How to Configure Mosyle for EAP-TLS Certificate Auto-Enrollment with SCEP

Mosyle is an MDM solution often used as an alternative to Jamf when it comes to managing Apple devices. With Mosyle, organizations can enable the deployment of certificate-based authentication for Wi-Fi access, VPN access, and much more. This is accomplished through the Simple Certificate Enrollment Protocol (SCEP).

With SCEP, administrators can issue certificates automatically by integrating with an external Certificate Authority (CA). SecureW2 provides a cloud CA service that empowers organizations to easily issue and manage their own certificates for passwordless authentication. These digital certificates can be used for a number of purposes, but we see them most often used to build an 802.1X network based on certificate-driven security.

This guide describes the steps to integrate SecureW2’s third-party CA with Mosyle using SCEP to auto-enroll managed devices with X.509 certificates and 802.1X settings.

Prerequisites

To set up Mosyle for device enrollment using SCEP, you need:

  1. A Mosyle account subscription.
  2. An active subscription to the JoinNow Management Portal.

Creating an Intermediate CA for Mosyle SCEP Gateway Integration

As a best practice, SecureW2 recommends creating a new intermediate CA for each SCEP Gateway API we create. Using a separate CA makes it easier to manage certificates, and enables us to create enrollment and network policies based on the issuing CA. We also recommend having a separate CA for BYOD and Managed devices, because the CA settings for BYOD can send certificate expiration notification emails, whereas managed devices do not need them since renewal is automatic.

To create a new intermediate CA:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes “SCEP.”
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  10. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  11. Click Save. The new intermediate CA is generated.

Creating a Mosyle Certificate Template

A certificate template determines how information is encoded in the certificate to be issued by the Certificate Authority. It will consist of a list of certificate attributes and how the information must be encoded in the attribute values. This information is provided by the organization administrator using the JoinNow Management Portal.

SecureW2 recommends creating a separate template for each MDM platform for easier identification of different values being passed.

To create a Mosyle Certificate Template:

  1. Navigate to PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, for the Name field, enter the name of the certificate template.
  4. In the Subject field, enter CN=${/device/clientId}.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  8. In the SAN section:
    1. In the Other Name field, enter ${/device/identity}.
    2. In the RFC822 field, enter ${/device/clientId}.
    3. In the DNS field, enter ${/device/identity}.
  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  10. Click Save.

Generating a SCEP URL and Secret

The SCEP URL and secret generated here will be passed to Mosyle to securely automate certificate enrollment for managed devices.

To generate a SCEP URL and Secret:

  1. Navigate to Identity Management > API Gateways.
  2. Click Add API Gateway.
  3. In the Basic section, for the Name field, enter the name of the API Gateway.
  4. In the Description field, enter a suitable description for the API Gateway.
  5. From the Type drop-down list, select SCEP Enrollment Token.
  6. From the Vendor drop-down list, select Other.
  7. In the Vendor Name field, enter Mosyle.
  8. From the Certificate Authority drop-down list, select the CA created earlier (refer to the Creating an Intermediate CA for Mosyle SCEP Gateway Integration section). If you do not select a CA, the organization CA is chosen by default.
  9. Click Save.
  10. A .csv file that contains the API Secret and URL is downloaded. In addition, the Enrollment URL is displayed on the screen.

    NOTE: Securely save the .csv file. This file is downloaded only once when the token is created. If you lose it, you cannot retrieve the secret.

Policy Management

Setting up MDM in Mosyle requires configuring three policies in the JoinNow Management Portal:

  • Policy Engine Workflow
  • Enrollment Policy
  • Network Policy

Policy Engine Workflow allows us to create specific roles for users and groups, which can be used in the JoinNow Management Portal to create custom certificate enrollment policies and custom network access policies for use cases like network segmentation.

Configuring a Policy Engine Workflow

To configure a Policy Engine Workflow:

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Basic section, enter the name of the policy engine workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy engine workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Identity Provider drop-down list, select the Mosyle API Token created earlier (refer to the Generating a SCEP URL and Secret section).
  9. Click Update.

Configuring an Enrollment Policy

To configure enrollment policy:

  1. Navigate to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.

    NOTE: You must select a User Role and Device Role for enrollment. Based on the Policy Engine Workflow, you can use a fallback device policy to allow enrollment.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, select the Policy Engine Workflow you created earlier from the Role list (refer to the Configuring a Policy Engine Workflow section).
  9. From the Device Role list, select DEFAULT DEVICE ROLE POLICY.
  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (refer to the Creating an Intermediate CA for Mosyle SCEP Gateway Integration section).
  12. From the Use Certificate Template drop-down list, select the template you created earlier (refer to the Creating a Mosyle Certificate Template section).
  13. In the other settings, retain the default values.
  14. Click Update.

Configuring Network Policy

To configure network policy:

  1. Navigate to Policy Management > Network Policies.
  2. Click Add Network Policy.
  3. In the Basic section, enter the name of the network policy in the Name field.
  4. In the Display Description field, enter a suitable description for the network policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. Select Match All or Match Any based on your requirements to set authentication criteria.
  9. Click Add rule.
  10. Expand Identity and select the Role option.
  11. Click Save.
  12. The Role option appears under the Conditions tab.
  13. From the Role Equals drop-down list, select the user role policy you created earlier (refer to the Configuring a Policy Engine Workflow section). You can select multiple User Roles to assign to a Network Policy.
  14. Navigate to the Settings tab.
  15. Click Add Attribute.
  16. From the Dictionary drop-down list, select RADIUS:IETF or Custom.
    1. From the Attribute drop-down list, select an option.
    2. In the Value text box, enter a value for the attribute.
  17. Click Save.

Trusted Certificate Profiles

You should configure the Trusted Certificate Profile with the certificate of the authority that issued your RADIUS server certificate. This makes the devices trust your RADIUS server by validating the RADIUS server certificate. We achieve this server validation in the profile configuration by adding the Root and/or Intermediate Certificate Authority (CA) certificates that issued the RADIUS server certificate. When you assign this profile, the Mosyle managed devices receive the trusted certificates.

Exporting the SecureW2 Root, Intermediate, and RADIUS CA

To establish trusted profiles in Mosyle, the Root, Intermediate, and RADIUS Server CA certificates must be uploaded into their respective profiles within the platform. To download these certificates from the JoinNow Management Portal, follow these steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to PKI > Certificate Authorities.
  3. In the Certificate Authorities section, click the Download link for the Root CA, and Intermediate CA issued to your organization (refer to the Creating an Intermediate CA for Mosyle SCEP Gateway Integration section).

Exporting RADIUS Root CA

Similarly, for downloading the RADIUS Server Root CA:

  1. Navigate to Device Onboarding > Network Profiles.
  2. On the Network Profiles page, click the Edit link of the network profile configured earlier.
  3. Scroll down to the Certificates section and click Add/Remove Certificate.
  4. Select the DigiCert Global Root CA (Mon Nov 10 00:00:00 UTC 2031) and DigiCert Global Root G3 (Fri Jan 15 12:00:00 UTC 2038) checkboxes.
  5. Click Update.
  6. The CA appears in the Certificates section.
  7. Click Download.

Configuring SCEP Enrollment in Mosyle

By configuring a Multi-cert profile in Mosyle, devices can be enrolled for certificates via SCEP. Five profiles must be created in Mosyle to configure SCEP.

NOTE: You require a Mosyle Premium subscription for an automated Wi-Fi connection.

Creating a Multi-Cert Profile

The device needs to have the Issuing CA installed to complete the chain of trust, and the RADIUS CA installed so it can perform server certificate validation for a more secure connection. We will use a Multi-Cert Profile to install the CAs on the device.

  1. Log in to the Mosyle Portal.
  2. To add a new profile, navigate to Management > Management Profiles and select Multi-Cert Profile.

    NOTE: If the Multi-Cert Profile option isn’t available, you might need to activate that profile type.
  3. Click Add new profile.

Creating a ROOT CA Profile

  1. In the Profile Name field, enter a name for your Multi-Cert Profile.
  2. Click + ADD PROFILE.
  3. Click Add Certificate profile.
  4. On the Certificate Profile pop-up window, enter a name in the Profile name field for your Root CA profile.
  5. Click the Select the file button and upload the Root Certificate created earlier in the Exporting the SecureW2 Root, Intermediate, and RADIUS CA section.
  6. Click Save.

Creating an Intermediate CA Profile

This Certificate Profile is required to map the SecureW2 Issuing CA certificate to the SCEP certificate profile created at a later step. This CA certificate will be used to issue the end-user certificates.

  1. Click + ADD PROFILE.
  2. Click Add Certificate profile.
  3. On the Certificate Profile page, enter a name in the Profile name field for your Intermediate CA profile.
  4. Click Select the file and upload the Intermediate CA Certificate created earlier in the Exporting the SecureW2 Root, Intermediate, and RADIUS CA section.
  5. Click Save.

Creating a Global Root CA Profile

This profile is created with the RADIUS server certificate and will be pushed into the devices so we can configure Server Certificate Validation, and ensure they only attempt authentication with our RADIUS server.

  1. Click + ADD PROFILE.
  2. Click Add Certificate profile.
  3. On the Certificate Profile page, enter a name in the Profile name field for your Global Root CA profile.
  4. Click Select the file and upload the Global Root CA Certificate created earlier in the Exporting RADIUS Root CA section.
  5. Click Save.
  6. Repeat steps 1-5 to upload the new Global Root CA Certificate. This helps in installing the new Root CA in the device which establishes trust and connection with the CloudRADIUS Server when migrating to the new Root CA.

Creating a SCEP Profile

The SCEP Certificate Profile delivers essential details for end-user devices to connect to the JoinNow CloudConnector and obtain client certificates. It can also include secure Wi-Fi configurations, enabling devices to authenticate with the issued certificate and connect to the secure network.

To create a SCEP profile:

  1. Click + ADD PROFILE.
  2. Click Add SCEP profile.
  3. In the Profile Name field, enter a name for your SCEP profile. SecureW2 recommends a name involving SCEP for easier identification in the future.
  4. From the Server drop-down list, select URL.
  5. Next, open the .csv file containing the API token created in the Generating a SCEP URL and Secret section. Copy the URL available and paste it into the URL field.
  6. For the Subject field, click View available variables. A list of variables to select from for the subject will be displayed.
  7. Click CONTINUE after selecting the variable. For example, the Email variable is selected as a Subject for demonstration purposes.
  8. From the Subject Alternative Name Type drop-down list, select RFC822 Name.
  9. For the Subject Alternative Name Value field, click View available variables. A list of variables to select from for the subject alternative name will be displayed.
  10. Click CONTINUE after selecting the variable. For demonstration purposes, the WiFi Mac Address and Product Name variables are selected as Subject Alternative Name Values.
  11. For the Challenge field, open the .csv file and copy and paste the API Secret into the Challenge field box.
  12. From the Key Size drop-down list, select 2048.
  13. Select the Use for signing, Use for encryption, and Allow access to all apps check boxes.
  14. Click the Create from Certificate button and select the Intermediate CA certificate.
  15. Click Save.

Creating a Wi-Fi Profile

You can create a Wi-Fi profile in Mosyle with specific settings and assign it to users, devices, and groups.

To create a Wi-Fi profile:

  1. Click + ADD PROFILE.
  2. Click Add WiFi profile.
  3. In the Profile Name field, enter a name for your Wi-Fi profile.
  4. In the SSID (network name) field, enter the name of the secure network to which users will connect using their SCEP certificates.
  5. From the Security Type drop-down list, select WPA2 Enterprise.
  6. Under the Protocols tab, select the TLS checkbox.
  7. From the Identity Certificate drop-down list, select Use SCEP profile.
  8. Click the Trust tab.
  9. In the Trust Certificates section, click Choose file and select both the existing and new Global Root CA certificates.
  10. In the Trusted Server Certificate Names textbox, enter *.securew2.com.
  11. Check the Auto Join and Disable MAC Address Randomization boxes.
  12. Click Save.

Assigning a Profile

The created Multi-cert profile can then be assigned to specific users or devices that require the created certificate.

To assign the profile:

  1. On the Multi-Cert Profile page, scroll down to the Profile Assignment section.
  2. Click + Add Assignment.
  3. Click the Device Enrollment tab and select All current and future Devices to assign the profile.
  4. Click Save.

Troubleshooting

This section lists common issues you may encounter after the configuration is done, and the steps to resolve them:

  1. Certificate fails to enroll.
  2. Connection to the secure SSID fails.
  3. Error messages are displayed:
    1. The “Device Creation Failed” error message is displayed on the Events page (Log in to the JoinNow Management Portal, navigate to Data and Monitoring > General Events).
    2. The “SCEP enrollment failed” error message is displayed in the Mosyle portal.
  4. Users not assigned to the application in Mosyle.

To resolve them:

  1. Check if the attributes have values and are mapped correctly. For more information, refer to the Creating an Intermediate CA for Mosyle SCEP Gateway Integration section.
  2. Make sure that the SCEP profile (in the Mosyle Portal) is configured to send values in the SAN attribute using an Email address (RFC822). For more information, refer to the Creating an Intermediate CA for Mosyle SCEP Gateway Integration section.
  3. Confirm if the Policy Engine Workflow is mapped to the Mosyle API Token as an Identity Provider. Similarly, ensure the Enrollment Policy is mapped to the User Role and default Device Role. For more information, refer to the Configuring a Policy Engine Workflow section.
  4. Ensure that the SCEP profile is configured accurately. For more information, refer to the Creating an Intermediate CA for Mosyle SCEP Gateway Integration section.
  5. Check if the Trusted Root CA of the RADIUS server certificate is mapped in the Wi-Fi profile. For more information, refer to the Creating a Wi-Fi Profile section.
  6. Remove the SCEP profile and push any other profile, such as the Trusted Root CA profile, to confirm that profile delivery to the device succeeds. For more information, refer to the Exporting the SecureW2 Root, Intermediate, and RADIUS CA section.
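Troubleshooting steps 1 and 2, like the field mapping in the Creating a Mosyle Certificate Template section, come down to inspecting the certificate the device actually received. The Go program below is an added example (not SecureW2's or Mosyle's code): it checks a client certificate's Subject CN, SAN RFC822 and DNS names, and Extended Key Usage against the template's ${/device/clientId} and ${/device/identity} values; the self-signed sample certificate, its names and values are constructed assumptions standing in for one exported from a managed device.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckClientCert compares an issued client certificate with the guide's template:
// ${/device/clientId} must be the Subject CN and a SAN RFC822 name, ${/device/identity} a SAN
// DNS name, and EKU must include Client Authentication. It returns one message per mismatch.
func CheckClientCert(cert *x509.Certificate, clientID, identity string) []string {
	var problems []string
	fail := func(format string, a ...interface{}) { problems = append(problems, fmt.Sprintf(format, a...)) }
	// Index every SAN entry and EKU the certificate carries, keyed by type.
	// (Go's x509 package does not expose the SAN Other Name entry, so it is not checked.)
	names := map[string]bool{}
	for _, e := range cert.EmailAddresses {
		names["rfc822:"+e] = true
	}
	for _, d := range cert.DNSNames {
		names["dns:"+d] = true
	}
	for _, eku := range cert.ExtKeyUsage {
		names[fmt.Sprint("eku:", eku)] = true
	}
	if cert.Subject.CommonName != clientID {
		fail("subject CN is %q, want %q", cert.Subject.CommonName, clientID)
	}
	if !names["rfc822:"+clientID] {
		fail("SAN RFC822 name %q missing, got %v", clientID, cert.EmailAddresses)
	}
	if !names["dns:"+identity] {
		fail("SAN DNS name %q missing, got %v", identity, cert.DNSNames)
	}
	if !names[fmt.Sprint("eku:", x509.ExtKeyUsageClientAuth)] {
		fail("Extended Key Usage lacks Client Authentication")
	}
	return problems
}

// NewSampleCert builds a constructed, self-signed stand-in for a SecureW2-issued certificate so
// the check runs offline; omitEmail reproduces a SCEP profile that sends no RFC822 SAN value.
func NewSampleCert(clientID, identity string, omitEmail bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the 2048-bit key size the guide selects
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: clientID},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		DNSNames:     []string{identity},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if !omitEmail {
		tmpl.EmailAddresses = []string{clientID}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSampleCert("device-1234@example.com", "macbook-1234", true) // constructed values
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckClientCert(cert, "device-1234@example.com", "macbook-1234")) // reports the missing RFC822 SAN
}
```

For a real device, parse the exported PEM with encoding/pem and x509.ParseCertificate and pass it to CheckClientCert in place of the sample.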

Certificate Signing Requests Made Simple with SecureW2’s Gateway APIs

Our entire platform, including our managed PKI and RADIUS services, was built from the ground up with vendor neutrality in mind. We have over a decade of experience integrating with popular MDMs, including Mosyle.

Implementing certificate-based security doesn’t have to be challenging or tedious. We’ve made deploying certificates simple. By integrating with Mosyle, we can automatically push certificates to all of your managed endpoints for a range of use cases, including Wi-Fi authentication, VPN authentication, application security, and more. If you’d like to learn more or see a demonstration of how our platform works, don’t hesitate to reach out to our knowledgeable team of solutions engineers.

Mosyle SCEP FAQs

How Can I Leverage Mosyle for 802.1X Network Security?

In short, an 802.1X network is one that is only accessible through individualized credentials or certificates that are authenticated by a RADIUS server. You can use your Mosyle environment to establish an 802.1X network by pushing certificates to your endpoints with it. This is accomplished through the Simple Certificate Enrollment Protocol (SCEP), which allows you to use Mosyle to automatically enroll your managed devices for certificates.

Certificates are a much more secure alternative to passwords for Wi-Fi authentication. They cannot be transferred to other devices or stolen, giving you greater visibility of the devices accessing your network. Beyond that, certificates enable device trust; you can customize information on their templates to show that they were issued through Mosyle, allowing you to create network access policies based on whether a device is managed by Mosyle or not. An example of a policy we see customers use often is segmenting devices into separate VLANs based on whether the devices are managed or unmanaged.

How Do Mosyle and SCEP Work Together to Issue Certificates to Managed Devices?

Simple Certificate Enrollment Protocol (SCEP) is used to automate the provisioning of digital certificates. It works with all major MDMs, including Mosyle. The process generally follows these steps:

  1. Mosyle pushes a SCEP payload to managed devices that includes a Wi-Fi profile, SCEP profile, and trusted CA profile.
  2. The managed device uses the SCEP URL and key included in the payload and requests a certificate from the PKI / SCEP Server.
  3. After receiving the certificate and public key, the device generates a private key on its own hardware which is never sent over-the-air.

Once the device has completed the certificate enrollment process, it can passwordlessly access the network, VPN, or other resource. Certificates are often configured for a 4-year validity period, so this process is infrequent.

Are There Any Other Protocols Supported Besides SCEP?

Yes, our PKI’s gateway APIs can support a range of protocols commonly used in certificate issuance, including Dynamic SCEP, JSON, WSTEP, and SAML. For Apple devices, we also support Automated Certificate Management Environment (ACME), which improves upon SCEP by validating users and devices before even beginning the enrollment process.

With ACME, we can verify that a device is an Apple product and hasn’t been tampered with. We achieve this by using its serial number with Apple’s Managed Device Attestation (MDA) feature.

Traditional SCEP implementations only require a pre-shared key for certificate issuance. With ACME, organizations can ensure that only trusted, managed devices obtain and maintain certificates that are used to access critical resources. SecureW2 allows devices running macOS, iOS, iPadOS, and tvOS to enroll for digital certificates via an ACME Client Certificate Enrollment token.

What is the Certificate Enrollment Experience Like for the End-Users?

Typically, the end-user doesn’t notice anything. The entire certificate enrollment process is performed automatically with Mosyle pushing the SCEP payload to the device, and the device then accessing the SCEP URL to request a certificate.

Once the device has been successfully enrolled, it will connect automatically to your secure 802.1X network. The certificate can also be used to authenticate the device to a VPN or some cloud applications, such as those that can be controlled with Azure Certificate-Based Authentication (CBA).

Why Can’t We Build Our Own PKI for Mosyle?

Many organizations see the benefits of going passwordless, but think that they can reduce the cost of doing so by building their own PKI infrastructure. Unfortunately, this often ends up being a costlier venture in terms of finances and time spent. Building a private PKI to use with any MDM, such as Mosyle, requires expertise, space for the servers, and regular maintenance. Additionally, certificate lifecycle management - from issuance to renewal to revocation - is time-consuming.

It’s important to understand the costs of building a PKI with Active Directory Certificate Services. Aside from taking potentially hundreds of hours to set up initially, there’s a high upfront infrastructure and software cost that can easily exceed $200,000 USD. On top of the up-front software and infrastructure costs, organizations face recurring costs in the form of ongoing maintenance.

These costs, unfortunately, are unavoidable. A PKI is a foundational part of security systems. Rushing a configuration, or setting it up with inexperienced professionals is a huge liability. In this writeup by Specter Ops, they identify countless security vulnerabilities organizations will run into if they leave default settings enabled in AD CS. This reason alone is why many organizations choose a managed PKI.

PKI as a service solutions like our JoinNow Connector PKI can save you the resources you would otherwise spend on building and maintaining your own. What’s more, since our PKI infrastructure is cloud-based, your administrators can access it from anywhere without having to replicate it at every office location.