Configure Soti for EAP-TLS Certificate Auto-Enrollment with SCEP

Introduction

SecureW2 integrates with SOTI MobiControl, a mobile device management (MDM) platform that supports Generic SCEP (Simple Certificate Enrollment Protocol). In this integration, SOTI MobiControl uses the SecureW2 Certificate Authority (CA) to automate the deployment, renewal, and revocation of digital certificates for managed devices such as Android, iOS, and Windows.

This guide outlines how to integrate SecureW2 with SOTI MobiControl to create and automatically enroll certificates on Android and macOS devices using Generic SCEP.

Prerequisites

The following prerequisites must be met before setting up SCEP on SOTI MobiControl:

  1. End users must have enrolled their devices in SOTI MobiControl.
  2. For a cloud deployment, contact SOTI support.

Configure SecureW2

Creating an Intermediate CA for SCEP Gateway Integration

SecureW2 recommends using a dedicated intermediate CA as a best practice for SCEP-based enrollments.

To create a new intermediate CA, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Dynamic PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select Device and User Authentication to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA for your organization.
  7. In the Common Name field, enter a common name for the CA certificate.
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  11. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select how often, in days, certificate expiration notifications are sent to users.
    2. Select the Notify user on successful Enrollment checkbox to notify users after a successful enrollment.
    3. Notifications are delivered only if the certificate's RFC822 name (the email address in the SAN) contains a valid email address; otherwise, no certificate-issued or expiry notification is sent.
  12. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
    2. From the Reason Code drop-down list, select the reason code to record when the certificate is revoked:
      1. Certificate Hold.
      2. AA Compromise.
      3. Privilege Withdrawn.
      4. Unspecified.
  13. Click Save. The new intermediate CA is generated.

Creating a Certificate Template

A certificate template defines how information is encoded in a certificate issued by the Certificate Authority (CA). It includes a list of certificate attributes and specifies how information must be encoded in each attribute value.

To create a Certificate Template for SOTI MobiControl, perform the following steps:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, enter the name of the certificate template in the Name field.
  4. In the Subject field, enter CN=${/device/identity}
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. To override the Validity Period attribute, select the Override Validity Period checkbox and choose an end date from the date picker to set a hard-coded expiry date for a certificate.
  8. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request. 
  9. In the SAN section:
    1. In the Other Name and RFC822 fields, enter ${/device/clientID}
    2. In the DNS field, enter CN=${/device/identity}
  10. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  11. In the Notification section, select the Notify admin on certificate expiry checkbox to send certificate expiry email notifications to all Admins.
  12. Click Save.

Creating a Device Management Platform

The SCEP URL serves as the endpoint through which managed devices connect to the SCEP server to enroll for certificates, while the associated secret is used by SOTI MobiControl to authenticate these certificate requests. Both the SCEP URL and secret are generated when creating a Device Management Platform in the JoinNow Management Portal.

To create a device management platform, perform the following steps:

  1. Navigate to Integration Hub > Device Management Platforms.
  2. Click Add.
  3. In the Basic section, enter the name of the device management platform in the Name field.
  4. In the Description field, enter a suitable description for the device management platform.
  5. From the Type drop-down list, select SCEP (Multi-Vendor) Enrollment Token.
  6. From the Vendor drop-down list, select Soti.
  7. From the Certificate Authority drop-down list, select the CA created in the Creating an Intermediate CA for SCEP Gateway Integration section. If you do not select a CA, the organization's default CA is used.
  8. Click Save. A .csv file containing the API Secret and Enrollment URL is downloaded. In addition, the Enrollment URL is displayed on the screen.
  9. Click Update.

NOTE: Save the .csv file securely. This file is downloaded only once when the token is created. If you lose this file, you cannot retrieve the secret.

Policy Management

This section outlines the policies that must be configured in JoinNow to enable SCEP-based certificate auto-enrollment.

  1. Policy Workflow
  2. Enrollment Policy

Creating a Policy Workflow

The Policy Workflow facilitates the segmentation of users and devices based on predefined criteria or associated attributes and groups, with each segment identified as a distinct Policy Workflow. This allows admins to configure the issuance of specific certificate types or formats for each Policy Workflow through an Enrollment Policy.

To create a policy workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Basic section, enter the name of the Policy Workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Click the Conditions tab.
    1. From the Core Provider drop-down list, select the device management platform that you created in the Creating a Device Management Platform section.
    2. Click Update.

Creating an Enrollment Policy

An Enrollment Policy defines the client certificate template and the Certificate Issuer to be used for each Policy Workflow. It leverages the segmentation established in the Policy Workflow to ensure that the appropriate client certificate template is issued for each workflow.

To create an Enrollment policy, follow these steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save. The page refreshes, and the Conditions and Settings tabs are displayed.
  6. Select the Conditions tab.
    1. From the Policy Workflow list, select the policy workflow that you created earlier.
    2. From the Device Role drop-down list, select DEFAULT DEVICE ROLE POLICY 1.
  7. Select the Settings tab.
    1. From the Use Certificate Authority drop-down list, select the intermediate CA created earlier.
    2. From the Use Certificate Template drop-down list, select the template that you created earlier.
  8. Click Update.

Configure SOTI MobiControl

This section describes how to configure SCEP in SOTI MobiControl.

Configuring Certificate Authority via SCEP

In SOTI MobiControl, Certificate Authorities are configured to enable secure certificate issuance and automated enrollment for managed devices.

To set up a certificate authority via SCEP in SOTI MobiControl, perform the following steps:

  1. Log in to the SOTI MobiControl portal.
  2. On the left pane, navigate to Global settings > Services > Certificate Authority.
  3. Click the + button in the Certificate authorities section to integrate the certificate authority from SecureW2 and create certificate templates.
  4. In the CERTIFICATE AUTHORITY pop-up window:
    1. In the Name field, enter a name for the certificate authority.
    2. From the Certificate type drop-down list, select Generic SCEP.
    3. In the Service URL field, enter the Enrollment URL from the .csv file generated in the Creating a Device Management Platform section.
    4. Turn on the Use Static Challenge toggle to use a static challenge when devices request new certificates.
    5. In the Static Challenge field, enter the API Secret from the .csv file generated in the Creating a Device Management Platform section.
    6. Turn on the Use SCEP client toggle to use the SCEP client for the certificate authority.
    7. In the Thumbprint field, enter the thumbprint value from the SecureW2 CA. To retrieve the thumbprint value, follow these steps:
      1. Log in to the JoinNow Management Portal.
      2. Navigate to Dynamic PKI > Certificate Authorities and click the Download link for the Intermediate CA you created in the Creating an Intermediate CA for SCEP Gateway Integration section. Then, click the Download link for the root CA.
      3. Open the downloaded intermediate CA certificate in your certificate viewer, copy its thumbprint value, and paste it into the Thumbprint field of the Certificate Authority window in the SOTI MobiControl portal.
    8. In the Certificate templates section:
      1. Click the + button to create certificate templates using the integrated SecureW2 CA to issue managed certificates. Certificate Templates define how certificates are generated and assigned to devices.
      2. In the MobiControl template name field, enter a name for the certificate template.
        NOTE: The template name in SOTI MobiControl must exactly match the name of the certificate template in the SecureW2 portal.
      3. In the Subject name field, enter "CN=", select the macro button, and then choose Device Name.
      4. In the Alternative Subject field, enter either "DNS Name=%DEVICENAME%" or "User Principal Name=%MAC%".
      5. Disable the Provision certificate to authenticated users only option.
      6. In the Key Size section, select 2048.
      7. Click ADD to create a certificate template.
      8. Click SAVE.
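The thumbprint entered in step 7 is the only thing that ties SOTI's SCEP client to the SecureW2 intermediate CA, so a mistyped or copied-from-the-wrong-certificate value fails silently until enrollment breaks. The following script is an added example, not SecureW2's or SOTI's code: it computes the thumbprint of each certificate in a downloaded CA file (PEM or DER) exactly as certificate viewers display it (a hash over the DER bytes, upper-case hex, colon separated) and checks whether the value you pasted into the Thumbprint field matches. The page does not state which hash SOTI expects, so the check accepts either SHA-1 or SHA-256 and reports which one matched; that is an assumption. The embedded sample "certificate" is a constructed placeholder whose DER payload is the bytes `abc`, so its hashes are the well-known test vectors rather than those of a real CA.

```python
"""Verify the CA thumbprint entered into SOTI MobiControl against the
certificate file downloaded from the JoinNow Management Portal."""
import base64
import hashlib
import re
from typing import List, Optional

# Constructed sample input: the DER payload is just b"abc", not a real
# certificate, so its SHA-1/SHA-256 are the standard test-vector values.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def certificates_from_bytes(data: bytes) -> List[bytes]:
    """Return the DER bytes of each certificate in a downloaded CA file.

    Accepts a PEM file with one or more CERTIFICATE blocks (for example the
    intermediate followed by the root) or a raw DER file, returned as one entry.
    """
    text = data.decode("ascii", errors="ignore")
    blocks = _PEM_BLOCK.findall(text)
    if blocks:
        return [base64.b64decode("".join(block.split())) for block in blocks]
    return [data]


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint as certificate viewers display it: a hash over the DER
    encoding, upper-case hex, with bytes separated by colons."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value: str) -> str:
    """Strip separators, spaces and case so pasted values compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", value).upper()


def matching_algorithm(entered: str, der: bytes) -> Optional[str]:
    """Return 'sha1' or 'sha256' if `entered` is that thumbprint of `der`,
    otherwise None (a typo, the wrong certificate, or the wrong hash)."""
    wanted = normalize(entered)
    for algorithm in ("sha1", "sha256"):  # assumption: SOTI accepts one of these
        if normalize(thumbprint(der, algorithm)) == wanted:
            return algorithm
    return None


def check_entered_thumbprint(file_bytes: bytes, entered: str) -> Optional[int]:
    """Return the index of the certificate in the file whose thumbprint equals
    `entered`, or None if no certificate matches. In a downloaded chain, index 0
    is expected to be the intermediate CA, which is the one SOTI should pin."""
    for index, der in enumerate(certificates_from_bytes(file_bytes)):
        if matching_algorithm(entered, der) is not None:
            return index
    return None


if __name__ == "__main__":
    import sys

    # Usage: python thumbprint_check.py <downloaded-ca-file> [<entered-thumbprint>]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM.encode()
    for i, der in enumerate(certificates_from_bytes(data)):
        print(f"certificate {i}: SHA-1 {thumbprint(der)}")
        print(f"               SHA-256 {thumbprint(der, 'sha256')}")
    if len(sys.argv) > 2:
        hit = check_entered_thumbprint(data, sys.argv[2])
        print("entered value matches certificate", hit if hit is not None else "NONE")
```

Run it against the intermediate CA file you downloaded in step 7 and paste the value from the SOTI Thumbprint field as the second argument; a result of "NONE" means the SCEP client will not trust the CA it talks to, and a match on any index other than 0 usually means the root rather than the intermediate was pasted.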

Creating SOTI MobiControl Configuration Profiles

Profiles are used to deploy device settings and software to devices. This section describes how to configure profiles for Android and macOS.

Creating a Profile for Android

To create and configure an Android profile in SOTI MobiControl, follow these steps:

  1. From the SOTI MobiControl console, in the left pane, click Profiles.
  2. Click the + ADD PROFILE button.
  3. In the ADD PROFILE dialog box, select Create new and then click Android > Work Managed.
  4. In the CREATE PROFILE dialog box, on the GENERAL tab:
    1. In the Profile Name field, enter a name for the Android profile.
  5. Click the CONFIGURATIONS tab.
    1. In PROFILE CONFIGURATION, click the + button and select Certificates under Security.
    2. On the CERTIFICATES pop-up window:
      1. In Add Certificates, click the upload icon.
      2. In the Add Certificate dialog box, in the Certificate field, click BROWSE and then click IMPORT to upload the root and intermediate CA certificates.
      3. Enable the DigiCert Global Root G3 and the uploaded root and intermediate CA certificates.
      4. In the Certificate Templates section, enable the certificate template you created earlier in the Configuring Certificate Authority via SCEP section.
      5. Click SAVE to apply the Certificate profile configuration to the Android profile.

Configuring a Wi-Fi Payload for Android

Wi-Fi settings on Android devices allow you to define SSID(s), security protocols, authentication details, and other parameters to ensure secure and reliable wireless connectivity.

To configure a Wi-Fi profile for Android devices, perform the following steps:

  1. In PROFILE CONFIGURATION, click the + button and select WiFi under Connectivity.
  2. On the WIFI pop-up window:
    1. In the WiFi SSID section, click the + button to define the Wi-Fi settings.
    2. In the Network Name field, enter the wireless network name.
    3. From the Security Type drop-down list, select 802.1x Enterprise.
    4. Expand Protocols and select TLS under Accepted EAP Types.
    5. Expand Authentication and configure the following settings:
      1. From the User Identity Certificate drop-down list, select the certificate template created in the Configuring Certificate Authority via SCEP section.
      2. From the CA Certificate drop-down list, select DigiCert Global Root G3.
      3. In the Domain field, enter radius01.securew2.com
      4. Click ADD to create a Wi-Fi SSID.
      5. Click SAVE to apply the Wi-Fi profile configuration to the Android profile.
  3. Click SAVE AND ASSIGN to assign the profile to the target Android devices.
  4. In the ASSIGN dialog box, click the DEVICES tab, select the device group, and then choose your configured device.
  5. Click ASSIGN to install the profile on the selected devices.

Creating a Profile for macOS

To create and configure a macOS profile in SOTI MobiControl, follow these steps:

  1. From the SOTI MobiControl console, in the left pane, click Profiles.
  2. Click the + ADD PROFILE button.
  3. In the ADD PROFILE dialog box, select Create new and then click Apple > macOS Device.
  4. In the CREATE PROFILE pop-up window, select Reactive Profile.
  5. In the CREATE PROFILE (Reactive) dialog box, click the GENERAL tab.
    1. In the Profile Name field, enter a name for the profile.
  6. Click the CONFIGURATIONS tab.
    1. In PROFILE CONFIGURATION, click the + button and select Certificates under Security & Restrictions.
    2. On the CERTIFICATES pop-up window:
      1. In Add Certificates, click the upload icon.
      2. In the Add Certificate dialog box, in the Certificate field, click BROWSE and then click IMPORT to upload the root and intermediate CA certificates.
      3. Enable the DigiCert Global Root G3 and the uploaded root and intermediate CA certificates.
      4. In the Certificate Templates section, enable the certificate template you created earlier in the Configuring Certificate Authority via SCEP section.
      5. Click SAVE to apply the Certificate profile configuration to the macOS profile.

Configuring a Wi-Fi Payload for macOS

The Wi-Fi profile configures Wi-Fi settings on devices, enabling automatic authentication and connection to the specified network when it is within range.

To configure a Wi-Fi profile for macOS devices, perform the following steps:

  1. In PROFILE CONFIGURATION, click the + button and select WiFi under Connectivity.
  2. On the WIFI pop-up window:
    1. In the GENERAL tab:
      1. In the Name field, enter the wireless network name.
      2. From the Type drop-down list, select WPA2 Enterprise.
      3. Expand Protocols and select TLS under Accepted EAP Types.
      4. Expand Authentication and configure the following setting:
        1. From the User Identity Certificate drop-down list, select the certificate template created in the Configuring Certificate Authority via SCEP section.
      5. Expand Trust and configure the following settings:
        1. From the Trusted Certificates list, select DigiCert Global Root G3 and click APPLY.
        2. In the Add Trusted Server Names section, click the + button.
        3. In the TRUSTED SERVER NAME field, enter radius01.securew2.com if using a RADIUS server.
        4. Click SAVE to apply the Wi-Fi profile configuration to the macOS profile.
  3. Click SAVE AND ASSIGN to assign the profile to the target macOS devices.
  4. In the ASSIGN dialog box, click the DEVICES tab, select the device group, and then choose your configured device.
  5. Click ASSIGN to install the profile on the selected devices.

Data and Monitoring

SecureW2 Admins can verify successful certificate enrollment by navigating to Data and Monitoring > Enhanced Events. Enrolled devices will display a “CERTIFICATE_ISSUANCE” event.