web Enrollment site (IIS binding on the Default Web Site)
  • Certification Authority and Silverback Server are joined to the same Active Directory domain
  • When using a Cloud Connector to connect to a cloud-based environment, it is the Cloud Connector computer object that needs to be domain joined
  • Silverback or Cloud Connector computer object is added to the Silverback Mobile Device Manager group
  • A service account that obtains the enrollment agent certificate, with which certificates are requested for users and published to their Active Directory user objects
  • An enrolled Android or Samsung Knox device

Scope

Certificate Authority 

Create Enrollment Agent Certificate Template  

  • Log into your Certification Authority server
  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the tree in the left pane until the Certificate Templates node is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click Enrollment Agent in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
    • Select Windows Server 2003 Enterprise
    • Click OK
General 
  • Navigate to General
  • Enter as Template Display Name: Silverback Enrollment Agent
  • Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)
Request Handling 
  • Navigate to Request Handling
  • Configure the following:
    • Purpose: Signature and encryption
    • Confirm the prompt asking whether to change the certificate purpose with Yes
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name 
  • Navigate to Subject Name
  • Ensure the following values are configured:
    • Built from this Active Directory information: Enabled
    • Subject Name is set to Fully distinguished name
    • User principal name (UPN): Enabled
Security 
  • Navigate to Security
  • Click Add
  • Enter in the "Enter the object names to select " the service account you want to use
  • Click Check Names
  • Select the service account that you want to use 
  • Click OK
  • Allow Read and Enroll Permissions
  • Click OK to finish Template Configuration

Create User Certificate Template 

  • Right Click the built-in User template in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
    • Select Windows Server 2003
    • Click OK
General 
  • Navigate to General
  • Enter as Template Display Name: Corporate User
  • Enter as Template name: CorporateUser (filled automatically)
  • Ensure that Publish certificate in Active Directory is enabled
Request Handling  
  • Navigate to Request Handling
  • Configure the following:
    • Purpose: Signature and encryption
      • Confirm the prompt asking whether to change the certificate purpose with Yes
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name  
  • Navigate to Subject Name
  • Select Supply in the request
  • Click OK to confirm the warning about this setting
Issuance Requirements  
  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked
  • Enable This number of authorized signatures and keep default value 1
  • Change Application policy to Certificate Request Agent
Extensions 
  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encrypting File System
  • Click Remove
  • Click OK
Security  
  • Navigate to Security
  • Select Authenticated Users
  • Ensure that Read Permissions are enabled
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Select Domain Users
  • Click Remove

Review the other users and groups already listed on the template and reduce their permissions as well. Because this template lets the requester supply the subject name and is issued on the signature of an enrollment agent, anyone who can enroll it while holding an enrollment agent certificate can obtain a certificate for any user. Keep Enroll limited to the Silverback group, leave Authenticated Users and Domain Users with Read at most, and keep Enroll on the Silverback Enrollment Agent template restricted to the service account. At least one administrative account should keep Read and Write permissions so the template can be adjusted later. The Enrollment Agents tab in the properties of the CA can additionally restrict which agents may request which templates for which users.

  • Click OK to finish Template Configuration
  • Close Certificate Templates Console window

Issue Certificate Templates  

  • Navigate to Certification Authority window
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback Enrollment Agent
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Corporate User
  • Click OK
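The template settings above are easy to get wrong in the dialogs, and the two templates together form the on-behalf-of enrollment chain, so it is worth reading them back out of Active Directory before issuing the first request. The following PowerShell is an added example and not part of the Matrix42 article: it reads both templates from the Configuration partition, checks the flags the steps above set, and lists every principal that holds the Enroll right on the Corporate User template. It assumes the template names used in this article (SilverbackEnrollmentAgent, CorporateUser); adjust the two variables if you chose different ones. Run it on any domain-joined machine as a domain user.

```powershell
# Added example (not from the Matrix42 article): verify the two certificate
# templates created above directly in the Configuration partition.
$AgentTemplate = 'SilverbackEnrollmentAgent'
$UserTemplate  = 'CorporateUser'

# Flag bits and OIDs from the certificate template schema (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag
$CT_FLAG_PUBLISH_TO_DS             = 0x8    # msPKI-Enrollment-Flag
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag
$OID_CERT_REQUEST_AGENT = '1.3.6.1.4.1.311.20.2.1'
$OID_EFS                = '1.3.6.1.4.1.311.10.3.4'
$GUID_ENROLL            = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$configNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

function Get-CertTemplate([string]$Name) {
    $path = "LDAP://CN=$Name,$templatesDn"
    if (-not [ADSI]::Exists($path)) { throw "Template '$Name' not found under $templatesDn" }
    return [ADSI]$path
}

function Test-Flag($Entry, [string]$Attribute, [int]$Bit) {
    ([int]($Entry.Properties[$Attribute].Value) -band $Bit) -ne 0
}

# Principals holding an Allow ACE for the Enroll extended right on a template
function Get-EnrollPrincipals($Entry) {
    $Entry.ObjectSecurity.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $GUID_ENROLL } |
        ForEach-Object { $_.IdentityReference.Value }
}

$agent = Get-CertTemplate $AgentTemplate
$user  = Get-CertTemplate $UserTemplate

$checks = [ordered]@{
    'Agent: EKU is Certificate Request Agent'     = (@($agent.Properties['pKIExtendedKeyUsage']) -contains $OID_CERT_REQUEST_AGENT)
    'Agent: private key exportable'               = (Test-Flag $agent 'msPKI-Private-Key-Flag' $CT_FLAG_EXPORTABLE_KEY)
    'User: subject supplied in the request'       = (Test-Flag $user 'msPKI-Certificate-Name-Flag' $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    'User: published to Active Directory'         = (Test-Flag $user 'msPKI-Enrollment-Flag' $CT_FLAG_PUBLISH_TO_DS)
    'User: one authorized signature required'     = ([int]($user.Properties['msPKI-RA-Signature'].Value) -eq 1)
    'User: signature policy = Cert Request Agent' = ("$($user.Properties['msPKI-RA-Application-Policies'].Value)" -like "*$OID_CERT_REQUEST_AGENT*")
    'User: EFS EKU removed'                       = (-not (@($user.Properties['pKIExtendedKeyUsage']) -contains $OID_EFS))
    'User: Domain Users cannot enroll'            = (-not ((Get-EnrollPrincipals $user) -like '*\Domain Users'))
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
"Enroll on $UserTemplate granted to: " + ((Get-EnrollPrincipals $user) -join ', ')
```

The last line is the one to read most carefully: the only principals that should appear are the Silverback device management group and, if you kept it, an administrative account. Any broad group listed there can, with an enrollment agent certificate, request a Corporate User certificate for an arbitrary user.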

Create Enrollment Agent Certificate Request 

  • Log in to your Silverback or Cloud Connector server with a local administrator account (not an Active Directory domain account), so that Internet Explorer does not sign you in automatically with integrated Windows authentication and you can authenticate as the service account instead
  • Open Internet Explorer
  • Enter URL for the Certification Authority Web Enrollment web site 
  • Click Continue to this website
  • Login with your Service Account 

If you do not see a login prompt, you are probably logged in with an Active Directory domain account and Internet Explorer has authenticated you automatically.

  • Click Request a certificate
  • Click advanced certificate request
  • Click Create and submit a request to this CA
    • When Certificate Authority is running on Windows Server 2008 R2 you may not see this action
      • Instead you are redirected directly to Submit a Certificate Request or Renewal Request
      • Open Compatibility View Settings in Internet Explorer
      • Click Add to add your domain (e.g. imagoverum.com) and close the window
      • Go back to the Request a certificate step and try again (refresh the page if needed)
  • After clicking Create and submit a request to this CA you should see a Web Access Confirmation pop-up (the ActiveX enrollment control asking for permission)
    • If the pop-up does not appear and the CSP list keeps loading, open Internet Options
    • Navigate to Security
    • Select Trusted Sites
    • Click Sites
    • Click Add (your Certification Authority site should be filled in automatically, e.g. ca.imagoverum.com)
    • Click Close
    • Click OK
    • Refresh the page; the pop-up should now appear
  • Click Yes
  • Change Certificate Template to Silverback Enrollment Agent
  • Click Submit
  • Click Yes

Install Certificate 

  • Click Install this certificate
  • Your new certificate should be successfully installed

Export Certificate from Current User 

  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certmgr.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
    • Right Click the installed certificate
    • Click All Tasks
    • Click Export
    • Click Next
    • Click Yes, export the private key
    • Click Next
    • Uncheck Include all certificates in the certification path if possible
    • Click Next
    • Enable Password
      • Enter a Password
      • Confirm Password
    • Click Next
    • Click Browse
    • Choose your location and save it as a *.pfx file
    • Click Next
    • Click Finish
    • Click OK

Import Certificate to Local Computer 

  • Login to your Silverback or Cloud Connector server as a Domain Administrator
  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certlm.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
  • Perform a right click in the right pane
  • Select All Tasks
  • Select Import
  • Click Next
  • Click Browse
  • Select your *.pfx file

In the file dialog, change the file type filter to All Files (*.*) if the .pfx file is not shown.

  • Click Open
  • Click Next
  • Enter your created password
  • Enable Mark this key as exportable
  • Click Next
  • Ensure that Personal is selected
  • Click Next
  • Click Finish
  • Click OK

Add Permission

  • Right click the new imported enrollment agent certificate
  • Select All Tasks
  • Select Manage Private Keys
  • Click Add
  • Enter network
  • Click Check Names
  • Select Network Service
  • Click OK
  • Click OK
  • Ensure that only Read is allowed
    • Uncheck Full control
  • Click Apply
  • Click OK
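The same four steps (request the enrollment agent certificate as the service account, export it with its private key, import it into the machine store, and give NETWORK SERVICE read access to the key) can be done without Internet Explorer, which avoids the Compatibility View and ActiveX problems described above. The script below is an added example, not part of the Matrix42 article or the product. It uses certreq.exe and the PKI PowerShell cmdlets that ship with Windows Server 2012 and later. The CA config string, the service account name, the template name and the paths are placeholders for your environment. Run Request-AgentCertificate in a PowerShell session started as the service account (for example with runas /user:IMAGOVERUM\svc-silverback powershell.exe) and Install-AgentCertificate in an elevated session afterwards.

```powershell
# Added example (not from the Matrix42 article): enrollment agent request,
# export, import and key permission with certreq.exe and PowerShell.
$CaConfig            = 'ca.imagoverum.com\domain-server-CA'   # placeholder: CA host\CA name
$TemplateName        = 'SilverbackEnrollmentAgent'            # template name, not the display name
$PfxPath             = 'C:\Temp\agent.pfx'                    # placeholder
$OidCertRequestAgent = '1.3.6.1.4.1.311.20.2.1'

# Part 1: run as the service account. The key is created in that account's user store.
function Request-AgentCertificate {
    $work = Split-Path $PfxPath
    New-Item -ItemType Directory -Path $work -Force | Out-Null

    certutil.exe -config $CaConfig -ping | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CA '$CaConfig' not reachable; check the config string" }

    # The CA ignores the Subject because the template builds it from AD, but certreq
    # needs a value. Exportable = TRUE matches the template's request handling.
@"
[NewRequest]
Subject = "CN=svc-silverback"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path "$work\agent.inf" -Encoding ASCII

    certreq.exe -new    "$work\agent.inf" "$work\agent.req"
    certreq.exe -submit -config $CaConfig "$work\agent.req" "$work\agent.cer"
    certreq.exe -accept "$work\agent.cer"      # pairs the issued cert with its key in Cert:\CurrentUser\My

    $agent = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $OidCertRequestAgent } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $agent) { throw 'No Certificate Request Agent certificate found in the user store' }

    # Same as the export wizard: private key included, chain left out, password protected
    $pw = Read-Host -AsSecureString 'Password for the PFX'
    Export-PfxCertificate -Cert $agent -FilePath $PfxPath -Password $pw -ChainOption EndEntityCertOnly | Out-Null
    "Exported $($agent.Thumbprint) to $PfxPath"
}

# Part 2: run elevated. Imports into the machine store and grants the key to NETWORK SERVICE.
function Install-AgentCertificate {
    $pw   = Read-Host -AsSecureString 'Password for the PFX'
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pw -Exportable
    Remove-Item $PfxPath     # the key now lives in the machine store; do not leave the PFX on disk

    # Locate the private key file. A template in Windows Server 2003 format uses a legacy
    # CSP key (...\Crypto\RSA\MachineKeys); a CNG key would live under ...\Crypto\Keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
               else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName |
               Select-Object -First 1
    if (-not $keyFile) { throw "Key file '$keyName' not found" }

    # Equivalent of Manage Private Keys > Add NETWORK SERVICE with Read only
    icacls.exe $keyFile.FullName /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
    icacls.exe $keyFile.FullName   # show the resulting ACL for review
    "Installed $($cert.Thumbprint); select it as the Agent Certificate in the Wi-Fi profile"
}
```

The PFX is deleted right after the import on purpose: it contains the enrollment agent key, and anyone who obtains it can request Corporate User certificates for any user in your directory. The icacls output at the end should show NETWORK SERVICE with (R) only, matching the Manage Private Keys step above.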

Silverback

Add Certification Authority 

  • Open your Silverback Management Console
  • Login as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Corporate Certification Authority in the following format:
    • ca.imagoverum.com\domain-server-CA

To find this value, open a command prompt on your Certification Authority, run certutil without arguments, and copy the value shown after Config:.

  • Click Save
  • Confirm with OK 

From now on Silverback will request a certificate for every Exchange ActiveSync profile it assigns. If you deploy (or plan to deploy) Exchange ActiveSync profiles to managed devices, enter under Template Name a template that does not have Publish certificate in Active Directory enabled; otherwise every ActiveSync certificate will also be written to the user object. Create such a user template following Android I: Add Certification Authority and Assign Certificates.

Additional Tasks with Cloud Connector

If you are running Silverback with the Cloud Connector, please perform the additional tasks:

  • Navigate to Cloud Connector
  • Ensure to have enabled Send LDAP requests through Tunnel 
  • Ensure to have enabled Request Client Certificates through Tunnel
  • Press Save
  • Restart your Cloud Connector Services on your Cloud Connector Server

Additional Tasks for On-Premise Installations without Cloud Connector

  • Run PowerShell with elevated privileges on your Silverback Server
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User 

  • Logout as Settings Administrator
  • Login as Administrator

Passcode Modification

Android and Samsung Knox devices must be secured with a configured lock screen for certificates to work properly. It should be your default policy anyway that devices are protected with a passcode. This guide creates a new passcode tag, but you can use any existing one in your company. What matters is that the device ends up with a proper passcode. If it does not, Companion will force the user to set a screen lock of the lowest accepted type (Swipe) before profiles are applied to the device.

Create a new Passcode Tag 

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. Password Policy
    • Enter as description e.g. Password Policy for any Certificate Based Authentication (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device type, e.g. Samsung Knox
    • Click Save

Create a new Passcode Profile 

  • Navigate to Profile
    • Navigate to Passcode
    • Enable Passcode Settings
    • Set Quality to at least Numeric
    • Keep or change the minimum length (optional)
    • Adjust Maximum Passcode Age (optional)
    • Adjust Auto-lock in minutes (optional)
    • Enforce passcode history (optional)
    • Change Maximum Failed Attempts to a suitable value, e.g. 5 or 10 or keep 0 for deactivated
    • Click Save
    • Confirm with OK
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK
  • Check your Device
    • If not already present, you should now configure your screen unlock settings
    • Choose e.g. PIN and create one for the device
    • Proceed with next chapter

Wireless Local Area Network

Create Wireless Local Area Network Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. Samsung Wi-Fi Corporate
    • Enter as description e.g. WiFi with certificate based authentication for User Objects (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device, e.g. Samsung Knox
    • Click Save

Create Wireless Local Area Network Profile 

This section describes a basic configuration of a Wi-Fi Profile to check if the certificate distribution is working properly and we recommend to get in contact with your Wi-Fi Administrator to review additional required settings, options and trusts. Please refer to WPA Enterprise Settings for Apple and Android Enterprise for additional information.

  • Navigate to Profile
    • Navigate to Wi-Fi
    • Click New Wi-Fi profile
    • Configure General Settings
      • Enable Wi-Fi settings
      • Enter your SSID, e.g. Imagoverum Wi-Fi
      • Select as Security Type WPA 2 Enterprise
      • Enable Hidden Network (optional)
    • Configure Protocol Settings
      • Select your individual EAP Type
    • Configure Authentication Settings
      • Select Individual Client Certificate as Certificate Type
      • Enter as Individual Client Certificate subject e.g. u_{firstname}.{lastname}_WiFi
      • Enable Populate into Active Directory
      • Enter a Certificate Template Name CorporateUser
      • Enter as Requester Name LDAP Attribute: SamAccountName (Use SamAccountName, nothing else!)
      • Select as Agent Certificate your previously created Enrollment Agent Certificate 
    • Save your configuration
      • Click Save
      • Confirm with Yes

Use a subject name that meets the identity requirements of your RADIUS server, e.g. {UserName} or {UserEmail} rather than a decorative string like the one above.

  • Navigate to Definition
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to Devices

Check Device 

  • On your device open Settings
    • Navigate to Biometrics and security
    • Open Other Security Settings
    • Select User certificates
    • You should see a listed certificate from your Certification Authority
      • e.g. u_Tim.Tober_WiFi

Check Certification Authority 

  • Navigate back to your Certificate Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a newly issued certificate for firstname.lastname using the Corporate User template
  • Navigate to your Active Directory
    • Open Active Directory Users and Computers
    • Click View
    • Click Advanced Features
    • Navigate to your User
    • Double Click your User
    • Navigate to Attribute Editor
    • Scroll down to userCertificate
    • The issued certificate should be listed as a binary (DER) value
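Reading userCertificate in the Attribute Editor only shows a blob per entry, so it is hard to tell which entry is the one just issued, which template it came from, and whether older entries have piled up. The following PowerShell is an added example (not part of the Matrix42 article): it searches the user by sAMAccountName, decodes every published certificate, and reports subject, template, expiry and issuer. It needs no RSAT module, only a domain-joined machine. The user name is a placeholder.

```powershell
# Added example (not from the Matrix42 article): decode the userCertificate
# attribute of a user to confirm the Corporate User certificate was published.
function Get-PublishedUserCertificates([string]$SamAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "User '$SamAccountName' not found" }

    foreach ($der in $hit.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        # v1 templates carry 1.3.6.1.4.1.311.20.2 (name); v2 and later carry
        # 1.3.6.1.4.1.311.21.7 (template OID and version). Format() renders both readably.
        $template = ($cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }) -join '; '
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Template   = $template
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Thumbprint = $cert.Thumbprint
        }
    }
}

$certs = Get-PublishedUserCertificates 'tim.tober'   # placeholder sAMAccountName
$certs | Format-Table Subject, Template, NotAfter, Expired -AutoSize

# Publishing only ever adds entries; the CA does not remove superseded or expired
# ones from the attribute, so the list grows with every re-push of the profile.
$stale = $certs | Where-Object Expired
if ($stale) { "Expired entries still published: $($stale.Thumbprint -join ', ')" }
```

The entry for this guide should show the subject you configured in the Wi-Fi profile (for example CN=u_Tim.Tober_WiFi), the Corporate User template and your CA as issuer. Expired or superseded entries are not cleaned up automatically; remove them deliberately from the attribute once you have confirmed nothing (for example a RADIUS server doing certificate mapping) still relies on them.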

Device Overview

  • Navigate back to Silverback Management Console
  • Navigate to Devices > Managed
  • Open your recently enrolled devices
  • Press Refresh
  • Scroll down to Certificate List
  • You should see now listed a certificate with the common name u_{firstname}.{lastname}_WiFi
  • Please note the following table of supported certificate listings in device overview
Platform / Management Type | Legacy Management                                 | Android Enterprise Device Owner                   | Android Enterprise Work Profile
Android                    | not supported                                     | User Certificates, Certificate Trust Certificates | Certificate Trust Certificates
Samsung Knox               | User Certificates, Certificate Trust Certificates | User Certificates, Certificate Trust Certificates | Certificate Trust Certificates