![Page 1: Deploy Certificates to Mobile Devices - Schedschd.ws/hosted_files/mms2016/35/Deploying Certificates_KB_TDK_v0 … · Deploy Certificates to Mobile Devices Kenny Buntinx ... WiFi Access](https://reader031.vdocuments.site/reader031/viewer/2022030412/5a9e1deb7f8b9ad2298d7bd4/html5/thumbnails/1.jpg)
Deploy Certificates to Mobile Devices
Kenny Buntinx
Coretech Benelux - Managing Consultant
http://www.scug.be/sccm
Tim De Keukelaere
Coretech Benelux - Managing Consultant
http://www.scug.be/tim
@KennyBuntinx
MVP – SCUGBe Board
Enterprise Client Mgmt / Mobility
Genk
@Tim_DK
MVP – SCUGBe Board
Enterprise Client Mgmt / Mobility
Gent
Kenny Buntinx / Tim De Keukelaere
Session Takeaways
• How to install and configure NDES
• Deploying Certificate Profiles through NDES
• Deploying Certificate Profiles through PFX
Assumptions
• Practical experience with System Center Configuration Manager
• Knowledge of Windows Intune and Device Enrollment
Certificate Deployment: Different Methods
NDES vs PFX certs
Certificate Deployment: The NDES way - Installation
#CMCE_CH
The process
1. Install prerequisites
2. Install NDES
3. Configuration
4. Install the Certificate Registration Point (CRP) role
5. Install the Policy Module
6. Further configuration
The lab …
Prerequisites
Root & Intermediate CA
• Intermediate: Windows Server 2012 R2 (for NDES)
ADFS / WAP
• KB3013769
• Profile installation failed on iOS (Workplace Join)
• Large URI request in Web Application Proxy fails in Windows Server 2012 R2 (NDES)
CA (2008 R2)
• KB2483564
Details: http://scug.be/sccm/2014/12/29/hybrid-scenarios-with-system-center-configuration-manager-2012-r2-windows-intune-adfs-wap-ndes-workplace-join-hotfixes-you-really-need-in-your-environment/
Configuring the NDES role
Further Configuration
On the NDES and WAP server
The NDES server receives very long URLs (the SCEP request travels in the query string), so the default HTTP.sys limits must be raised. Open the registry editor and add two values under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters:
• MaxFieldLength, type DWORD, data 65534 (decimal)
• MaxRequestBytes, type DWORD, data 65534 (decimal)
Further Configuration (2)
On the NDES server
Add Request Filtering role
Further Configuration (3)
On the NDES server
Change the Maximum URL length and Maximum query string to 65534 in the Request Filtering feature settings of the Default Web Site (the site that hosts /certsrv/mscep).
Reboot the server (restarting IIS alone is not sufficient; the HTTP.sys registry values are only read when the HTTP service starts).
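The four settings above (two HTTP.sys registry values, two IIS request filtering limits) are easy to get half-right and hard to notice until enrollment fails. The script below is an added example, not code from the deck; it applies and re-reads all four on the NDES server. It assumes the site is "Default Web Site" and that the IIS WebAdministration module is installed. Only the registry part applies to the WAP server.

```powershell
# Added example (not from the original deck). Run elevated on the NDES server.
# Assumptions: site name 'Default Web Site', WebAdministration module available.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Limit      = 65534                    # decimal, as on the slide
$Site       = 'Default Web Site'       # assumption: site hosting /certsrv/mscep
$Filter     = 'system.webServer/security/requestFiltering/requestLimits'

function Set-NdesHttpSysLimits {
    # HTTP.sys only picks these up when the HTTP service starts: reboot afterwards.
    foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
        New-ItemProperty -Path $HttpParams -Name $name -PropertyType DWord `
                         -Value $Limit -Force | Out-Null
    }
}

function Set-NdesRequestFilteringLimits {
    # Same values that the GUI writes under Request Filtering > Edit Feature Settings.
    foreach ($name in 'maxUrl', 'maxQueryString') {
        Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $Filter `
                                     -Name $name -Value $Limit
    }
}

function Test-NdesLongUrlConfig {
    # Re-reads every value instead of trusting the set calls; returns $true only if all match.
    $ok  = $true
    $reg = Get-ItemProperty -Path $HttpParams
    foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
        if ($reg.$name -ne $Limit) {
            Write-Warning "HTTP.sys $name is '$($reg.$name)', expected $Limit"; $ok = $false
        }
    }
    foreach ($name in 'maxUrl', 'maxQueryString') {
        $v = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $Filter -Name $name).Value
        if ($v -ne $Limit) {
            Write-Warning "IIS requestLimits/$name is '$v', expected $Limit"; $ok = $false
        }
    }
    return $ok
}

Set-NdesHttpSysLimits
Set-NdesRequestFilteringLimits
if (Test-NdesLongUrlConfig) { Write-Host 'All four limits set. Reboot for the HTTP.sys values to take effect.' }
```

Run Test-NdesLongUrlConfig again after the reboot; a value that silently reverted (for example an IIS configuration that was restored from backup) shows up as a warning rather than as an enrollment failure weeks later.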
Time to test!
http://FQDN/certsrv/mscep/mscep.dll
So far so good …
Traffic between the NDES server and the Configuration Manager 2012 (CM12) Certificate Registration Point (CRP) must be encrypted with TLS (SSL).
The NDES server therefore needs two certificates:
• one with the Client Authentication Enhanced Key Usage (EKU), which the policy module uses to authenticate to the CRP
• one with the Server Authentication EKU, used as the TLS certificate of the IIS website that hosts NDES
Test again: https://FQDN/certsrv/mscep/mscep.dll
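A browser hit on mscep.dll proves the URL resolves, but not that the right certificates are in place. The script below is an added example, not code from the deck: it checks that a Client Authentication and a Server Authentication certificate with private keys exist in the machine store, that the HTTPS binding actually uses one of the server-auth certificates, and that the SCEP endpoint answers over both http and https. The host name is a placeholder; the WebAdministration module is assumed for the binding check.

```powershell
# Added example (not from the original deck). Run on the NDES server.
# Assumption: $Fqdn is the name clients use for NDES; WebAdministration module present.
Import-Module WebAdministration
$Fqdn = 'ndes.contoso.com'   # placeholder, replace with the real NDES FQDN

$EkuClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$EkuServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication

function Get-LocalCertsWithEku {
    param([string]$Oid)
    # A certificate without its private key cannot be used for TLS or client auth, so require it.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $Oid)
    }
}

function Test-ScepEndpoint {
    param([string]$BaseUrl)
    # GetCACaps is the cheapest SCEP operation; HTTP 200 means mscep.dll is loaded and answering.
    $url = "$BaseUrl/certsrv/mscep/mscep.dll?operation=GetCACaps&message=default"
    try {
        return ((Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15).StatusCode -eq 200)
    } catch {
        Write-Warning "$url -> $($_.Exception.Message)"
        return $false
    }
}

function Test-NdesTlsSetup {
    $ok = $true
    $client = @(Get-LocalCertsWithEku $EkuClientAuth)
    $server = @(Get-LocalCertsWithEku $EkuServerAuth)
    if ($client.Count -eq 0) { Write-Warning 'No Client Authentication cert with private key in LocalMachine\My'; $ok = $false }
    if ($server.Count -eq 0) { Write-Warning 'No Server Authentication cert with private key in LocalMachine\My'; $ok = $false }

    # The :443 binding must use one of the server-auth certs, not whatever was bound last.
    $bound = @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | ForEach-Object { $_.Thumbprint })
    $match = @($server | Where-Object { $bound -contains $_.Thumbprint })
    if ($match.Count -eq 0) {
        Write-Warning "HTTPS binding [$($bound -join ', ')] is not a Server Authentication cert from the store"; $ok = $false
    }

    foreach ($scheme in 'http', 'https') {
        $reach = Test-ScepEndpoint "${scheme}://$Fqdn"
        Write-Host ("{0,-5} {1}" -f $scheme, $(if ($reach) { 'OK' } else { 'FAIL' }))
        if ($scheme -eq 'https' -and -not $reach) { $ok = $false }
    }
    return $ok
}

Test-NdesTlsSetup
```

Run it once after the two certificates are enrolled and once more after any certificate renewal: a renewed server certificate that was imported but never re-bound to :443 is the classic way this setup breaks later.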
Certificate Registration Point role
• On NDES Server
![Page 18: Deploy Certificates to Mobile Devices - Schedschd.ws/hosted_files/mms2016/35/Deploying Certificates_KB_TDK_v0 … · Deploy Certificates to Mobile Devices Kenny Buntinx ... WiFi Access](https://reader031.vdocuments.site/reader031/viewer/2022030412/5a9e1deb7f8b9ad2298d7bd4/html5/thumbnails/18.jpg)
Configuration Manager Policy Module
Creating the NDES Encryption Cert
Duplicate Web Service Template (on sub CA)
And some more configuration …
• HKLM\Software\Microsoft\Cryptography\MSCEP (each value holds the template name, not the template display name)
  - EncryptionTemplate: template with Key Usage "Encryption"
  - GeneralPurposeTemplate: template with Key Usage "Signature and encryption"
  - SignatureTemplate: template with Key Usage "Signature"
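NDES does not validate that the template named in each registry value actually carries the key usage that slot expects; a mismatch only surfaces as failed enrollments. The script below is an added example, not code from the deck: it reads each template's published pKIKeyUsage from Active Directory, compares the signature/encipherment bits with the slot, and only then writes the MSCEP values and recycles the NDES application pool. The three template names and the application pool name "SCEP" are assumptions; replace them with yours. It needs LDAP access to the domain but no extra modules.

```powershell
# Added example (not from the original deck). Run elevated on the NDES server.
# Assumptions: the three template names below, and the NDES app pool being named 'SCEP'.
Import-Module WebAdministration
$MscepKey = 'HKLM:\Software\Microsoft\Cryptography\MSCEP'

# Template *names* (CN in AD), not display names.
$Mapping = [ordered]@{
    EncryptionTemplate     = 'NDESEncryption'       # assumption
    GeneralPurposeTemplate = 'NDESGeneralPurpose'   # assumption
    SignatureTemplate      = 'NDESSignature'        # assumption
}

# First byte of pKIKeyUsage carries the X.509 KeyUsage bits.
$KU_DigitalSignature = 0x80
$KU_KeyEncipherment  = 0x20
$Expected = @{
    EncryptionTemplate     = $KU_KeyEncipherment
    GeneralPurposeTemplate = $KU_DigitalSignature -bor $KU_KeyEncipherment
    SignatureTemplate      = $KU_DigitalSignature
}

function Get-TemplateKeyUsage {
    param([string]$TemplateName)
    # Reads the template object from the configuration partition; returns -1 if it is not there.
    $root = [ADSI]'LDAP://RootDSE'
    $dn   = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($root.configurationNamingContext)"
    try {
        $tpl   = [ADSI]"LDAP://$dn"
        $bytes = [byte[]]$tpl.psbase.Properties['pKIKeyUsage'].Value
        return [int]$bytes[0]
    } catch {
        Write-Warning "Template '$TemplateName' not found or unreadable: $($_.Exception.Message)"
        return -1
    }
}

function Test-MscepTemplateMapping {
    $ok   = $true
    $mask = $KU_DigitalSignature -bor $KU_KeyEncipherment
    foreach ($slot in $Mapping.Keys) {
        $ku = Get-TemplateKeyUsage $Mapping[$slot]
        if ($ku -lt 0 -or (($ku -band $mask) -ne $Expected[$slot])) {
            Write-Warning ('{0} -> {1}: KeyUsage 0x{2:X2}, slot expects 0x{3:X2}' -f $slot, $Mapping[$slot], $ku, $Expected[$slot])
            $ok = $false
        }
    }
    return $ok
}

function Set-MscepTemplates {
    foreach ($slot in $Mapping.Keys) {
        Set-ItemProperty -Path $MscepKey -Name $slot -Value $Mapping[$slot] -Type String
    }
    Restart-WebAppPool -Name 'SCEP'   # NDES reads the MSCEP values when the pool starts
}

if (Test-MscepTemplateMapping) { Set-MscepTemplates; Write-Host 'MSCEP templates set and SCEP pool recycled.' }
else { Write-Warning 'Fix the template key usage first; registry left unchanged.' }
```

Because the check reads what is published in AD, it also catches the case where a template was edited on the CA but the change has not replicated to the domain controller NDES talks to.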
Certificate Deployment: The NDES way - Deploy trusted root certificates
Simple Certificate Enrollment Protocol (SCEP)
Certificate enrollment via NDES
1. Certificate profile deployed to device
2. Device sends SCEP request
3. Challenge is validated
4. Certificate is issued
Demo: Certificate deployment
End result …
Certificate Deployment Methods: Tips & Tricks
Tips & Tricks
Some tips for NDES deployment:
• Always target certificate profiles to users instead of devices
> Ensures the fastest delivery
• Pre-R2 CU3 certificate profiles (templates) must be recreated when upgrading
> Re-targeting from device to user is not sufficient
> You will need to recreate them
#MMSMinnesota
Tips & Tricks
Certificate deployment to iOS 8 or later
• Required change on the certificate template: in the Key Usage extension, clear "Signature is proof of origin (nonrepudiation)"
See: http://blog.coretech.dk/kea/troubleshooting-certificate-deployment-on-ios-devices-with-configmgr-intune/
Tips & Tricks
Expired certificates, or upgrading to Current Branch (CB)?
Do not forget to re-run the policy module setup!
Certificate Deployment The *.PFX way
PFX use cases
WiFi access point certificate authentication
o For customers who refuse to implement NDES in a hybrid setup
o And who do not care that the certificate is the same on all devices. Caveat: a shared PFX means the same private key on every device, so one lost or compromised device exposes the credential of all of them, and revoking it cuts off everyone at once.
S/MIME mail encryption (Secure/Multipurpose Internet Mail Extensions)
o S/MIME allows a user to (1) encrypt an email and (2) digitally sign an email
o Do not use SCEP for S/MIME encryption certificates: SCEP generates a fresh key pair on each device, whereas mail encrypted to a user must be readable with the same key on every device the user has. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see https://docs.microsoft.com/en-gb/intune/deploy-use/secure-resource-access-with-certificate-profiles
PFX deployment in R2 SP1 and above:
• Documentation to get started: https://technet.microsoft.com/en-us/library/mt131410.aspx
• Create and deploy the import-PFX profile: “Personal Information Exchange – PKCS #12 (PFX) settings – import”
• This is for customers who already have certificates that need to be imported and distributed to MDM devices. Supported for Windows 10, Android and iOS.
#ITDEVCON
How to …
• Step 1: encode the PFX file to a Base64 blob with certutil:
  certutil -encode <InFile> <OutFile>
• Step 2: open the output file and remove the following two lines, leaving only the Base64 blob:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
• Step 3: open the Configuration Manager console and create a certificate profile:
How to …
• Step 4: open the Configuration Manager console in debug view with the following command line:
  \AdminConsole\bin\Microsoft.ConfigurationManagement.exe sms:debugview
• Step 5: note down the CI_UniqueID of the newly created certificate profile.
How to …
• Use the SMS_ClientPfxCertificate class from the SDK to import (or delete) a PFX certificate. This class includes the following methods:
ImportForUser, with parameters:
• Import PFX profile template name
• Encrypted user's PFX blob (encrypted PFX, random PFX password)
• User's name (DOMAIN\USERNAME)
DeleteForUser, with parameters:
• Import PFX profile template name
• User's name (DOMAIN\USERNAME)
• Thumbprint
Use PowerShell
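The deck's own PowerShell slide is not reproduced in this extract. The script below is an added example, not the authors' code and not the SDK documentation: it ties steps 1 to 5 together with the SMS_ClientPfxCertificate methods listed above. It Base64-encodes the PFX directly (so there are no BEGIN/END lines to strip), looks up the profile's CI_UniqueID through WMI instead of the debug-view console, prints the methods' real parameter order, and then calls ImportForUser and DeleteForUser with the arguments in the order the deck lists. Site server, site code, profile name, user and PFX path are placeholders. The deck does not say how the random PFX password is conveyed, so this example passes only the blob; check the SDK page before using it, and use the CI_UniqueID instead of the display name if the printed parameter list asks for one.

```powershell
# Added example (not from the original deck or the ConfigMgr SDK).
# Assumptions: all values below are placeholders; argument order follows the deck's list,
# so print it with Get-PfxMethodParameters and compare before trusting the calls.
$SiteServer  = 'cm01.contoso.com'        # assumption
$SiteCode    = 'PS1'                     # assumption
$ProfileName = 'SMIME Encryption PFX'    # assumption: name of the "PKCS #12 (PFX) - import" profile
$UserName    = 'CONTOSO\jdoe'            # DOMAIN\USERNAME, as on the slide
$PfxPath     = 'C:\pfx\jdoe.pfx'         # assumption

$Ns    = "root\SMS\site_$SiteCode"
$Class = [wmiclass]('\\{0}\{1}:SMS_ClientPfxCertificate' -f $SiteServer, $Ns)

function ConvertTo-PfxBlob {
    param([string]$Path)
    # Same Base64 body "certutil -encode" produces, without the BEGIN/END CERTIFICATE lines (step 2 done).
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

function Get-PfxMethodParameters {
    param([string]$Method)
    # In-parameters in declaration order; this is the order [wmiclass] method calls use.
    $Class.Methods[$Method].InParameters.Properties |
        Sort-Object { [int]$_.Qualifiers['ID'].Value } |
        ForEach-Object { $_.Name }
}

function Get-ProfileCIUniqueId {
    # The value step 5 has you read from the sms:debugview console, via WQL instead.
    $safeName = $ProfileName.Replace("'", "''")   # WQL string literal escaping
    $ci = Get-CimInstance -ComputerName $SiteServer -Namespace $Ns `
            -ClassName SMS_ConfigurationItemLatest -Filter "LocalizedDisplayName='$safeName'"
    if (-not $ci) { throw "Profile '$ProfileName' not found" }
    $ci.CI_UniqueID
}

function Import-PfxForUser {
    # Deck order: profile template name, encrypted PFX blob, DOMAIN\USERNAME.
    $blob = ConvertTo-PfxBlob -Path $PfxPath
    $r = $Class.ImportForUser($ProfileName, $blob, $UserName)
    if ($r.ReturnValue -ne 0) { throw "ImportForUser failed with $($r.ReturnValue)" }
    $r.ReturnValue
}

function Remove-PfxForUser {
    param([string]$Thumbprint)
    # Deck order: profile template name, DOMAIN\USERNAME, thumbprint.
    $r = $Class.DeleteForUser($ProfileName, $UserName, $Thumbprint)
    if ($r.ReturnValue -ne 0) { throw "DeleteForUser failed with $($r.ReturnValue)" }
    $r.ReturnValue
}

foreach ($m in 'ImportForUser', 'DeleteForUser') {
    Write-Host ("{0}({1})" -f $m, ((Get-PfxMethodParameters $m) -join ', '))
}
Write-Host "Profile CI_UniqueID: $(Get-ProfileCIUniqueId)"
Import-PfxForUser
```

Keep the PFX file and the Base64 text off shared drives: the blob is the user's private key, only protected by the PFX password, and anyone who can read the WMI call's arguments (for example from a transcript log) has the same material the device gets.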
Demo: Certificate PFX deployment
And Then …