How to Set Up EAP-TLS with Workspace One

The Simple Certificate Enrollment Protocol (SCEP) is a protocol commonly used with Mobile Device Management (MDM) systems to automate the certificate life cycle for their managed devices. SCEP uses a combination of a unique API URL and a Shared Secret, distributed to devices in a SCEP Profile, that enables the devices to enroll themselves for certificates without any user intervention. SCEP enrollment saves IT admins the time they would otherwise spend enrolling certificates on MDM-managed devices manually.

This enables devices to be configured for certificate-based Wi-Fi authentication from the Certificate Authority (CA) of your choosing the instant they open their laptop. Using a SCEP profile to enable certificate-based authentication allows business users to improve their network security by moving their devices off insecure password-based authentication.

Workspace One is a cloud-managed platform that lets IT admins operate Mobile Device Management (MDM) and Mobile Access Management (MAM). For SCEP certificate enrollment, an MDM such as Workspace One offers a SCEP profile that devices use to request certificates from our Public Key Infrastructure (PKI). This document walks through the configuration of Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) with Workspace One.

Tech Overview

  1. Configuring the SecureW2 Managed Device Gateway API
    • SecureW2’s PKI allows you to easily enroll certificates on your Workspace One devices by setting up a SCEP gateway.
    • Using a trusted CA, which SecureW2 offers, you can configure the payload to distribute authenticated certificates onto Workspace One devices.
  2. Configuring the SCEP profile
    • The SecureW2 API token wizard allows you to configure the SCEP profile by generating a shared secret and access token.
    • The shared secret and access token can generate a SCEP URL which will start enrolling certificates when added to Workspace One.
  3. Configuring the Wi-Fi profile
    • Configure the appropriate Wi-Fi settings so that devices use the certificate to connect to the right server automatically.
    • Using the SCEP-enrolled certificate, the device can be authenticated with EAP-TLS.
  4. Pushing certificates to Workspace One devices
    • The SCEP URL can be added to Workspace One devices so the SCEP gateway can distribute certificates.
    • With certificates deployed onto the Workspace One devices and EAP-TLS authentication in place, there is no need for manual configuration or the security risk it poses.

Prerequisites:

The following prerequisites apply to configuring the SCEP profile using our Public Key Infrastructure (PKI) with Workspace One Powered By AirWatch:

  • End users can enroll their device with Workspace One.
  • Certificate for Apple push notifications has been created and uploaded in Workspace One.

Creating the SCEP Gateway, SCEP URL, and Shared Secret

As a best practice, we recommend configuring a new intermediate CA in the JoinNow Connector Public Key Infrastructure (PKI) for the SCEP Gateway integration with Workspace One. When you create a Certificate Authority in JoinNow Connector PKI, you can configure settings such as Validity Period, Signature Algorithm, Automated Revocation, and more.

Follow these steps to create the SCEP enrollment API token:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Identity Management > API Tokens.
  3. Click Add API Token.
  4. Under the Basic section, in the Name field, enter the name of the API Token.
  5. In the Description field, enter a suitable description for the API token.
  6. From the Type drop-down list, select SCEP Enrollment Token.
  7. From the SCEP Vendor drop-down list, select Workspace ONE.
  8. From the Certificate Authority drop-down list, select a CA. If you do not select a CA, by default, the organization CA is Chosen.
  9. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded. In addition, the Enrollment URL is displayed on the page.

    NOTE: Save the file securely. This file is downloaded only once, at the time of token creation. If it is lost, the token and secret cannot be retrieved.

You can also refer to the steps mentioned in the Configuring API Tokens (SCEP Enrollment Token) section in the JoinNow MultiOS and Connector Configuration Guide available in the JoinNow Management Portal.

Creating New Intermediate CA for SCEP Gateway Integration

As a best practice, we recommend a dedicated new intermediate CA for the JoinNow SCEP Gateway integration with Workspace One. With this in place, the emails that SecureW2 JoinNow triggers when a certificate expires can be disabled for this CA.

To add a new intermediate CA, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select Device and User Authentication to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes "SCEP."
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  11. Click Save.

This generates the new Intermediate CA.

Creating a Certificate Template

Follow these steps to create a Workspace ONE Certificate Template for EAP-TLS authentication:

  1. Navigate to PKI > Certificate Authorities.
  2. Click Add Certificate Template.
  3. Under the Basic section, in the Name field, enter the name of the certificate template.
  4. In the Subject field, enter CN=${/device/identity}.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  8. In the SAN section:
    1. In the Other Name field, enter ${/device/clientId}.
    2. In the RFC822 field, enter ${/device/clientId}.
    3. In the DNS field, enter ${/device/buildModel:/device/operatingSystem:/device/identity}.
  9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  10. Click Save.

Creating Roles

The Role Policy is where you can specify your Identity Provider, which in this case is Workspace One, and attributes (like groups) that you want tied to a specific role. Then, this role can be used to trigger a Certificate Enrollment policy, or a Network Policy.

