deploy certificates to mobile devices - schedschd.ws/hosted_files/mms2016/35/deploying...
TRANSCRIPT
Deploy Certificates to Mobile Devices
Kenny Buntinx
Coretech Benelux - Managing Consultant
Http://www.scug.be/sccm
Tim De Keukelaere
Coretech Benelux - Managing Consultant
Http://www.scug.be/tim
@KennyBuntinx
MVP – SCUGBe Board
Enterprise Client Mgmt / Mobility
Genk
@Tim_DK
MVP – SCUGBe Board
Enterprise Client Mgmt / Mobility
Gent
Session Takeaways
• How to install and configure NDES
• Deploying Certificate Profiles through NDES
• Deploying Certificate Profiles through PFX
Assumptions
• Practical experience with System Center Configuration Manager
• Knowledge of Windows Intune and Device Enrollment
Certificate Deployment: Different Methods
NDES vs Pfx certs
Certificate Deployment: The NDES way … Installation
#CMCE_CH
The process
1. Install prerequisites
2. Install and configure NDES
3. Install the CRP role
4. Install the policy module
5. Further configuration
The lab …
Prerequisites
Root & Intermediate CA
• Intermediate: Windows Server 2012 R2 (for NDES)
ADFS / WAP
• KB3013769
• Profile Installation Failed on iOS (workplace join)
• Large URI request in Web Application Proxy fails in Windows Server 2012 R2 (NDES)
CA (2008 R2)
• KB2483564
Details: http://scug.be/sccm/2014/12/29/hybrid-scenarios-with-system-center-configuration-manager-2012-r2-windows-intune-adfs-wap-ndes-workplace-join-hotfixes-you-really-need-in-your-environment/
Configuring the NDES role
Further Configuration
On the NDES and WAP server
The NDES server will receive very long URLs (queries), so a few changes are needed. Open the registry editor and add two entries under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters:
• Value: MaxFieldLength, Type: DWORD, Data: 65534 (decimal)
• Value: MaxRequestBytes, Type: DWORD, Data: 65534 (decimal)
Further Configuration (2)
On the NDES server
Add Request Filtering role
Further Configuration (3)
On the NDES server
Change the Maximum URL length and Maximum query string to 65534 on the Request Filtering tab of the default website.
Reboot the server (restarting IIS is not sufficient!).
Time to test!
http://FQDN/certsrv/mscep/mscep.dll
So far so good …
Traffic between the NDES server and the CM12 CRP needs to be encrypted using SSL.
The NDES server needs a certificate with the Client Authentication Enhanced Key Usage (EKU), and a certificate with the Server Authentication EKU that it will use as its SSL certificate for the IIS web server.
Test again: https://FQDN/certsrv/mscep/mscep.dll
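As an added check (not part of the session deck), this PowerShell snippet lists the machine-store certificates that carry the Client Authentication and Server Authentication EKUs the slide calls for, shows which certificate IIS binds on 443, and requests the SCEP URL over HTTPS. The NDES FQDN is an assumption.

```powershell
# Added example, not from the session deck. Run on the NDES server.
# $NdesFqdn is an assumption; replace it with the FQDN clients and the CRP use.
$NdesFqdn = 'ndes.example.com'

# Well-known EKU OIDs: Server Authentication and Client Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-CertificatesWithEku {
    param([Parameter(Mandatory)][string]$Oid)
    # Only certificates with a private key are usable by IIS or the policy module
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $ekus = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $_.HasPrivateKey -and ($ekus -contains $Oid)
    }
}

$serverAuth = @(Get-CertificatesWithEku -Oid $ServerAuthOid)
$clientAuth = @(Get-CertificatesWithEku -Oid $ClientAuthOid)
if ($serverAuth.Count -eq 0) { Write-Warning 'No Server Authentication certificate with a private key in LocalMachine\My' }
if ($clientAuth.Count -eq 0) { Write-Warning 'No Client Authentication certificate with a private key in LocalMachine\My' }
$serverAuth + $clientAuth | Select-Object Subject, Thumbprint, NotAfter -Unique

# Which certificate IIS actually presents on 443 (WebAdministration module)
Import-Module WebAdministration
Get-ChildItem -Path IIS:\SslBindings | Select-Object IPAddress, Port, Thumbprint

# Call the SCEP endpoint from the slide over HTTPS. HTTP 200 means IIS, request
# filtering and the binding work; a TLS error points at the SSL certificate.
try {
    $response = Invoke-WebRequest -Uri "https://$NdesFqdn/certsrv/mscep/mscep.dll" -UseBasicParsing
    'NDES answered with HTTP {0}' -f $response.StatusCode
} catch {
    Write-Warning ('NDES test failed: {0}' -f $_.Exception.Message)
}
```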
Certificate Registration Point role
• On NDES Server
Configuration Manager Policy Module
Creating the NDES Encryption Cert
Duplicate Web Service Template (on sub CA)
And some more configuration …
• HKLM\Software\Microsoft\Cryptography\MSCEP
EncryptionTemplate : Key Usage of Encryption selected on cert template
GeneralPurposeTemplate : Key Usage of Signature and Encryption selected on cert template
SignatureTemplate : Key Usage of Signature selected on cert template
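The HTTP.sys registry values, IIS request-filtering limits and MSCEP template names from the Further Configuration slides and the slide above, as one added PowerShell script (not from the session deck) that applies them on the NDES server and reads them back. The template names are assumptions; use the names of the templates duplicated on your sub CA.

```powershell
# Added example, not from the session deck. Run elevated on the NDES server.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$MscepKey   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$Limit      = 65534

# 1. HTTP.sys: accept the very long SCEP query strings the slides warn about
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $HttpParams -Name $name -PropertyType DWord -Value $Limit -Force | Out-Null
}

# 2. Request Filtering role service, then the limits on the default website
Install-WindowsFeature -Name Web-Filtering | Out-Null
Import-Module WebAdministration
$filter = 'system.webServer/security/requestFiltering/requestLimits'
$site   = 'IIS:\Sites\Default Web Site'
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxUrl         -Value $Limit
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString -Value $Limit

# 3. MSCEP template names (assumed names; key usage per the slide in the comments)
$templates = @{
    EncryptionTemplate     = 'NDESEncryption'      # assumption: Key Usage = Encryption
    GeneralPurposeTemplate = 'NDESGeneralPurpose'  # assumption: Signature and Encryption
    SignatureTemplate      = 'NDESSignature'       # assumption: Key Usage = Signature
}
foreach ($entry in $templates.GetEnumerator()) {
    Set-ItemProperty -Path $MscepKey -Name $entry.Key -Value $entry.Value -Type String
}

# 4. Read everything back before rebooting (an IIS restart alone is not sufficient)
Get-ItemProperty -Path $HttpParams -Name MaxFieldLength, MaxRequestBytes |
    Select-Object MaxFieldLength, MaxRequestBytes
Get-WebConfiguration -PSPath $site -Filter $filter | Select-Object maxUrl, maxQueryString
Get-ItemProperty -Path $MscepKey -Name EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate
Write-Warning 'Reboot the server now; restarting IIS is not sufficient.'
```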
Certificate Deployment: The NDES way … Deploy trusted root certificates
Simple Certificate Enrollment Protocol (SCEP)
Certificate enrollment via NDES
1. Certificate profile deployed to device
2. Device sends SCEP request
3. Challenge is validated
4. Certificate is issued
Demo: Certificate deployment
End result …
Certificate Deployment Methods: Tips & Tricks
Tips & Tricks
Some tips for NDES deployment:
• Always target users instead of devices
> Ensures the fastest delivery
• Pre-R2 CU3 templates need to be recreated when upgrading.
> Re-targeting from device to user is not sufficient
> You will need to recreate them
#MMSMinnesota
Tips & Tricks
Certificate deployment iOS 8 or later
• Required modification to template: Remove Signature in proof of origin
See: http://blog.coretech.dk/kea/troubleshooting-certificate-deployment-on-ios-devices-with-configmgr-intune/
Tips & Tricks
Expired certificates or upgrading to CB?
Do not forget to re-run the policy module setup!
Certificate Deployment: The *.PFX way
PFX use cases
• WiFi access point certificate authentication, for customers who:
  o refuse to implement NDES in hybrid
  o do not care if the cert is the same on all the devices
• S/MIME mail encryption (Secure/Multipurpose Internet Mail Extensions)
  o S/MIME allows a user to: (1) encrypt an email and (2) digitally sign an email
  o Do not use SCEP for encryption certificates for S/MIME. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see https://docs.microsoft.com/en-gb/intune/deploy-use/secure-resource-access-with-certificate-profiles
PFX deployment in R2 SP1 and above:
• Here is some documentation to get started: https://technet.microsoft.com/en-us/library/mt131410.aspx
• Create & deploy the Import PFX profile: “Personal Information Exchange – PKCS #12 (PFX) settings – import”
• This is for customers who already have certs that need to be imported and distributed to MDM devices. This is supported for Windows 10, Android & iOS.
#ITDEVCON
How to …
• Step 1: Encode the PFX file to a Base64 blob using the certutil tool:
  certutil -encode <InFile> <OutFile>
• Step 2: Open base64blob.txt and remove the following lines, leaving just the actual blob in it:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
• Step 3: Open the Configuration Manager console and create a certificate profile.
• Step 4: Open the Configuration Manager console using the following command line:
  \AdminConsole\bin\Microsoft.ConfigurationManagement.exe sms:debugview
• Step 5: Note down the CI_UniqueID of the newly created certificate profile.
• Use the SMS_ClientPfxCertificate class, part of the SDK, to import (or delete) a PFX certificate. This class includes the following methods:
  ImportForUser - parameters:
  • Import PFX profile template name
  • Encrypted user's PFX blob (encrypted PFX, random PFX password)
  • User's name (DOMAIN\USERNAME)
  DeleteForUser - parameters:
  • Import PFX profile template name
  • User's name (DOMAIN\USERNAME)
  • Thumbprint
Use PowerShell
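The how-to steps above as one added PowerShell script (not from the session deck): it builds the Base64 blob without the BEGIN/END lines, looks up the profile's CI_UniqueID, prints the real parameter names of the SMS_ClientPfxCertificate methods, and calls ImportForUser. Site code, file path, profile name, user and the WMI argument names are assumptions; run it on the SMS Provider and match the argument names to what Get-CimClass prints.

```powershell
# Added example, not from the session deck or the ConfigMgr SDK samples.
$SiteCode    = 'PS1'                    # assumption: your site code
$Namespace   = "root\SMS\site_$SiteCode"
$PfxPath     = 'C:\pfx\jdoe.pfx'        # assumption: PFX already protected with a random password
$ProfileName = 'Import PFX - WiFi'      # assumption: name of the import PFX profile from the console
$UserName    = 'CONTOSO\jdoe'           # assumption: DOMAIN\USERNAME

# Steps 1 and 2 in one go: Base64 of the raw bytes has no BEGIN/END CERTIFICATE lines,
# so it equals the certutil -encode output after stripping those two lines.
function ConvertTo-PfxBlob {
    param([Parameter(Mandatory)][string]$Path)
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

# Step 5: the profile's CI_UniqueID (SMS_ConfigurationItemLatest is an SDK class)
$ci = Get-CimInstance -Namespace $Namespace -ClassName SMS_ConfigurationItemLatest `
        -Filter "LocalizedDisplayName='$ProfileName'"
if (-not $ci) { throw "Certificate profile '$ProfileName' not found in $Namespace" }
'Profile CI_UniqueID: {0}' -f $ci.CI_UniqueID

# Print the method signatures so the argument names below can be checked against your SDK
$class = Get-CimClass -Namespace $Namespace -ClassName SMS_ClientPfxCertificate
$class.CimClassMethods | ForEach-Object { '{0}({1})' -f $_.Name, ($_.Parameters.Name -join ', ') }

# Import. The three argument names are assumptions; the values follow the slide's parameter list.
$blob   = ConvertTo-PfxBlob -Path $PfxPath
$result = Invoke-CimMethod -Namespace $Namespace -ClassName SMS_ClientPfxCertificate `
            -MethodName ImportForUser -Arguments @{
                PfxProfileName   = $ProfileName   # Import PFX profile template name
                EncryptedPfxBlob = $blob          # encrypted user's PFX, Base64
                UserName         = $UserName      # DOMAIN\USERNAME
            }
'ImportForUser returned {0}' -f $result.ReturnValue
```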
Demo: Certificate PFX deployment
And Then …