To add a role policy, perform the following steps:

  1. Navigate to Policy Management > Roles Policies.
  2. Click Add Role.
  3. Under the Basic section, in the Name field, enter the name of the role policy.
  4. In the Display Description field, enter a suitable description for the role policy.
  5. Click Save.
  6. The page refreshes and the Conditions tab is displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Identity Provider drop-down list, select the API Token that you created earlier (see the Creating the SCEP Gateway, SCEP URL, and Shared Secret section).
  9. Under the Attributes/Groups section, in the Attribute field, retain ANY.
  10. Click Update.

Creating Enrollment Policy

The Enrollment Policy is where you specify which Certificate Authority, Certificate Template, and other certificate settings a Role uses during enrollment.

To add an Enrollment Policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. Under the Basic section, in the Name field, enter the name of the enrollment policy.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Role drop-down list, select the role policy you created earlier (see the Creating Roles section).
  9. Under the Attributes/Groups section, in the Attribute field, retain ANY.
  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating New Intermediate CA for SCEP Gateway Integration section).
  12. From the Use Certificate Template drop-down list, select the certificate template you created earlier (see the Creating a Certificate Template section).
  13. In the other settings, retain the default values.
  14. Click Update.

Setting Up Certificate Enrollment via SCEP on Workspace One

Follow these steps to set up certificate enrollment via SCEP in Workspace One.

  1. To create a certificate authority:
    1. Log in to the Workspace ONE UEM Portal.
    2. Navigate to Devices > Certificates > Certificate Authorities.
    3. Click + ADD to create a new Certificate Authority.
      1. In the Name field, enter the name of the certificate authority.
      2. In the Description field, enter a suitable description for the certificate authority.
      3. From the Authority Type drop-down list, select Generic SCEP.
      4. In the SCEP URL field, enter the SCEP server URL from the downloaded .csv file (see the Creating the SCEP Gateway, SCEP URL, and Shared Secret section). This is the endpoint that Workspace ONE will use to submit API calls to the Certificate Authority.
      5. In the Challenge Type field, select STATIC.
      6. In the Static Challenge and Confirm Challenge Phrase fields, enter the API secret from the downloaded .csv file (see the Creating the SCEP Gateway, SCEP URL, and Shared Secret section).
      7. In the Max Retries When Pending field, retain the default value.
      8. In the Enable Proxy field, select DISABLED.
      9. Click SAVE.
  2. To create a Workspace ONE certificate template:
    1. Navigate to Devices > Certificates > Certificate Authorities > Request Templates.
    2. Click + ADD to create a new Certificate Template.
      1. In the Name field, enter the name of the certificate template.
      2. In the Description field, enter a suitable description for the certificate template.
      3. From the Certificate Authority drop-down list, select the CA created earlier.
      4. Select the common name of the certificate by clicking the + button next to the Subject Name field. For example, the Email address of the user.
      5. From the Private Key Length drop-down list, select 2048.
      6. Select the Private Key Type options: Signing, Encryption, or both.
      7. In the SAN Type section, click Add.
      8. Select Email Address from the drop-down list. Use the following:
        • {DeviceUid};;;;;;;;;;{DeviceOperatingSystem}
        NOTE: {DeviceUid} is followed by ten semicolons.
      9. In the Automatic Certificate Renewal field, select ENABLED.
      10. In the Publish Private Key field, select DISABLED.
      11. Click SAVE.
  3. To create a profile:
    1. Navigate to Devices > Provisioning > Components > Profiles.
    2. Click ADD PROFILE and select the Operating System. In this example, a profile for Android is created.
    3. In the Name field, enter the name of the profile.
    4. Navigate to Credentials and click CONFIGURE.
    5. In the Credentials section, from the Credential Source drop-down list, select Defined Certificate Authority.
    6. From the Certificate Authority drop-down list, select the Workspace ONE certificate authority you created earlier (see step 1 of this section).
    7. From the Certificate Template drop-down list, select the Workspace ONE certificate template you created earlier (see step 2 of this section).
    8. Click the + icon to add the version of the profile.
    9. Click SAVE.

NOTE: The SecureW2 JoinNow SCEP Gateway requires a unique identifier of the device, such as the UDID or MAC address, to be sent as part of the SCEP request. This information is used to create the device in the Management Portal.

Enabling Certificate-Based Authentication with Workspace One and the SecureW2 SCEP Gateway

Organizations have long struggled with issuing certificates to every device that needs Wi-Fi network access. Now, with the SecureW2 SCEP Gateway, organizations can remove the pre-shared key requirement and improve their authentication method by following the steps explained in this article on configuring EAP-TLS with Workspace One. By creating the SCEP profile in Workspace One, managed devices can be enrolled for digital certificates automatically without end users needing to do anything.

With the JoinNow Connector PKI, you can attain superior network security based on device trust and improve the user experience. By integrating SecureW2 with Workspace One for SCEP certificate enrollment, your organization enjoys streamlined certificate distribution at an affordable cost. For more information, see our pricing details.